Network Security Introduction

1
Network Security - Introduction


While computer systems today have good security
systems, they are also vulnerable. Vulnerability
stems from world-wide access to computer systems
via Internet. Computer and network security comes
in many forms including encryption algorithms,
access to facilities, digital signatures, finger
prints, face scans, other biometric means, and
passwords.
2
Network Security, contd

• Companies are reluctant to publicly admit that
  they have suffered losses due to failed network
  security.
• Security goals must be set by IT, BUT SUPPORTED
  BY HIGHEST LEVELS OF MANAGEMENT.

3
Basic Security Measures


Basic security measures for computer systems fall
into eight categories External
security Operational security Surveillance Pas
swords Auditing Access rights Standard system
attacks Viruses
4
External Security


Protection from environmental damage such as
floods, earthquakes, and heat. Physical security
such as locking rooms, locking down computers,
keyboards, and other devices. Electrical
protection from power surges. Electromagnetic
noise protection from placing computers away from
devices that generate electromagnetic
interference.
5
Operational Security


Deciding who has access to what. Limiting time of
day access. Limiting day of week access. Limiting
access from a location, such as not allowing user
to use a remote login during certain periods or
any time.
6
Passwords and ID Systems

• Passwords - common form of security and most
  abused.
• Rules for safe passwords include
• Change your password often.
• Password - minimum 8 characters, mixed symbols.
• Dont share passwords or write them down.
• Dont select names and familiar objects as
  passwords.

7
Passwords and ID Systems

• Many new forms of passwords are emerging
  (biometrics)
• Fingerprints
• Face prints
• Retina scans and iris scans
• Voice prints
• Ear prints

8
Auditing as Security


Creating computer or paper audit can help detect
wrongdoing. Auditing can also be used as a
deterrent. Many network operating systems allow
administrator to audit most types of transactions.
9
Auditing as Security, contd

• Manual audits can be done by either internal or
  external personnel.
• Manual audits severe to verify effectiveness of
  policy development and implementation, and extent
  of security in overall corporate security policy.
  
• Automated audits depend on software able to
  assess weaknesses of network security and
  security standards.

10
Auditing as Security, contd

• Some automated audit tools are able to analyze
  network for vulnerabilities and make
  recommendations
• Other tools merely capture events so that
  security people can figure out who did what and
  when after security breach has occurred.

11
Auditing as Security, contd

• Security probes test various aspects of
  enterprise network security and report results
  and suggest improvements.
• Intrusion detection systems test perimeter of
  enterprise network through dial modems, remote
  access servers, web servers, or Internet access.
• Network based intrusion detection systems use
  network traffic probes distributed throughout
  network to identify traffic patterns that may
  indicate some type of attack may be underway

12
Access Rights as Security

Two basic questions to access rights who and
how? Who do you give access rights to? No one,
group of users, entire set of users? What level
of access does a user or group of users get?
Read, write, delete, print, copy,
execute? Procedures set to remove people who
leave or transfer. Most network OS have method
system for assigning access rights.

13
SECURITY POLICY DEVELOPMENT LIFE CYCLE

• SPDLC is depicted as cycle since evaluation
  processes validate the effectiveness of original
  analysis stages.
• Next slide shows SDLC.
• Look at this slide as management tool of steps
  that have to be taken.

14
Security Policy Development Life Cycle
15
Security Requirements Assessment

• Start research by finding out if your friends in
  field can give you manuals of what they have
  done.
• Define needs requirements for users in
  organization.
• Security refers to restrictions of information
  upon users, and responsibilities of users for
  implementation and enforcement.

16
Scope and Feasibility of Studies

• Define scope of security study.
• Realize that there is a balance between security
  and productivity.
• Optimal balance will protect resources while not
  impacting on worker productivity.

17
Security vs. Productivity Balance
18
Assets, Threats, and Risks

• Security methodologies have major steps
• Identify assets includes hardware, software,
  and media used to store data.
• Identify threats anything that can pose a
  danger to assets.
• Identify vulnerabilities potential problems in
  security system

19
Assets, Threats, and Risks

• Security methodologies- continued
• Consider risks probability of successfully
  attacking particular asset
• Identify risk domains groups of network systems
  sharing common functions and common elements of
  exposure.
• Take protective measures Virus protection,
  firewalls, authentication, encryption

20
Firewalls, contd


System or combination of systems that supports an
access control policy between two
networks. Firewall can limit types of
transactions that enter system, as well as types
of transactions that leave system. Firewalls can
be programmed to stop certain types or ranges of
IP addresses, as well as certain types of TCP
port numbers (applications).
21
Firewalls


22
Firewalls, contd


Packet filter firewall - essentially router that
has been programmed to filter out or allow in
certain IP addresses or TCP port numbers. Proxy
server - more advanced firewall that acts as
doorman into corporate network. Any external
transaction that requests something from
corporate network must enter through proxy
server. Proxy servers are more advanced but make
external accesses slower.
23
Proxy Server


24
Attack Strategies

• Attack strategies concentrate on weaknesses of
  specific systems.
• Two servers communicating with TCP set up three
  step exchange of address and confirmation.

25
Attack Strategies, contd

• Following attack strategies take negative
  advantage of three step exchange
• Denial of service attack hacker floods server
  with request to connect to non-existent servers
• Land attack hacker substitutes targeted
  servers own address as address of server
  requesting connection

26
Guarding Against Viruses


Signature-based scanners look for particular
virus patterns or signatures and alert
user. Terminate-and-stay-resident programs run in
background constantly watching for viruses and
their actions. Multi-level generic scanning is
combination of antivirus techniques including
intelligent checksum analysis and expert system
analysis.
27
Standard System Attacks, contd


Denial of service attacks - bombard computer site
with many messages site is incapable of answering
valid requests. e-mail bombing - user sends an
excessive amount of unwanted e-mail. Smurfing -
technique in which program attacks network by
exploiting IP broadcast addressing
operations. Ping storm - Internet Ping program is
used to send flood of packets to server.
28
Standard System Attacks, contd


Spoofing - user creates packet that appears to be
something else or from someone else. Trojan Horse
- malicious piece of code hidden inside seemingly
harmless piece of code. Stealing, guessing, and
intercepting passwords is also tried and true
form of attack.
29
Web Specific Attack Strategies

• Minimizing web attacks requires using following
  techniques
• Eliminate unused user accounts and default
  accounts (Guest)
• Remove/disable unused services such as FTP,
  Telnet, etc.
• Remove unused Unix command shells and interpreters

30
Web Specific Attack Strategies contd

• Properly set permission levels on files and
  directories
• Stay up to date with current attack strategies,
  and defenses.
• Beware of Common Gateway Interface programs
  extracting web server password files. Take
  corrective measures.

31
Management Role and Responsibility

• Executive responsibilities
• Set Security Policy of the Organization
• Allocate sufficient resources staff, funding,
  etc.
• Information is corporate resource
• Assign responsibility for protecting information
  resources
• Require computer security training for staff

32
Management Role and Responsibility, contd

• Hold employees responsibility for corporate
  resources in their care
• Audit (internal and external) corporate security
• Follow through with penalties for violations of
  corporate security

33
Management Role and Responsibility, contd

• Management responsibility
• Assess responsibilities in your corporate
  security area
• Assess balance between security and productivity
• Assess vulnerabilities with your area of
  responsibility
• Adhere and enforce corporate policies

34
Policy Development Process

• Establish processes and policies
• Be sure affected user groups are represented on
  policy development task force.
• Emphasis should be on corporate wide awareness
  relating to importance of protecting corporate
  information and network access.

35
Policy Implementation Process

• Having been included in policy development
  process, users are expected to support policies
• User responsibilities
• Protect data you have
• Corporate resources are property of company

36
Policy Implementation Process

• Continued
• Inform supervisor of suspicious actions, or
  people
• Never share your passwords
• Choose password that is impossible to discover
• Log off before leaving your computer
• Lock up sensitive material backups
• Backup important data

37
Policy Implementation Process, contd

• Policy implementation should force changes in
  peoples behaviors, which can cause resistance
• Use appropriate technology and associated
  processes to execute policy.
• Security architectures imply security solutions
  have been predefined for given corporations
  variety of computing and network platforms.

38
Policy Implementation Process, contd

• If users involvement was substantial during
  policy development stage and if buy-in was
  assured at each stage of policy development,
  then process stands better chance of succeeding.

39
VIRUS PROTECTION

• Comprehensive protection plan must combine
  policy, people, processes, and technology to be
  effective.
• Virus - describes computer program that gains
  access to computer system or network with
  potential to disrupt normal activity of that
  system or network.

40
VIRUS PROTECTION, contd

• Viruses triggered by passing of certain date or
  time is referred to as time bombs whereas viruses
  that require certain event to transpire are known
  as logic bombs.
• Trojan horse - actual virus is hidden inside
  program and delivered to target system or network
  to be infected.

41
ANTIVIRUS STRATEGIES

• Effective antivirus policies and procedures must
  first focus on use and checking of
  diskettes/files.
• Antivirus strategies
• Identify vulnerabilities
• Keep antivirus updated

42
ANTIVIRUS STRATEGIES, contd

• Antivirus strategies, continued
• Install virus scanning software
• Non employees should be prohibited from
  installing laptops to system.
• Install virus scanning software on commonly used
  laptops
• Write protect diskettes with .exe, .com files

43
Collaborative Software Infection/Reinfection Cycle
44
ANTIVIRUS TECHNOLOGIES

• Virus scanning is primary method for successful
  detection and removal.
• Emulation technology - detect unknown viruses by
  running programs with software emulation program
  known as a virtual PC. Execution program can be
  examined in environment for symptoms of viruses.
  
• Advantage of such programs is they identify
  potentially unknown viruses based on behavior
  rather than by relying on natures of known
  viruses.

45
ANTIVIRUS TECHNOLOGIES, contd

• CRC checkers or hashing checkers creates and
  saves unique cyclical redundancy check character
  each file to be monitored. Each time that file
  is subsequently saved, new CRC is checked against
  the reference CRC.
• If CRCs do not match, then file has been changed.
  Shortcoming of technology - only able to detect
  viruses after infection.
• Active control monitors is able to examine
  transmissions from Internet in real time and
  identify known malicious content based on
  contents of definition libraries.

46
Virus Infection Points of Attack and Protective
Measures
47
FIREWALLS

• To prevent unauthorized access from Internet into
  companys confidential data, specialized software
  known as firewall is often deployed.
• Firewall software usually runs on dedicated
  server that is connected to, but outside of,
  corporate network.
• All network packets entering firewall are
  filtered, or examined, to determine whether or
  not those users have authority to access
  requested files.

48
Firewall Architecture

• Difficulty with firewalls is there are no
  standards for firewall functionality,
  architectures, or interoperability.
• Firewall architecture
• 1. Packet filtering
• 2. Application gateway
• 3. Internet firewalls

49
PACKET FILTERING

• Packets of data on Internet are identified by
  source address of computer that issued message
  and destination address of Internet server.
• Filter - program that examines source address and
  destination address of incoming packet to
  firewall server.
• Filter tables - lists of addresses whose data
  packets and embedded messages are either allowed
  or prohibited from proceeding through the
  firewall.
• Filter tables can limit access of certain IP
  addresses to certain directories.

50
PACKET FILTERING, contd

• Filtering time introduces latency to overall
  transmission time.
• Packet filter gateways can be implemented on
  routers. Existing piece of technology can be used
  for dual purposes.
• Packet filters can be breached by hackers in
  technique known as IP spoofing.
• If hacker can make packet appear to come from an
  unauthorized or trusted IP address, then it can
  pass through firewall.

51
Application Gateways

• Also called application level filters
• Port level filters determine legitimacy of party
  asking for information, application level filters
  assures validity of what they are asking for.
• Application level filters examine entire request
  for data rather than source and destination
  addresses.

52
Application Gateways, contd

• Application gateways are concerned with what
  services or applications message is requesting in
  addition to who is making request.
• Once legitimacy of request has been established,
  only proxy clients and servers actually
  communicate with each other.

53
Packet Filters and Application Gateways
54
Proxies, Trusted Gateways, and Dual-Homed Gateways
55
INTERNET FIREWALLS

• Category of software known as internal firewalls
  has begun to emerge.
• Internal firewalls include filters that work on
  data link, network, and application layers to
  examine communications that occur only on a
  corporations internal network, inside reach of
  traditional firewall.
• Internal firewalls act as access control
  mechanisms, denying access to applications user
  does not have specific access approval.

56
Authentication and Access Control

• Authentication products break down into three
  overall categories
• What you know - single sign-on (SSO) access to
  multiple network attached servers and resources
  via passwords.
• What you have - requires user to posses type of
  smart card or token authentication device to
  generate single use passwords.
• What you are - validates users based on physical
  characteristic, i.e. fingerprints, hand geometry,
  or retinal scans.

57
Token Authentication

• Provides one-time use session passwords
  authenticated by associated server software.
• Hardware based smart cards are about size of
  credit card with or without numeric keypad.
• In-line token authentication devices connect to
  serial port of computer for dial-in
  authentication through modem.
• Software tokens are installed on the client PC
  and authenticated with server portion of token
  authentication product transparently to end user.

58
Challenge-response token authentication

• Challenge-response token authentication involves
  following steps
• User enters an assigned user ID and password at
  client.
• Token authentication server software returns
  numeric string known as challenge.
• Challenge number and PIN are entered on smart
  card.

59
Challenge-response token authentication, contd

• Smart card displays response number on LCD
  screen.
• Response number is entered on client workstation
  and transmitted back to token authentication
  server.
• Token authentication server validates response
  against expected response from user and this
  particular smart card.

60
Challange-Response vs. Time-Synchronous Token
Authentication
61
Biometric Authentication

• Biometric authentication can authenticate users
  based on fingerprints, palm prints, retinal
  patterns, voice recognition, or other physical
  characteristics.
• Biometric authentication devices require valid
  users first register by storing copies of
  fingerprints, voice, or retinal patterns in
  validation database.

62
Authorization vs. Authentication

• Authorization is concerned with assuring that
  properly authorized uses are able to access
  particular network resources.
• Authentication - ensures that only legitimate
  users are able to log into network.

63
KERBEROS

• Kerberos combination of authentication and
  authorization software.
• Kerberos architecture consists of three key
  components
• Kerberos client software
• Kerberos authentication server software
• Kerberos application server software

64
Kerberos Architecture
65
KERBEROS, contd

• Kerberos must communicate directly with
  application.
• Kerberos enforces authentication and
  authorization through use of ticket based system.
  Encrypted ticket is issued for sever to client
  session and is valid for preset amount of time.
• From network analysts perspective, concern is
  centered on amount of network bandwidth consumed
  by addition of Kerberos security.

66
Basic Encryption and Decryption Techniques


Cryptography - creating and using encryption and
decryption techniques. Plaintext - data before
any encryption has been performed. Ciphertext -
data after encryption has been performed. Key is
unique piece of information used to create
ciphertext and decrypt ciphertext back into
plaintext.
67
Encryption/Decryption


68
Ciphers

• A few ciphers to be examined
• Monoalphabetic Substitution-based Ciphers
• Polyalphabetic Substitution-based Ciphers
• Transposition-based Ciphers

69
Monoalphabetic Substitution-based Ciphers


Monoalphabetic substitution-based ciphers replace
character or characters with different character
or characters, based upon some key. Replacing abc
defghijklmnopqrstuvwxyz With POIUYTREWQLKJHGFDSA
MNBVCXZ The message how about lunch at
noon encodes into EGVPO GNMKN HIEPM HGGH
70
Polyalphabetic Substitution-based Ciphers


Similar to monoalphabetic ciphers except multiple
alphabetic strings are used to encode the
plaintext. For example, matrix of strings, 26
rows by 26 characters or columns can be used. Key
such as COMPUTERSCIENCE is placed repeatedly over
the plaintext. COMPUTERSCIENCECOMPUTERSCIENCECOMPU
TER thisclassondatacommunicationsisthebest
71
Polyalphabetic Substitution-based Ciphers


To encode the message, take the first letter of
the plaintext, t, and the corresponding key
character immediately above it, C. Go to row C
column t in the 26x26 matrix and retrieve the
cipher text character V. See next slide for 26 x
26 matrix. Continue with other characters in
plaintext.
72
26 x 26 Cipher Character Matrix


73
Transposition-based Ciphers


In transposition-based cipher, order of plaintext
is not preserved. As simple example, select key
such as COMPUTER. Number letters of word COMPUTER
in order they appear in alphabet. 1 4 3 5 8 7 2
6 C O M P U T E R
74
Transposition-based Ciphers, contd


Transposition-based Ciphers Now take the
plaintext message and write it under the key. 1 4
3 5 8 7 2 6 C O M P U T E R t h i s i s t h e b e
s t c l a s s i h a v e e v e r t a k e n
75
Transposition-based Ciphers, contd


Then read ciphertext down the columns, starting
with the column numbered 1, followed by column
number 2. TESVTLEEIEIRHBSESSHTHAENSCVKITAA
76
Public Key Cryptography and Secure Sockets Layer

Powerful encryption technique in which two keys
are used first key (public key) encrypts message
while second key (private key) decrypts
message. Not possible to deduce one key from
other. Not possible to break code given public
key. If you want someone to send you secure data,
give them your public key, you keep private
key. Secure sockets layer on Internet is common
example of public key cryptography.

77
Public Key Infrastructure


Combination of encryption techniques, software,
and services that involves all necessary pieces
to support digital certificates, certificate
authorities, and public key generation, storage,
and management. Digital certificate is an
electronic document, similar to passport, that
establishes your credentials when you are
performing transactions.
78
Public Key Infrastructure, contd


Digital certificate contains your name, serial
number, expiration dates, copy of your public
key, and digital signature of certificate-issuing
authority. Certificates are usually kept in
registry so other users may check them for
authenticity.
79
Public Key Infrastructure, contd


Certificates are issued by certificate authority
(CA). CA is either specialized software on
company network or trusted third party. Lets say
you want to order something over Internet. Web
site wants to make sure you are legitimate, so
web server requests your browser to sign order
with your private key (obtained from your
certificate).
80
Public Key Infrastructure, contd


Web server then requests your certificate from
third party CA, validates that certificate by
verifying third partys signature, then uses that
certificate to validate signature on your
order. User can do same procedure to make sure
web server is not bogus operation. Certificate
revocation list is used to deactivate users
certificate.
81
Public Key Infrastructure, contd

• Applications that could benefit from PKI
• World Wide Web transactions
• Virtual private networks
• Electronic mail
• Client-server applications
• Banking transactions

82
Triple-DES


More powerful data encryption standard. Data is
encrypted using DES three times the first time
by first key, second time by second key, and
third time by first key again. (Can also have 3
unique keys.) While virtually unbreakable,
triple-DES is CPU intensive. With more smart
cards, cell phones, and PDAs, a faster (and
smaller) piece of code is highly desirable.
83
Advanced Encryption Standard (AES)


Selected by U.S. government to replace
DES. National Institute of Standards and
Technology selected the algorithm Rijndael
(pronounced rain-doll) in October 2000 as basis
for AES. AES has more elegant mathematical
formulas, requires only one pass, and was
designed to be fast, unbreakable, and able to
support even smallest computing device.
84
Advanced Encryption Standard (AES)


Key size of AES 128, 192, or 256 bits. Estimated
time to crack (assuming a machine could crack a
DES key in 1 second) 149 trillion years. Very
fast execution with very good use of
resources. AES should be widely implemented by
2004.
85
ENCRYPTION

• Encryption - changing of data into indecipherable
  form before transmission.
• Decryption - changing unreadable text back into
  its original form.
• Types of encryption
• DES-Private Key
• RSA Public key
• Digital signature
• Key Management Alternatives

86
DES Private Key Encryption

• Decrypting device must use same algorithm to
  decode or decrypt data as encrypting device used
  to encrypt data.
• DES allows encryption devices manufactured by
  different firms to interoperate successfully.
• Encryption key customizes commonly known
  algorithm to prevent anyone without private key
  from decrypting documents.

87
RSA Public Key Encryption

• Public key - combines usage of both public and
  private keys.
• In public key encryption, sensing encryption
  device encrypts document using intended
  recipients public key and originating partys
  private key.
• To decrypt the document, receiving
  encryption/decryption device must be programmed
  with intended recipients own private key and
  sending partys public key.

88
Digital Signature Encryption

• Digital signature encryption - electronic means
  of guaranteeing authenticity of sending party and
  assurance that encrypted documents have not been
  altered during transmission.
• Original document is processed by hashing program
  to produce a mathematical string unique to exact
  content of original document.
• Unique mathematical string is encrypted using
  originators private key.
• Encrypted digital signature is appended to and
  transmitted with encrypted original document.

89
Digital Signature Encryption, contd

• To validate authenticity of received document,
  recipient uses public key associated with
  apparent sender to regenerate digital signature
  from received encrypted document.
• Transmitted digital signature is compared by
  recipient to regenerated digital signature
  produced by using public key and received
  document.

90
Private, Public, and Digital Signature
Encryption
91
Key Management Alternatives

• Key Management - Before computers can communicate
  in secure manner, they must be able to agree on
  encryption and authentication algorithms and
  establish keys.
• Standards for key management
• ISAKMP (Internal Security Association and Key
  Management Protocol) from IETF. Largely replaced
  by IKE (Internet Key Exchange).
• SKIP (Simple Key Management for IP)

92
Key Management Alternatives, contd

• Public key dissemination must be managed so users
  are assured public keys received are actually
  public keys of companies or organizations they
  are alleged to be.
• Public key infrastructures that link user to are
  implemented through use of server based software
  known as certificate services.
• Certificate server software supports encryption
  and digital signatures while flexibility
  supporting directory integration, multiple
  certificate types, and variety of request
  fulfillment options.

93
Digital Signatures


Document to be signed is sent through complex
mathematical computation that generates
hash. Hash is encoded with owners private
key. To prove future ownership, hash is decoded
using owners public key and hash is compared
with current hash of document. If two hashes
agree, document belongs to owner. U.S. has just
approved legislation to accept digitally signed
documents as legal proof.
94
Applied Security Scenarios

• Install only software/hardware need.
• Allow only essential traffic into/out of network.
  Eliminate other traffic by blocking with routers
  or firewalls.
• Investigate outsourcing web-hosting services so
  corporate web server is not physically on same
  network as rest of corporate information assets.
• Use routers to filter traffic by IP addresses.

95
Applied Security Scenarios, contd

• Make sure router OS software has been patched to
  prevent attacks by exploiting TCP
  vulnerabilities.
• Identify information assets most critical to
  corporation, and protect those servers first.
• Implement physical security constraints to hinder
  physical access to critical resources such as
  servers.

96
Applied Security Scenarios, contd

• Develop effective, and enforceable security
  policy. Monitor its implementation and
  effectiveness.
• Consider installing proxy server or application
  layer firewall.
• Block incoming DNS queries and requests for zone
  transfers.
• Disable all TCP ports and services not essential
  so hackers are not able to exploit and use
  services.

97
Integration with Information Systems and
Application Development

• Authentication products must be integrated with
  existing information systems and applications
  development efforts.
• APIs (Application Program Interfaces) are means
  by which authentication products are able to
  integrate with client/server applications.
• Application development fits combine an
  application development language with supported
  APIs.

98
Remote Access Security

• Protocol and associated architecture known as
  remote authentication dial-in user (RADIUS)
  offers potential to enable centralized management
  of remote access users and technology.
• RADIUS enables communication between following
  three tiers of technology
• Remote access devices such as remote access
  servers and token authentication technology from
  variety of vendors.
• Enterprise databases that contain authentication
  and access control information.
• RADIUS authentication server.

99
RADIUS
100
Remote Access Security, contd

• RADIUS allows network managers to centrally
  manage remote access users, access methods, and
  logon restrictions.
• RADIUS allows centralized auditing capabilities
  such as keeping track of volume of traffic sent
  and amount of time on-line.
• For authentication, it supports password
  authentication protocol (PAP), challenge
  handshake authentication protocol (CHAP), and
  SecurID token authentication.

101
Password Authentication Protocol (PAP),

• PAP is designed for dial in communication.
• PAP repeatedly sends user ID and password to
  authenticating system in clear text pairs until
  it is acknowledged or connection is dropped.

102
Challenge Handshake Authentication Protocol (CHAP)

• CHAP provides secure means for establishing dial
  in communication.
• CHAP uses three-way challenge or handshake that
  includes user ID, password, and key encryption
  for ID and password.
• Problem with system is some mechanism must be in
  place for both receiver and sender to know and
  have access to key.

103
E-Mail, Web, and Internet/Intranet Security

• Two primary standards for encrypting traffic on
  the WWW
• S-HTTP (Secure Hypertext Transport Protocol)
  secure version of HTTP requires both client and
  server S-HTTP versions to be installed for secure
  end-to-end encrypted transmission.
• SSL SSL is described as wrapping an encrypted
  envelope around HTTP transmissions. SSL is
  connection-level encryption method providing
  security to network link itself.

104
E-Mail, Web, and Internet/Intranet Security,
contd

• Secure Courier and is offered by Netscape.
• Secure Courier is based on SSL and allows users
  to create a secure digital envelope for
  transmission of financial transactions over
  Internet.

105
E-Mail, Web, and Internet/Intranet Security,
contd

• Additional forms of security are
• PCT
• PEM
• PGP
• SET
• S/MIME
• Virtual Private Network Security

106
Private Communications Technology (PCT)

• Microsofts version of SSL
• PCT supports secure transmissions across
  unreliable (UDP rather TCP based) connections by
  allowing decryption of transmitted records
  independently from each other, as transmitted in
  individual datagrams.
• Targeted primarily toward on-line commerce and
  financial transactions

107
Privacy Enhanced Mail (PEM)

• PEM - encryption technique for e-mail use on
  Internet used in association with SMTP (Single
  Mail Transport Protocol).
• PEM was designed to use both DES and RSA
  encryption techniques, but it would work with
  other encryption algorithms as well.

108
Pretty Good Privacy (PGP)

• An Internet e-mail specific encryption standard
  that also uses digital signature encryption to
  guarantee the authenticity, security, and message
  integrity
• PGP over-comes inherent security loopholes with
  public/private key security schemes by
  implementing Web of trust in which e-mail users
  electronically sign each others public keys to
  create an interconnected group of key users.

109
Secure Electronic Transactions (SET)

• SET - series of standards to assure
  confidentiality of electronic commerce
  transactions.
• Standards are becoming promoted by credit card
  giants VISA and MasterCard.
• A single SET compliant electronic transaction
  could require as many as six cryptographic
  functions, taking from one-third to one-half of
  second on high-powered UNIX workstation.
• An important aspect of SET standards is
  incorporation of digital certificates or DIgital
  IDs

110
Secure Multipurpose Internet Mail Extension
(S/MIME)

• S/MEME secures e-mail in e-mail applications that
  have been S/MEME enabled.
• S/MEME enables different e-mail systems to
  exchange encrypted messages and encrypt
  multimedia as well as text based e-mail.

111
Virtual Private Network (VPN) Security

• To provide virtual private networking
  capabilities using the Internet as an enterprise
  network backbone, specialized tunneling protocols
  needed to be developed that could establish
  private, secure channels between connected
  systems.
• Two rival standards are examples of such
  tunneling protocols
• Microsofts point-to-point tunneling protocol
  (PPTP)
• Ciscos layer two forwarding (L2F)

112
Virtual Private Network (VPN) Security, contd

• Unification of two rival standards is known as
  layer 2 tunneling protocol (L2TP).
• One shortcoming of proposed specification is that
  it does not deal with security issues such as
  encryption and authentication.
• Next slide illustrates use of tunneling protocols
  to build VPN using Internet as enterprise network
  backbone.

113
Tunneling Protocols Enable Virtual Private
Networks
114
Virtual Private Network (VPN) Security, contd

• IPsec - protocol that ensures encrypted
  communications across Internet via VPN through
  use of manually exchange.
• IPsec supports only IP-based communications.
• IPsec is standard that should enable
  interoperability between firewalls supporting
  protocol.

115
PPTP

• PPTP is essentially tunneling protocol that
  allows managers to choose whatever encryption or
  authentication technology they wish to hang off
  either end of the established tunnel.
• PPTP Microsoft tunneling protocol specific to
  Windows NT and remote access servers.
• PPTP concerned with secure remote access in that
  PPP-enabled clients would be able to dial into
  corporate network by Internet.

116
Enterprise Network Security

• To maintain proper security over widely
  distributed enterprise network, it is essential
  to be able to conduct certain security-related
  processes from single, centralized security
  management location.

117
Enterprise Network Security, contd

• Among these processes or functions are
• Single point of registration (SPR) allows
  network security manager to enter new user (or
  delete terminated user) from single centralized
  location and assign all associated rights,
  privileges, etc.
• Single sign-on (SSO) also sometimes known as
  secure single sign-on (SSSO), allows users to log
  into enterprise network and be authenticated from
  client PC location.

118
Enterprise Network Security, contd

• Single access control view allows users access
  from client workstation to only display resources
  user actually has access too.
• Security auditing and intrusion detection is able
  to track and identify suspicious behaviors from
  both internal employees and potential intruders.
  Detection and response to such events must be
  controlled from centralized security management
  location.

119
Government Impact

• Government agencies play major role in area of
  network security.
• Two primary functions of government agencies are
• Standards making organizations that set standards
  for the design, implementation, and certification
  of security technology and systems.
• Regulatory agencies that control export of
  security technology to companys international
  locations.