Network and Information Security Lecture 2 - PowerPoint PPT Presentation

1 / 34
About This Presentation
Title:

Network and Information Security Lecture 2

Description:

Title: Public Key Cryptosystems Author: B Srinivasan Last modified by: pdle Created Date: 2/23/1996 1:12:16 PM Document presentation format: On-screen Show – PowerPoint PPT presentation

Number of Views:216
Avg rating:3.0/5.0
Slides: 35
Provided by: bsrini
Category:

less

Transcript and Presenter's Notes

Title: Network and Information Security Lecture 2


1
Network and Information SecurityLecture 2
2
Layout
  • Look at possible network connections and
    information security concerns
  • Discuss general network and information security
    model and the trade-off between security and
    services
  • Study computer networks and communications models
    (you need to know computer network structure to
    understand network security)
  • Discuss network and information security issues
  • Authentication, Access control, confidentiality,
    integrity, non-repudiation and availability
  • Discuss network security approaches to resolve
    the above issues
  • Which part of network structure can we enforce
    security?
  • How can we do it efficiently?

3
Model for information and network security
Trusted Third party
Principal
Principal
Message
Gate Keeper
Message
Information channel
Secret Info.
Secret Info.
Opponent security threads and possible attacks
Borrowed from Stallings
4
Security Business Services
1
Security -------------------------------------
Convenience (Services)
5
Services and security
  • How do you secure computer networks with
  • Web servers
  • Email servers
  • FTP servers
  • Web and email servers
  • Web, email and FTP servers
  • Modem servers
  • Web, email, FTP and modem servers
  • Web, email, file servers
  • Etc.

6
Possible networks and information security issues
  • How do you secure
  • A computer connected to the internet via ISP
    (using modem or leased cable)
  • A client machine
  • A server machine
  • An Intranet connected to the Internet via ISP
    (using leased cable)
  • A LAN connected to the Internet
  • A computer or a network connected to a company
    computer system
  • Multiple LANS and WANS connected to the Internet
  • A wireless LAN connected to a wired network that
    connected to the internet

7
Possible connections Security?
Wired Stranger
Firewall (optional)
Wireless Stranger
8
Possible connections Security?
Your systems
Wired stranger
firewall
Production Servers
Wireless stranger
9
Possible connections Security?
Your systems
Wired stranger
firewall
Production Servers
10
Possible connections Security?
Lan/ Wan
Web Servers
Lan/ Wan
Lan/ Wan
firewall
Back end Data Servers
Lan/ Wan
11
Possible connections Security?
Lan/ Wan
Web Servers
Business Integration systems
firewall
Lan /Wan
Back end Data Servers
Business Applications
Mobile users
12
What are the main security concerns?
  • How can authentication be done?
  • Do you allow all possible connections?
  • How can information be secured during
    transmission?
  • What can happen to your information during
    transmission?
  • How can stored data be secured before it can be
    retrieved?
  • How can authorisation be enforced?
  • Who can access to what objects?
  • How do you make sure either the sender or
    receiver not to deny a transmitted message?
  • Can the system be attacked from outside even if
    you have firewalls?
  • Who can compromise your system from outside and
    inside?
  • Etc.

13
Network CommunicationOSI Reference Model
Application programs that use the network
Application related services
Application (7)
Standardise data rep. to application layer
Presentation(6)
Manage sessions between applications
Session(5)
Provide end-to-end error detection and correction
Transport(4)
Network related services
Network(3)
Manage connections across network
Data Link(2)
Provide reliable delivery across physical links
Physical(1)
Define characteristics of media
14
Generic Message Format
Recipient Identity
Message Length
Sender Identify
Message Data
15
Internet TCP/IP Model
Programs X window, mobile agents, Web
applications, Email
Application
Sockets
Table of addresses, data and algorithms to
perform reliable check
Transport (TCP, UDP)
Table of addresses and algorithms for handling
the routing of data
Network (IP)
Data Link
Packets of some length algorithms
Physical
Digital signal (0,1)
16
Network Layer IP Datagram format (for reference)
4-bit 4-bit 8 bit
16-bit
Version header length type of
service Total Length

16 bit
3 bit
13 bit
Identification
flags fragment offset
8-bit 8-bit
16-bit
time to live protocol
header checksum
17
TCP segment (for reference)
16-bit
16-bit
Source port number
Destination port number
32-bit Sequence number
32 bit acknowledgement number
4-bit 6-bit 6-bit
16-bit Header
length Reserved Flags
Window Size
16-bit
16-bit TCP
Checksum
Urgent pointer
Options(if any) and padding
Data (variable length)
18
UDP datagram (for reference)
16- bit
16-bit Source Port Number
Destination Port Number
16-bit
16-bit Length
Checksum
Data (variable length, if any)
19
Protocol enveloping
  • To allow communications, two systems must follow
    the same protocol.
  • Each layer in a protocol stack of a system uses a
    unique and well-defined message format for
    communicating with its peer layer on other
    system.
  • As message gets passed down from one layer to the
    next, it is enveloped inside of another message.
    A new envelop is added at each step.
  • After transmission across the network, the
    protocol layers on the receiving system strip off
    their respective envelopes (among other tasks).
  • The original message is passed to the highest
    layer.

20
TCP/IP (e.g)
  • To communicate with a particular service using
    TCP/IP,
  • e.g telnet, at some machine at IP address X, we
    know that telnet uses TCP, is always assigned to
    port 23.
  • So in the IP header youd specify X as the
    destination address, and 6 which means TCP- as
    the protocol type.
  • In the TCP header, youd specify port 23 as
    destination port (Your process on your machine
    would be at a dynamically assigned port )

21
TCP Connection abstraction (e.g)
TCP uses the connection as its fundamental
abstraction connections are identified by a pair
of endpoints
(123.23.4.99, 2343)
(128.34.2.1, 80)
Connection 1
IP - port
server
Clients
Connection 2
(130.194.3.99, 3333)
Because TCP identifies a connection by a pair of
endpoints, a given TCP port number can be shared
by multiple connections on the same host
22
Network Security Issues
  • Authentication How can we make sure that a
    communication is authentic?
  • Access Control make sure that provided objects
    are accessed by authorized entities. How?
  • Confidentiality Protect data from passive
    attack or traffic analysis. How?
  • Integrity Assure messages are received as sent.
    How?
  • Non-repudiation Prevent either sender or
    receiver from denying a transmitted message. How?
  • Availability Keep services continually
    operational. How?

23
Network security issues (e.g)
  • Authentication
  • Who are you? Provide your username password
  • Where are you from? MARS? VENUS? Is your machine
    allowed to talk to mine? Your IP, please!
  • Access control
  • Who can access what objects/services?
  • Sorry! I cannot let your Java applets vandalize
    my site
  • Sorry! This ftp site is for read only
  • Sorry! You do not have privilege to run this
    program
  • Sorry! You cannot read the shadow file
  • How are objects be accessed? Remotely/locally
  • Which parts of the systems need more restrict
    access?

24
Network security issues (e.g)
  • Integrity A message or file that traverses the
    network at risk of having data added, removed, or
    modified along the way.
  • Consider the following message
  • From root_at_temple.csse.monsah.edu.au To
    root_at_beast.csse.monash.edu.au,
    root_at_pluto.csse.monash.edu.au Subject
    hackers temple.csse has been hacked by
    intruders. I am working to resolve this
    problem. Please check your systems for possible
    intrusion.
  • As a by-product of this email message, the
    attacker of temple.csse has also compromised an
    email server at this site and can modify the
    message, access other machines, etc.

25
Network security issues (e.g)
  • Confidentiality
  • You might not really care if a few postal
    employees read a postcard or two, but would you
    care if every piece of mail you received were
    paraded in plain view past each person that lives
    between post office and your home?
  • On internetworking, email, data transfer via FTP
    and www requests may be handled by intervening
    networks and devices and anyone with access to
    them, authorized or not, can read the
    data/messages.

26
Network security issues (e.g)
  • Non-repudiation
  • Hey, why did you charge me this?
  • Did you send me this order?
  • No! No! absolutely not! I am not silly to order
    that stuff!
  • Is this your digital signature?
  • OhMaybe it is mine!!

27
Network security issues (e.g)
  • Availability
  • Call ISP Hey, I will not use your ISP from next
    month! I am sick of it!
  • ISP reply Would you kindly tell me why?
  • People cannot access my webpage, it has good
    stuff!!
  • Check.. CheckIt is O.K, I can access it now.
  • You can access it now, but I tried it heaps of
    times yesterday and always got timeout!
  • OhSorry! Our system got Ping of Dead
    yesterday! Please do stay with us, I promise it
    wont happen again.

28
Where should we start?
  • Many network functionalities are built in the OS
  • The TCP and lower are implemented in the OS
  • Others above TCP are implemented in user
    processes
  • When you are using your computer, you are
    interacting with the OS and most applications are
    running as user processes on the top of TCP
  • The traditional network model was not created
    with good security
  • E.g the IP layer was only able to tell the
    application what IP address it is talking to, but
    not what user is on the other side
  • Should we modify the OS and not change
    applications to enhance security? OR
  • Should we change the already-built applications
    to enhance security and not change the OS?

29
TCP/IP Possible Security Enhancement
Kerboros, HTTPS, SMINE, PGP
SSL, TLS
IP Sec
Encrypting packets
Physical
Hardware chip for Encryption
30
Why deploy Security at IP Layer?
  • Security at the IP layer is related to the
    layers function of end-to-end datagram delivery.
  • The security weakness are
  • Network snoofing e.g one machine can
    masquerade as another machine temporarily
  • Message replay
  • Authentication issues
  • Etc.
  • Benefit? Implementing IP security within the OS
    automatically causes all applications to be
    protected do not have to change the applications

31
Aside - IP
  • Internet Control Message Protocol (ICMP)
    influences and somewhat controls the behavior of
    the IP layer, while actually using IP services to
    perform its tasks.
  • ICMP monitors and communicates network control
    information between network participants.
  • The IP layer also is impacted by special routing
    protocols like Routing Information Protocol
    (RIP), Internet Group Management Protocol (IGMP),
    Open Shortest Path First (OSPF) and Border
    Gateway Protocol (BGP).

32
Why deploy security at Transport Layer?
  • Applications at higher layers are normally based
    on socket communications, therefore security can
    be achieved with
  • SSL (Secure Socket Layer)
  • TLS (Transport Layer Security)
  • Benefit? No need to change OS.

33
Can we also implement security at Application
Layer?
  • There are many different applications at The
    Application Layer -gt need different ways to
    secure each type of applications
  • Secure Mobile Agents
  • Secure Email (PGP, S/MINE),
  • Secure Web (HTTPS)
  • Security with Kerboros

34
What else can we do?
  • Beside SSL and security enhancement at the
    Application Layer
  • What else can we do to secure computer systems
    without having to change the OS?
  • How about building a wrapper for a software to
    make it behave the way we want?
  • Discuss more later if you wish to!
Write a Comment
User Comments (0)
About PowerShow.com