
Internet Security

Internet Security. Based on Learning Tree Course #468: Internet and Intranet Security: A Comprehensive Introduction. Security Model Objectives vs. Threats. Normal Flow. Information Destination. Information Source. Authenticity vs. Masquerade. Privacy vs. Interception.



Presentation Transcript


  1. Internet Security
     Based on Learning Tree Course #468: Internet and Intranet Security: A Comprehensive Introduction
     Will Lennon

  2. Security Model: Objectives vs. Threats
     [Diagram: Normal Flow from Information Source to Information Destination]
     • Authenticity vs. Masquerade
     • Privacy vs. Interception
     • Integrity vs. Modification
     • Availability vs. Interruption

  3. Authenticity vs. Masquerade
     • Personal Authenticity (Logins): restrict access to unauthorized users
     • Interior Authenticity (DHCP, IPSec): restrict access to unauthorized hosts
     • Exterior Authenticity (firewalls): restrict access to internal services

  4. Authenticity vs. Masquerade
     3 ways to establish personal identity:
     • Something you know (Passwords)
     • Something you have (Keys)
     • Something you are (Biometrics)

  5. Personal Authenticity vs. Masquerade
     Password attacks:
     • Guessing (spouse, pets, child)
     • Cracking passwords (dictionary attacks)
     • Snooping passwords (network analyzers)
     • Social Engineering (Deception)
     • Trojan Horses

  6. Personal Authentication Methods
     • One-time lists
     • Repeated hashing (S/Key, OPIE)
     • Electronic tokens
     • Challenge-Response Schemes (CHAP)

  7. Interior Authentication: IPSec
     • Generic security mechanism for IPv6
     • A security association is created between two parties
     • Provides privacy services as well as authentication
     • Included in most modern O.S.s

  8. Exterior Authentication: Firewalls
     Packet Filters
     • Stateless Packet Filters
     • Stateful Packet Filters
     Proxies
     • Application Proxy
     • Circuit-Level Gateways

  9. Sanity Check
     [Diagram: Router between Network 1 (147.117.xx.xx) and Network 2 (192.168.88.xx)]
     • From: 192.168.88.11, To: 192.168.88.33: Insane: blocked
     • From: 147.117.32.65, To: 192.168.88.33: Sane: pass

  10. Stateless Packet Filters
     [Diagram: Router between Network 1 (147.117.xx.xx) and Network 2 (192.168.88.xx)]
     • Telnet (port 23): Block
     • SMTP (port 25): Pass

  11. Stateless Packet Filter Refinements: TCP
     • Block incoming packets without ACK to block connections initiated by external hosts
     • Doesn't work for UDP
     [Diagram: TCP Handshake: Client sends SYN to Server; Server replies SYN + ACK; Client sends ACK]

  12. Problems with Stateless Packet Filtering
     • IP Fragmentation
     • Protocols with variable port numbers
     • Non-standard use of standard ports
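The router decisions of slides 9 to 12 as one stateless filter, written as an added example (not the course's code): the sanity check on source addresses, the port rules, the ACK refinement for TCP, and how a non-initial IP fragment and a UDP datagram defeat those checks. The inside/outside networks and ports are the slides' values; the rule order and the default-deny fallback are this example's assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import FrozenSet

# Network 2 (192.168.88.x) is the inside network; packets handled here arrive
# at the router from Network 1 (147.117.x.x), the outside.
INSIDE = ip_network("192.168.88.0/24")

@dataclass
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp" or "udp"
    dport: int = 0                  # 0 when no transport header is present
    flags: FrozenSet[str] = field(default_factory=frozenset)
    frag_offset: int = 0            # > 0: non-initial IP fragment, no TCP/UDP header

def filter_inbound(pkt: Packet) -> str:
    """Return the verdict for a packet arriving on the outside interface."""
    # Slide 9 sanity check: an inside source address arriving from outside
    # is a masquerade, whatever the port or flags say.
    if ip_address(pkt.src) in INSIDE:
        return "block: insane source (inside address from outside)"
    # Slide 12 problem: a non-initial fragment carries no port and no flags,
    # so none of the rules below can be evaluated; drop it rather than guess.
    if pkt.frag_offset > 0:
        return "block: fragment without transport header"
    if pkt.proto == "tcp":
        # Slide 10 service rules for TCP.
        if pkt.dport == 23:
            return "block: telnet"
        if pkt.dport == 25:
            return "pass: smtp"
        # Slide 11 refinement: a segment without ACK is the start of a
        # connection initiated outside; one with ACK belongs to a flow
        # an inside host opened (as far as a stateless filter can tell).
        if "ACK" in pkt.flags:
            return "pass: tcp return traffic (ACK set)"
        return "block: inbound connection attempt (no ACK)"
    # Slide 11 caveat: UDP has no handshake flags, so direction cannot be
    # inferred at all; only an explicit port rule could admit it.
    if pkt.proto == "udp":
        return "block: udp direction unverifiable (default deny)"
    return "block: default deny"
```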

  13. Circuit-Level Gateway
     1: Inside Host connects to TCP port on Gateway
     2: Gateway connects to Outside Host
     3: Gateway passes messages transparently
     [Diagram: Inside Host → (1) Gateway → (2) Outside Host; (3) messages relayed through the Gateway]

  14. Screened Subnet Topology
     [Diagram: Internal Network behind a Screening Router (Packet Filter); DMZ containing FTP Server, WWW Server, WWW Proxy; DWOS]

  15. Chapman Architecture
     [Diagram: Internal Network behind a Screening Router (Packet Filter); DMZ between two Screening Routers containing FTP Server, WWW Server, Bastion Host (WWW); DWOS]

  16. Privacy vs. Interception
     3 ways to maintain information privacy:
     • Hide the existence -> steganography
     • Hide the content -> access control
     • Hide the meaning -> encryption

  17. Cryptography / Encryption
     [Diagram: Hello → Encryptor (Key A) → a#k3Wj → Decryptor (Key B) → Hello]
     Two types of cryptographic algorithms exist:
     1) Secret Key (aka Symmetrical): Key A == Key B
        DES, 3DES, Blowfish, RC5, IDEA, Skipjack
     2) Public Key (aka Asymmetrical): Key A != Key B
        RSA, DSA
     Hash Functions: MD5, SHA

  18. Public Key Encryption Example
     Alice: "I want to send you a secret message."
     Ahab: "Encrypt it with my public key: s6sd2KlUq."
     Alice: "Here's the message: iqm3k2lsjesk"
     Ahab: "Got it."
     [Diagram: Alice and Ahab, with an eavesdropper (?) between them]

  19. Virtual Private Networks (VPNs)
     • VPN is an encrypted tunnel through which all data passes between two endpoints
     • Endpoints are usually firewalls
     • Encryption technology varies, often negotiated using IPSec
     [Diagram: Net 1 — VPN over the Internet — Net 2]

  20. Integrity vs. Modification
     Use a Hash Function to assure Integrity. A Hash Sum or message digest is:
     • data dependent
     • irreversible
     • collision free
     [Diagram: Message → Hash Function → Hash Sum]

  21. Cryptography for Personal Messages
     [Diagram:
      Message → MD5 Hash (Integrity) → Hash Sum
      Hash Sum → Encrypt with Sender's Private Key (Authenticity) → Digital Signature
      Message + Digital Signature → Encrypt with Receiver's Public Key (Privacy) → Encrypted Private Message]
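The integrity and authenticity steps of slides 20 and 21, as an added example rather than anything from the course: the sender hashes the message and signs the hash sum with a private key, the receiver recomputes the hash and checks it against the signature, and a one-character change is detected. The toy RSA key built from two fixed Mersenne primes and the use of SHA-256 in place of the slide's MD5 are this example's choices; the privacy step (encrypting for the receiver's public key) is left out.

```python
import hashlib
from math import gcd

# Constructed toy primes: about 92 bits of modulus, far too small for real use,
# and textbook RSA without padding is only for illustrating the data flow.
P, Q = 2**61 - 1, 2**31 - 1

def make_keypair(p=P, q=Q, e=65537):
    """Return (public_key, private_key) as (e, n) and (d, n)."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "e must be invertible mod phi(n)"
    return (e, n), (pow(e, -1, phi), n)

def hash_sum(message: bytes) -> int:
    """Slide 20: a data-dependent, irreversible digest of the message."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(message: bytes, private_key) -> int:
    """Slide 21: 'encrypt' the hash sum with the sender's private key."""
    d, n = private_key
    # Reduced mod n only because the toy modulus is smaller than the digest.
    return pow(hash_sum(message) % n, d, n)

def verify(message: bytes, signature: int, public_key) -> bool:
    """Receiver recovers the hash from the signature with the sender's public
    key and compares it with the hash of the message actually received."""
    e, n = public_key
    return pow(signature, e, n) == hash_sum(message) % n

def digest_bits_changed(a: bytes, b: bytes) -> int:
    """How many of the 256 digest bits differ: the 'data dependent' property."""
    return bin(hash_sum(a) ^ hash_sum(b)).count("1")

SENDER_PUB, SENDER_PRIV = make_keypair()
MESSAGE = b"Transfer 100 to account 42"      # constructed sample message
TAMPERED = b"Transfer 900 to account 42"     # one character changed in transit

if __name__ == "__main__":
    sig = sign(MESSAGE, SENDER_PRIV)
    print("signature on original verifies:", verify(MESSAGE, sig, SENDER_PUB))
    print("signature on tampered verifies:", verify(TAMPERED, sig, SENDER_PUB))
    print("digest bits changed by the edit:", digest_bits_changed(MESSAGE, TAMPERED))
```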

  22. Availability vs. Interruption
     Bombs:
     • Files that have undesirable behavior
     Viruses:
     • Designed to propagate themselves
     • Limited to a particular OS or application
     • Must be attached to another piece of software
     Worms:
     • Similar to viruses but are stand-alone software

  23. Availability vs. Interruption
     • Electro-Magnetic Pulse (EMP) / HERF gun: High Energy Radiated Frequency
     • Data Flood: -->traceOn("")
     • Broadcast Storms: "Smurf Attack"
     • Bombardment Attacks: SYN flood
     • Duplicate IP Address problem

  24. SYN Flood
     [Diagram: Client sends SYN; Server opens a new port, sends SYN + ACK, and waits for the client to acknowledge; the ACK never arrives]
     • Client repeatedly sends SYN messages.
     • Client never sends the ACK message.
     • Server's ports quickly become full.
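The symptom slide 24 describes, half-open connections that never receive the client's ACK, turned into detection logic as an added example (not part of the course). It runs over constructed connection records of the form (src, sport, dst, dport, flags) standing in for a packet or flow log; the addresses are from the documentation ranges and the threshold of 20 is an assumption.

```python
from collections import defaultdict

SERVER = "203.0.113.25"          # constructed server address
CLIENT = "192.0.2.10"            # constructed legitimate client
FLOODER = "198.51.100.7"         # constructed flooding client

# A legitimate client completes the three-way handshake.
RECORDS = [
    (CLIENT, 51000, SERVER, 80, "SYN"),
    (SERVER, 80, CLIENT, 51000, "SYN+ACK"),
    (CLIENT, 51000, SERVER, 80, "ACK"),
]
# Slide 24: the flooder repeatedly sends SYN from fresh source ports; the
# server answers each with SYN+ACK and the final ACK never comes.
for sport in range(40000, 40060):
    RECORDS.append((FLOODER, sport, SERVER, 80, "SYN"))
    RECORDS.append((SERVER, 80, FLOODER, sport, "SYN+ACK"))

def half_open(records):
    """Map (client, server) -> number of connections left waiting for the ACK."""
    pending = set()
    for src, sport, dst, dport, flags in records:
        if flags == "SYN":
            pending.add((src, sport, dst, dport))
        elif flags == "ACK":
            # Client's ACK completes the handshake the server was waiting on.
            pending.discard((src, sport, dst, dport))
        # "SYN+ACK" is the server's reply; the entry stays pending until the ACK.
    counts = defaultdict(int)
    for src, _, dst, _ in pending:
        counts[(src, dst)] += 1
    return dict(counts)

def suspected_flooders(records, threshold=20):
    """Sources holding at least `threshold` half-open connections to one server."""
    return sorted(pair for pair, n in half_open(records).items() if n >= threshold)

def servers_under_pressure(records, threshold=20):
    """Per-server total of half-open connections: this view still works when
    the flood spoofs many different source addresses and no single one stands out."""
    per_server = defaultdict(int)
    for (_, server), n in half_open(records).items():
        per_server[server] += n
    return sorted(s for s, n in per_server.items() if n >= threshold)
```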

  25. Smurf Attack
     [Diagram: Attack Station sends Start to Zombies; Zombies send Ping To: 255.255.255.255 From: 1.2.3.4 to Relays; Relays send Ping Response To: 1.2.3.4 From: w.x.y.z; Victim 1.2.3.4 receives the responses]

  26. Requirements for Good Security
     • Security Policy
     • Security Technology
     • Activity Logging
     • Incident Response Plan
     • Enforcement
