School of Computing & Informatics
M. Sc in Computer Science & Networking
Chapter-04
By Dr. Ananda Kumar K S, M.Tech, Ph.D
Associate Professor, School of Comp & Info
Email: anandgdk@du.edu.et
COET, Dilla University
Course Number: CN6122
Course Title: Advanced Network Security
CHAPTER-04
4.1 Firewalls
4.2 Access Methods
4.3 Security Attacks
4.4 Security Mechanisms
4.5 Secure Network Protocols-SSL & TLS
• A firewall is, in essence, a barrier between your network and the outside world.
• At a minimum, it will filter incoming packets based on certain parameters such as packet size, source IP address, protocol, and destination port.
• Linux and Windows (beginning with Windows XP and in all subsequent Windows versions) ship with a simple firewall.
• For Windows, the firewall in Windows 7 was expanded to handle filtering both inbound and outbound traffic.
• In an organizational setting, you need a dedicated firewall between your network and the outside world.
• This might be a router that also has built-in firewall capabilities. (Cisco Systems is one company that is well known for high-quality routers and firewalls.) Or, it might be a server that is dedicated solely to running firewall software.
• A firewall protects your computer by examining each information packet that travels over the network. Clues to a packet's purpose can be read from its destination address. Firewalls contain a list of allowed and disallowed destinations and functions.
[Figure: A firewall filters packets flowing between a site and the rest of the Internet]
[BELL94b] lists the following design goals for a firewall:
• All traffic from inside to outside, and vice versa, must pass through the firewall. This is achieved by physically blocking all access to the local network except via the firewall.
• Only authorized traffic, as defined by the local security policy, will be allowed to pass. Various types of firewalls are used, which implement various types of security policies.
• The firewall itself is immune to penetration. This implies the use of a hardened system with a secured operating system. Trusted computer systems are suitable for hosting a firewall and often required in government applications.
• Firewalls can be set up to offer security services to many TCP/IP layers. The many types of firewalls are classified based on the network layer in which they offer services and the types of services offered. They include:
◦ Packet Inspection Firewalls - routers that inspect the contents of the source or destination addresses and ports of incoming or outgoing TCP, UDP, and ICMP (Internet Control Message Protocol) packets being sent between networks, and accept or reject each packet based on the specific packet policies set in the organization's security policy.
Application Proxy Server:
◦ Filtering Based on Known Services - a server machine that sits between a client application and the server offering the services the client application may want.
◦ It behaves as a server to the client and as a client to the server, hence a proxy, providing a higher level of filtering than the packet filter server by examining individual application packet data streams.
Virtual Private Network (VPN) Firewalls
• A VPN is a cryptographic system, including Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP), and IPSec, that carries Point-to-Point Protocol (PPP) frames across an Internet with multiple data links with added security.
• The advantages of a VPN over non-VPN connections like standard Internet connections are:
  ▪ VPN technology encrypts its connections.
  ▪ Connections are limited to only machines with specified IP addresses.
◦ Small Office or Home (SOHO) Firewalls
  ▪ A SOHO firewall is a relatively small firewall connecting a few personal computers via a hub, a switch, a bridge, or even a router on one side and connecting to a broadband modem like DSL or cable on the other.
◦ NAT Firewalls (Network Address Translation)
  ▪ In a functioning network, every host is assigned an IP address.
  ▪ In a fixed network where these addresses are static, it is easy for a hacker to get hold of a host and use it to stage attacks on other hosts within and outside the network.
  ▪ To prevent this from happening, a NAT filter can be used. It hides all inside host TCP/IP information.
  ▪ A NAT firewall actually functions as a proxy server by hiding identities of all internal hosts and making requests on behalf of all internal hosts on the network.
  ▪ This means that to an outside host, all the internal hosts have one public IP address, that of the NAT.
• In the context of network security, access control is the ability to limit and control the access to host systems and applications via communications links.
• To achieve this, each entity trying to gain access must first be identified, or authenticated, so that access rights can be tailored to the individual.
Access Control Methods:
• An interesting problem with security is that not only must information be protected from outsiders, it must sometimes be protected from insiders as well.
The term Access Control actually refers to the control over access to system resources after a user's account credentials and identity have been authenticated and access to the system granted.
Various methods that control access to network environments are described in the following sections.
• Discretionary access control (DAC)
• Role-based access control (RBAC)
• Mandatory access control (MAC)
• Attribute Based Access Control (ABAC)
• Mandatory Access Control (MAC) is the strictest of all levels of control.
• The design of MAC was defined by, and is primarily used by, the government.
• MAC takes a hierarchical approach to controlling access to resources. Under a MAC-enforced environment, access to all resource objects (such as data files) is controlled by settings defined by the system administrator.
• As such, all access to resource objects is strictly controlled by the operating system based on system administrator configured settings.
• It is not possible under MAC enforcement for users to change the access control of a resource.
• Unlike Mandatory Access Control (MAC) where access to system resources is controlled by the operating system (under the control of a system administrator), Discretionary Access Control (DAC) allows each user to control access to their own data.
• DAC is typically the default access control mechanism for most desktop operating systems.
• Instead of a security label in the case of MAC, each resource object on a DAC based system has an Access Control List (ACL) associated with it.
• An ACL contains a list of users and groups to which the user has permitted access together with the level of access for each user or group.
• Role Based Access Control (RBAC), also known as Non-discretionary Access Control, takes more of a real world approach to structuring access control.
• Access under RBAC is based on a user's job function within the organization to which the computer system belongs.
• Essentially, RBAC assigns permissions to particular roles in an organization. Users are then assigned to that particular role.
• For example, an accountant in a company will be assigned to the Accountant role, gaining access to all the resources permitted for all accountants on the system.
• Similarly, a software engineer might be assigned to the Developer role.
• Roles differ from groups in that while users may belong to multiple groups, a user under RBAC may only be assigned a single role in an organization.
• Additionally, there is no way to provide individual users additional permissions over and above those available for their role.
• The accountant described above gets the same permissions as all other accountants, nothing more and nothing less.
• In recent years, ABAC has become increasingly significant due to the growing popularity of large distributed systems.
• One of the main drawbacks of RBAC is the difficulty of assigning privileges to an individual. ABAC provides an effective solution since user attributes are the criteria used to determine user authorization.
• This access policy improves upon RBAC in the following areas: delegation of attribute authority, decentralization of attributes, and interference of attributes.
• To protect the sensitivity of credentials, ABAC contains several policies for maintaining user confidentiality and data integrity.
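The four models described above, evaluated side by side. This is an added example, not part of the original slides; the users, resources, label names, attribute names and the "no read up" comparison used for MAC are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

# MAC: labels are set by the administrator and ordered hierarchically.
# Assumption: a simple "no read up" comparison; level names are constructed.
LEVELS = {"public": 0, "confidential": 1, "secret": 2}

def mac_can_read(clearance: str, classification: str) -> bool:
    return LEVELS[clearance] >= LEVELS[classification]

# DAC: each object carries an ACL that only its owner may edit.
@dataclass
class DacObject:
    owner: str
    acl: dict = field(default_factory=dict)   # principal -> set of rights

    def grant(self, actor: str, principal: str, right: str) -> None:
        if actor != self.owner:
            raise PermissionError(f"{actor} does not own this object")
        self.acl.setdefault(principal, set()).add(right)

    def allows(self, user: str, groups: set, right: str) -> bool:
        if user == self.owner:
            return True
        return any(right in self.acl.get(p, set()) for p in {user, *groups})

# RBAC as the slides describe it: one role per user, permissions per role.
ROLE_PERMS = {
    "accountant": {("ledger", "read"), ("ledger", "write")},
    "developer": {("source", "read"), ("source", "write")},
}
USER_ROLE = {"alice": "accountant", "bob": "developer", "carol": "accountant"}

def rbac_allows(user: str, resource: str, action: str) -> bool:
    return (resource, action) in ROLE_PERMS.get(USER_ROLE.get(user, ""), set())

# ABAC: the decision is a predicate over subject, resource and environment
# attributes, so one individual can be singled out without creating a role.
ABAC_RULES = [
    lambda s, r, a, e: a == "read" and s["department"] == r["department"],
    lambda s, r, a, e: (a == "read" and r["type"] == "audit-report"
                        and "auditor" in s["certifications"]
                        and 8 <= e["hour"] < 18),
]

def abac_allows(subject: dict, resource: dict, action: str, env: dict) -> bool:
    return any(rule(subject, resource, action, env) for rule in ABAC_RULES)

def demo() -> dict:
    payroll = DacObject(owner="alice")
    payroll.grant("alice", "finance-group", "read")
    try:
        payroll.grant("bob", "bob", "write")   # a non-owner cannot edit the ACL
        bob_self_grant = True
    except PermissionError:
        bob_self_grant = False
    # Both are accountants under RBAC; only their attributes differ.
    carol = {"department": "finance", "certifications": {"auditor"}}
    alice = {"department": "finance", "certifications": set()}
    report = {"department": "compliance", "type": "audit-report"}
    return {
        "mac_secret_reads_confidential": mac_can_read("secret", "confidential"),
        "mac_public_reads_secret": mac_can_read("public", "secret"),
        "dac_group_member_reads": payroll.allows("dave", {"finance-group"}, "read"),
        "dac_non_owner_grant": bob_self_grant,
        "rbac_alice_ledger": rbac_allows("alice", "ledger", "write"),
        "rbac_carol_source": rbac_allows("carol", "source", "read"),
        "abac_carol_report": abac_allows(carol, report, "read", {"hour": 10}),
        "abac_alice_report": abac_allows(alice, report, "read", {"hour": 10}),
        "abac_carol_after_hours": abac_allows(carol, report, "read", {"hour": 22}),
    }

if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Carol and Alice hold the same role, so RBAC cannot tell them apart; the ABAC rule separates them by certification and time of day.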
• In general, there is a flow of data from a source (e.g., host, file, memory) to a destination (e.g., remote host, other file, user) over a communication channel (e.g., wire, data bus).
• The task of the security system is to restrict access to this information to only those parties (persons or processes) that are authorized to have access according to the security policy in use.
• In the case of an automation system that is remotely connected to the Internet, the information flow is from/to a control application that manages sensors and actuators via communication lines of the public Internet and the network of the automation system (e.g., a field-bus).
1. Interruption:
• An asset of the system gets destroyed or becomes unavailable.
• This attack targets the source or the communication channel and prevents information from reaching its intended target (e.g., cut the wire, overload the link so that the information gets dropped because of congestion).
• Attacks in this category attempt to perform a kind of denial-of-service (DoS).
2. Interception: An unauthorized party gains access to the information by eavesdropping (secretly listening to a conversation) on the communication channel (e.g., wiretapping).
3. Modification:
• The information is not only intercepted, but modified by an unauthorized party while in transit from the source to the destination.
• By tampering with the information, it is actively altered (e.g., modifying message content). (Attack on Integrity)
4. Fabrication:
• In this type of attack a fake message is inserted into the network by an unauthorized user as if it came from a valid user.
• This results in the loss of confidentiality, authenticity and integrity of the message. (Attack on Authenticity)
• Different security mechanisms can be used to enforce the security properties defined in a given security policy.
• Depending on the anticipated attacks, different means have to be applied to satisfy the desired properties.
• These measures against attacks can be divided into three different classes: attack prevention, attack avoidance, and attack detection.
• Attack Prevention
• Attack Avoidance
• Secret Key Cryptography (Symmetric Encryption)
• Public Key Cryptography (Asymmetric Encryption)
• Authentication
• Digital Signatures
• Attack and Intrusion Detection
• Attack prevention is a class of security mechanisms that contains ways of preventing or defending against certain attacks before they can actually reach and affect the target.
• An important element in this category is access control, a mechanism that can be applied at different levels such as the operating system, the network, or the application layer.
• The most common form of access control used in multi-user computer systems is access control lists for resources, based on the user identity of the process that attempts to use them.
• When an attacker compromises a server machine behind a single firewall, all other machines can be attacked from this new base without restrictions.
• To prevent this, one can use two firewalls and the concept of a demilitarized zone (DMZ).
• Security mechanisms in this category assume that an intruder may access the desired resource but the information is modified in a way that makes it unusable for the attacker.
• The information is preprocessed at the sender before it is transmitted over the communication channel and post-processed at the receiver.
• While the information is transported over the communication channel, it resists attacks by being nearly useless for an intruder.
• The most important member in this category is cryptography, which is defined as the science of keeping messages secure.
• It allows the sender to transform information into a random data stream from the point of view of an attacker but to have it recovered by an authorized receiver.
• The transformation rules are described by a cryptographic algorithm.
• The function of this algorithm is based on two main principles: substitution and transposition.
• In the case of substitution, each element of the plain text (e.g., bit, block) is mapped into another element of the used alphabet.
• Transposition describes the process where elements of the plain text are rearranged.
• Most systems involve multiple steps (called rounds) of transposition and substitution to be more resistant against cryptanalysis.
• Attack Detection Systems for secure computer systems are an approach to enhancing the security of a computer system.
• In the past, they aimed at only providing a trail which could be useful in determining how a system was breached and who was responsible for this breach.
• More recently, attack detection systems have become automated tools which analyse audit data captured from a system, detect attacks as they take place and take measures to prevent further damage to the target system.
• Attack detection assumes that an attacker can obtain access to his desired targets and is successful in violating a given security policy.
• Mechanisms in this class are based on the optimistic assumption that most of the time the information is transferred without interference.
• When undesired actions occur, attack detection has the task of reporting that something went wrong and then to react in an appropriate way.
• In addition, it is often desirable to identify the exact type of attack. An important facet of attack detection is recovery.
• Often, it is enough to just report that malicious activity has been found, but some systems require that the effect of the attack has to be reverted or that an ongoing and discovered attack is stopped.
• Intrusion Detection is the process of identifying and responding to malicious activities targeted at computing and network resources.
• An IDS basically monitors and collects data from a target system that should be protected, processes and correlates the gathered information, and initiates responses when evidence for an intrusion is detected.
• IDS are traditionally classified as anomaly- or signature-based.
• Signature-based systems act similarly to virus scanners and look for known, suspicious patterns in their input data.
• Anomaly-based systems watch for deviations of actual from expected behavior and classify all "abnormal" activities as malicious.
• Anomaly Based
  ◦ Monitors network traffic
  ◦ Keeps track of patterns of traffic and information to obtain a baseline
  ◦ If a deviation in network behavior is detected, the IDS will assume an attack
• Signature Based
  ◦ An attack signature database is maintained
  ◦ Compares traffic to the database
  ◦ If a match is found, an alert is sent
  ◦ Requires constant updates
• Eliminates the need to shut down a network when an attack occurs
• Allows the user to observe the type of attack and the methods used by the attack to prevent future attacks
• The security baseline defines the criteria such as used bandwidth, protocols, ports, and the types of devices that can be connected to each other.
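Both detection styles run over the same traffic, as an added example that is not part of the original slides. The flow records, the two signatures, the field names and the three-standard-deviation bandwidth threshold are constructed for illustration; the baseline covers the criteria the slide lists (bandwidth, protocols, ports, device types).

```python
import re
from statistics import mean, pstdev

def flow(device, proto, dport, nbytes, payload=""):
    """Build one constructed flow record."""
    return {"device": device, "proto": proto, "dport": dport,
            "bytes": nbytes, "payload": payload}

# Constructed traffic from a known-good period, used to learn the baseline.
TRAINING = [
    flow("workstation", "tcp", 443, 1200), flow("workstation", "tcp", 443, 900),
    flow("workstation", "tcp", 80, 1500),  flow("workstation", "udp", 53, 120),
    flow("server", "tcp", 443, 1100),      flow("workstation", "tcp", 80, 1300),
]

# Constructed signature database (illustrative patterns, not a real rule set).
SIGNATURES = {
    "SIG-001 directory traversal": re.compile(r"\.\./\.\./"),
    "SIG-002 SQL injection probe": re.compile(r"(?i)union\s+select"),
}

def learn_baseline(flows, k=3.0):
    """Record allowed protocols, ports, device types and a bandwidth ceiling."""
    sizes = [f["bytes"] for f in flows]
    return {
        "protocols": {f["proto"] for f in flows},
        "ports": {f["dport"] for f in flows},
        "devices": {f["device"] for f in flows},
        "max_bytes": mean(sizes) + k * pstdev(sizes),  # assumption: mean + 3 sigma
    }

def signature_alerts(f):
    """Signature-based: alert only when a known pattern matches."""
    return [name for name, rx in SIGNATURES.items() if rx.search(f["payload"])]

def anomaly_alerts(f, baseline):
    """Anomaly-based: alert on every deviation from the learned baseline."""
    reasons = []
    if f["proto"] not in baseline["protocols"]:
        reasons.append("protocol")
    if f["dport"] not in baseline["ports"]:
        reasons.append("port")
    if f["device"] not in baseline["devices"]:
        reasons.append("device")
    if f["bytes"] > baseline["max_bytes"]:
        reasons.append("bandwidth")
    return reasons

def run():
    baseline = learn_baseline(TRAINING)
    live = {  # constructed live traffic
        "normal": flow("workstation", "tcp", 443, 1000, "GET /index.html"),
        "known_attack": flow("workstation", "tcp", 80, 1400,
                             "GET /item?id=1 UNION SELECT 1"),
        "novel": flow("printer", "tcp", 8081, 900, "opaque binary data"),
        "backup": flow("server", "tcp", 443, 50000, "nightly backup upload"),
    }
    return {name: {"signature": signature_alerts(f),
                   "anomaly": anomaly_alerts(f, baseline)}
            for name, f in live.items()}

if __name__ == "__main__":
    for name, alerts in run().items():
        print(name, alerts)
```

The `known_attack` flow stays inside the baseline and is caught only by its signature, `novel` has no signature and is caught only as a deviation, and the benign `backup` flow shows the false positive that follows from treating every abnormal activity as malicious.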
• Commercial use of the Web continues to grow at an astonishing pace, and securing Web transactions has become increasingly critical to businesses, organizations, and individual users.
• Fortunately, an extremely effective and widely deployed communications protocol provides exactly that security. It is the Secure Sockets Layer protocol, more commonly known simply as SSL. The SSL protocol—along with its successor, the Transport Layer Security (TLS) protocol.
• The idea of secure network protocols is to create an additional layer between the application and the transport/network layer to provide services for a secure end-to-end communication channel.
• TCP/IP are almost always used as transport/network layer protocols on the Internet and their task is to provide a reliable end-to-end connection between remote tasks on different machines that intend to communicate.
• The services on that level are usually directly utilized by application protocols to exchange data, for example, Hypertext Transfer Protocol (HTTP) for web services.
• Unfortunately, the network layer transmits these data unencrypted, leaving them vulnerable to eavesdropping or tampering attacks.
• In addition, the authentication mechanisms of TCP/IP are only minimal, thereby allowing a malicious user to hijack connections and redirect traffic to his machine as well as to impersonate legitimate services.
• These threats are mitigated by secure network protocols that provide privacy and data integrity between two communicating applications by creating an encrypted and authenticated channel.
Separate Security Protocol:
• The designers of the Secure Sockets Layer decided to create a separate protocol just for security.
• In effect, they added a layer to the Internet's protocol architecture.
• SSL adds security by acting as a separate security protocol, inserting itself between the HTTP application and TCP.
• By acting as a new protocol, SSL requires very few changes in the protocols above and below.
• In addition to requiring minimal changes to existing implementations, this approach has another significant benefit: It allows SSL to support applications other than HTTP.
• The main motivation behind the development of SSL was Web security, but, as figure 1-5 shows, SSL is also used to add security to other Internet applications, including those of the Net News Transfer Protocol (NNTP) and the File Transfer Protocol (FTP).
• Although the designers of SSL chose a different strategy, it is also possible to add security services directly in an application protocol.
• Indeed, standard HTTP does include some extremely rudimentary security features; however, those security features don't provide adequate protection for real electronic commerce.
• At about the same time Netscape was designing SSL, another group of protocol designers was working on an enhancement to HTTP known as Secure HTTP.
• The separate protocol approach of SSL can be taken one step further if security services are added directly to a core networking protocol.
• That is exactly the approach of the IP Security (IPsec) architecture; full security services become an optional part of the Internet Protocol itself.
• In most cases, the application does not need to change at all to take advantage of IPsec.
• Figure 1-7 illustrates the IPsec architecture.
• The IPsec architecture has many of the same advantages as SSL. It is independent of the application protocol, so any application may use it.
• TCP: provides a reliable end-to-end service.
• TCP & SSL: provides a reliable & secure end-to-end service.
• HTTPS: HTTP over SSL (or TLS)
• Typically on port 443 (regular HTTP on port 80)
• SSL originally developed by Netscape
• Subsequently became Internet standard known as TLS (Transport Layer Security)
• SSL Record Protocol provides two services.
• Message integrity
  ◦ using a MAC (Message Authentication Code) with a shared secret key
  ◦ similar to HMAC (Hash-based Message Authentication Code) but with different padding
  ◦ hash functions: MD5 (Message Digest), SHA-1 (Secure Hash Algorithm)
• Message confidentiality
  ◦ using symmetric encryption with a shared secret key
  ◦ encryption algorithms: AES, DES, 3DES, RC4
[Figure: SSL Record Protocol operation. Labels: "(optional; default: null)", "≤ 2^14 bytes"]
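The message-integrity service of the record protocol, as an added example that is not part of the original slides: data is split into fragments of at most 2^14 bytes and each fragment gets the SSL 3.0 MAC, which has the same nested shape as HMAC but concatenates the pad bytes instead of XOR-ing them into the key. The key and data are constructed, and the encryption step is left out because the Python standard library has no block cipher.

```python
import hashlib
import hmac
import struct

MAX_FRAGMENT = 2 ** 14                 # record fragments are at most 2^14 bytes
PAD_LEN = {"md5": 48, "sha1": 40}      # SSL 3.0 pad lengths per hash function
APPLICATION_DATA = 23                  # record content type for application data

def ssl3_mac(secret: bytes, seq: int, ctype: int, fragment: bytes,
             hash_name: str = "sha1") -> bytes:
    """hash(secret + pad_2 + hash(secret + pad_1 + seq + type + length + data))."""
    n = PAD_LEN[hash_name]
    header = struct.pack("!QBH", seq, ctype, len(fragment))  # 8 + 1 + 2 bytes
    inner = hashlib.new(hash_name,
                        secret + b"\x36" * n + header + fragment).digest()
    return hashlib.new(hash_name, secret + b"\x5c" * n + inner).digest()

def split_fragments(data: bytes) -> list:
    """Fragmentation step: cut the application data into <= 2^14-byte blocks."""
    return [data[i:i + MAX_FRAGMENT] for i in range(0, len(data), MAX_FRAGMENT)]

def protect(secret: bytes, data: bytes, hash_name: str = "sha1") -> list:
    """Return [(fragment, mac), ...]; the implicit sequence number is the index."""
    return [(frag, ssl3_mac(secret, seq, APPLICATION_DATA, frag, hash_name))
            for seq, frag in enumerate(split_fragments(data))]

def verify(secret: bytes, records: list, hash_name: str = "sha1") -> bool:
    """Receiver side: recompute each MAC with its own sequence counter."""
    for seq, (frag, mac) in enumerate(records):
        expected = ssl3_mac(secret, seq, APPLICATION_DATA, frag, hash_name)
        if not hmac.compare_digest(expected, mac):   # constant-time comparison
            return False
    return True

def demo() -> dict:
    secret = b"constructed-mac-write-secret"          # constructed shared key
    data = b"".join(i.to_bytes(2, "big") for i in range(20000))  # 40000 bytes
    records = protect(secret, data)

    # Flip one bit in the middle fragment while keeping its MAC.
    frag, mac = records[1]
    tampered = list(records)
    tampered[1] = (bytes([frag[0] ^ 0x01]) + frag[1:], mac)

    # Swap two records: the sequence number inside the MAC exposes reordering.
    reordered = [records[1], records[0], records[2]]

    header = struct.pack("!QBH", 0, APPLICATION_DATA, len(records[0][0]))
    plain_hmac = hmac.new(secret, header + records[0][0], hashlib.sha1).digest()
    return {
        "fragment_sizes": [len(f) for f, _ in records],
        "mac_length": len(records[0][1]),
        "valid": verify(secret, records),
        "tampered_valid": verify(secret, tampered),
        "reordered_valid": verify(secret, reordered),
        "same_as_hmac": records[0][1] == plain_hmac,
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```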
SSL Roles:
• The Secure Sockets Layer protocol defines two different roles for the communicating parties.
• One system is always a client, while the other is a server.
• The distinction is very important, because SSL requires the two systems to behave very differently.
• The client is the system that initiates the secure communications; the server responds to the client's request.
• In the most common use of SSL, secure Web browsing, the Web browser is the SSL client and the Web site is the SSL server.
• SSL 1.0
  ◦ Internal Netscape design, early 1994?
  ◦ Lost in the mists of time
• SSL 2.0
  ◦ Published by Netscape, November 1994
  ◦ Badly broken
• SSL 3.0
  ◦ Designed by Netscape and Paul Kocher, November 1996
• TLS 1.0
  ◦ Internet standard based on SSL 3.0, January 1999
[Figure residue. Labels: "if it has one", "ASYMMETRIC", "SYMMETRIC", "SECURE TRANSMISSION BEGINS HERE". Source: Web Security]
Reference Text Books:
1. W. Stallings, Network Security Essentials: Applications & Standards, 4th edition, Prentice Hall, 2003.
2. C. Easttom, Computer Security Fundamentals, Prentice Hall, May 2005.
3. D. Russell and G.T. Gangemi, Computer Security Basics, O'Reilly & Associates, 1991.
4. M. Bishop, Computer Security: Art and Science, Addison-Wesley, 2002.
5. S. A. Thomas, SSL and TLS Essentials: Securing the Web, Wiley, 2000.
THANK YOU
COET, Dilla University 59

More Related Content

Similar to ANS_Ch_04_Handouts.pdf

what is firewall in information security?
what is firewall in information security?what is firewall in information security?
what is firewall in information security?
ezoicxcom
 
Application Of An Operating System Security
Application Of An Operating System SecurityApplication Of An Operating System Security
Application Of An Operating System Security
Amber Wheeler
 
Investigation, Design and Implementation of a Secure
Investigation, Design and Implementation of a SecureInvestigation, Design and Implementation of a Secure
Investigation, Design and Implementation of a Secure
Firas Alsayied
 
Network security architecture is the planning and design of the camp.pdf
Network security architecture is the planning and design of the camp.pdfNetwork security architecture is the planning and design of the camp.pdf
Network security architecture is the planning and design of the camp.pdf
aquazac
 
Access control3
Access control3Access control3
Access control3
Awhydot
 
Access control3
Access control3Access control3
Access control3
Awhydot
 
Ijarcet vol-2-issue-3-942-946
Ijarcet vol-2-issue-3-942-946Ijarcet vol-2-issue-3-942-946
Ijarcet vol-2-issue-3-942-946
Editor IJARCET
 
what is firewall in information security?
what is firewall in information security?what is firewall in information security?
what is firewall in information security?
haq107457
 

Similar to ANS_Ch_04_Handouts.pdf (20)

Firewall protection
Firewall protectionFirewall protection
Firewall protection
 
Firewall and It's Types
Firewall and It's TypesFirewall and It's Types
Firewall and It's Types
 
CN. Presentation for submitting project term pptx
CN. Presentation for submitting project term pptxCN. Presentation for submitting project term pptx
CN. Presentation for submitting project term pptx
 
Ii2514901494
Ii2514901494Ii2514901494
Ii2514901494
 
what is firewall in information security?
what is firewall in information security?what is firewall in information security?
what is firewall in information security?
 
Ch20 book
Ch20 bookCh20 book
Ch20 book
 
Application Of An Operating System Security
Application Of An Operating System SecurityApplication Of An Operating System Security
Application Of An Operating System Security
 
Investigation, Design and Implementation of a Secure
Investigation, Design and Implementation of a SecureInvestigation, Design and Implementation of a Secure
Investigation, Design and Implementation of a Secure
 
CompTIA Security Plus Mini Bootcamp Session
CompTIA Security Plus Mini Bootcamp Session  CompTIA Security Plus Mini Bootcamp Session
CompTIA Security Plus Mini Bootcamp Session
 
J1087181
J1087181J1087181
J1087181
 
International Journal of Engineering Research and Development
International Journal of Engineering Research and DevelopmentInternational Journal of Engineering Research and Development
International Journal of Engineering Research and Development
 
Network security architecture is the planning and design of the camp.pdf
Network security architecture is the planning and design of the camp.pdfNetwork security architecture is the planning and design of the camp.pdf
Network security architecture is the planning and design of the camp.pdf
 
Access control3
Access control3Access control3
Access control3
 
Access control3
Access control3Access control3
Access control3
 
Ijarcet vol-2-issue-3-942-946
Ijarcet vol-2-issue-3-942-946Ijarcet vol-2-issue-3-942-946
Ijarcet vol-2-issue-3-942-946
 
what is firewall in information security?
what is firewall in information security?what is firewall in information security?
what is firewall in information security?
 
Firewalls.pdfdifferencesCalculate the number of moles of Mg(NO3)2 in 44.4 g o...
Firewalls.pdfdifferencesCalculate the number of moles of Mg(NO3)2 in 44.4 g o...Firewalls.pdfdifferencesCalculate the number of moles of Mg(NO3)2 in 44.4 g o...
Firewalls.pdfdifferencesCalculate the number of moles of Mg(NO3)2 in 44.4 g o...
 
Achieving Secure, sclable and finegrained Cloud computing report
Achieving Secure, sclable and finegrained Cloud computing reportAchieving Secure, sclable and finegrained Cloud computing report
Achieving Secure, sclable and finegrained Cloud computing report
 
Advance Technology
Advance TechnologyAdvance Technology
Advance Technology
 
Security assignment (copy)
Security assignment (copy)Security assignment (copy)
Security assignment (copy)
 

More from MeymunaMohammed1 (11)

Chapter 6-Synchronozation2.ppt
Chapter 6-Synchronozation2.pptChapter 6-Synchronozation2.ppt
Chapter 6-Synchronozation2.ppt
 
Distributed system.pptx
Distributed system.pptxDistributed system.pptx
Distributed system.pptx
 
ANS_Ch_05_Handouts.pdf
ANS_Ch_05_Handouts.pdfANS_Ch_05_Handouts.pdf
ANS_Ch_05_Handouts.pdf
 
Seminar Course instruction .ppt
Seminar Course instruction .pptSeminar Course instruction .ppt
Seminar Course instruction .ppt
 
M.Sc Mobile computing.pptx
M.Sc Mobile computing.pptxM.Sc Mobile computing.pptx
M.Sc Mobile computing.pptx
 
Cloud_Ch_01_Handouts(1).pdf
Cloud_Ch_01_Handouts(1).pdfCloud_Ch_01_Handouts(1).pdf
Cloud_Ch_01_Handouts(1).pdf
 
ANS_Ch_06_Handouts.pdf
ANS_Ch_06_Handouts.pdfANS_Ch_06_Handouts.pdf
ANS_Ch_06_Handouts.pdf
 
ANS_Ch_05_Handouts.pdf
ANS_Ch_05_Handouts.pdfANS_Ch_05_Handouts.pdf
ANS_Ch_05_Handouts.pdf
 
Chapter 3-Processes2.pptx
Chapter 3-Processes2.pptxChapter 3-Processes2.pptx
Chapter 3-Processes2.pptx
 
Chapter 2-Architectures23.ppt
Chapter 2-Architectures23.pptChapter 2-Architectures23.ppt
Chapter 2-Architectures23.ppt
 
Chapter 2-Architectures2.ppt
Chapter 2-Architectures2.pptChapter 2-Architectures2.ppt
Chapter 2-Architectures2.ppt
 

Recently uploaded

Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Victor Rentea
 

Recently uploaded (20)

Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...

ANS_Ch_04_Handouts.pdf

  • 1. School of Computing & Informatics. M.Sc. in Computer Science & Networking. Course Number: CN6122. Course Title: Advanced Network Security. Chapter 04. By Dr. Ananda Kumar K S, M.Tech, Ph.D, Associate Professor, School of Comp & Info, COET, Dilla University. Email: anandgdk@du.edu.et
  • 2. Chapter 04: 4.1 Firewalls; 4.2 Access Methods; 4.3 Security Attacks; 4.4 Security Mechanisms; 4.5 Secure Network Protocols: SSL & TLS
  • 3. A firewall is, in essence, a barrier between your network and the outside world. At a minimum, it will filter incoming packets based on certain parameters such as packet size, source IP address, protocol, and destination port. Linux and Windows (beginning with Windows XP and in all subsequent Windows versions) ship with a simple firewall. For Windows, the firewall in Windows 7 was expanded to handle filtering both inbound and outbound traffic.
  • 4. In an organizational setting, you need a dedicated firewall between your network and the outside world. This might be a router that also has built-in firewall capabilities. (Cisco Systems is one company that is well known for high-quality routers and firewalls.) Or, it might be a server that is dedicated solely to running firewall software. A firewall protects your computer by examining each information packet that travels over the network. Clues to a packet's purpose can be read from its destination address. Firewalls contain a list of allowed and disallowed destinations and functions.
  • 5. A firewall filters packets flowing between a site and the rest of the Internet.
  • 6. [BELL94b] lists the following design goals for a firewall: (1) All traffic from inside to outside, and vice versa, must pass through the firewall. This is achieved by physically blocking all access to the local network except via the firewall. (2) Only authorized traffic, as defined by the local security policy, will be allowed to pass. Various types of firewalls are used, which implement various types of security policies. (3) The firewall itself is immune to penetration. This implies the use of a hardened system with a secured operating system. Trusted computer systems are suitable for hosting a firewall and are often required in government applications.
  • 7. Firewalls can be set up to offer security services to many TCP/IP layers. The many types of firewalls are classified based on the network layer they offer services in and the types of services offered. They include: Packet Inspection Firewalls, which are routers that inspect the source or destination addresses and ports of incoming or outgoing TCP, UDP, and ICMP (Internet Control Message Protocol) packets being sent between networks and accept or reject each packet based on the specific packet policies set in the organization's security policy.
  • 8. Application Proxy Server (Filtering Based on Known Services): a server machine that sits between a client application and the server offering the services the client application may want. It behaves as a server to the client and as a client to the server, hence a proxy, providing a higher level of filtering than the packet filter server by examining individual application packet data streams.
  • 9. Virtual Private Network (VPN) Firewalls: A VPN is a cryptographic system, including Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP), and IPSec, that carries Point-to-Point Protocol (PPP) frames across an Internet with multiple data links with added security. The advantages of a VPN over non-VPN connections like standard Internet connections are: VPN technology encrypts its connections; connections are limited to only machines with specified IP addresses.
  • 10. Small Office or Home (SOHO) Firewalls: A SOHO firewall is a relatively small firewall connecting a few personal computers via a hub, switch, a bridge, even a router on one side and connecting to a broadband modem like DSL or cable on the other. NAT Firewalls (Network Address Translation): In a functioning network, every host is assigned an IP address. In a fixed network where these addresses are static, it is easy for a hacker to get hold of a host and use it to stage attacks on other hosts within and outside the network. To prevent this from happening, a NAT filter can be used. It hides all inside host TCP/IP information. A NAT firewall actually functions as a proxy server by hiding identities of all internal hosts and making requests on behalf of all internal hosts on the network. This means that to an outside host, all the internal hosts have one public IP address, that of the NAT.
  • 11. In the context of network security, access control is the ability to limit and control the access to host systems and applications via communications links. To achieve this, each entity trying to gain access must first be identified, or authenticated, so that access rights can be tailored to the individual. Access Control Methods: An interesting problem with security is that not only must information be protected from outsiders, it must sometimes be protected from insiders as well.
  • 12. The term Access Control actually refers to the control over access to system resources after a user's account credentials and identity have been authenticated and access to the system granted. Various methods that control access to network environments are described in the following sections: Discretionary access control (DAC); Role-based access control (RBAC); Mandatory access control (MAC); Attribute Based Access Control (ABAC).
  • 13. Mandatory Access Control (MAC) is the strictest of all levels of control. The design of MAC was defined by, and is primarily used by, the government. MAC takes a hierarchical approach to controlling access to resources. Under a MAC-enforced environment, access to all resource objects (such as data files) is controlled by settings defined by the system administrator. As such, all access to resource objects is strictly controlled by the operating system based on system administrator configured settings. It is not possible under MAC enforcement for users to change the access control of a resource.
  • 14. Unlike Mandatory Access Control (MAC), where access to system resources is controlled by the operating system (under the control of a system administrator), Discretionary Access Control (DAC) allows each user to control access to their own data. DAC is typically the default access control mechanism for most desktop operating systems. Instead of a security label as in the case of MAC, each resource object on a DAC-based system has an Access Control List (ACL) associated with it. An ACL contains a list of users and groups to which the user has permitted access, together with the level of access for each user or group.
  • 15. Role Based Access Control (RBAC), also known as Non-discretionary Access Control, takes more of a real-world approach to structuring access control. Access under RBAC is based on a user's job function within the organization to which the computer system belongs. Essentially, RBAC assigns permissions to particular roles in an organization. Users are then assigned to that particular role. For example, an accountant in a company will be assigned to the Accountant role, gaining access to all the resources permitted for all accountants on the system. Similarly, a software engineer might be assigned to the developer role.
  • 16. Roles differ from groups in that while users may belong to multiple groups, a user under RBAC may only be assigned a single role in an organization. Additionally, there is no way to provide individual users additional permissions over and above those available for their role. The accountant described above gets the same permissions as all other accountants, nothing more and nothing less.
  • 17. In recent years, ABAC has become increasingly significant due to the growing popularity of large distributed systems. One of the main drawbacks of RBAC is the difficulty of assigning privileges to an individual. ABAC provides an effective solution since user attributes are the criteria used to determine user authorization. This access policy improves upon RBAC in the following areas: delegation of attribute authority, decentralization of attributes, and interference of attributes. To protect the sensitivity of credentials, ABAC contains several policies for maintaining user confidentiality and data integrity.
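The four access control methods from the slides above, evaluated side by side, as an added example that is not part of the original slides. All user names, resources, labels and the ABAC policy are hypothetical; the MAC rule shown (read only when clearance dominates the label) is an assumed policy, since the slides only say that labels are set by the administrator.

```python
from dataclasses import dataclass, field


# --- DAC: every object carries an ACL that its owner may edit ---
@dataclass
class DacObject:
    owner: str
    acl: dict = field(default_factory=dict)      # user -> set of rights

    def grant(self, actor, user, right):
        if actor != self.owner:
            raise PermissionError("only the owner may change the ACL")
        self.acl.setdefault(user, set()).add(right)

    def allowed(self, user, right):
        return user == self.owner or right in self.acl.get(user, set())


# --- MAC: labels are set by the administrator; users cannot change them ---
LEVELS = {"public": 0, "confidential": 1, "secret": 2}   # hypothetical hierarchy


def mac_allowed(clearance, label):
    # Assumed rule: read only when the subject's clearance dominates the label.
    return LEVELS[clearance] >= LEVELS[label]


# --- RBAC: permissions attach to roles, one role per user (as on the slides) ---
ROLE_PERMS = {
    "accountant": {("ledger", "read"), ("ledger", "write")},
    "developer": {("source", "read"), ("source", "write")},
}
USER_ROLE = {"alice": "accountant", "bob": "accountant", "carol": "developer"}


def rbac_allowed(user, resource, right):
    return (resource, right) in ROLE_PERMS.get(USER_ROLE.get(user), set())


# --- ABAC: the decision is computed from subject, resource and context attributes ---
def abac_allowed(subject, resource, right, context):
    same_dept = subject["department"] == resource["department"]
    if right == "read":
        return same_dept
    if right == "write":
        return (same_dept and context["on_site"]
                and subject["seniority"] >= resource["min_seniority"])
    return False


def demo():
    results = {}
    report = DacObject(owner="alice")
    report.grant("alice", "carol", "read")          # owner shares at her discretion
    results["dac_carol_read"] = report.allowed("carol", "read")
    results["dac_carol_write"] = report.allowed("carol", "write")
    try:
        report.grant("carol", "bob", "read")        # a non-owner cannot re-share
        results["dac_non_owner_grant"] = True
    except PermissionError:
        results["dac_non_owner_grant"] = False
    results["mac_confidential_reads_secret"] = mac_allowed("confidential", "secret")
    results["mac_secret_reads_confidential"] = mac_allowed("secret", "confidential")
    # RBAC: both accountants get identical rights, nothing more, nothing less.
    results["rbac_alice_ledger"] = rbac_allowed("alice", "ledger", "write")
    results["rbac_bob_ledger"] = rbac_allowed("bob", "ledger", "write")
    results["rbac_alice_source"] = rbac_allowed("alice", "source", "read")
    # ABAC: attributes tell the two accountants apart.
    ledger = {"department": "finance", "min_seniority": 3}
    alice = {"department": "finance", "seniority": 5}
    bob = {"department": "finance", "seniority": 1}
    ctx = {"on_site": True}
    results["abac_alice_write"] = abac_allowed(alice, ledger, "write", ctx)
    results["abac_bob_write"] = abac_allowed(bob, ledger, "write", ctx)
    results["abac_bob_read"] = abac_allowed(bob, ledger, "read", ctx)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```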
  • 19. In general, there is a flow of data from a source (e.g., host, file, memory) to a destination (e.g., remote host, other file, user) over a communication channel (e.g., wire, data bus). The task of the security system is to restrict access to this information to only those parties (persons or processes) that are authorized to have access according to the security policy in use. In the case of an automation system that is remotely connected to the Internet, the information flow is from/to a control application that manages sensors and actuators via communication lines of the public Internet and the network of the automation system (e.g., a field-bus).
  • 22. 1. Interruption: An asset of the system gets destroyed or becomes unavailable. This attack targets the source or the communication channel and prevents information from reaching its intended target (e.g., cut the wire, overload the link so that the information gets dropped because of congestion). Attacks in this category attempt to perform a kind of denial-of-service (DoS). 2. Interception: An unauthorized party gains access to the information by eavesdropping (secretly listening to a conversation) on the communication channel (e.g., wiretapping).
  • 23. 3. Modification: The information is not only intercepted, but modified by an unauthorized party while in transit from the source to the destination. By tampering with the information, it is actively altered (e.g., modifying message content). (Attack on Integrity) 4. Fabrication: In this type of attack a fake message is inserted into the network by an unauthorized user as if it came from a valid user. This results in the loss of confidentiality, authenticity and integrity of the message. (Attack on Authenticity)
  • 24. Different security mechanisms can be used to enforce the security properties defined in a given security policy. Depending on the anticipated attacks, different means have to be applied to satisfy the desired properties. These measures against attacks are divided into three different classes: attack prevention, attack avoidance, and attack detection.
  • 25. Attack Prevention; Attack Avoidance; Secret Key Cryptography (Symmetric Encryption); Public Key Cryptography (Asymmetric Encryption); Authentication; Digital Signatures; Attack and Intrusion Detection.
  • 26. Attack prevention is a class of security mechanisms that contains ways of preventing or defending against certain attacks before they can actually reach and affect the target. An important element in this category is access control, a mechanism that can be applied at different levels such as the operating system, the network, or the application layer.
  • 27. The most common form of access control used in multi-user computer systems is access control lists for resources that are based on the user identity of the process that attempts to use them. When an attacker compromises a server machine behind a single firewall, all other machines can be attacked from this new base without restrictions. To prevent this, one can use two firewalls and the concept of a demilitarized zone (DMZ).
  • 29. Security mechanisms in this category assume that an intruder may access the desired resource but the information is modified in a way that makes it unusable for the attacker. The information is preprocessed at the sender before it is transmitted over the communication channel and post-processed at the receiver. While the information is transported over the communication channel, it resists attacks by being nearly useless for an intruder.
  • 30. The most important member in this category is cryptography, which is defined as the science of keeping messages secure. It allows the sender to transform information into a random data stream from the point of view of an attacker but to have it recovered by an authorized receiver. The transformation rules are described by a cryptographic algorithm.
  • 31. The function of this algorithm is based on two main principles: substitution and transposition. In the case of substitution, each element of the plain text (e.g., bit, block) is mapped into another element of the used alphabet. Transposition describes the process where elements of the plain text are rearranged. Most systems involve multiple steps (called rounds) of transposition and substitution to be more resistant against cryptanalysis.
  • 32. Attack Detection Systems for secure computer systems are an approach to enhancing the security of a computer system. In the past, they aimed at only providing a trail which could be useful in determining how a system was breached and who was responsible for this breach. More recently, attack detection systems have become automated tools which analyse audit data captured from a system, detect attacks as they take place and take measures to prevent further damage to the target system.
  • 33. Attack detection assumes that an attacker can obtain access to his desired targets and is successful in violating a given security policy. Mechanisms in this class are based on the optimistic assumption that most of the time the information is transferred without interference. When undesired actions occur, attack detection has the task of reporting that something went wrong and then reacting in an appropriate way.
  • 34. In addition, it is often desirable to identify the exact type of attack. An important facet of attack detection is recovery. Often, it is enough to just report that malicious activity has been found, but some systems require that the effect of the attack be reverted or that an ongoing and discovered attack be stopped. Intrusion Detection is the process of identifying and responding to malicious activities targeted at computing and network resources.
  • 35. An IDS basically monitors and collects data from a target system that should be protected, processes and correlates the gathered information, and initiates responses when evidence for an intrusion is detected. IDS are traditionally classified as anomaly-based or signature-based. Signature-based systems act similarly to virus scanners and look for known, suspicious patterns in their input data. Anomaly-based systems watch for deviations of actual from expected behavior and classify all "abnormal" activities as malicious.
  • 38. Anomaly based: monitors network traffic; keeps track of patterns of traffic and information to obtain a baseline; if a deviation in network behavior is detected, the IDS will assume an attack. Signature based: an attack signature database is maintained; traffic is compared to the database; if a match is found, an alert is sent; requires constant updates.
  • 39. Eliminates the need to shut down a network when an attack occurs. Allows the user to observe the type of attack and the methods used by the attack, to prevent future attacks. The security baseline defines criteria such as used bandwidth, protocols, ports, and the types of devices that can be connected to each other.
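The two IDS classes from the slides above, run over the same traffic, as an added example that is not part of the original slides. The traffic records, the two signatures and the baseline criteria (ports seen during training, bytes per minute with a mean plus three standard deviations limit) are constructed for illustration.

```python
import re
import statistics

# Signature database: name -> pattern for a known suspicious request (constructed).
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "passwd-read": re.compile(r"/etc/passwd"),
}

# Constructed training traffic, assumed to be attack free.
TRAINING = [
    {"minute": m, "dport": 443, "bytes": b, "payload": "GET /index.html"}
    for m, b in enumerate([1000, 1100, 900, 1050, 950])
]

# Constructed live traffic.
LIVE = [
    {"minute": 10, "dport": 443, "bytes": 1020, "payload": "GET /index.html"},
    {"minute": 11, "dport": 443, "bytes": 980,
     "payload": "GET /download?file=../../report.txt"},
    {"minute": 12, "dport": 443, "bytes": 9000, "payload": "POST /upload"},
    {"minute": 13, "dport": 8081, "bytes": 500, "payload": ""},
]


def signature_alerts(records):
    """Compare each record to the signature database; alert on every match."""
    return sorted((rec["minute"], name)
                  for rec in records
                  for name, pattern in SIGNATURES.items()
                  if pattern.search(rec["payload"]))


def volume_per_minute(records):
    totals = {}
    for rec in records:
        totals[rec["minute"]] = totals.get(rec["minute"], 0) + rec["bytes"]
    return totals


def learn_baseline(records):
    """Baseline = ports observed plus mean and spread of bytes per minute."""
    volumes = list(volume_per_minute(records).values())
    return {"ports": {rec["dport"] for rec in records},
            "mean": statistics.mean(volumes),
            "stdev": statistics.pstdev(volumes)}


def anomaly_alerts(records, baseline, k=3.0):
    """Alert on any deviation from the baseline: unseen port or excess volume."""
    alerts = [(rec["minute"], "new-port:%d" % rec["dport"])
              for rec in records if rec["dport"] not in baseline["ports"]]
    limit = baseline["mean"] + k * baseline["stdev"]
    alerts += [(minute, "volume")
               for minute, total in volume_per_minute(records).items()
               if total > limit]
    return sorted(alerts)


if __name__ == "__main__":
    print("signature:", signature_alerts(LIVE))
    print("anomaly:  ", anomaly_alerts(LIVE, learn_baseline(TRAINING)))
```

The request at minute 11 looks normal in volume and port, so only the signature engine sees it; the events at minutes 12 and 13 match no known pattern, so only the anomaly engine sees them.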
  • 40. Commercial use of the Web continues to grow at an astonishing pace, and securing Web transactions has become increasingly critical to businesses, organizations, and individual users. Fortunately, an extremely effective and widely deployed communications protocol provides exactly that security. It is the Secure Sockets Layer protocol, more commonly known simply as SSL. The SSL protocol, along with its successor, the Transport Layer Security (TLS) protocol.
  • 41. The idea of secure network protocols is to create an additional layer between the application and the transport/network layer to provide services for a secure end-to-end communication channel. TCP/IP are almost always used as transport/network layer protocols on the Internet and their task is to provide a reliable end-to-end connection between remote tasks on different machines that intend to communicate.
  • 42. The services on that level are usually directly utilized by application protocols to exchange data, for example, Hypertext Transfer Protocol (HTTP) for web services. Unfortunately, the network layer transmits these data unencrypted, leaving them vulnerable to eavesdropping or tampering attacks. In addition, the authentication mechanisms of TCP/IP are only minimal, thereby allowing a malicious user to hijack connections and redirect traffic to his machine as well as to impersonate legitimate services.
  • 43. These threats are mitigated by secure network protocols that provide privacy and data integrity between two communicating applications by creating an encrypted and authenticated channel. Separate Security Protocol: The designers of the Secure Sockets Layer decided to create a separate protocol just for security. In effect, they added a layer to the Internet's protocol architecture.
  • 45. SSL adds security by acting as a separate security protocol, inserting itself between the HTTP application and TCP. By acting as a new protocol, SSL requires very few changes in the protocols above and below.
  • 46. In addition to requiring minimal changes to existing implementations, this approach has another significant benefit: it allows SSL to support applications other than HTTP. The main motivation behind the development of SSL was Web security, but, as figure 1-5 shows, SSL is also used to add security to other Internet applications, including those of the Net News Transfer Protocol (NNTP) and the File Transfer Protocol (FTP).
  • 47. Although the designers of SSL chose a different strategy, it is also possible to add security services directly in an application protocol. Indeed, standard HTTP does include some extremely rudimentary security features; however, those security features don't provide adequate protection for real electronic commerce. At about the same time Netscape was designing SSL, another group of protocol designers was working on an enhancement to HTTP known as Secure HTTP.
  • 49. The separate protocol approach of SSL can be taken one step further if security services are added directly to a core networking protocol. That is exactly the approach of the IP security (IPsec) architecture; full security services become an optional part of the Internet Protocol itself. In most cases, the application does not need to change at all to take advantage of IPsec.
  • 50. Figure 1-7 illustrates the IPsec architecture. The IPsec architecture has many of the same advantages as SSL. It is independent of the application protocol, so any application may use it.
  • 51. TCP: provides a reliable end-to-end service. TCP & SSL: provides a reliable & secure end-to-end service. HTTPS: HTTP over SSL (or TLS), typically on port 443 (regular HTTP on port 80). SSL was originally developed by Netscape and subsequently became the Internet standard known as TLS (Transport Layer Security).
  • 53. SSL Record Protocol provides two services. Message integrity: using a MAC (Message Authentication Code) with a shared secret key; similar to HMAC (Hash-based Message Authentication Code) but with different padding; hash functions: MD5 (Message Digest), SHA-1 (Secure Hash Algorithm). Message confidentiality: using symmetric encryption with a shared secret key; encryption algorithms: AES, DES, 3DES, RC4.
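The message integrity service described on the SSL Record Protocol slide, as an added example that is not part of the original slides: the SSL 3.0 record MAC (the "similar to HMAC but with different padding" construction, following the SSL 3.0 specification) next to the HMAC that TLS 1.0 uses. The key, the record contents and the `protect`/`verify` helper names are hypothetical, and the symmetric encryption step that would follow the MAC is left out.

```python
import hashlib
import hmac
import struct

APPLICATION_DATA = 23   # record content type for application data


def ssl3_mac(secret, seq_num, rec_type, fragment, hash_name="sha1"):
    """SSL 3.0 record MAC: hash(secret + pad_2 + hash(secret + pad_1 + data))."""
    pad_len = 48 if hash_name == "md5" else 40        # 48 bytes for MD5, 40 for SHA-1
    pad_1, pad_2 = b"\x36" * pad_len, b"\x5c" * pad_len
    # 64-bit sequence number, 1-byte type, 2-byte length, then the fragment.
    header = struct.pack("!QBH", seq_num, rec_type, len(fragment))
    inner = hashlib.new(hash_name, secret + pad_1 + header + fragment).digest()
    return hashlib.new(hash_name, secret + pad_2 + inner).digest()


def tls_mac(secret, seq_num, rec_type, fragment, hash_name="sha1", version=(3, 1)):
    """TLS 1.0 record MAC: standard HMAC, with the version added to the header."""
    header = struct.pack("!QBBBH", seq_num, rec_type,
                         version[0], version[1], len(fragment))
    return hmac.new(secret, header + fragment, hash_name).digest()


def protect(secret, seq_num, rec_type, fragment):
    """Sender side: append the MAC (encryption of the result is omitted here)."""
    return fragment + ssl3_mac(secret, seq_num, rec_type, fragment)


def verify(secret, seq_num, rec_type, record, mac_len=20):
    """Receiver side: return the fragment, or None if the MAC does not match."""
    if len(record) < mac_len:
        return None
    fragment, tag = record[:-mac_len], record[-mac_len:]
    expected = ssl3_mac(secret, seq_num, rec_type, fragment)
    return fragment if hmac.compare_digest(tag, expected) else None


if __name__ == "__main__":
    key = b"k" * 20                          # constructed shared MAC secret
    record = protect(key, 0, APPLICATION_DATA, b"GET / HTTP/1.0")
    tampered = bytes([record[0] ^ 0x01]) + record[1:]
    print("intact  :", verify(key, 0, APPLICATION_DATA, record))
    print("modified:", verify(key, 0, APPLICATION_DATA, tampered))
    print("replayed:", verify(key, 1, APPLICATION_DATA, record))
```

Because the sequence number is covered by the MAC, a record replayed at a later position fails verification just like a modified one.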
  • 55. SSL Roles: The Secure Sockets Layer protocol defines two different roles for the communicating parties. One system is always a client, while the other is a server. The distinction is very important, because SSL requires the two systems to behave very differently. The client is the system that initiates the secure communications; the server responds to the client's request. In the most common use of SSL, secure Web browsing, the Web browser is the SSL client and the Web site is the SSL server.
  • 56. SSL 1.0: internal Netscape design, early 1994? Lost in the mists of time. SSL 2.0: published by Netscape, November 1994; badly broken. SSL 3.0: designed by Netscape and Paul Kocher, November 1996. TLS 1.0: Internet standard based on SSL 3.0, January 1999.
  • 57. [Figure: diagram with stages labelled asymmetric and symmetric, the note "if it has one", and the marker "Secure transmission begins here". Source: Web Security.]
  • 58. Reference Text Books: 1. W. Stallings, Network Security Essentials: Applications & Standards, 4th edition, Prentice Hall, 2003. 2. C. Easttom, Computer Security Fundamentals, Prentice Hall, May 2005. 3. D. Russell and G.T. Gangemi, Computer Security Basics, O'Reilly & Associates, 1991. 4. M. Bishop, Computer Security: Art and Science, Addison-Wesley, 2002. 5. S. A. Thomas, SSL and TLS Essentials: Securing the Web, Wiley, 2000.