Topic 10: Network Security Management
Business Data Communications 4e - PowerPoint PPT Presentation



Presentation Transcript

Topic 10: Network Security Management - Chapter 18: Doing Business on the Internet - Chapter 20: Network Security

Business Data Communications, 4e


Why Networks Need Security

In recent years, organizations have become increasingly dependent on data communication networks for their daily business communications, database retrieval, distributed data processing, and the internetworking of LANs.

The losses associated with security failures can be huge.

More important than direct theft losses are the potential losses from the disruption of the application systems that run on computer networks.

Loss from Hack Attacks

The cost of cyberattacks to U.S. businesses doubled to $10 billion in 1999, according to estimates from the Computer Security Institute (CSI). The research group today is releasing the results of its survey of 643 large organizations, showing estimated losses of $266 million in 1999 from cybercrime, which is more than twice the amount lost in 1998.

- Los Angeles Times (03/22/00) P. C1; Piller, Charles

A Hacker’s Story

  • Kevin Mitnick - a famous hacker

    • arrested at 1:30 a.m., February 15, 1995

    • released on January 21, 2000

  • What has he done?

    • Broke into the LA Unified School District’s main computers when he was in high school.

    • Accessed North American Air Defense Command computers

    • He has been called an “electronic terrorist” for the many computer break-ins he committed.

  • More stories

A True Story of Linux Hacking

  • What the hacker did:

    • Obtained the login for the admin account

    • Deleted the netlog directory to avoid discovery

    • Loaded a DoS software bomb

    • Attacked other computers using the bomb

  • How it was discovered:

    • When it attacked, someone caught it

    • A complaint was sent to Tech

A True Story of Linux Hacking

From: roger rick [mailto:[email protected]]
Sent: Sunday, February 04, 2001 2:32 PM
To: [email protected]; [email protected]
Subject: Compromised Box?

I believe one of your systems on your subnet has been compromised and is now running an eggdrop on IRC EFnet. An eggdrop is a client that is always connected to the EFnet server and allows a user to get Operator status. This eggdrop could result in DoS attacks on your server if the user makes the right people angry.

| H20B0NG ( [email protected] )
| ircname : ]real eyes realize real lies[
| channels : #shells
| server : irc.stanford.edu

There is the bot and system information. If you are not concerned about this, sorry for wasting your time. But it could result in downtime in the long run. Look for a connection to an irc server on port 6667. It might reveal the IP of the person that is using your box to connect.

Thanks.

Roger

Security Threats

  • Passive attacks

    • Eavesdropping on, or monitoring, transmissions

    • Electronic mail, file transfers, and client/server exchanges are examples of transmissions that can be monitored

  • Active attacks

    • Modification of transmitted data

    • Attempts to gain unauthorized access to computer systems

Security Threats - Type 1

Non-technical threats, which can be prevented and protected against using managerial approaches. Typically they arise from disasters.

  • Natural disasters: flood, fire, earthquake, etc.

  • Terror attacks

  • Criminal cases

  • Accidents caused by human error

    Direct consequences:

  • Destroying host computers or large sections of the network.

  • Damaging data storage

How to prevent the losses from type 1 threats?

  • Discussion focus: If you were the CIO of a large company, what should you do, from a managerial point of view, to prevent the losses from a disaster?

Security Threats - Type 2

These are technical attacks. Both technical and managerial approaches are needed to prevent and protect against them.

  • Destruction: virus/worm attacks

  • Disruption: DoS (Denial of Service) and DDoS (Distributed DoS) attacks

  • Unauthorized access: often viewed as hackers gaining access to organizational data files and resources.

    • Most unauthorized access incidents involve employees. Serious intruders could change files to commit fraud or theft, or destroy information to injure the organization.

    • Story: Microsoft’s network was hacked in Oct. 2000

Attacks: Passive vs. Active

  • Passive Attacks

    • Eavesdropping

    • Monitoring

  • Active Attacks

    • Modification

    • Hacking

    • Software bombing

    • Disrupting


Worm vs. Virus

Red Alert Worm

  • "'Code Red' Unleashed on Web" Los Angeles Times (08/01/01) P. C3; Piller, Charles

  • A malicious computer worm is spreading over the Internet, causing infected computers to search the Web to find more victims. Eventually the Code Red worm, which only recently began its spread, will cause its host computers to deluge the White House Web site with a barrage of data. However, a previous version of the worm was released earlier last month against the same White House target. That version also defaced the Web sites hosted on the servers it infected with a message claiming "Hacked by Chinese," though the Chinese government has denied the worm originated in that country. Officials at the White House have since used an address-change technique to divert the data flow from Code Red computers, and the site will also remain safe from the current version. Code Red, however, will continue to spread, reaching its peak within 36 hours of its August 1st release date, according to Internet Security Systems researcher Chris Rouland. The worm is programmed to go dormant on August 28th.

A True Story of Red Alert Attack

  • When: July 20, 2001

  • Where: Dr. Lin’s Office

  • What computer: 129.118.49.94, Windows 2000 Advanced Server

  • How: Not known yet

  • Who discovered the attack: someone using DShield.org reported it, and they sent BACS an email

  • Symptoms:

    • When using ASP scripts, the page displays: “Hacked by Chinese”

    • A malicious program scans the ports of other computers

Security Attacks

Figure: the normal flow of information, and the four categories of attack on it: interruption, interception, modification, and fabrication.


Preventing Unauthorized Access

Approaches to preventing unauthorized access:

  • Developing a security policy

  • Developing user profiles

  • Strengthening physical security and software security

  • Securing the dial-in service system

  • Fixing security holes

  • Using a firewall

  • Using encryption

    A combination of all techniques is best to ensure strong security.

Securing Network Access Points

What is a firewall: A router, gateway, or special purpose computer that examines packets flowing into and out of a network and restricts access to the organization’s network.

Why use a firewall: With the increasing use of the Internet, it becomes important to prevent unauthorized access to your network from intruders on other networks.

Case Study: Attack on a firewall

Securing Network Access Points

Packet-level firewall:

  • Examines the source and destination address of every network packet that passes through it and only allows packets that have acceptable source and destination addresses to pass.

  • Vulnerable to IP-level spoofing, accomplished by changing the source address on incoming packets from their real address to an address inside the organization’s network.

  • Many firewalls have had their security strengthened since the first documented case of IP spoofing in December 1994.
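A minimal packet-level filter with the address-based rule and the anti-spoofing check the slide calls for, as an added Python example that is not from the textbook. The internal network 10.0.0.0/8, the public server range 10.1.1.0/24 and the sample packets are constructed for illustration.

```python
# Added example (not from the textbook): a packet-level filter that applies
# the address-based rule described above plus an anti-spoofing check on the
# external interface. The network ranges and packets are constructed.
import ipaddress

# Assumption: the organisation's internal network is 10.0.0.0/8 and its
# publicly reachable servers live in 10.1.1.0/24 (both constructed).
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
PUBLIC_SERVERS = ipaddress.ip_network("10.1.1.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")

# Address-based allow rules: (direction, acceptable source, acceptable destination).
# Anything not matched is dropped (default deny).
ALLOW_RULES = [
    ("in", ANY, PUBLIC_SERVERS),     # outsiders may reach the public servers
    ("out", INTERNAL_NET, ANY),      # insiders may reach the Internet
]

def filter_packet(direction, src, dst):
    """direction is 'in' for packets arriving from the Internet and 'out'
    for packets leaving the organisation. Returns (verdict, reason)."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    # Anti-spoofing: a packet arriving on the external interface can never
    # legitimately carry an internal source address, whatever the rules say.
    if direction == "in" and src_ip in INTERNAL_NET:
        return "drop", "internal source address on external interface (spoofed)"
    # Egress check: packets leaving must carry one of our own addresses.
    if direction == "out" and src_ip not in INTERNAL_NET:
        return "drop", "outbound packet with a foreign source address"
    for rule_dir, allowed_src, allowed_dst in ALLOW_RULES:
        if rule_dir == direction and src_ip in allowed_src and dst_ip in allowed_dst:
            return "accept", "matched allow rule"
    return "drop", "no matching allow rule (default deny)"

# Constructed sample packets: (direction, source, destination)
SAMPLE_PACKETS = [
    ("in", "203.0.113.5", "10.1.1.20"),    # outsider to a public server
    ("in", "10.0.0.7", "10.1.1.20"),       # claims an internal source: spoofed
    ("in", "203.0.113.5", "10.2.5.9"),     # outsider to an internal workstation
    ("out", "10.2.5.9", "198.51.100.1"),   # internal user browsing the Internet
]

def run_samples():
    """Verdict for each sample packet, in order."""
    return [filter_packet(*pkt)[0] for pkt in SAMPLE_PACKETS]
```

Without the first check, the second sample packet would match the allow rule purely on its addresses, which is exactly the weakness the slide describes.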

*Spoof

  • "Spoof" was a game invented in 1933 by an English comedian, Arthur Roberts. Webster's defines the verb to mean (1) to deceive or hoax, and (2) to make good-natured fun of. On the Internet, "to spoof" can mean:

    • To deceive for the purpose of gaining access to someone else's resources (for example, to fake an Internet address so that one looks like a certain kind of Internet user)

    • To simulate a communications protocol by a program that is interjected into a normal sequence of processes for the purpose of adding some useful function

    • To playfully satirize a Web site.

Application-level Firewall

Application-level firewall

  • Acts as an intermediate host computer or gateway between the Internet and the rest of the organization’s network.

  • In many cases, needs special programming code to permit the use of application software unique to the organization.

    Difference:

  • packet-level firewalling prohibits only the accesses that have been explicitly disabled

  • application-level firewalling permits only the accesses that have been explicitly authorized

Proxy Server

Proxy server: the technology behind firewalls

  • Uses an address table to translate network addresses inside the organization into fake addresses for use on the Internet (network address translation or address mapping). This way systems outside the organization never see the actual internal IP addresses.

  • Is becoming the application-level firewall of choice.

    Many organizations use a combination of packet-level and application-level firewalls.

Network Address Translation (NAT)

  • The process of translating between one set of private addresses inside a network and a set of public addresses outside the network.

  • Transparent

  • A NAT proxy server uses an address table to translate the private IP addresses used inside the organization into proxy IP addresses used on the Internet. It changes the source port number in the TCP packet to a unique number that it uses as an index into its address table to find the IP address of the actual sending computer in the internal network.
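The NAT address table described above, as an added Python example that is not from the textbook; the public address, the private addresses and the ports are constructed.

```python
# Added example (not from the textbook): a NAT proxy's address table as
# described above. Public and private addresses below are constructed.
import itertools

class NatProxy:
    """Translates (private ip, private port) pairs to ports on one public
    address, and maps replies back using the port as the table index."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self._ports = itertools.count(first_port)   # unique index generator
        self.by_public_port = {}    # public port -> (private ip, private port)
        self.by_private = {}        # (private ip, private port) -> public port

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite a packet leaving the organisation. Returns the header the
        Internet sees: source becomes the proxy address and a unique port."""
        key = (src_ip, src_port)
        if key not in self.by_private:
            public_port = next(self._ports)
            self.by_public_port[public_port] = key
            self.by_private[key] = public_port
        return (self.public_ip, self.by_private[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        """Rewrite a packet arriving from the Internet. The destination port
        indexes the table; a packet with no entry was never requested by an
        internal host, so the proxy has nowhere to deliver it."""
        entry = self.by_public_port.get(dst_port)
        if entry is None:
            return None
        private_ip, private_port = entry
        return (src_ip, src_port, private_ip, private_port)

def demo():
    """Two internal hosts that happen to use the same source port still get
    distinct public ports, and the reply to each is routed back correctly."""
    nat = NatProxy("203.0.113.10")
    out_a = nat.outbound("192.168.1.5", 51000, "198.51.100.1", 80)
    out_b = nat.outbound("192.168.1.6", 51000, "198.51.100.1", 80)
    reply_b = nat.inbound("198.51.100.1", 80, out_b[1])
    stray = nat.inbound("198.51.100.1", 80, 45000)   # nobody asked for this
    return out_a, out_b, reply_b, stray
```

The `None` returned for the stray packet is the reason NAT hides internal hosts: an outside system can only reach an address that has an entry in the table.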

*Proxy Server Software

There are numerous proxy server software products on the market, currently priced from $300 to $1000. Examples are:

  • Microsoft Proxy Server [http://www.microsoft.com/proxy/default.asp],

  • Netscape Proxy Server [http://home.netscape.com/proxy/v3.5/],

  • Novell BorderManager [http://www.novell.com/bordermanager/]

  • Squid [http://squid.nlanr.net],

  • Harvest [http://harvest.transarc.com],

  • WinGate [http://www.wingate.com],

  • WinProxy [http://www.ositis.com/dloadfr.htm], etc.

*Proxy Server Features

  • Reverse hosting.

  • Reverse proxy.

  • Multi-protocol support.

  • Virtual private networking ability.

  • Application-level proxy

  • Circuit level proxy with SOCKS 4 client support and SOCKS 5 logic policy support.

  • Secure Sockets Layer (SSL) tunneling.

  • Authentication.

  • Enterprise security management such as LDAP based user/group/password management for proxy authentication, Simple Network Management Protocol (SNMP) support, etc.


DMZ (Demilitarized Zone)

DMZ

  • Features:

    • Allows limited access to the DMZ from the outside (using a packet-level firewall)

    • Prevents unauthorized access to departmental networks from the Internet (using a proxy server)

    • Allows full access to the DMZ and the Internet from internal networks

    • Limits inter-departmental access (using the proxy server of each department)

Network Eavesdropping

Another way to gain unauthorized access, where the intruder inserts a listening device or computer into the organization’s network to record messages.

Targets:

  • Network cables,

  • Network devices such as controllers, hubs, and bridges

    Certain types of cable can impair or improve security by making eavesdropping easier (e.g. wireless) or more difficult (e.g. fiber optic).

    Physical security of the network’s local loop and interexchange telephone circuits is the responsibility of the common carrier.


Trojan Horse - A Malicious Sniffer

A tiny program that runs on a workstation (PC or Macintosh). In its simplest form, it simply records every key pressed, including your username and password when you log onto any computer network.

A Trojan horse can steal important security information without the user’s awareness.

Outline of Encryption

  • Symmetric key encryption

  • Public-key encryption

  • Key management

  • Digital signature

  • Digital certificate

  • Certificate authority

Encryption

Encryption: A means of disguising information by the use of mathematical rules known as algorithms to prevent unauthorized access.

Five components of the algorithm:

  • Plaintext: The original readable message or data

  • Ciphertext: encrypted message produced as output.

  • Encryption algorithm: Performs various substitutions and transformations on the plaintext.

  • Secret key: Input to the encryption algorithm. Substitutions and transformations performed depend on this key

  • Decryption algorithm: Encryption algorithm run in reverse. Uses ciphertext and the secret key to produce the original plaintext.

Using Encryption

Today, the U.S. government considers encryption to be a weapon, and regulates its export in the same way it regulates the export of machine guns or bombs. The government is also trying to develop a policy called key escrow (key recovery), requiring key registration with the government.

Encryption Methods

  • The essential technology underlying virtually all automated network and computer security applications is cryptography

  • Two fundamental approaches are in use:

    • conventional encryption, also known as symmetric encryption

    • public-key encryption, also known as asymmetric encryption

Conventional Encryption Operation

Conventional Encryption Requirements & Weaknesses

  • Requirements

    • A strong encryption algorithm

    • Secure process for sender & receiver to obtain secret keys

  • Methods of Attack

    • Cryptanalysis

    • Brute force

Symmetric Key Encryption - DES

Data encryption standard (DES):

  • A commonly used encryption algorithm.

  • Symmetric (the key used to decrypt a particular bit stream is the same one used to encrypt it)

    Symmetric algorithms can cause problems with key management; keys must be dispersed and stored carefully.

    A 56-bit version of DES is the most commonly used encryption technique today.

Data Encryption Standard (DES)

  • Adopted in 1977, reaffirmed for 5 years in 1994, by NBS/NIST

  • Plaintext is 64 bits (or blocks of 64 bits), key is 56 bits

  • Plaintext goes through 16 iterations, each producing an intermediate value that is used in the next iteration.

  • DES is now too easy to crack to be a useful encryption method

Triple DEA (TDEA)

  • Alternative to DES, uses multiple encryption with DES and multiple keys

  • With three distinct keys, TDEA has an effective key length of 168 bits, so is essentially immune to brute force attacks

  • Principal drawback of TDEA is that the algorithm is relatively sluggish in software

Public-Key Encryption

  • Based on mathematical functions rather than on simple operations on bit patterns

  • Asymmetric, involving the use of two separate keys

  • Common misconceptions about public-key encryption:

    • that it is more secure from cryptanalysis

    • that it is a general-purpose technique that has made conventional encryption obsolete

Public-Key Encryption Operation

Public-Key Signature Operation

Characteristics of Public-Key

  • Infeasible to determine the decryption key given knowledge of the cryptographic algorithm and the encryption key.

  • Either of the two related keys can be used for encryption, with the other used for decryption.

  • Slow, but provides tremendous flexibility to perform a number of security-related functions

  • Most widely used algorithm is RSA, invented by Ron Rivest, Adi Shamir and Len Adleman at MIT in 1977.

Conventional Encryption: Key Distribution

  • Both parties must have the secret key

  • Key is changed frequently

  • Requires either manual delivery of keys, or a third-party encrypted channel

  • Most effective method is a Key Distribution Center (e.g. Kerberos)

Public-Key Encryption: Key Distribution

  • Parties create a pair of keys; public key is broadly distributed, private key is not

  • To reduce computational overhead, the following process is then used:

    1. Prepare a message.

    2. Encrypt that message using conventional encryption with a one-time conventional session key.

    3. Encrypt the session key using public-key encryption with recipient’s public key.

    4. Attach the encrypted session key to the message and send it.

Digital Signature

  • An electronic message that can be used by someone to authenticate the identity of the sender of a message or of the signer of a document.

  • Can also be used to ensure that the original content of the message or document that has been conveyed is unchanged.

  • Additional benefits:

    • Easy transportation, not easily repudiated, not imitated by someone else, and automatically time-stamped.

Digital Signature Process

Public Key Certificates

1. A public key is generated by the user and submitted to Agency X for certification.

2. X determines by some procedure, such as a face-to-face meeting, that this is authentically the user’s public key.

3. X appends a timestamp to the public key, generates the hash code of the result, and encrypts that result with X’s private key forming the signature.

4. The signature is attached to the public key.
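The four-step session-key procedure from the Public-Key Encryption Key Distribution slide and the four-step certificate procedure above, worked through in one added Python example that is not from the textbook. It uses textbook RSA on tiny constructed primes, a SHA-256 counter-mode keystream standing in for the conventional cipher, and a constructed timestamp; the key sizes are for illustration only.

```python
# Added example, not from the textbook: the four-step session-key envelope
# and the four-step certificate procedure, on textbook RSA with tiny
# constructed primes. Key sizes are illustrative only; never use them for real.
import hashlib
import os

def make_rsa_keypair(p, q, e=17):
    """Toy RSA: returns public key (e, n) and private key (d, n).
    p and q are small constructed primes; e must be coprime to (p-1)(q-1)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))    # modular inverse, Python 3.8+
    return (e, n), (d, n)

def rsa_apply(key, value):
    """One modular exponentiation. The same operation serves encryption,
    decryption, signing and verification, since either key of the pair
    can be used for encryption with the other used for decryption."""
    exponent, n = key
    if not 0 <= value < n:
        raise ValueError("value must be smaller than the modulus")
    return pow(value, exponent, n)

def conventional_xor(key, data):
    """Stand-in for a conventional cipher: XOR with a SHA-256 counter-mode
    keystream. The same call encrypts and decrypts."""
    stream = b""
    block = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(message, recipient_public):
    """Steps 1-4: prepare the message, encrypt it under a one-time session
    key, encrypt that key with the recipient's public key, attach it."""
    session_key = os.urandom(8)
    ciphertext = conventional_xor(session_key, message)
    # Every key byte is below n, so each one fits in one toy RSA block.
    wrapped_key = [rsa_apply(recipient_public, b) for b in session_key]
    return {"ciphertext": ciphertext, "wrapped_key": wrapped_key}

def open_envelope(envelope, recipient_private):
    """Recipient recovers the session key with the private key, then the message."""
    session_key = bytes(rsa_apply(recipient_private, c) for c in envelope["wrapped_key"])
    return conventional_xor(session_key, envelope["ciphertext"])

def _cert_digest(user_public, timestamp, modulus):
    """Hash code of (public key || timestamp), reduced so it fits the toy modulus."""
    e, n = user_public
    h = hashlib.sha256(f"{e}:{n}:{timestamp}".encode()).digest()
    return int.from_bytes(h, "big") % modulus

def certify(user_public, agency_private, timestamp):
    """Agency X: append a timestamp, hash the result, sign the hash with X's
    private key, and attach the signature to the public key."""
    digest = _cert_digest(user_public, timestamp, agency_private[1])
    signature = rsa_apply(agency_private, digest)
    return {"public": user_public, "timestamp": timestamp, "signature": signature}

def verify_certificate(cert, agency_public):
    """Anyone holding X's public key can check the signature."""
    expected = _cert_digest(cert["public"], cert["timestamp"], agency_public[1])
    return rsa_apply(agency_public, cert["signature"]) == expected

def demo():
    user_pub, user_priv = make_rsa_keypair(61, 53)        # constructed primes
    agency_pub, agency_priv = make_rsa_keypair(101, 113)   # constructed primes
    envelope = seal(b"transfer 100 units to account 42", user_pub)
    recovered = open_envelope(envelope, user_priv)
    cert = certify(user_pub, agency_priv, timestamp=981158400)   # constructed
    # Altering the signature by one breaks verification, because RSA is a
    # permutation of the residues mod n: a different input gives a different output.
    forged = dict(cert, signature=(cert["signature"] + 1) % agency_pub[1])
    return recovered, verify_certificate(cert, agency_pub), verify_certificate(forged, agency_pub)
```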

Certificate Authority

A certificate authority is a trusted organization that can vouch for the authenticity of the person or organization using authentication.

  • A person wanting to use a CA registers with the CA and must provide some proof of identity.

  • The CA issues a digital certificate that is the requestor's public key encrypted using the CA's private key as proof of identity.

  • This certificate is then attached to the user's email or Web transactions in addition to the authentication information.

  • The receiver then verifies the certificate by decrypting it with the CA's public key -- and must also contact the CA to ensure that the user's certificate has not been revoked by the CA.

  • For higher level security certification, the CA requires that a unique “fingerprint” (key) be issued by the CA for each message sent by the user.

*VeriSign, Inc

  • Headquartered in Mountain View, California, a leading provider of Internet trust services (authentication, validation, and payment) needed by Web sites, enterprises, and e-commerce service providers to conduct trusted and secure electronic commerce and communications over IP networks.

  • To date, VeriSign has issued over 215,000 Web site digital certificates and over 3.9 million digital certificates for individuals.

*VeriSign

"Group Approves VeriSign's Control Over Web Addresses" Wall Street Journal (04/03/01) P. B4; Bridis, Ted

In a 12-3 vote, ICANN's board approved its new deal with VeriSign, allowing the company to retain control of the .com domain without divesting portions of its business. By Dec. 2002, VeriSign will give up the .org domain, and the .net domain will be surrendered at a later date, although VeriSign will have a chance to bid for control of the .net domain. There were a few changes made to the agreement. The $10,000 fee that registrars pay to VeriSign was dropped and VeriSign now has to spend $200 million toward the research necessary to create a directory of all domain names. Further, VeriSign must keep the registrar and registry portions of its business separate or it will face fines. The U.S. Commerce Department still has to approve the deal, and four members of Congress have suggested that the Commerce Department "fully analyze" competitive concerns stemming from the new deal. These suggestions, which were made by Reps.

(http://www.washingtonpost.com/wp-dyn/articles/A35085-2001Apr3.html)


Secure Transactions for E-Payment

Secure transactions must have at least the following characteristics:

Confidentiality: others cannot eavesdrop on an exchange.

Integrity: the messages received are identical to the messages sent.

Authenticity: you are assured of the persons with whom you are making an exchange.

Non-Repudiation: none of the involved parties can deny that the exchange took place.

Confidentiality

  • The protection of transmitted data from passive attacks: release of message contents, and traffic analysis.

    • With respect to the release of message contents, several levels of protection can be identified. The broadest service protects all user data transmitted between two users over a period of time.

Authentication

  • Authentication service is concerned with assuring that a communication is authentic.

    • In the case of a single message, to assure the recipient that the message is from the source that it claims to be from

    • In the case of an ongoing interaction, to assure that the two entities are authentic

    • To assure that the connection is not interfered with in such a way that a third party can masquerade as one of the two legitimate parties for the purpose of unauthorized transmission and reception.

Integrity

  • The integrity service is applied particularly to total stream protection.

    • In connection-oriented service, to assure messages are received as sent, without duplication, insertion, modification, reordering, or replays.

    • In connectionless service, generally provides protection against message modification.

Non-repudiation

  • To prevent either sender or receiver from denying a transmitted message.

    • The receiver can prove that the message was in fact sent by the alleged sender.

    • The sender can prove that the message was in fact received by the alleged receiver.

How to prevent repudiation?

  • What is repudiation: Denial of the message previously sent

  • Idea: keep the original message encrypted with the sender’s private key

  • How: using digital signature

Internet Security Architecture

The figure on this slide places each security protocol at its layer:

  • Application oriented: PGP, S/MIME, SET, and S-HTTP, alongside the application protocols HTTP, FTP, and SMTP

  • Transport oriented: SSL or TLS, above TCP

  • Network oriented: IP/IPSec

IPSec

  • Why IPSec?

    • In 1994, IAB (Internet Architecture Board) issued “Security in the Internet Architecture” (RFC 1636)

    • In 1996, CERT’s annual report listed 8000 reported security incidents affecting 4 million hosts, identifying IP spoofing attacks.

    • IAB proposed security features for IPv6, which are applicable to IPv4. So came IPSec.

  • IPSec can secure communications across a LAN, across WANs, and/or across the Internet

  • Examples of use:

    • Secure branch office connectivity over the Internet

    • Secure remote access over the Internet

    • Establishing extranet and intranet connectivity with partners

    • Enhancing electronic commerce security

Benefits of IPSec

  • When implemented in a firewall or router, provides strong security for all traffic crossing the perimeter

  • IPSec in a firewall is resistant to bypass

  • Runs below the transport layer (TCP, UDP) and so is transparent to applications

  • Can be transparent to end users because it is below the transport layer

  • Can provide security for individual users if needed, e.g. a remote access VPN for mobile users

IPSec Functions

  • IPSec provides three main facilities

    • authentication-only function referred to as Authentication Header (AH)

    • combined authentication/encryption function called Encapsulating Security Payload (ESP)

      • Transport mode: protects upper-layer protocols, and is for end-end communications; good for small networks

      • Tunnel mode: protects entire IP packet, and is used between two security gateways; more efficient for VPNs

    • a key exchange function

  • Supports DES or other algorithms; HMAC, a new scheme, is required for authentication.

ESP Encryption & Authentication

IPSec Key Management

  • Manual

    • A system administrator manually configures each system with its own keys and with the keys of other communicating systems

    • Practical for small, relatively static environments

  • Automated

    • Enables the on-demand creation of keys for SAs (security associations) and facilitates the use of keys in a large distributed system

    • Most flexible but requires more effort to configure and requires more software

Web Security

  • Web Vulnerabilities

    • Unauthorized alteration of data at the Web site

    • Unauthorized access to the underlying operating system at the Web server

    • Eavesdropping on messages passed between a Web server and a Web browser

    • Impersonation

  • Securing the Web site itself

    • install all operating system security patches

    • install the Web server software with minimal system privileges

    • use a more secure platform

  • Securing the Web application

    • Secure HyperText Transfer Protocol (S-HTTP)

    • Secure Sockets Layer (SSL)

SSL & TLS

  • Protocols that sit between the underlying transport protocol (TCP) and the application

  • Provide security at the “socket” level, just above the basic TCP/IP service

  • Can provide security for a variety of Internet services, not just the WWW

  • Secure Sockets Layer (SSL)

    • Originated by Netscape

  • Transport Layer Security (TLS)

    • TLS has been developed by a working group of the IETF, and is essentially SSLv3.1

SSL Implementation

  • Focused on the initialization/handshaking to set up a secure channel

    • Client specifies encryption method and provides challenge text

    • Server authenticates with public key certificate

    • Client sends the master key, encrypted with the server’s key

    • Server returns a message encrypted with the master key

    • The master key is then used to generate the keys for the messages sent from client to server

  • Digital signatures used in initialization are based on RSA; after initialization, single key encryption systems like DES can be used

Secure Hypertext Transfer Protocol (S-HTTP)

  • The logical extension of HTTP.

  • A method that is used to support the encryption and decryption of specific WWW documents sent over the Internet.

  • Uses RSA public-key encryption. A main use is expected to be for online payments.

  • Supported by America Online, CompuServe, IBM, Netscape, Prodigy, SPRY (at http://www.spry.com, and now owned by CompuServe), and Spyglass.

  • Designed by Allan Schiffman, then at EIT (which is now working with Terisa Systems).

*PGP

  • Pretty Good Privacy

    • A freeware public-key encryption package developed by Philip Zimmermann that is often used to encrypt e-mail.

    • Users post their public keys on web pages, for example, and anyone wishing to send them an encrypted message simply cuts and pastes the key off the web page into the PGP software, which encrypts and sends the message.

Secure Electronic Transactions

  • SET is a payment protocol supporting the use of bank/credit cards for transactions

  • Supported by MasterCard, Visa, and many companies selling goods and services online

  • SET is an open industry standard, using RSA public-key and DES single-key encryption

*SET Participants & Interactions

*Agents in SET

  • Cardholder, workstation of the person holding the card

  • Merchant, needs merchant CA (MCA)

  • CAs

    • Security services

    • Certificates

  • Financial institution

*Electronic Shopping

  • Shopping & browsing

  • Item and merchant selection

  • Ordering and negotiating

  • Payment selection

  • Payment authorization and transport

  • Confirmation and delivery

  • Goods delivery

  • Merchant reimbursement

Ideal Components of Electronic Cash

  • Independent of physical location

  • Security

  • Privacy

  • Off-line payment

    • No need for third-party vendor

  • Transferability to other users

  • Divisibility

    • “Making change”

E-Cash

  • Created by David Chaum in Amsterdam in 1990

  • Maintains the anonymity of cash transactions

  • Users maintain an account with a participating financial institution, and also have a “wallet” on their computer’s hard drive

  • Digital coins, or tokens, are stored in the wallet

*Digital Wallet (SET)

  • In the physical world, your wallet stores your credit cards and cash. In the online world, your digital wallet is installed as a plug-in to your web browser. Like your real wallet, your digital wallet stores your credit card number and your shipping information. Unlike your real wallet, you need to know the secret "password" to use what's inside. Your wallet implements the "encryption" that makes SET secure.

    See Digital Wallet Demo

*Free Trade Zones (FTZ)

  • Area where communication and transactions occur between trusted parties

  • Isolated from both the external environment and the enterprise's internal network

  • Supported by firewalls on both ends

  • Inside the FTZ, all communications can be in clear mode without any encryption

  • Necessary because logical boundaries between BTB and IB are becoming fuzzy.

Intrusion Detection System

[Figure: intrusion detection system deployment diagram. Components labelled: Internet; two routers; firewall; NAT proxy server with network-based IDS; DMZ; two network-based IDS sensors; web server with host-based IDS and application-based IDS; mail server with host-based IDS; DNS server with host-based IDS; switches; three internal subnets; IDS management console.]

Detecting Unauthorized Access

  • Using an Intrusion Detection System (IDS). There are three types of IDS:

    • Network-based

    • Host-based

    • Application-based

  • Two techniques for IDS:

    • Misuse detection

    • Anomaly detection
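
The two IDS techniques on this slide, shown side by side as an added example (not code from the textbook or from any IDS product). Misuse detection matches each request against a small list of known-bad patterns; anomaly detection first learns a per-source request-count profile from a constructed clean baseline and then flags any source in a later window that exceeds the mean plus three standard deviations. The log lines, addresses and signatures are all constructed for the illustration, and the request path is URL-decoded before matching so that an encoded request cannot slip past a plain-text signature.

```python
import re
import statistics
from collections import Counter
from urllib.parse import unquote


# Constructed Common Log Format lines; not real traffic.
def make_line(src: str, path: str, status: int = 200, size: int = 512) -> str:
    return f'{src} - - [10/Oct/2000:13:55:36 -0700] "GET {path} HTTP/1.0" {status} {size}'


BASELINE_LINES = (                       # quiet period used to learn "normal"
    [make_line("10.0.0.5", "/index.html")] * 3
    + [make_line("10.0.0.6", "/about.html")] * 2
    + [make_line("10.0.0.7", "/products.html")] * 3
    + [make_line("10.0.0.8", "/index.html")] * 2
)
WINDOW_LINES = (                         # later window being inspected
    [make_line("10.0.0.5", "/index.html")] * 3
    + [make_line("192.0.2.44", "/search?q=a")] * 12            # burst from one source
    + [make_line("10.0.0.6", "/../../etc/passwd", 404)]        # matches a signature
    + [make_line("10.0.0.9", "/comment?text=%3Cscript%3E")]    # encoded; decode first
)

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+)$')


def parse(line: str):
    """Parse one log line into a record, or return None for lines that do not fit."""
    m = LOG_RE.match(line)
    if not m:
        return None
    src, ts, method, path, status, size = m.groups()
    return {"src": src, "ts": ts, "method": method, "path": unquote(path),
            "status": int(status), "size": int(size)}


# Misuse detection: known-bad patterns (signatures) matched against each request.
SIGNATURES = {
    "directory traversal": re.compile(r"\.\./"),
    "script tag in parameter": re.compile(r"<script", re.IGNORECASE),
}


def misuse_detect(records):
    alerts = []
    for r in records:
        for name, pattern in SIGNATURES.items():
            if pattern.search(r["path"]):
                alerts.append((r["src"], name, r["path"]))
    return alerts


# Anomaly detection: learn per-source request counts from the baseline, then
# flag sources in the new window that exceed mean + k * standard deviation.
def anomaly_detect(baseline, records, k: float = 3.0):
    base = Counter(r["src"] for r in baseline)
    mean = statistics.mean(base.values())
    sd = statistics.pstdev(base.values())
    threshold = mean + k * sd
    now = Counter(r["src"] for r in records)
    flagged = {src: n for src, n in now.items() if n > threshold}
    return flagged, threshold


def run_ids():
    """Apply both techniques to the constructed window and return their findings."""
    baseline = [r for r in map(parse, BASELINE_LINES) if r]
    window = [r for r in map(parse, WINDOW_LINES) if r]
    alerts = misuse_detect(window)
    flagged, threshold = anomaly_detect(baseline, window)
    return alerts, flagged, threshold


if __name__ == "__main__":
    alerts, flagged, threshold = run_ids()
    for src, name, path in alerts:
        print(f"misuse: {src} {name}: {path}")
    print(f"anomaly threshold {threshold:.1f} requests; flagged: {flagged}")
```

Each technique catches what the other misses: the burst from 192.0.2.44 contains no known-bad string and is only visible as a count anomaly, while the two signature hits are single requests that no rate threshold would notice. The trade-off is also visible: signatures need maintaining, and the anomaly threshold depends entirely on how representative the baseline was.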

Computer forensics

  • The use of computer analysis techniques to gather evidence for criminal and/or civil trials

  • Includes the following steps:

    • Identify potential evidence.

    • Preserve evidence by making backup copies and using those copies for all analysis.

    • Analyze the evidence.

    • Prepare a detailed legal report for use in prosecutions.
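
The "preserve evidence" step, worked through as an added example (not the textbook's procedure and not tied to any forensic product): the original is hashed with SHA-256, a working copy is made with its timestamps preserved and set read-only, the copy is proven to match before any analysis starts, and a custody record is written for the report. The evidence file contents, examiner name and file names are constructed for the illustration.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash in chunks so a large disk image never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def preserve_evidence(original: Path, workdir: Path, examiner: str) -> dict:
    """Hash the original, make the working copy, prove it matches, log custody."""
    original_hash = sha256_file(original)
    working_copy = workdir / (original.name + ".copy")
    shutil.copy2(original, working_copy)   # copy2 keeps the file timestamps
    os.chmod(working_copy, 0o444)          # analysts read the copy, never write it
    copy_hash = sha256_file(working_copy)
    if copy_hash != original_hash:
        raise RuntimeError("working copy differs from original; stop and re-copy")
    record = {
        "item": str(original),
        "working_copy": str(working_copy),
        "sha256": original_hash,
        "examiner": examiner,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
    }
    # The custody record goes into the report prepared in the last step.
    (workdir / "custody.json").write_text(json.dumps(record, indent=2))
    return record


def verify_before_analysis(working_copy: Path, record: dict) -> bool:
    """Re-check the copy against the custody record each time analysis starts."""
    return sha256_file(working_copy) == record["sha256"]


def demo() -> dict:
    """Walk the preserve and verify steps on a constructed evidence file."""
    with tempfile.TemporaryDirectory() as tmp:
        workdir = Path(tmp)
        evidence = workdir / "mail.log"
        # Constructed sample content, not a real log.
        evidence.write_bytes(b"constructed sample: Oct 10 13:55 login from 10.0.0.5\n")
        record = preserve_evidence(evidence, workdir, "examiner-01")
        copy = Path(record["working_copy"])
        intact = verify_before_analysis(copy, record)
        # Simulate an analyst accidentally editing the copy; the check must now fail.
        os.chmod(copy, 0o644)
        with open(copy, "ab") as fh:
            fh.write(b"oops\n")
        after_edit = verify_before_analysis(copy, record)
        return {"record": record, "intact_before": intact, "intact_after_edit": after_edit}


if __name__ == "__main__":
    result = demo()
    print(json.dumps(result, indent=2))
```

The point of hashing before copying is that the custody record describes the original as it was found; any later mismatch, whether on the copy or on the original, is then detectable and the analysis can be restarted from a fresh copy rather than from evidence whose integrity a court could question.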

*Computer Forensics

"Whodunnit?" Economist (03/31/01) Vol. 358, No. 8215, P. 73

Computer forensics--the tools and techniques used to find, keep, and analyze the digital evidence from cybercrimes--is a field that is becoming more commercially viable by the day. Computer forensics experts must search through data that is often encrypted or put in graphics files in order to establish an "audit trail." Such experts are needed to combat the growing popularity of programs on the Internet that enable a hacker to gain control of a computer's operating system. With more and more computers attached to large networks, and with few users taking anything more than minimal security precautions--if even that--hackers relying on these programs could easily have a field day employing ordinary users' systems to mount sophisticated hacking attacks. However, there are now automated investigation tools that can counter the hacking programs, such as Coroners Toolkit, which speeds up and standardizes the digital-forensic examination process. A group of anti-hacking experts have even set up a network of "honeypots," vulnerable but unimportant computers designed to lure hackers so that the experts can study their habits and techniques.

http://www.economist.com/science/displayStory.cfm?Story_ID=550004

Entrapment - Honey-Pot

  • A server that contains highly interesting fake information available only through illegal intrusion to "bait" or "entrap" the intruder and also possibly divert the hacker's attention from the real network assets.

  • The honey pot server has sophisticated tracking software to monitor access to this information that allows the organization and law enforcement officials to trace and document the intruder’s actions. If the hacker is subsequently found to be in possession of information from the honey pot, that fact can be used in prosecution.

VPN

A virtual private network (VPN) is an extension of an enterprise’s private intranet across a public network such as the Internet, creating a secure private connection, essentially through a private tunnel. VPN provides cost-effective data transmission with high security.

*VPN is a cost-effective solution

According to industry analyst Forrester Research Inc., when comparing the cost of a traditional leased-line network with today's Internet-based VPN, the cost differences for 1,000 users are eye-popping.

*Monthly costs for leased-line network and Internet VPN

City              Distance (mi.)  T1 Fees  Internet VPN Fee

SF-Denver                  1,267  $13,535            $1,900
Denver-Chicago             1,023  $12,315            $1,900
Chicago-NY                   807  $11,235            $1,900
SF-LA                        384   $5,520            $1,900
Denver-Salt Lake             537   $6,285            $1,900
Denver-Dallas                794   $7,570            $1,900
NY-DC                        235   $4,775            $1,900
NY-Boston                    194   $4,570            $1,900

Virtual Private Networks

There are two important disadvantages of VPNs:

  • Traffic on the Internet is unpredictable.

  • There are several competing standards for Internet-based VPN, so not all vendors' equipment and services are compatible.

Typical VPN implementation

Extranet VPNs between a corporation and its strategic partners, customers, and suppliers.

Typical VPN implementation

Intranet VPNs between internal corporate departments and branch offices

Typical VPN implementation

Remote Access VPNs between a corporation and remote or mobile employees

* Technologies in VPNs

  • Tunneling and Security Protocols

    • IP Security (IPSec)

    • Point-to-Point Tunneling Protocol (PPTP)

    • Layer2 Tunneling Protocol (L2TP)

    • SOCKS (a layer 3 VPN protocol)

  • Cryptography Key Management

    • ISAKMP/Oakley (Internet Security Association and Key Management Protocol)

  • VPN Hardware

    • Security policy server

    • Certificate authority

    • Security gateway

* VPN Solution Providers

  • IBM - eNetwork

  • AT&T - WorldNet VPN service

  • Checkpoint -VPN-1

  • Microsoft - PPTP in Windows NT 4.0

  • FreeGate - Virtual Services Management

  • TradeWave - TradeVPI

  • MultiVPN - Ascend

  • VTCP/Secure - InfoExpress

  • SmartGate - V-ONE

  • Countless VPN solutions:

    • 3Com, Bay, Lucent, ADI, Aventail, PSINet, RedCreek, Shiva, TimeStep, VPNet
