2. INTRODUCTION
Network is two devices connected across some
medium by hardware and software that complete the
communications (simple definition of network).
User (Client)
Host
Server
Communication medium
Simple View of Network
3. Introduction
A network is normally not just single client to a
single server; typically many clients interact with
many servers.
User (Client) Host Server
User (Client)
User (Client)
User (Client)
Host Server
User (Client)
User (Client)
User (Client)
System A
System B
4. Network Security Issues
Network have security problems for the following reasons:
Sharing – resources and workload sharing
Complexity of system
Unknown parameter – expandability of a network also implies
uncertainty about the network boundary
Many points of attack – file may past through many host before
reaching the destination
Anonymity – attacker can mount an attack with touching the
system
Unknown path – there may be many path from one host to
another.
5. Possible Network Security Threats
Wiretapping
Impersonation
Message confidence violations
Message integrity violations
Hacking
Denial of Service (DoS)
6. Possible Network Security Threats
Wiretapping
Wiretap means to intercept communications.
Passive / Active Wiretapping
Packet sniffer can retrieve all packets on the net.
“Inductance” is a process where an intruder can tap a
wire without making physical contact with the cable.
Microwave and satellite – higher possibility of
interception due to wider broadcasting.
7. Possible Network Security Threats
Wiretapping
Optical fiber offers two significant security
advantages:
The entire optical network must be tuned carefully each
time a new connection is made. Therefore, no one can tap
an optical system without detection.
Optical fiber carries light energy, not electricity. Light
does not emanate a magnetic field as electricity does.
Therefore an inductive tap is impossible on an optical
fiber cable.
8. Possible Network Security Threats
Wiretapping
However, optical fiber also has weaknesses
where wiretappers will try to tap at the
repeaters, splices and other equipments that
connects to the fiber optic and thus creates
vulnerabilities.
9. Possible Network Security Threats
Impersonation
Pretend to be someone (personnel) or something
(process).
In an impersonation, the attacker has several choices:
Guess the identity and authentication details of the target
Pick up the identity and authentication details of the target
from a previous communication
Circumvent or disable the authentication mechanism at
the target computer
Use a target that will not be authenticated
Use a target whose authentication data is known
11. Possible Network Security Threats
Message Integrity Violations
Falsification of Messages
Change the content of a message
Change any part of the content of a message
Replace a message entirely
Redirect a message
Destroy or delete the message
Noise – unintentional interference
12. Possible Network Security Threats
Hacking
A source of threat to security in computer
communication.
Hacker is considered as a separate threat because a
hacker can develop tools to search widely and
quickly for particular weaknesses and move swiftly
to exploit weaknesses.
In this way, hacker has unlimited time to analyze,
plan, code, simulate and test for future attack.
In reviewing the effects of this attack ; if it succeeds,
what additional capability would that give the hacker
for future attacks?
13. Possible Network Security Threats
Denial of Service
Result of any action or series of actions that
prevents any part of a telecommunications
system from functioning.
Connectivity
Flooding
Routing problems
Disruption of Service
14. Network Security Control
Encryption – link encryption, end-to-end encryption
Link Encryption:
Data is encrypted just before the system places it on the
physical communication links.
Decryption occurs just as the communication enters the
receiving computer.
18. Network Security Control
Link Encryption versus End-to-end Encryption:
Link Encryption End-to-end Encryption
Security Within Hosts
Message exposed in the sending host
Message expose in intermediate nodes
Security Within Hosts
Message encrypted in sending host
Message encrypted in intermediate nodes
Role of User
Applied by sending host
Invisible to user
Host maintains encryption
Can be done in hardware
All or no messages encrypted
Role of User
Applied by sending process
User applies encryption
User must find algorithm
Software implementation
User chooses to encrypt or not, for each
message
19. Authentication Issues in Distributed System
There are two main concern regarding authentication
issue in distributed system which are:
(1) How to ensure the authenticity of the communicating
hosts?
(2) How to ensure authenticity of users who are using the
hosts?
20. Authentication Issues in Distributed System
That is by using:
Digital Distributed Authentication
DCE (Distributed Computer Environment)
Kerberos
SESAME
CORBA
21. Authentication Issues in Distributed System
Kerberos
Is a system that supports authentication in distributed
systems.
Was designed at Massachusetts Institute of
technology.
The basis of kerberos is a central server that provides
authenticated tokens called tickets to requesting
applications.
25. Authentication Issues in Distributed System
Kerberos was carefully designed to withstand attacks in
distributed environments:
No password communicated on the network
Cryptographic protection against spoofing
Limited period of validity
Time stamps to prevent replay attacks
Mutual authentication
26. Authentication Issues in Distributed System
Kerberos is not a perfect answer to security problems
in distributed systems because:
Kerberos requires continuous availability of a trusted
ticket granting server.
Authenticity of servers requires a trusted relationship
between the ticket granting server and every server
Kerberos requires timely transactions
A subverted workstation can save and later replay user
passwords
27. Authentication Issues in Distributed System
Kerberos is not a perfect answer to security
problems in distributed systems because:
Password guessing works
Kerberos does not scale well
Kerberos is not a complete solution
28. Privacy Enhanced Electronic Mail (PEM)
The basis of PEM is encryption.
In order to send a PEM message the sender
must have a certificate for the receiver.
32. Privacy Enhanced Electronic Mail (PEM)
The major problem with PEM is key management.
Therefore PGP was designed to overcome this
problem.
33. Pretty Good Privacy (PGP)
Was designed by Phil Zimmerman to offer a reasonable
degree of privacy for email.
It uses a message structuring scheme similar to PEM.
The key management for PGP is ad hoc.
Each user has a set of people he or she knows and trusts.
The user exchanges public keys with those friends, exactly as
one might swap business card at meeting.
Some people accept not just the friends’ public key but also
all public keys their friends have.
34. Pretty Good privacy (PGP)
The assumption here is that any friend of yours is a
friend of mine.
A PGP user builds a key ring which is the set of all
public keys that person possesses.
In that way, when an encrypted messages arrives, the
person can decrypt it if the key is on that person’s
key ring.
35. Firewalls
A firewall is a process that filters all traffic between
a protected or “inside” network and a less
trustworthy or “outside” network.
There are three types of firewall:
Screening Routers
Proxy gateways
Guards
36. Firewalls
Screening Router
Is the simplest and in some situations the most effective type
of firewall.
Hosts tend not to be connected directly to a wide area
network; more often hosts are connected to a router.
39. Firewalls
Screening Router
Router will only see the header of the message.
Header will contain information on:
The sender/receiver address
Protocol
Port
Length of a packet
It can also control the traffic based on application – by using
port numbers (eg: 21 for FTP and 25 for SMTP)
It can also decide which application is acceptable and not
acceptable.
It can also determine the authentication of an inside address.
40.
41. Firewalls
Proxy Gateway
Is also called a bastion host.
Is a firewall that simulates the (proper) effects
of an application so that the application will
receive only requests to act properly.
42. Firewalls
Proxy Gateway
To understand the real purpose of a proxy
gateway, we consider some examples:
A company wants to set up an online lists so that
outsiders can see the products and prices offered.
It wants to be sure that no outsider can change the
prices or product list and that outsiders can access
only the price list not any of the more sensitive
files stored inside.
43.
44. Firewalls
Guard
A guard is a sophisticated proxy firewall.
The guard decides what services to perform on the
user’s behalf based on its available knowledge such
as whether it can reliably know of the (outside)
user’s identity, previous interactions and so forth.
45. Firewalls
Guard
Here are some more sophisticated examples of guard
activities:
A university wants to allow its students to use email up to
a limit of so many messages or so many characters of
email in the last so many days. Although this result could
be achieved by modifying email handlers it is more easily
done by monitoring the common point through which all
email flows (the mail transfer protocol).
A school wants its students to be able to access the WWW
but because of the slow speed of its connection to the
Web it will allow only so many characters per download
image.
46. Firewalls
Firewalls are not complete solutions to all
computer security problems.
Firewalls can protect an environment only if the firewalls
control the entire perimeter.
Firewall do not protect data outside the perimeter.
Firewall are the most visible part of an installation to the
outside and therefore is the most attractive point of attack.
Firewalls are targets of penetrators.
Firewalls must be correctly configured.
Firewalls exercise only minor control over the content
admitted to the inside – inaccurate data or malicious code
must be controlled inside the perimeter.