Course review
Download
1 / 81

Lecture 13 - PowerPoint PPT Presentation


  • 236 Views
  • Uploaded on

Course Review. Examination Format. Two Sections: Section A: Compulsory (25%) : Generic areas Section B: Choose Three questions out of four questions (75%) Specialised areas such as: In-line encryptor, IPSEC, SSL/SET, Server side. Firewall, Policy NO Multiple Choice. Examination Content.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Lecture 13' - Sharon_Dale


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Course review l.jpg

Course Review

Y KChoi


Examination format l.jpg
Examination Format

  • Two Sections:

  • Section A: Compulsory (25%) : Generic areas

  • Section B: Choose Three questions out of fourquestions (75%) Specialised areas such as:

    • In-line encryptor, IPSEC, SSL/SET, Server side. Firewall, Policy

  • NO Multiple Choice

Y KChoi


Examination content l.jpg
Examination Content

  • Test your

    • General awareness: definition

    • Understanding: description, calculation, drawing

    • In-depth knowledge : application

    • In-depth skill: problem solving

Y KChoi


Examination hour l.jpg
Examination Hour

  • 2 hours: 120 minutes

  • Time management:

    • 100 minutes to work out your questions

    • 20 minutes: to review your work and read questions

    • Please note that 1 minute == 1 mark

Y KChoi


Examination techniques l.jpg
Examination Techniques

  • State or define: give the definition only, no need to say anything that is not relevant. For example, state the definition of security, no need to mention security is important to the Internet, pad lock is used to protect door etc.

  • Briefly describe or list: simply list out the points, no need to comment. For example, list two means to physically protect your server room. Install a pad lock and security alarm, no need to say that digital lock is better etc.

  • Compare: write sown the similarities and differences. For example, compare the pad lock and digital lock, you should write down the similarity : to protect the system, the difference: the former is to use a key while the latter is to use a password etc.

Y KChoi


Examination techniques6 l.jpg
Examination Techniques

  • Draw/sketch: draw a block diagram.

  • Suggest/give a solution: write down solution together with at least one sentence to explain why it works.

  • Determine/calculate: compute the values.

  • Describe: put down your detailed explanation.

Y KChoi


Suggestion for your review l.jpg
Suggestion for your review

1) Go through each lecture

2) Work out the on-line questions

3) Go through the materials from the textbook or additional information on the web

4) repeat 1 to 3, unless you finish all lectures

5) review the examination techniques

6) attempt the examination specimen to see whether you know how to do it.

Y KChoi


What is computer security l1 l.jpg
What is Computer Security? – L1

Computer security is a protection that is afforded to an information system in order to attain the applicable objectives or preserving the integrity, availabilityandconfidentiality of information system resources. The information resources include hardware, software, information and data.

Computer security

Three objectives

Y KChoi


Three layers on security l.jpg
Three layers on Security

  • Physical security

  • Layer 2 – in line encryptor, point to point

  • Layer 3 – IPSEC

  • Layer 4 – SSL/SET

  • PKI, symmetric key

  • Server

  • Firewall

  • Contents and Language, Java

Technology

Procedure or Policy

Law

Y KChoi


Areas of vulnerability l.jpg
Areas of Vulnerability

There are four basic items

  • Hardware: physical devices

  • Software: without the OS, applications and network, it cannot run

  • Data: the essence of computer systems

  • People: can cause a great deal of damage

Y KChoi


People computer criminals l.jpg
People – Computer Criminals

Four areas of computer crime

  • Theft of computer time: common practice to remote log into the system (not common in the Internet). This includes the time it takes to repair the computer system after infected by virus, bomb etc.

  • Theft of data: physical remove data from files

  • Manipulation of computer programs: change or insert/delete program

  • Software piracy: illegal copying of software

Y KChoi


Threats to security l.jpg
Threats to security

  • Natural disasters: such as fire, floods, windstorms, earthquakes etc. We can do little to prevent natural disasters

  • Malfunctions: It cause much less damage, but occur frequently such as power surges, stray electrical forces, dust, operation error etc.

Y KChoi


Security measures l.jpg
Security Measures

  • Passwords: the most common means of user authentication. Generally used. Rules of choosing password:

  • Encryption: Encrypt the data. There are many standards such as Data Encryption Standard (DES) by IBM

  • Control: from planning to final implementation. This involves the progress review and acceptance test, post-installation review and periodic audits

  • Contingency planning: It is the backup plan in case an event my or may not occur. For example, if the application cannot operate, what should you do? (go back to manual system)

Y KChoi


Physical protection l2 l.jpg

Physical Protection – L2

Identify the natural disasters that threaten systems

Determine the damage assessment and reconstruction techniques

Design and select the physical location of a computer servers

Measure the air conditioning and power supply sources for computer center, servers and communication equipment

Describe the various access control mechanisms

Y KChoi


Type of natural disasters in hong kong l.jpg
Type of Natural Disasters in Hong Kong

Storms

Radiation

Fire

Floods

Y KChoi


Computer room l.jpg
Computer Room

  • A typical computer room with protection

Y KChoi


Web security l3 l.jpg

Web Security – L3

From ordinary users: it means the ability to browse the web in peace

For advanced users: it means the ability to conduct commercial transaction safely. For example, you are buying a toy over the Internet and is entering your visa number. You don’t want this information to be tapped by unauthorized persons.

Y KChoi


Three parts of web security l.jpg
Three Parts of Web security

Browser

  • Web browser

  • The internet

  • Server

Browser

Internet

Server

Y KChoi


Web security three parts l.jpg
Web security – three parts

  • Client-side security – To protect users’ privacy and integrity of his/her computer (browser)

  • Server-side security – To protect the server from break-ins and denial-of-service (sends huge garbage to make it unavailable)

  • Document confidentiality – To protect private information from being disclosed to third parties. .

Y KChoi



Risk to the web server three types l.jpg
Risk to the Web server – three types

  • Webjacking – The website is redirected to other location or the content is modified. The term is similar hi-jacking.

  • Server break-ins – The server is broken by intruders. You can use firewall to protect your server.

  • Denial-of-service (Dos) attack – A hacker cannot break your site but can send a huge garbage to make your site unavailable.

Y KChoi


What is cryptography l3 l.jpg
What is Cryptography? (L3)

  • The word comes from the Greek. It means “secret writing”.

Y KChoi


Four basic parts l.jpg
Four basic parts

DES

Algorithm

How are you?

IUt670,.

Plaintext

Ciphertext

1234

Key

Y KChoi


How to crack means break 1 l.jpg
How to Crack? (means break) (1)

  • Cryptanalysis: try to analyse the ciphertext to guess the meaning. For example, if the plaintext” How are you?” is converted to “uyi89rty89qwe89=“, we understand that “89” is used to replace the “space”. Of course, most of them are complicate and cannot be analyzed in this way.

  • Brute-force attack:Guess the key

Y KChoi


How to crack l.jpg
How to Crack?

  • If the key is two-digit number from 00 to 99, we can try 100 times, then we know the key. The average attempt is 100/2 = 50 times, as the key might be 12 or 86, we don’t need to try all of them. (In this case, the lock is an algorithm.)

  • An example, a numerical lock consists of three digits and you take 3 seconds to attempt one combination. How long you think you can break this lock? 3 x 1000/2 = 1500s = 25 minutes

Y KChoi


Types of cryptography l.jpg
Types of Cryptography

  • Symmetric: use the same key to encrypt and decrypt the message

  • Asymmetric: sender uses recipients’ public key to encrypt and the recipient uses private key to decrypt.

Y KChoi



Asymmetric cryptography l.jpg
Asymmetric Cryptography

  • It is also called public key cryptography.

  • It uses two keys separately to encrypt and decrypt message which is safer than symmetric cryptography as the key cannot be reproduced.

Y KChoi


Digital signature l.jpg
Digital Signature

  • The reversal of public key encryption

  • It uses sender’s private and public key rather than recipients’ public and private key.

Y KChoi


Example encryption l.jpg
Example - encryption

  • Assume the plaintext is 1 1 0 0

  • And the key is 1 0 1 0

  • The encrypted message (ciphertext) using exclusive-or is:

    1 1 0 0 (plaintext)

    1 0 1 0 (key)

    0 1 1 0 (Ciphertext)

Y KChoi


Type of ciphers l.jpg
Type of Ciphers

  • Stream cipher:

    • It is designed to accept a crypto key and a steam of plaintext to produce a stream of ciphertext

  • Block cipher

    • It is designed to take a block of a particular size, encrypt them with a key of a particular size and yield a block of cipertext block that is the same size of he plaintext block.

Y KChoi






Message digest functions l.jpg
Message Digest Functions

  • Message digest mean: Authentication without Encryption

    • Some times we only want authentication, but do not care about whether has been encrypted or not.

    • e.g., Message broadcast from authorized source (from Mr. Tung of SAR)

Y KChoi


Digital envelope l.jpg
Digital Envelope

Send both the ciphertext and digital envelope

Y KChoi


Certifying authorities and the public key infrastructure l.jpg
Certifying Authorities and the Public Key Infrastructure

  • The public key cryptography works well only the sender knows the recipient’s public key.

  • You can image the problem. If you have 100 recipients, you have to keep a small database of the 100’s public keys in your PC or ask the recipient to send you the public key.

Y KChoi


How you handle a signed certificate l.jpg
How you handle a signed certificate

  • Before the sender sends a secure message, the sender ask the recipients to present a signed certificate. (This has been certified by CA)

  • The sender decrypts the signed hash with the CA’s known public key to verify that the public key, name, and other identifying information.

  • The sender now uses the public key to send a message with confidence that it is the correct one.

Y KChoi


Link encryption l5 l.jpg

Link Encryption (L5)

What is Link Security?

Link security objectives by link encryption

In-line encryptor hardware

Point to point deployment

IP-routed development

Y KChoi


What is link security protocol l.jpg
What is link security protocol?

  • Designed to hide secrets

  • Development to protect data against forgery (false data).

  • Can simply fit into existing Internet applications.

  • In Data link layer (layer 2)

Y KChoi




How to solve this l.jpg
How to solve this?

  • Each plaintext message must have an extra information such as message number.

Y KChoi


Example of rewrite l.jpg
Example of Rewrite

  • Here, the encrypted message is modified via a switcher.

Y KChoi


Deployment point to point l.jpg
Deployment – Point to point

  • This deployment uses a pair of trusted lines between a pair of hosts.

  • There is no need to connect to the Internet.

  • For example, you can apply for a leased line via Pacific Century Cyber Work (PCCW) between two computers (example from Central to Kowloon Tong) or use VPN

Y KChoi


Point to point connection l.jpg
Point to point – Connection

  • Each host’s data link is connected to the plaintext port of in-line encryptor. It is commonly used in military applications.

Protect

Y KChoi



Site protection unsafe arrangement l.jpg
Site Protection – Unsafe arrangement

  • The workstation out of physical protection is unsafe.

Y KChoi


Ipsec security at the ip layer l6 l.jpg
IPSec (Security at the IP Layer) L6

  • Security Objectives and issues associated with IPSEC

  • Overview of Network-Layer IP security

  • Cryptographic checksums for message integrity protection

  • IPSEC encryption and authentication headers

Y KChoi


Security objectives l.jpg
Security Objectives

  • Security at the IP layer, called IPSEC, is a set of general purpose protocols for Protecting the TCP/IP communications in the Internet.

Y KChoi


Example l.jpg
Example

Y KChoi


Example message consists of data and crypto checksum l.jpg
Example – message consists of data and Crypto checksum

Y KChoi


Example the message has been modified l.jpg
Example – the message has been modified

Y KChoi


Modifying a message protected with a cryptographic checksum l.jpg
Modifying a Message protected with a cryptographic checksum

  • What happens if the hacker modifies the data such that the plaintext checksum is the same.

Y KChoi



Replay attacks l.jpg
Replay Attacks

  • The TCP/IP protocols are not explicitly designed to identify and reject packets that are cleverly collected and replayed.

  • TCP/IP protocols are designed to operate correctly even if data packets are transmitted.

  • There is no replay protection.

    • It does not mean that replay attack is not a risk. It is difficult to differentiate the duplicated packet or malicious replay.

Y KChoi


Ipsec key management l.jpg
IPSEC Key Management

  • There are four types:

    • Manual Keying

    • Simple Key Interchange Protocol

    • Inter Security Association and Key Management Protocol

    • Photuris

Y KChoi


Slide59 l.jpg
SSL

  • Secure Sockets Layer (SSL) is the dominant protocol for encrypting general communications between browser and server

Y KChoi


Set secure electronic transactions l.jpg
SET (Secure Electronic Transactions)

  • It is a specialised protocol for safeguarding credit-card-based transaction.

Y KChoi


Ssl characteristics l.jpg
SSL Characteristics

  • It is a flexible, general-purpose encryption system.

  • SSL protocol operates at TCP/IP transport layer.

  • One layer below application

  • This gives SSL flexibility and protocol independence

Y KChoi



Credit card and its relationship l.jpg
Credit Card and its relationship

Merchant

Customer

product

Pay

Pay

Money

Card issued bank

Merchant’s bank

Y KChoi


Overview l9 l.jpg
Overview – L9

  • Active Content (not passive document)

    • Java and JavaScript

    • Browser as a security hole

  • Web privacy

    • Server logs

    • Cookies

    • Advices for users and Webmasters

Y KChoi


Bad program by design or accident l.jpg
Bad Program by design or accident

  • We have to distinguish the programs that are designed to inflict harm (virus) or those that are well developed but still contains bugs.

  • Purposefully bad programs are more harmful. Example is Chaos Computer clubs’ malicious Active X control

  • Sometimes, it is difficult to distinct between software that is bad by intention and bad by accidents.

Y KChoi


Proxy server l.jpg
Proxy Server

  • The proxy system is a system that help internet user to cache up the content they visited.

  • It simply stores the content that the users have visit and if later there are any user request the same content, it will provide the stored content to them.

  • The user will then get the content without really go out to the network.

Y KChoi


Location of proxy server l.jpg
Location of proxy server

  • The trend is to integrate packet filtering and proxy system in firewall technology

Y KChoi


Server site security l10 l.jpg

Server Site Security – L10

Why are Web sites Vulnerable (easily attacked)

Common questions about web site security

Steps to create a secure web site

Y KChoi


Security policy l.jpg
Security Policy

If there is no security policy, you are not sure whether your site is secure.

It is a list of what is and is not permissible.

For example, in the lab, you are not allowed to install illegal software.

Note that a security system consists of:

Technology, Policy and Law

Y KChoi


Unix web servers l.jpg

Unix Web Servers

Hardening a Unix Web server (means make it more secure)

Configuring the Web server

Monitoring logs

Y KChoi


Hardening a unix web server l.jpg
Hardening a Unix Web server

  • Unix is a multi-user system.

  • It supports over hundreds of users with different directories and environments.

  • A user cannot modify or read a particular resources.

  • Users are grouped. (user: group:system) right

  • It is a general purpose system and is insecure. That is why we need to harden a Unix.

Y KChoi


Summary l.jpg
Summary

  • Unix is not a perfect OS, we need to harden this by: downloading the latest patch, disable unnecessary services, minimise the number of users, etc.

  • Configure the Web server: minimise the use of privileged user, limit DOS

  • Monitor the logs: Unix system logs, server log and error log

Y KChoi


Server security checklist 1 l.jpg
Server Security Checklist (1)

  • Have you installed all security-related patches?

  • Have you disabled all unnecessary services?

  • Have you run a security scanner on your system?

  • Does the server do double duty as a user workstation?

  • Do the Web server’s file permissions reasonable?

Y KChoi


Server security checklist 2 l.jpg
Server Security Checklist (2)

  • Is the Web server running as root?

  • Is the Web server running any unnecessary features?

  • Have you established the limit of users?

  • Do you monitor system and web pages logs?

  • Do you monitor the integrity of the host?

  • Do you backup your system?

Y KChoi


What is a firewall l.jpg
What is a firewall?

  • In a traditional LAN system, all workstations can access the Internet with a result of equal attack from the outside.

Y KChoi


The location of a firewall l.jpg
The location of a firewall

  • All traffic must go through the proxy server which then decides to accept or reject the traffic.

Y KChoi


Two basic firewall systems l.jpg
Two basic Firewall Systems

There are two basic implementations for firewalls.

  • Dual home gateway firewall, the gateway machine has two network interface cards each of them is connected to the LAN (inter network) and the Internet (Outer network)

  • Screened-host gateway uses a router to forward all the traffic from/to the outer and inner networks.

Y KChoi


Dual home gateway firewall l.jpg
Dual-home gateway firewall

  • By default, the two networks are isolated.

  • However, there is a need to communicate between the inner and outer networks through the specialised programs called proxy (or proxies,many programs)

Y KChoi


Screen hosted gateway l.jpg
Screen-hosted gateway

In fact, there is no effective difference between dual-home and screen-host

  • A network router is used to control access to the inner network. The router restricts communication between the outer and inner networks.

  • It ensures that the packets from the Internet can reach the well secured proxy which then examines the data.

Y KChoi


Law and policy l.jpg
Law and Policy

  • Policy procedure – to write something so that the users can follow

Y KChoi


Slide81 l.jpg

Good Luck

Work Hard

Y KChoi


ad