1 / 120

Chapter 7 –Security in Networks

Chapter 7 –Security in Networks. Introduction to networks Threats against network applications Controls against network applications Firewalls Intrusion detection systems Private e-mail. Terminal-Host Systems. Created in the 1960s Central host computer does all the processing

Download Presentation

Chapter 7 –Security in Networks

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Chapter 7 –Security in Networks • Introduction to networks • Threats against network applications • Controls against network applications • Firewalls • Intrusion detection systems • Private e-mail

  2. Terminal-Host Systems • Created in the 1960s • Central host computer does all the processing • Terminal is dumb--only a remote screen and keyboard • Created in the 1960s, when microprocessors for terminal intelligence did not exist Terminals Host

  3. PC Networks • The Most Common Platform in Organizations • Allows PCs to share resources • Both Wintel (Windows/Intel) PCs and Macintoshes Network

  4. Network • A Network is an Any-to-Any Communication System • Can connect any station to any other Network

  5. Network • Each Station has a Unique Network Address • To connect, only need to know the receiver’s address • Like telephone number GHI DEF “Connect to GHI” ABC MNO JKL

  6. LANs and WANs • Networks Have Different Geographical Scopes • Local Area Networks (LANs) • Small Office • Office Building • Industrial Park / University Campus • Wide Area Networks (WANs) • Connect corporate sites or • Connect corporate sites with sites of customers and suppliers

  7. Elements of a Simple LAN Hub or Switch connects all stations Wiring is standard business telephone wiring (4 pairs in a bundle) Hub or Switch Wiring

  8. Elements of a Simple LAN Client PC Client PCs are used by ordinary managers and professionals; receive service Servers provide services to client PCs Server Server Server Client PC

  9. Elements of a Simple LAN • Client PC • Begin with stand-alone PC • Add a network interface card (NIC) todeal with the network • Networks have many client PCs • Server • Most PC nets have multiple servers

  10. Wide Area Networks • WANs Link Sites (Locations) • Usually sites of the same organization • Sometimes, sites of different organizations Site B Site A Site C WAN

  11. Client/Server Processing • Two Programs • Client program on client machine • Server program on server machine • Work together to do the required processing Server Program Client Program Client Machine Server

  12. Client/Server Processing • Cooperation Through Message Exchange • Client program sends Request message, such as a database retrieval request • Server program sends a Responsemessage to deliver the requested information or an explanation for failure Server Program Client Program Request Client Machine Response Server

  13. Client/Server Processing • Widely Used on the Internet • For instance, webservice • Client program (browser) sends an HTTP request asking for a webserver file • Server program (webserver application program) sends an HTTP response message with the requested webpage HTTP Request Message HTTP Response Message

  14. Client/Server Processing • On the Internet, a Single Client Program--the Browser (also known as the client suite)--Works with Many Kinds of C/S server applications • WWW, some E-mail, etc. E-mail Server Browser Webserver

  15. Standards Organizations and Architectures • TCP/IP Standards • Created by the Internet Engineering Task Force (IETF) • Named after its two most widely known standards, TCP and IP • TCP/IP is the architecture, while TCP and IP are individual standards • However, these are not its only standards, even at the transport and internet layers • IETF standards dominate in corporations at the application, transport, and internet layers • However, application, transport, and internet standards from other architectures are still used

  16. Standards Organizations and Architectures • OSI Standards • Reference Model of Open Systems Interconnection • Created by the International Telecommunications Union-Telecommunications Standards Sector (ITU-T) • And the International Organization for Standardization (ISO) • OSI standards dominate the data link and physical layers • Other architectures specify the use of OSI standards at these layers

  17. OSI Reference Model

  18. TCP/IP versus OSI • Lowest Four Layers are Comparable in Functionality

  19. Internet Standards • Accessing the WWW from Home App HTTP App Trans TCP Trans Int IP Int IP Int DL PPP DL ? DL Phy Modem Phy ? Phy User PC Router Webserver

  20. IndirectCommunication • Application programs on different machines cannot communicate directly • They are on different machines! HTTP Request Browser Web App Trans Trans Int Int DL DL Phy Phy User PC Webserver

  21. Layer Cooperation on the Source Host • Application layer process passes HTTP-request to transport layer process Application HTTP Request Transport Internet Data Link User PC Physical

  22. Layer Cooperation on the Source Host • Transport layer makes TCP segments • HTTP message is the data field • Adds TCP header fields shown earlier • Transport process “encapsulates” HTTP request within a TCP segment TCP Segment HTTP Request TCP-H Data Field TCP Header

  23. Layer Cooperation on the Source Host • Transport layer process passes the TCP segment down to the internet layer process Application Transport TCP segment Internet Data Link User PC Physical

  24. Layer Cooperation on the Source Host • The internet layer process passes the IP packet to the data link layer process • Internet layer messages are called packets Application Transport Internet IP packet Data Link User PC Physical

  25. Layer Cooperation on the Source Host • The data link layer process passes the PPP frame to the physical layer process, which delivers it to the physical layer process on the first router, one bit at a time (no message at the physical layer) Application Transport Internet To first router Data Link PPP frame User PC Physical (10110 …)

  26. Layer Cooperation on the Source Host • Recap: Adding Headers and Trailers: Application HTTP msg Transport HTTP msg TCP-H Internet HTTP msg TCP-H IP-H Data Link PPP-T HTTP msg TCP-H IP-H PPP-H User PC Physical

  27. Protocols • A protocol is a standard for communication between peer processes, that is, processes at the same layer, but on different machines • TCP, IP, and PPP all have “protocol” as their final “P;” they are all protocols • TCP (Transmission Control Protocol) is the protocol governing communication between transport layer processes on two hosts Message Trans TCP Trans

  28. Domain Name System (DNS) • Only IP addresses are official • e.g., 128.171.17.13 • These are 32-bit binary numbers • Only they fit into the 32-bit destination and source address fields of the IP headers IP Packet 32-bit Source and Destination Addresses (110011...)

  29. Domain Name System (DNS) • Users typically only know host names • e.g., voyager.cba.hawaii.edu • More easily remembered, but • Will not fit into the address fields of an IP packet IP Packet NO voyager.cba.hawaii.edu

  30. Internet and Data Link Layer Addresses • Each host and router on a subnet needs a data link layer address to specify its address on the subnet • This address appears in the data link layer frame sent on a subnet • For instance, 48-bit 802.3 MAC layer frame addresses for LANs Subnet DA DL Frame for Subnet

  31. Addresses • Each host and router also needs an IP address at the internet layer to designate its position in the overall Internet 128.171.17.13 Subnet Subnet Subnet

  32. IPv6 • Current version of the Internet Protocol is Version 4 (v4) • Earlier versions were not implemented • The next version will be Version 6 (v6) • No v5 was implemented • Informally called IPng (Next Generation) • IPv6 is Already Defined • Continuing improvements in v4 may delay its adoption

  33. IPv6 • IPv6 will raise the size of the internet address from 32 bits to 128 bits • Now running out of IP addresses • Will solve the problem • But current work-arounds are delaying the need for IPv6 addresses

  34. What Makes a Network Vulnerable? • Anonymity • Many points of attack (targets & origins) • Sharing • Complexity of system • Unknown perimeter • Unknown path

  35. Who Attacks Networks Hackers break into organizations from the outside Challenge Fame Money & Espionage Ideology However, most security breaches are internal, by employees and ex-employees

  36. Threat Precursors • Port Scan • Social Engineering • Reconnaissance • Bulletin Board / Chat • Docs • Packet Sniffers (telnet/ftp in cleartext)

  37. Network Security Threats • Interception • If interceptor cannot read, have confidentiality (privacy) • If cannot modify without detection, have message integrity

  38. Network Security Threats • Impostors (Spoofing/ Masquerade) • Claim to be someone else • Need to authenticate the sender--prove that they are who they claim to be Impostor True Person

  39. Network Security Threats • Remotely Log in as Root User • Requires cracking the root login password • Then control the machine • Read and/or steal information • Damage data (erase hard disk) • Create backdoor user account that will let them in easily later Root Login Command

  40. Security Threats • Content Threats • Application layer content may cause problems • Viruses • In many ways, most severe security problem in corporations today • Must examine application messages

  41. Replay Attack • First, attacker intercepts a message • Not difficult to do

  42. Replay Attack • Later, attacker retransmits (replays) the message to the original destination host • Does not have to be able to read a message to replay it

  43. Replay Attack • Why replay attacks? • To gain access to resources by replaying an authentication message • In a denial-of-service attack, to confuse the destination host

  44. Thwarting Replay Attacks • Put a time stamp in each message to ensure that the message is “fresh” • Do not accept a message that is too old • Place a sequence number in each message • Do not accept a duplicated message Message Time Stamp Sequence Number

  45. Thwarting Replay Attacks • In request-response applications, • Sender of request generates a nonce (random number) • Places the nonce in the request • Server places the nonce in the response • Neither party accepts duplicate nonces Request Response Nonce Nonce

  46. Network Security Threats • Denial of Service (DOS) Attacks • Overload system with a flood of messages • Or, send a single message that crashes the machine

  47. Denial of Service (DOS) Attacks • Transmission Failure • Connection Flooding • Echo-Chargen • Ping of Death • Smurf • Syn Flood • Traffic Redirection • DNS Attacks • Distributed Denial of Service

  48. VPNs • IETF developing IPsec security standards • IP security • At the internet layer • Protects all messages at the transport and application layers E-Mail, WWW, Database, etc. TCP UDP IPsec

  49. VPNs • IPsec Transport Mode • End-to-end security for hosts Local Network Internet Local Network Secure Communication

  50. VPNs • IPsec Tunnel Mode • IPsec server at each site • Secure communication between sites Local Network Internet Local Network IPsec Server Secure Communication

More Related