1 / 16

Chapter 9 Networking & Distributed Security (Part C)

Chapter 9 Networking & Distributed Security (Part C). Outline. Overview of Networking Threats Wiretapping, impersonation, message interruption/modification, DoS Controls Encryption, authentication, distributed authentication, traffic control, integrity control Email privacy: PEM, PGP

denim
Download Presentation

Chapter 9 Networking & Distributed Security (Part C)

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Chapter 9Networking & Distributed Security (Part C)

  2. Outline • Overview of Networking • Threats Wiretapping, impersonation, message interruption/modification, DoS • Controls Encryption, authentication, distributed authentication, traffic control, integrity control • Email privacy: PEM, PGP • Firewalls csci5233 computer security & integrity (Chap. 9)

  3. Electronic Mails • Security Goals vs Threats csci5233 computer security & integrity (Chap. 9)

  4. Privacy-enhanced E-Mails (PEM) • Internet standards 1987: RFC989 (PEM version 1) 1989: RFC1113 (version 2) 1993: RFC1421, 1422, 1423, 1424 (Part I, II, III, IV), version 3 • Protection of privacy-enhanced emails occurs in the body of the message. The header of the message is not changed to ensure compatibility with the then existing email systems. • Overview: Fig. 9-27, 9-28 (p.424) 1) The message header and body is encrypted under a symmetric key, K  E (message, K) 2) K is encrypted by the recipient’s public key  Rpub (K) 3) A duplicate header is prepended to the message, which contains both Rpub(K) and E(message, K). • Q: In step 2, can symmetric key, instead of the recipient’s public key, be used to encrypt the message key? csci5233 computer security & integrity (Chap. 9)

  5. Privacy-enhanced E-Mails (PEM) • The answer: YES. See p.425. • Q: What would be the requirements if symmetric key is used? Proc-Type field: processing type DEK-Info field: data exchange key field Key-Info: key exchange • Message encryption: DES • Key exchange: DES or RSA • In principle, any encryption algorithms can be used. csci5233 computer security & integrity (Chap. 9)

  6. Privacy-enhanced E-Mails (PEM) • Security features: Confidentiality – message encryption Authenticity - ? Nonrepudiability - ? Integrity - ? Answers: p.425 csci5233 computer security & integrity (Chap. 9)

  7. Privacy-enhanced E-Mails (PEM) • Advantages: The user may choose to use PEM or not in sending an email. PEM provide strong end-to-end security for emails. • Problems? • Key management • The end points may not be secure. • Yet another privacy enhanced email protocol: PGP: p.426 csci5233 computer security & integrity (Chap. 9)

  8. Firewalls • Q: Which is more important, protection of emails or protection of network-connected resources? (see argument on p.427) • A firewall works in a way similar to a filter, which lets through only desirable interactions while keeping all others out of the protected network. • Analogy: a gate keeper, a security gateway • A firewall is a device or a process that filters all traffic between a protected (inside) network and a less trustworthy (outside) network. • Scenarios: • Internal users sending company secrets outside • Outside people breaking into systems inside csci5233 computer security & integrity (Chap. 9)

  9. Firewalls • Alternative security policies: • To block all incoming traffic, but allow outgoing traffic to pass. • To allow accesses only from certain places • To allow accesses only from certain users • To allow accesses for certain activities (such as specific port numbers) • Port 79: finger; Port 23: telnet; Port 513: rlogin; • Port 21: ftp; Port 177: X Windows • ICMP messages: the PROTOCOL field of IP header = 1 • Each of these mechanisms is a potential back door into the system. csci5233 computer security & integrity (Chap. 9)

  10. Types of Firewalls • Screening Routers • The simplest, but may be the most effective type of firewalls. • A router plays the role of a ‘gateway’ between two networks. (Fig. 9-31, p.429) • A screening router takes advantage of a router’s ability of “screening” passing-through packets and forwards only packets that are desirable. • Example: Fig. 9-32. • A router has a unique advantage because it sits between an outside and the inside network. (Fig. 9-33) csci5233 computer security & integrity (Chap. 9)

  11. Types of Firewalls • Proxy Gateways • “proxy”: authority or power to act for another • A firewall that simulates the effects of an application by running “pseudo-applications”. • To the inside it implements part of the application protocol to make itself look as if it is the outside connection. • To the outside it implements part of the application protocol to act just like the inside process would. • It examines the content, not just the header, of a packet. • Examples of using proxy firewalls: pp.431-432 csci5233 computer security & integrity (Chap. 9)

  12. Types of Firewalls • Guards • A “sophisticated” proxy firewall • A guard firewall examines and interprets the content of a packet. • A guard usually implements and enforces certain business policies. • Example: enforcing an email “quota” (p.433) • Other examples • Trade-offs? • Table 9-3 (p.434) Comparing the types of firewalls csci5233 computer security & integrity (Chap. 9)

  13. Firewalls • Examples of Firewall Configurations • Screening router only: Fig. 9-35 • Proxy firewall only: Fig. 9-36 • A combined approach: Fig. 9-37 Q: Does it make sense to reverse the position of the screening router and the proxy firewall in Fig. 9-37? csci5233 computer security & integrity (Chap. 9)

  14. DMZ (Demilitarized zone) • The segment in a network bounded by two firewalls. csci5233 computer security & integrity (Chap. 9)

  15. Considerations about Firewalls • Firewalls provide perimeter protection of a network, if the network’s perimeter is clearly defined and can be controlled by the firewall. • A firewall is a prime target to attack. • A firewall does not solve all security problems. Why not? • A firewall may have a negative effect on software portability. (See VM: Ch. 16 – Through the firewall) csci5233 computer security & integrity (Chap. 9)

  16. Summary • Network security is a rich area, in terms of complexity of the problem and research opportunities. • Intrusion detection • Honeypots • Security versus performance • … • Next: • Buffer overflow (VM: Ch 7) • Applying cryptography (VM: Ch 11) csci5233 computer security & integrity (Chap. 9)

More Related