topic 10 network security management l.
Skip this Video
Loading SlideShow in 5 Seconds..
Topic 10: Network Security Management PowerPoint Presentation
Download Presentation
Topic 10: Network Security Management

Loading in 2 Seconds...

  share
play fullscreen
1 / 91
Download Presentation

Topic 10: Network Security Management - PowerPoint PPT Presentation

lotus
539 Views
Download Presentation

Topic 10: Network Security Management

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. Topic 10: Network Security Management References: FD: Chapter 10 WS: Chapter 18 & 20

  2. Outline • An introduction to network security • Preventing unauthorized access • Data encryption/decryption • Securing e-commerce transactions • Protecting network from the intrusion Business Data Communications, 4e

  3. An introduction to network security

  4. Why Networks Need Security In recent years, organizations have become increasingly dependent on the data communication networks for their daily business communications, database retrieval, distributed data processing, and the internetworking of LANs. The losses associated with security failures can be huge. More important than direct theft losses are the potential losses from the disruption of applications systems that run on computer networks. Business Data Communications, 4e

  5. Figure 10-2 Number of Incidents Reported to CERT (Computer Emergency Response Team) Business Data Communications, 4e Source: CERT Statistics, www.cert.org/stats/cert_stats.html

  6. Percent of organizations reporting security problems due to this cause in the last 12 months Figure 10-5 Common Threats Business Data Communications, 4e

  7. Crime Is Soaring in Cyberspace • New York Times (01/27/03) P. C4; Tedeschi, Bob Cybersecurity consultants such as Ponemon Institute Chairman Larry Ponemon report that cybercrimes are increasing exponentially, yet quantifying losses is difficult because victimized companies are reluctant to publicly disclose electronic theft for a variety of reasons, including fear that it will inspire other hackers to attack them, shake the confidence of their customers and investors, or make them the target of rival businesses' ridicule. Ponemon adds that companies often hide these losses in their balance sheets, a practice that does not allow for "a clean picture of how expensive it is to have to deal with fraudulent or criminal activities." Mi2g estimates that the number of successful, confirmed worldwide hacker intrusions this month will probably exceed 20,000, compared to 16,000 in October. Last year, the FBI and the Computer Security Institute held a survey of 500 computer security practitioners, and found that 80 percent of respondents admitted that their companies sustained financial losses from hack attacks; the average loss was $2 million, according to 223 respondents who quantified the damage. Deloitte Touche Tohmasu's Richard Power reports that the increase in cybercrime is partly attributable to the economic downturn, while cutbacks in corporate budgets and personnel only increase the difficulty businesses face in securing their computer systems. Law enforcement officials acknowledge that tracing cybercrime is hard, because hackers can use technology to remain anonymous--plus they have an advantage over the authorities in terms of skill and numbers. Complicating matters is the fact that perpetrators are often corporate insiders; in fact, Gartner analyst John Pescatore attributes 70 percent of cyber-intrusions to employees who sold information to competitors in hopes of getting better jobs or building a financial cushion to sustain them if they are let go.http://www.nytimes.com/2003/01/27/technology/27ECOM.html Business Data Communications, 4e

  8. Ex-Officials Urge U.S. to Boost Cybersecurity • Washington Post (04/09/03) P. E5; Krebs, Brian Former White House cybersecurity advisor Richard A. Clarke told a House Government Reform subcommittee yesterday that the Homeland Security Department is ill-equipped to effectively implement the White House's National Strategy to Secure Cyberspace, which he co-authored. He warned that legislators should not dismiss the ramifications of an assault on U.S. computer networks, arguing that such thinking is similar to the now-defunct assumption that a major foreign terrorist attack could never take place on American soil. Former National Infrastructure Protection Center (NIPC) director Michael Vatis, who also testified before the House panel, agreed with Clarke. He added that many positions in the Homeland Security Department's cybersecurity division are still unfilled, because most FBI cybersecurity specialists assigned to the NIPC were not transferred to the new department. The Homeland Security Department's David Wray admitted that over 200 positions are still vacant, but supported the Bush administration's decision to have all cybersecurity efforts coordinated by a single officer.Click Here to View Full Article Business Data Communications, 4e

  9. SETI@home Flaw Could Let Invaders In • CNet (04/07/03); Lemos, Robert; Gray, Patrick The SETI@home project released a new version of its distributed client software on April 4 in order to close a buffer overflow flaw that could allow hackers to commandeer the computer systems of SETI@home volunteers. SETI@home is a distributed computing project in which PC users donate idle processing time to scan radio-telescope data for signs of intelligent extraterrestrial transmissions. Three vulnerabilities: • The first one is the buffer overflow problem, to SETI@home in December, which were not disclosed to the public until this past weekend. • Another flaw resides in the project servers that could allow a hacker to breach the main servers and take advantage of all SETI@home clients. • The third flaw Wever alerted SETI@home to lies in the unencrypted data the client sends to the server--such information revolves around the computer that is running the client.http://news.com.com/2100-1002-995801.html Business Data Communications, 4e

  10. Loss from Hack Attacks The cost of cyberattacks to U.S. businesses doubled to $10 billion in 1999, according to estimates from the Computer Security Institute (CSI). The research group today is releasing the results of its survey of 643 large organizations, showing estimated losses of $266 million in 1999 from cybercrime, which is more than twice the amount lost in 1998. - Los Angeles Times (03/22/00) P. C1; Piller, Charles Business Data Communications, 4e

  11. A Hacker’s Story • Kevin Mitnick - a famous hacker • arrested At 1:30 a.m., February 15, 1995 • released on January 21, 2000 • What has he done? • Broke into LA Unified School District’s main computers when he was in high school. • Accessed North American Air Defense Command computers • He is referred to as “electronic terrorist” for many computer break-ins he has committed. • More stories Business Data Communications, 4e

  12. A True Story of Linux Hacking • How the hacker did? • Got the login for admin account • Delete netlog directory to prevent discovery • Load a DoS software bomb • Attack other computers using the bomb • How it is discovered? • When it attacks someone caught it • A complaint is sent to Tech Business Data Communications, 4e

  13. A True Story of Linux Hacking From: roger rick [mailto:h4ker@hotmail.com] Sent: Sunday, February 04, 2001 2:32 PM To: J.Stalcup@ttu.edu; webmaster@ba.ttu.edu Subject: Compromised Box? I believe on of your systems on your subnet has been compromised and is now running a eggdrop on IRC EFnet. A eggdrop is a client that is always connected to the EFnet server and allows a user to get Operator status. This eggdrop could result in DoS attacks on your server if the user makes the right people angry. ÚÄÄÄÄÄ---Ä--ÄÄÄ-ÄÄÄÄÄÄ---Ä--ÄÄ-ÄÄÄÄÄÄÄÄÄ -- - | H20B0NG ( bong@geek.ba.ttu.edu <mailto:bong@geek.ba.ttu.edu> ) ³ ircname : ]real eyes realize real lies[ | channels : #shells ³ server : irc.stanford.edu ÀÄÄÄÄÄ---Ä--ÄÄÄ-ÄÄÄÄÄÄ---Ä--ÄÄ-ÄÄÄÄÄÄÄÄÄ -- - There is the bot and system information. If you are not concerned about this, sorry for wasting your time. But it could result in downtime in the long run. Look for a connection to a irc server on port 6667, It might reveal the persons IP that is using your box to connect. Thanks. Roger Business Data Communications, 4e

  14. Security Threats - Type 1 Non-technical based threats and can be prevent and protected using managerial approaches. Typically, they are from disasters. • Nature disasters: flood, fire, earthquake, etc • Terror attacks • Criminal cases • Accidents by human error Direct consequences: • Destroying host computers or large sections of the network. • Damaging data storages Business Data Communications, 4e

  15. How to prevent the losses from type 1 threats? • Discussion focus: If you were CIO for a large company what you should do to prevent the losses from a disaster from a managerial point of view? Business Data Communications, 4e

  16. Security Threats - Type 2 These are technical attacks. Need both technical and managerial approaches to prevent and protect the attacks. • Destruction: Virus/Worm attacks • Disruption: DoS (Denial of Service) and DDoS (Distributed DoS) attack • Unauthorized access: often viewed as hackers gaining access to organizational data files and resources. • Most unauthorized access incidents involve employees. Serious intruders could change files to commit fraud or theft, or destroy information to injure the organization. • Story: Microsoft network was hacked in Oct. 2000 Business Data Communications, 4e

  17. Attacks: Passive vs. Active • Passive Attacks • Eavesdropping and Monitoring • Targets: Electronic mail, file transfers, and client/server exchanges • Active Attacks • Modification of transmitted data • Attempts to gain unauthorized access to computer systems • E.g. Modification, Hacking, Software bombing, Disrupting Business Data Communications, 4e

  18. Worm vs. Virus Business Data Communications, 4e

  19. Red Alert Worm • "'Code Red' Unleashed on Web"Los Angeles Times (08/01/01) P. C3; Piller, Charles • A malicious computer worm is spreading over the Internet, causing infected computers to search the Web to find more victims. Eventually the Code Red worm, which only recently began its spread, will cause its host computers to deluge the White House Web site with a barrage of data. However, a previous version of the worm was released earlier last month against the same White House target. That version also defaced the Web sites hosted on the servers it infected with a message claiming "Hacked by Chinese," though the Chinese government has denied the worm originated in that country. Officials at the White House have since used an address-change technique to divert the data flow from Code Red computers, and the site will also remain safe from the current version. Code Red, however, will continue to spread, reaching its peak within 36 hours of its August 1st release date, according to Internet Security Systems researcher Chris Rouland. The worm is programmed to go dormant on August 28th. Business Data Communications, 4e

  20. A True Story of Red Alert Attack • When: July 20, 2001 • Where: Dr. Lin’s Office • What computer: 129.118.49.94, Windows 2000 Advanced Server • How: Not known yet • Who discovered the attack: someone using DShield.org reported and sent BACS an email • Symptoms: • When using asp scripts, the page displays: “Hacked by Chinese” • A malicious program scans ports of other computer Business Data Communications, 4e

  21. Security Attacks Normal flow Interruption Interception Business Data Communications, 4e Modification Fabrication

  22. How to protect your network • Managerial approaches • Technical approaches Business Data Communications, 4e

  23. Preventing unauthorized access

  24. Preventing Unauthorized Access Approaches to preventing unauthorized access: • Developing a security policy • Developing user profiles • Strengthen physical security and software security • Securing dial-in service system • Fix security holes • Using firewall • Using encryption A combination of all techniques is best to ensure strong security. Business Data Communications, 4e

  25. Securing Network Access Points What is a firewall: A router, gateway, or special purpose computer that examines packets flowing into and out of a network and restricts access to the organization’s network. Why using firewall: With the increasing use of the Internet, it becomes important to prevent unauthorized access to your network from intruders on other networks. Case Study: Attack to a firewall Business Data Communications, 4e

  26. Securing Network Access Points Packet-level firewall: • Examines the source and destination address of every network packet that passes through it and only allows packets that have acceptable source and destination addresses to pass. • Vulnerable to IP-level spoofing, accomplished by changing the source address on incoming packets from their real address to an address inside the organization’s network. • Many firewalls have had their security strengthened since the first documented case of IP spoofing in December 1994. Business Data Communications, 4e

  27. *Spoof • "Spoof" was a game invented in 1933 by an English comedian, Arthur Roberts. Webster's defines the verb to mean (1) to deceive or hoax, and (2) to make good-natured fun of. On the Internet, "to spoof" can mean: • To deceive for the purpose of gaining access to someone else's resources (for example, to fake an Internet address so that one looks like a certain kind of Internet user) • To simulate a communications protocol by a program that is interjected into a normal sequence of processes for the purpose of adding some useful function • To playfully satirize a Web site. Business Data Communications, 4e

  28. Application-level Firewall Application-level firewall • Acts as an intermediate host computer or gateway between the Internet and the rest of the organization’s network. • In many cases, needs special programming codes to permit the use of application software unique to the organization. Difference: • packet-level firewalling - prohibits only disabled accesses • application-level firewalling - permits only authorized accesses Business Data Communications, 4e

  29. Proxy Server Proxy server - the technology for firewalls • Uses an address table to translate network addresses inside the organizations into fake addresses for use on the Internet (network address translation or address mapping). This way systems outside the organization never see the actual internal IP addresses. • Is becoming the application-level firewall of choice. Many organizations use a combination of packet-level and application-level firewalls. Business Data Communications, 4e

  30. Network Address Translation (NAT) • The process of translating between one set of private addresses inside a network and a set of public address outside the network. • Transparent • A NAT proxy server uses an address table to translate the private IP addresses used inside the organization into proxy IP address used on the Internet. It uses the source port number in the TCP packet to a unique number that it uses as an index into its address table to find the IP address of the actual sending computer in the internal network. Business Data Communications, 4e

  31. *Proxy Server Features • Reverse hosting. • Reverse proxy. • Multi-protocol support. • Virtual private networking ability. • Application-level proxy • Circuit level proxy with SOCKS 4 client support and SOCKS 5 logic policy support. • Secure Sockets Layer (SSL) tunneling. • Authentication. • Enterprise security management such as LDAP based user/group/password management for proxy authentication, Simple Network Management Protocol (SNMP) support, etc. Business Data Communications, 4e

  32. (Demilitarized Zone) Business Data Communications, 4e

  33. DMZ • Features: • Allows limited accesses to DMZ from the outside (Using a packet level firewall) • Prevent unauthorized accesses to departmental networks from the Internet (using a proxy server) • Allows full accesses to DMZ and the Internet from internal networks • Limits inter-departmental accesses (using the proxy server for each department) Business Data Communications, 4e

  34. Network Eavesdropping Another way to gain unauthorized access, where the intruder inserts a listening device or computer into the organization’s network to record messages. Targets: • Network cables, • Network devices such as controllers, hubs, and bridges Certain types of cable can impair or increase security by making eavesdropping easier (i.e. wireless) or more difficult (i.e. fiber optic). Physical security of the network’s local loop and interexchange telephone circuits is the responsibility of the common carrier. Business Data Communications, 4e

  35. Trojan Horse - A Malicious Sniffer A tiny program that runs on a workstation (PC or Macintosh). In its simplest form, it simply records every key pressed, including your username and password when logging onto any computer network. Trojan Horse may steal the important security information without awareness. Business Data Communications, 4e

  36. Data encryption/decryption

  37. Outline of Encryption • Symmetric key encryption • Public-key encryption • Key management • Digital signature • Digital certificate • Certificate authority Business Data Communications, 4e

  38. Encryption Encryption: A means of disguising information by the use of mathematical rules known as algorithms to prevent unauthorized access. Five components to the algorithm • Plaintext: The original readable message or data • Ciphertext: encrypted message produced as output. • Encryption algorithm: Performs various substitutions and transformations on the plaintext. • Secret key: Input to the encryption algorithm. Substitutions and transformations performed depend on this key • Decryption algorithm: Encryption algorithm run in reverse. Uses ciphertext and the secret key to produce the original plaintext. Business Data Communications, 4e

  39. Using Encryption Today, the U.S. government considers encryption to be a weapon, and regulates its export in the same way it regulates the export of machine guns or bombs. The government is also trying to develop a policy called key escrow (key recovery), requiring key registration with the government. Business Data Communications, 4e

  40. Location of Encryption Devices • Link encryption • Each vulnerable communications link is equipped on both ends with an encryption device. • All traffic over all communications links is secured. • Vulnerable at each switch • End-to-end encryption • the encryption process is carried out at the two end systems. • Encrypted data are transmitted unaltered across the network to the destination, which shares a key with the source to decrypt the data • Packet headers cannot be secured Business Data Communications, 4e

  41. Encryption Methods • The essential technology underlying virtually all automated network and computer security applications is cryptography • Two fundamental approaches are in use: • conventional encryption, also known as symmetric encryption • public-key encryption, also known as asymmetric encryption Business Data Communications, 4e

  42. Conventional Encryption Operation Business Data Communications, 4e

  43. Conventional Encryption Requirements & Weaknesses • Requirements • A strong encryption algorithm • Secure process for sender & receiver to obtain secret keys • Methods of Attack • Cryptanalysis • Brute force Business Data Communications, 4e

  44. Symmetric Key Encryption - DES Data encryption standard (DES): • A commonly used encryption algorithm. • Symmetric (the key used to decrypt a particular bit stream is the same one used to encrypt it) Symmetric algorithms can cause problem with key management; keys must be dispersed and stored carefully. A 56-bit version of DES is the most commonly used encryption technique today. Business Data Communications, 4e

  45. Data Encryption Standard (DES) • Adopted in 1977, reaffirmed for 5 years in 1994, by NBS/NIST • Plaintext is 64 bits (or blocks of 64 bits), key is 56 bits • Plaintext goes through 16 iterations, each producing an intermediate value that is used in the next iteration. • DES is now too easy to crack to be a useful encryption method Business Data Communications, 4e

  46. Triple DEA (TDEA) • Alternative to DES, uses multiple encryption with DES and multiple keys • With three distinct keys, TDEA has an effective key length of 168 bits, so is essentially immune to brute force attacks • Principal drawback of TDEA is that the algorithm is relatively sluggish in software Business Data Communications, 4e

  47. Public-Key Encryption • Based on mathematical functions rather than on simple operations on bit patterns • Asymmetric, involving the use of two separate keys • Misconceptions about public key encryption • it is more secure from cryptanalysis • it is a general-purpose technique that has made conventional encryption obsolete Business Data Communications, 4e

  48. Public-Key Encryption Operation Business Data Communications, 4e

  49. Public-Key Signature Operation Business Data Communications, 4e

  50. Characteristics of Public-Key • Infeasible to determine the decryption key given knowledge of the cryptographic algorithm and the encryption key. • Either of the two related keys can be used for encryption, with the other used for decryption. • Slow, but provides tremendous flexibility to perform a number of security-related functions • Most widely used algorithm is RSA, invented by Ron Rivest, Adi Shamir and Len Adleman at MIT in 1977. Business Data Communications, 4e