Title: NETWORK SECURITY
1NETWORK SECURITY
Source Wired
2Computer and Network Attack Taxonomy
Attackers Tools Access Access Access Access Results Results Objectives
Hackers User Command Implementation Vulnerability Unauthorized Access Process Files Corruption of Information Corruption of Information Challenge, Status
Spies Script or Program Design Vulnerability Unauthorized Use Data in Progress Disclosure of Information Disclosure of Information Political Gain
Terrorists Autonomous Agent Configuration Vulnerability Theft of Service Theft of Service Financial Gain
Corporate Raiders Toolkit Denial-of-Service Denial-of-Service Damage
Professional Criminals Distributed Tool
Vandals Data Tap
Time
Source Dissertation of John D. Howard, CMU, 1997
3Group Task
- Get together on groups of 3-5 people
- Discuss an attack that one of your group members
have experienced or heard about - For that attack, mark within which cells the
attack belongs - Five minutes
4Securing Resources
5Threats to Security
- Physical security
- Access Security
- Unauthorized access into a computer
- Tapping into a data communications line
- Personnel
- Misuse by authorized personnel
- Natural Disaster
- Computer Viruses, Worms, Logic Bombs.
- Denial of Service Attacks
6Security concepts/terminology
- Need to address following issues
- Secrecy/Privacy guarantee that information given
will not be misused - Authenticity data provided to user must be
authentic (i.e., is it really coming from X?) - Integrity data stored in system must not be
corrupted. - Non-repudiation A mechanism which prevents a
user from denying a legitimate, billable charge.
7Phishing
8Which one would YOU trust?
9Denial of Service -- UDP Flood Attack
Target System 1
Kai Larsen UDP Chargen TCP chargen server sends
a continual stream of characters until the client
terminates the connection UPD chargen servers
send a datagram containing a random number of
characters in response to each datagram sent by
a client
Hackers System
Target System 2
10Denial of Service DNS Flood
DNS
Kai Larsen UDP Chargen TCP chargen server sends
a continual stream of characters until the client
terminates the connection UPD chargen servers
send a datagram containing a random number of
characters in response to each datagram sent by
a client
Hackers System
Target System
11Denial of Service -- Smurf Attack
12What to do about DOS Attacks
- Implement router filters
- Install patches
- Disable any unused or unneeded network services.
- Observe your system performance and establish
baselines for ordinary activity. Use the baseline
to gauge unusual levels of disk activity, CPU
usage, or network traffic. - Maintain multiple IP addresses, and redundant and
fault tolerant network connections, and "hot
spares. - An excellent (and short) paper on DOS Attacks is
located here.
13User Identification and Authorization
- Passwords
- kept in encrypted file
- should be changed frequently
- automatic expiration
- Ultra-sensitive applications
- layered IDs (passwords at several levels)
- user profiles (restrictions on who can do what)
- access levels (read, write, execute, purge)
- combining menus and user profiles (let user see
only those options available to her)
14Time and Location Restrictions
- Establish time intervals during which transaction
is allowed - Certain transactions can run only from certain
locations - attach applications to terminals
- maintain terminal profile
- Additional precautions on switched ports with
dial-in access - call-back unit
- restricted hours
- safeguard telephone numbers
- manual authentication in high security
installations
15Other Methods
- Recognizing unauthorized access attempts
- after 3 failed attempts disallow log-in for 5
minutes - permit fake log-in after several failed attempts
- Automatic log-off
- log off anybody with no activity for 10 minutes
- authentication for every transaction
- Transaction logs
- every log-in is logged (date, time user id,
unsuccessful attempts, terminal id, location) - No method is foolproof. These are delaying
tactics.
16Securing Communications
Setting Europe Time 1940-45 How?
17Data Encryption
- Symmetric Key Cryptography
- Data encryption standard (DES), Bureau of
standards (based on symmetric key) - 56-bit encryption key (now available in longer
keys) - uses 16 iterations of rearrangement and
substitution combinations - Its 72-quadrillion combinations were broken in
1997 by a group using distributed computing
(14,000 computers) lead by Colorado programmer
Rocke Verser - Public Key cryptography
- (the other approach, covered later)
18- 31798603996994715581310583186337934867429744958612
19How much is?
1 Billion
30 bits (9 zeros)
Source http//www.kokogiak.com/ megapenny/default
.asp
20How much is?
10 Billion
40 bits (12 zeros)
21How much is?
1 Quadrillion
50 bits (15 zeros)
22How much is?
1 Quintillion
60 bits (18 zeros)
23How much is?
1 Octillion
128 bits (38 zeros)
Previous collection (enlarged for your benefit)
24How much is?
Number of pennies that can fit inside the Universe
300 bits (90 zeros)
Thanks to Alexander Voronovich for help with
calculation
25- RSA Laboratories currently recommends key sizes
of 1024 bits for corporate use and 2048 bits for
extremely valuable keys like the root key pair
used by a certifying authority
2048 bits (616 zeros)
Source http//www.rsasecurity.com/rsalabs/node.as
p?id2218 Downloaded 04/06/06
26Symmetric Key Encryption
Encrypted message DSPEZHKE
27Data encryption based on symmetric key (A very
old method)
- Divide plain text into groups of 8 characters.
Pad with blanks at end (if necessary) - Select an 8-character key
- Rearrange plain text by interchanging adjacent
characters (first with second, third with fourth) - Translate each character into a number (A-1, B-2,
C-3, ....., Z-26, blank-0) - Add the numbers of the key (Step 2) to the
results of above step.
28Data encryption based on symmetric key(contd.)
- Divide each sum by 27 and keep remainder
- Translate remainder back into character to yield
the cipher text. - At the receiving end
- Perform the reverse operation (i.e., the same
set of steps in reverse order) to restore the
original text.
29Example
- DATA _COM
- ADATC_MO rearrange characters
- 01 04 01 20 03 00 13 15
translate - 16 18 15 20 15 03 15 12
key vals. - 17 22 16 40 18 03 28 27
sum - 17 22 16 13 18 03 01 00
mod 27 - Q V P M R C A _
result
30PAP Direct Password (Password authentication
protocol)
Its me, and heres my PASSWORD.
Carrier Services
Remote LAN Access Server
LAN
- Simple password access
- Vulnerable to snooping
(Source Ascend Corp)
31CHAP Secured Password Exchange (Challenge
authentication protocol)
?
Carrier Services
- Uses challenge-based encrypted password
- Makes snooping much less effective
(Source Ascend Corp)
32Token
- 3. Token device
- generates one-
- time password
password
Token Device
- Several types of token systems
- Token generates exclusive one-time password
- Requires possession of token device and PIN
Source Ascend Corp.
33Kerberos
Kerberos
TGS
2
3
4
1
4
Server
Client
5
Description of Protocol Step 1. The Client
sends the Kerberos server a request for a ticket
to the Ticket Granting Service (TGS). Step
2. The Kerberos server returns a TGS ticket
encrypted with the user's password. If the user
types in the correct password, the ticket is
decrypted to get tickets from the TGS for various
services. Step 3. The Client sends a
request to the TGS for a ticket to a service such
as telnet on a particular host. Included in this
message is the Kerberos ticket establishing the
Client's identity. This message is encrypted
using a session key which is included in the TGS
ticket. Step 4. The TGS returns a session
key for use between the Client and the service as
well as a ticket which is used to convince the
Server that the Client is authorized to use this
service. The session key is also sent to the
Server. Step 5. Client uses the ticket and
the session key to communicate with the server.
34Public Key Cryptography (A brilliant idea
proposed in 1976)
35Generating Keys
Public Key
Private Key
36Example Public Key
-----BEGIN PGP PUBLIC KEY BLOCK----- Version
PGPfreeware 7.0.3 for non-commercial use
lthttp//www.pgp.comgt mQGiBDvxSuQRBADwvXMXRZBlJpz
ja9Dc3LVjxORM5tWsrPfQdVca2ATYXuFlq/d WdQzyvtc02e4R
pTBeeA/X3UCtAhDxKN1QxB08qosV0tQ4XLmwcbazBsZySJQRv2
S 0CygJiNltxZgCk4KVciZHQzXW3OU8UKU7fTsUHkw9qhu1dF
cXoVyqj1PQCg/5u 8zconmVM7z0ivM9y0us9zocD/j5/G2/t
b6b3n3S9KIEo7fTLXytsIp2bN53Kmxx DnIFhXTIb0i3k7JvvQ
i7v7akPbdrRrNmc49hYZsYzTIjLDoSzz/A516Rjpp3u/8 7DH
ZJp3XL60QRfVAYzUeq62PweBgEKcBBaHAe7ylS7ozqENdXe2l6
X8sNJjoLmbJ oiqSBADEEt4GRI5/jB5m9QyDBv6h2yTn/J3Ofb
6YXc6jlGdUMfCtJtE83EYxetJW qb306epyns6DhbjyR0wdOp9
bkt4gOOnDjx01Jcs4ZxaV73daLdnETxOWdTj6aNw5 WB4xnGB
Dd6pb2GFx37a29WtlciKqfCPq37gpYOH4tmpzrvP47QqS2FpIF
IuIFQu IExhcnNlbiA8a2FpLmxhcnNlbkBjb2xvcmFkby5lZHU
iQBYBBARAgAYBQI78Urk CAsDCQgHAgEKAhkBBRsDAAAAAAoJ
EOKthI8QozYkJf4An0dsntidqj/NcjtcQQwU 03ehxQDoAJ9k
tKDWo8s4OpVr2q4ZFXIqm8yerkCDQQ78UrkEAgA9kJXtwh/CBd
y orrWqULzBej5UxE5T7bxbrlLOCDaAadWoxTpj0BV89AHxstD
qZSt90xkhkn4DIO9 ZekX1KHTUPj1WV/cdlJPPT2N286Z4VeSW
c39uK50T8X8dryDxUcwYc58yWb/Ffm7 /ZFexwGq01uejaClcj
rUGvC/RgBYKX0iP1YTknbzSC0neSRBzZrM2w4DUUdD3yI sxx
8Wy2O9vPJI8BD8KVbGI2Ou1WMuF040zT9fBdXQ6MdGGzeMyEst
Sr/POGxKUAY EY18hKcKctaGxAMZyAcpesqVDNmWn6vQClCbAk
bTCD1mpF1Bn5x8vYlLIhkmuqui XsNV6TILOwACAgf8DeWZPsT
T1hmXuDLNgq6ga2m3XDkyrn0D8Xo99GsK6Kcw40 phiat4Xp
jgrR9rWxV9F4lfdbp5TZgKrOjvkQ3LRUZW3joL8iuUgWxednC/
ZS2hQa YWgDUPSw1u76JbgocbwWyjMj/1Q/iehAZcMicPulPo4
vugTuOdEUNHAyhhxCDJSC TofJ0nvj5qOwdLiNU/73xrrckt5
QPTnn3Y9mYm3cFYnG2XhUp2PIzk8US0eUXL dhFVWVQRRa1Jt
sk5gOYLPB0H34DjT5CJ7a4ujy4wzR83Mxh1/mmzjVD6QqiIbU
w 8QJiXBcinwpf9B8/8LfC0eFEHTDU9QmeVDJIy4kATAQYEQIA
DAUCO/FK5AUbDAAA AAAKCRDirYSPEKM2JAgBAJ4wmc/dZOl7Q
CYiTHDM9nScqqymLgCg8/eca5JDodSE UqaAm5zi2diYKs
w3hs -----END PGP PUBLIC KEY BLOCK-----
Private key looks similar, but with different
information
37(No Transcript)
38Imagine a chest with two locks
now Imagine that you have the ability to
generate such chests at will, and that they all
react the same way to the keys belonging to itas
long as you have ONE key (either public or
private, you can generate the chest)
39So, you want to send a secret text to your
friend, Billy-Bob?
You
Billy-Bob
40Public Key Cryptography
- Sender encrypts message M into E(M) by applying
public key or encryption key (E) of receiver - Receiver decrypts E(M) by applying her private
key or decryption key (D) - i.e, D(E(M)) M
- Based on one-way (or trap door) functions which
are easy to compute in one direction but not in
the other. - E Encryption or public key
- D Decryption or private key
41But how do you prove to your friend, Billy-Bob
that you are YOU? (you already have his public
key)
Use your own Private Key to generate an empty
chest
You
Billy-Bob
42Electronic signatures(Another brilliant idea!)
- How do you convince your bank that you are
indeed the sender of a message? - Say Alice (A) is sending message to Bank (B)
- Alice applies her decryption key
- Alice applies banks encryption key
- Sends message to bank
- Bank applies its decryption key first
- Bank applies Alices encryption key
- Based on the idea that keys are commutative, ie.
43PGP (Pretty Good Privacy)(a.k.a. Phils pretty
good software)http//www.pgp.com
- Software written by Phil Zimmerman (of Boulder
fame!) - Implements public key cryptography
- Available in public domain (on most Unix
systems) - Basic commands
- pgp -h (for help)
- pgp -kg (to create your key)
- pgp -e text_file her_user_id (to encrypt with
recipients public key) - pgp ciphertextfile (to decrypt ciphertextfile)
- pgp -ka keyfile ( to add contents of a key
file to your key ring)
44Aircraft Downing in China
- The airplane is basically a really big flying
tape recorder - Virtually anything transmitted through the air
would be within reach - dozens of sensitive antennae pick up signals
from radar, radio, cell phones, perhaps even
e-mail - Source The Daily Camera, April 4th, 2001
EP-3E Source NYT, April 4th, 2001
45FIREWALLS
INTERNET
A firewall is a mechanism used to protect a
trusted network from an untrusted network. It
implements the site's security policy and is the
single point in your network through which all
communications between the trusted and untrusted
network must pass.
46Packet Filtering Firewalls
-- Incorporate packet filters in the router
software -- Reject/accept packets based on rules
Filter Action Internal Port
External Port Comment Rule
Host Host
1
block HACKER
deny access to
2 allow Mail 25
connect to
mail
gateway
-- Generally anything not expressly permitted
is prohibited.
47Application-Level Gateways (or Proxy Servers)
-- Use software applications to filter traffic
for various services. -- Program acts like a
gateway (or proxy server), and -- Logs traffic
and forwards only the legitimate traffic. -- Do
not need rules as with packet level filters,
but -- Need a specialized program for each
service (e.g. mail proxy, http proxy, etc.). --
Operates at higher layer of OSI protocol. --
WeaknessRuns on top of OS and subject to holes
in OS.
48Screened-host Gateway
This firewall combines the features of
packet-level filtering (through the router) and
application-level gateways.
49Internet Security Protocols
S-MIME Secure Multipurpose Internet Mail
Extensions. SSL Secure Socket Layer. SSL is a
protocol for transmitting encrypted data over
TCP/IP networks. S-HTTP Secure HTTP. Security
extension to HTTP to protect individual
transaction requests and responses. SET Secure
Electronic Transaction. Developed by Visa and
MasterCard to support bank card payments
involving multiple parties (card holder,
merchant, acquirer, issuer).
50Secure Web Transactions
Symmetric algorithms are faster than public key
algorithms, but public key algorithms are
required to maintain privacy during the exchange
of the faster symmetric keys. To preserve both
efficiency and privacy, secure Web transactions
begin with a public key exchange, followed by
the exchange of a session key that follows a
faster, symmetric algorithm.
51Digital Certificate
Is the cyberspace equivalent of a drivers
license. Way of authenticating yourself to other
party.
- SSL authentication is done by X.509 certificates.
- Certificates are issued by certification
authorities (CAs), e.g. Verisign, GTE
Cybertrust,etc., which act as trusted third
parties. - Each certificate contains
- information about the certificate's format.
- a unique serial number.
- information about the algorithm used to sign the
certificate. - the name of the CA which issued the certificate.
- the validity period of the certificate.
- identifying information about the "subject," or
the entity to whom the - certificate belongs,the subject's public key,
and the issuers signature.
52How SECURE ELECTRONIC TRANSACTIONS (SET) WORK
Card Issuer
Acquiring Bank
Customer
Merchant
53Problems with Encryption
- The Battle of Leyte Gulf (October 23-26 1944)
- American navy forces split into two, each
steaming to meet separate Japanese forces
(located far away from each other) - Task Force 38 and Task Force 34 (commanded by
Admiral Halsey) - Admiral Nimitz (in Pearl Harbor) was wondering
about Task Force 34s position, sent message
Where is Task Force 34? - Cryptographer stuffed message, and sent it as
- Turkey trots to water XX Where repeat where is
Task Force 34 XX The world wonders. - Halseys cryptographer, forgetting to remove all
the stuffing, sent the following message to the
bridge - Where repeat where is Task Force 34 XX The world
wonders.
54Tennysons The Charge of the Light Brigade
- Half a league, half a league, Half a league
onward,All in the valley of Death Rode the six
hundred."Forward, the Light Brigade!"Charge for
the guns!" he saidInto the valley of Death
Rode the six hundred.
55Tennysons The Charge of the Light Brigade
- Flash'd all their sabres bare,Flash'd as they
turn'd in air,Sabring the gunners
there,Charging an army, while All the world
wonder'd - Then they rode back, but not Not the six
hundred.
56Key Security Points
- High-level security consists of multiple system
components - User identification
- Access verification
- Security administration
- Combine multiple security mechanisms for
desired level of - security
- Both dial-up security and backbone security are
important. - Individual responsibility is essential!
Source Ascend Corp.
57Security Resources
- CERT Computer Emergency
- Response Team
- CSI Computer Security
- Institute
- ISSA Information Systems
- Security Association
- TruSecure Corporation
- (formerly National Computer
- Security Association)
- FIRST Forum of Incident
- Response and Security Teams
http//www.cert.org/ 1-412-268-7090 http//ww
w.gocsi.com 1-415-905-2626
http//www.issa-intl.org/ 1-708-699-6441
http//www.trusecure.com 1-717-258-1816
http//www.first.org
Source Ascend Corp.