Internet & Web Security
Overview • Encryption and authentication ... • Communication and data-sharing applications ... • Web security and firewalls ...
Encryption and authentication ... • Foundations of Internet security • Data confidentiality and integrity • Authentication • Example systems
Communication and data-sharing applications ... • Mail and news • Virtual terminal services • File sharing • Example systems
Web security and firewalls ... • WWW security • Network security issues • SATAN • Useful tools
Foundations of Internet security ... • Internet security ... • Layered protocol models ... • Security and Layered Internet Protocols ...
Internet security ... • Authentication ... • Access control ... • Integrity ... • Confidentiality ...
Authentication ... • Something you are (SYA) • Something you know (SYK) • Something you have (SYH)
Access control ... • Who gets access to what • Authentication, rights, privileges
Integrity ... • Current vs. original (pure) condition of data
Confidentiality ... • E-mail "like postcards" • FTP, WWW
Layered protocol models ... • Protocol message contents ... • Identities • Sender, receiver • Message length • Message data • Layered protocols ... • Protocol enveloping ... • OSI reference model ... • Internet TCP/IP model ... • Protocol enveloping in TCP/IP ...
Layered protocols ... • N layers
OSI reference model ... • Open Systems Interconnection abstract model • Does not define: PL bindings, OS bindings, API issues, UI issues • Defines: 7 protocol layers ...
Defines: 7 protocol layers ... • Physical ... • Data link ... • Network ... • Transport ... • Session ... • Presentation ... • Application ...
Physical ... • Network transmission medium • E.g., coaxial, twisted-pair, fiber-optic • Raw bit-stream service • Responsible only for writing / reading bits to / from physical medium
Data link ... • Group bits into frames • Goal: reliable delivery mechanism • Error detection • Noise, interference • Collisions • Flow control • Avoid unnecessary frame loss • Saturated buffers
Network ... • Extend data link layer • From local to neighboring / distant networks • E.g., Ethernet, Token Ring • Incompatible physical and link layers • ==> Internetworks (networks of networks) • Topology: routers • Two network layer services ...
Two network layer services ... • connection-oriented (CO) • "reliable" / "virtual-circuit" • well-ordered data stream • guards against loss, misordering and duplication • connectionless (CL) • "unreliable" / "datagram" • no guarantees
Transport ... • higher-level tasks (not just end-to-end delivery) • multiplexing • OSI: 5 incompatible transport protocols • CL, w/ CL network • CL, w/ CO network • CO, w/ CO network • CO, w/ CL network • highest layer that is network-aware
Session ... • how data exchanged in dialog • two-way simultaneous (full-duplex) • two-way alternate (half-duplex) • one-way (simplex) • checkpointing • synch points in data stream • resume aborted transfer at last encountered synch point
Presentation ... • hide diff in data rep'n • e.g., ASCII vs. EBCDIC • generic rep'n w/ ISO ASN.1 spec ...
generic rep'n w/ ISO ASN.1 spec ... • (Abstract Syntax Notation One) • Boolean • Integer (arb. length) • Real (arb. length & prec.) • Enumerated (days of week, months of year, etc.) • Bit string (arb. length) • Octet (byte) string (arb. length) • Null (any undef'd value)
Application ... • service consumer • via APIs
Internet TCP/IP model ... • 5 layers • physical, data link, network, transport, application • session and presentation functions handled by the application, w/ assistance of API • Network layer: IP ... • Transport layer: TCP & UDP ... • Application layer ...
Network layer: IP ... • move data between endpoints • if not on same host ==> routing • IP protocol • IP datagram (packet)
Transport layer: TCP & UDP ... • Transmission Control Protocol (TCP) • connection-oriented • User Datagram Protocol (UDP) • connectionless
Application layer ... • FTP • SMTP: Simple Mail Transfer Protocol • NNTP: Network News • HTTP
Protocol enveloping in TCP/IP ... • Application data --> TCP segment --> IP datagram --> Ethernet frame
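As an added illustration of the enveloping chain (this code is not from the lecture slides), the following builds the three envelopes around a constructed application payload and then peels them off again. Header layouts follow RFC 793 (TCP), RFC 791 (IPv4) and Ethernet II; the addresses, ports and payload are constructed sample values, and the TCP checksum is left zero because computing it needs the IP pseudo-header, which this example does not model.

```python
import struct

# Added example (not from the lecture slides): wrap constructed application data in a
# TCP segment, then an IP datagram, then an Ethernet frame, and unwrap it again.
# Addresses are constructed sample values from the RFC 5737 documentation range.

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def ip_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 1071), as used in the IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_segment(src_port: int, dst_port: int, seq: int, ack: int, flags: int, payload: bytes) -> bytes:
    """20-byte TCP header (data offset 5 words, no options) followed by the payload.
    The TCP checksum field stays zero here: computing it needs the IP pseudo-header."""
    offset_and_flags = (5 << 12) | flags
    header = struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack, offset_and_flags, 65535, 0, 0)
    return header + payload


def ip_datagram(src: str, dst: str, segment: bytes) -> bytes:
    """20-byte IPv4 header (version 4, IHL 5, TTL 64, protocol TCP) plus the segment."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    total_length = 20 + len(segment)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, 0, 0, 64, IPPROTO_TCP, 0, src_b, dst_b)
    header = header[:10] + struct.pack("!H", ip_checksum(header)) + header[12:]   # fill checksum field
    return header + segment


def ethernet_frame(src_mac: str, dst_mac: str, datagram: bytes) -> bytes:
    """Ethernet II: destination MAC, source MAC, EtherType, then the IP datagram."""
    return (bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
            + struct.pack("!H", ETHERTYPE_IPV4) + datagram)


def unwrap(frame: bytes) -> dict:
    """Peel the envelopes in reverse order: frame -> datagram -> segment -> application data."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    datagram = frame[14:]
    ihl = (datagram[0] & 0x0F) * 4
    if ip_checksum(datagram[:ihl]) != 0:      # a valid header, checksum included, sums to zero
        raise ValueError("IP header checksum mismatch")
    total_length, = struct.unpack("!H", datagram[2:4])
    proto = datagram[9]
    src = ".".join(str(b) for b in datagram[12:16])
    dst = ".".join(str(b) for b in datagram[16:20])
    segment = datagram[ihl:total_length]
    src_port, dst_port, seq, ack, offset_and_flags = struct.unpack("!HHIIH", segment[:14])
    data_offset = (offset_and_flags >> 12) * 4
    return {
        "proto": proto, "src": src, "dst": dst,
        "src_port": src_port, "dst_port": dst_port, "seq": seq, "ack": ack,
        "flags": offset_and_flags & 0x1FF, "data": segment[data_offset:],
    }


if __name__ == "__main__":
    payload = b"GET / HTTP/1.0\r\n\r\n"                                   # constructed application data
    seg = tcp_segment(40000, 80, seq=1000, ack=0, flags=0x018, payload=payload)   # PSH+ACK
    dgram = ip_datagram("192.0.2.10", "198.51.100.5", seg)
    frame = ethernet_frame("02:00:00:00:00:01", "02:00:00:00:00:02", dgram)
    print(len(payload), len(seg), len(dgram), len(frame))                # 18 38 58 72
    print(unwrap(frame))
```

Each layer adds its own header in front of what it received, so the 18-byte request grows by 20 bytes at TCP, 20 at IP and 14 at Ethernet; the unwrap side has to trust each header's length fields to find the next envelope, which is why a receiver validates the IP header checksum before reading further.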
Security and Layered Internet Protocols ... • Physical and link layer ... • Security at the IP layer ... • TCP/UDP layer ... • Application layer ...
Physical and link layer ... • physical transmission medium • access control • confidentiality
Security at the IP layer ... • network snooping (sniffing) ... • Message replay ... • Message alteration ... • Message delay and denial ... • Authentication issues ... • Unauthorized access ... • Routing attacks ...
network snooping (sniffing) ... • abuse of tools for debugging / network problems ... • network interface into promiscuous mode ... • solution: encrypt
abuse of tools for debugging / network problems ... • e.g., Network General's Expert Sniffer • etherfind (SunOS) • tcpdump (free on Internet) • Sniffer FAQ • comp.security, news.answers • ftp://ftp.iss.net/pub/faq/sniff • http://www.iss.net/iss/sniff.html
network interface into promiscuous mode ... • report all packets to sniffer • display / record • analyze • super user on unix / VMS • remote also possible
Message replay ... • snoop & record conversation between systems A & B • play back messages from A to B • replay, as if A • e.g., restore earlier password file (and account)
Message alteration ... • modify contents • modify checksums to cover alterations • solution: encrypt for data integrity
Message delay and denial ... • delay: datagrams held indefinitely • unauthorized control of router • authenticate to prevent • denial: datagrams discarded before delivery • overwhelm router / other comm. end system • datagram overflow ==> lost
Authentication issues ... • address masquerading ... • address spoofing ...
Address masquerading ... • configure network interface w/ other system's IP address • NFS: access solely based on IP address • one system down, another can masquerade
Address spoofing ... • aka TCP sequence number attack • exploits weakness of TCP • net effect at IP layer • How ... • Defense ...
How ... • Legitimate 3-way handshake A <--> B ... • C impersonates A ...
Legitimate 3-way handshake A <--> B ... • A --> B: SYN + ISN(A) (initial sequence number) • A <-- B: SYN + ISN(B) + ACK(ISN(A)) • A --> B: ACK(ISN(B)) • A <--> B: application data
C impersonates A ... • C --> B: counterfeit IP datagram SYN + ISN(C) • A <-- B: SYN + ISN(B) + ACK(ISN(C)) • A down; doesn't know • C --> B: ACK(ISN(B)) • C predicts ISN(B) • TCP ISN generator: 32-bit clock (w/ time) • C --> B: rsh command
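To make concrete why the handshake on the previous slide gives no protection when ISN(B) is a function of a clock, here is an added simulation (not from the slides) of B's side of the handshake with a pluggable ISN generator. B only establishes a connection if the ACK acknowledges ISN(B)+1; the audit function measures how often a peer that never sees the SYN+ACK can nonetheless supply that number by extrapolating from one ISN it observed earlier. The 4-microsecond tick, the timings and the in-memory Server are constructed assumptions, loosely modelled on the old BSD clock-driven generator; the hardened variant draws ISNs from a CSPRNG, which is the direction RFC 6528 takes.

```python
import secrets

# Added simulation (not from the slides): server B with a pluggable ISN generator and an
# audit of whether a peer that never sees B's SYN+ACK can still produce the right ACK.
# Tick rate, timings and the Server model are constructed assumptions.

MASK32 = 0xFFFFFFFF
TICK_US = 4                      # assumed: clock-based ISN advances once every 4 microseconds


def clock_isn(now_us: int) -> int:
    """Weak generator: a 32-bit counter that is a pure function of the clock."""
    return (now_us // TICK_US) & MASK32


def random_isn(now_us: int) -> int:
    """Hardened generator: ISN from a CSPRNG, independent of time and of earlier ISNs."""
    return secrets.randbits(32)


class Server:
    """Minimal model of B's side of the three-way handshake."""

    def __init__(self, isn_gen):
        self.isn_gen = isn_gen
        self.pending = {}            # peer address -> ISN(B) sent in the SYN+ACK

    def on_syn(self, peer: str, now_us: int) -> int:
        isn_b = self.isn_gen(now_us)
        self.pending[peer] = isn_b
        return isn_b                 # carried in SYN+ACK, addressed to `peer` (whoever that really is)

    def on_ack(self, peer: str, ack: int) -> bool:
        """The connection is established only if the ACK acknowledges ISN(B)+1."""
        if peer not in self.pending:
            return False
        return ack == (self.pending[peer] + 1) & MASK32


def legitimate_handshake(isn_gen, now_us: int = 1_000_000) -> bool:
    """A <--> B: A receives the SYN+ACK, so it knows ISN(B) and answers correctly."""
    server = Server(isn_gen)
    isn_b = server.on_syn("A", now_us)
    return server.on_ack("A", (isn_b + 1) & MASK32)


def blind_ack_success_rate(isn_gen, trials: int = 200) -> float:
    """Audit of the generator: a third party C opens one ordinary connection and records
    ISN(B); later a SYN claiming to be A arrives and the unseen SYN+ACK is answered by
    extrapolating the clock. Returns the fraction of trials in which B accepts the ACK."""
    hits = 0
    now = 1_000_000
    for _ in range(trials):
        server = Server(isn_gen)
        observed = server.on_syn("C", now)               # C's own, legitimate connection
        server.on_ack("C", (observed + 1) & MASK32)
        gap_us = 10_000                                  # assumed 10 ms until the SYN claiming to be A
        server.on_syn("A", now + gap_us)                 # SYN+ACK goes to A (down), so nobody sees it
        guess = (observed + gap_us // TICK_US + 1) & MASK32
        hits += server.on_ack("A", guess)
        now += 50_000
    return hits / trials


if __name__ == "__main__":
    for name, gen in (("clock", clock_isn), ("random", random_isn)):
        print(name, legitimate_handshake(gen), blind_ack_success_rate(gen))
```

With the clock generator every blind guess is accepted (the success rate comes out as 1.0), while with the random generator it is accepted in essentially none of the trials (one chance in 2^32 per trial); the legitimate handshake succeeds in both cases, which is the point: randomised ISNs cost a correct peer nothing and remove the only thing address-based authentication was relying on.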
Defense ... • 1. no address-based authentication • 2. screening router • filter packets based on configurable rules • inbound attacks from outside • outbound attacks from inside
Unauthorized access ... • Packet filtering • Screening router • Firewall
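The screening-router defence on the two preceding slides comes down to an ordered, first-match rule list applied to each packet's arrival interface, addresses, protocol, port and TCP flags. The following is an added example of such a rule set (not from the slides or any real router product); the network numbers, host addresses and rule list are constructed, with 192.0.2.0/24 standing in for the protected internal network. The first three rules implement both halves of the slide's defence: packets arriving from outside may not claim an inside source address, and packets leaving must carry one.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Added example (not from the slides): a first-match rule set for a screening router.
# All addresses are constructed values from the RFC 5737 documentation ranges.

INSIDE = ipaddress.ip_network("192.0.2.0/24")           # constructed protected network
ANY = ipaddress.ip_network("0.0.0.0/0")
MAIL_HOST = ipaddress.ip_network("192.0.2.25/32")        # constructed SMTP relay
WEB_HOST = ipaddress.ip_network("192.0.2.80/32")         # constructed web server


@dataclass
class Packet:
    iface: str          # "outside" or "inside": the interface the router received it on
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    dport: int = 0
    ack: bool = False   # TCP ACK flag: clear only on the first packet of a new connection


@dataclass
class Rule:
    action: str         # "permit" or "deny"
    iface: str          # "outside", "inside" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str = "any"
    dports: Optional[Tuple[int, ...]] = None
    state: str = "any"  # "any", "new" (ACK clear) or "established" (ACK set)
    note: str = ""

    def matches(self, p: Packet) -> bool:
        if self.iface != "any" and self.iface != p.iface:
            return False
        if ipaddress.ip_address(p.src) not in self.src:
            return False
        if ipaddress.ip_address(p.dst) not in self.dst:
            return False
        if self.proto != "any" and self.proto != p.proto:
            return False
        if self.dports is not None and p.dport not in self.dports:
            return False
        if self.state == "new" and p.ack:
            return False
        if self.state == "established" and not p.ack:
            return False
        return True


RULES = [
    # anti-spoofing: a packet arriving from outside must not claim an inside source address
    Rule("deny", "outside", INSIDE, ANY, note="inside source address arriving from outside"),
    # egress: hosts on the inside may talk out, but only with an inside source address
    Rule("permit", "inside", INSIDE, ANY, note="outbound from inside host"),
    Rule("deny", "inside", ANY, ANY, note="non-inside source address leaving"),
    # r-services (exec/login/shell) rely on address-based authentication: never from outside
    Rule("deny", "outside", ANY, INSIDE, "tcp", (512, 513, 514), note="r-service from outside"),
    # the services deliberately offered to the outside, each only on its designated host
    Rule("permit", "outside", ANY, MAIL_HOST, "tcp", (25,), note="SMTP to mail relay"),
    Rule("permit", "outside", ANY, WEB_HOST, "tcp", (80,), note="HTTP to web server"),
    # replies to connections opened from inside carry ACK; new connections from outside do not
    Rule("permit", "outside", ANY, INSIDE, "tcp", state="established", note="reply to inside-opened TCP"),
]


def decide(p: Packet) -> Tuple[str, str]:
    """First matching rule wins; anything unmatched is dropped (default deny)."""
    for rule in RULES:
        if rule.matches(p):
            return rule.action, rule.note
    return "deny", "default deny"


if __name__ == "__main__":
    for pkt in (Packet("outside", "192.0.2.7", "192.0.2.25", "tcp", 25),
                Packet("outside", "203.0.113.9", "192.0.2.25", "tcp", 25),
                Packet("outside", "203.0.113.9", "192.0.2.40", "tcp", 514),
                Packet("outside", "203.0.113.9", "192.0.2.40", "tcp", 40000, ack=True),
                Packet("outside", "203.0.113.9", "192.0.2.40", "tcp", 40000),
                Packet("inside", "203.0.113.9", "198.51.100.1", "tcp", 80)):
        print(pkt, "->", decide(pkt))
```

Rule order matters: the anti-spoofing deny sits first so that a packet from outside claiming an inside address can never reach the "established" permit, and the r-service deny sits before that permit for the same reason. Filtering on the ACK bit is a cheap approximation of connection state; a stateful firewall tracks the handshake itself instead of trusting a flag the sender controls.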
Routing attacks ... • normally: dynamic routing • instead: source routing (legit for tests) • use to bypass filter • or, pass through attacking location • alteration, delay, denial • ICMP (Internet Control Message Protocol) redirects
TCP/UDP layer ... • Some of same problems as at IP layer • No guarantee of confidentiality • packet filtering • hijacking • modify controls through "hijacked" privileges • e.g., steal telnet session
Application layer ... • Application gateways ... • APIs ...