Internet & Web Security

    Presentation Transcript
    1. Internet & Web Security

    2. Overview • Encryption and authentication ... • Communication and data-sharing applications ... • Web security and firewalls ...

    3. Encryption and authentication ... • Foundations of Internet security • Data confidentiality and integrity • Authentication • Example systems

    4. Communication and data-sharing applications ... • Mail and news • Virtual terminal services • File sharing • Example systems

    5. Web security and firewalls ... • WWW security • Network security issues • SATAN • Useful tools

    6. Foundations of Internet security ... • Internet security ... • Layered protocol models ... • Security and Layered Internet Protocols ...

    7. Internet security ... • Authentication ... • Access control ... • Integrity ... • Confidentiality ...

    8. Authentication ... • Something you are (SYA) • Something you know (SYK) • Something you have (SYH)

    9. Access control ... • Who gets access to what • Authentication, rights, privileges

    10. Integrity ... • Current vs. original (pure) condition of data

    11. Confidentiality ... • E-mail "like postcards" • FTP, WWW

    12. Layered protocol models ... • Protocol message contents ... • Identities • Sender, receiver • Message length • Message data • Layered protocols ... • Protocol enveloping ... • OSI reference model ... • Internet TCP/IP model ... • Protocol enveloping in TCP/IP ...

    13. Layered protocols ... • N layers

    14. Protocol enveloping ...

    15. OSI reference model ... • Open Systems Interconnection abstract model • Does not define: PL bindings, OS bindings, API issues, UI issues • Defines: 7 protocol layers ...

    16. Defines: 7 protocol layers ... • Physical ... • Data link ... • Network ... • Transport ... • Session ... • Presentation ... • Application ...

    17. Physical ... • Network transmission medium • E.g., coaxial, twisted-pair, fiber-optic • Raw bit-stream service • Responsible only for writing / reading bits to / from physical medium

    18. Data link ... • Group bits into frames • Goal: reliable delivery mechanism • Error detection • Noise, interference • Collisions • Flow control • Avoid unnecessary frame loss • Saturated buffers

    19. Network ... • Extend data link layer • From local to neighboring / distant networks • E.g., Ethernet, Token Ring • Incompatible physical and link layers • ==> Internetworks (networks of networks) • Topology: routers • Two network layer services ...

    20. Two network layer services ... • connection-oriented (CO) • "reliable" / "virtual-circuit" • well ordered data stream • guarantees against lost, out-of-order, duplicate data • connectionless (CL) • "unreliable" / "datagram" • no guarantees

    21. Transport ... • higher-level tasks (not end-to-end delivery) • multiplexing • OSI: 5 incompatible transport protocols • CL, w/ CL network • CL, w/ CO network • CO, w/ CO network • CO, w/ CL network • highest network aware

    22. Session ... • how data exchanged in dialog • two-way simultaneous (full-duplex) • two-way alternate (half-duplex) • one-way (simplex) • checkpointing • synch points in data stream • resume aborted transfer at last encountered synch point

    23. Presentation ... • hide diff in data rep'n • e.g., ASCII vs. EBCDIC • generic rep'n w/ ISO ASN.1 spec ...

    24. generic rep'n w/ ISO ASN.1 spec ... • (Abstract Syntax Notation One) • Boolean • Integer (arb. length) • Real (arb. length & prec.) • Enumerated (days of week, months of year, etc.) • Bit string (arb. length) • Octet (byte) string (arb. length) • Null (any undef'd value)

    25. Application ... • service consumer • via APIs

    26. Internet TCP/IP model ... • 5 layers • physical, data link, network, transport, application • session, presentation • by application, w/ assistance of API • Network layer: IP ... • Transport layer: TCP & UDP ... • Application layer ...

    27. Network layer: IP ... • move data between endpoints • if not on same host ==> routing • IP protocol • IP datagram (packet)

    28. Transport layer: TCP & UDP ... • Transmission Control Protocol (TCP) • connection-oriented • User Datagram Protocol (UDP) • connectionless

    29. Application layer ... • FTP • SMTP: Simple Mail Transfer Protocol • NNTP: Network News • HTTP

    30. Protocol enveloping in TCP/IP ... • Application data --> TCP segment --> IP datagram --> Ethernet frame

    31. Security and Layered Internet Protocols ... • Physical and link layer ... • Security at the IP layer ... • TCP/UDP layer ... • Application layer ...

    32. Physical and link layer ... • physical transmission medium • access control • confidentiality

    33. Security at the IP layer ... • network snooping (sniffing) ... • Message replay ... • Message alteration ... • Message delay and denial ... • Authentication issues ... • Unauthorized access ... • Routing attacks ...

    34. network snooping (sniffing) ... • abuse of tools for debugging / network problems ... • network interface into promiscuous mode ... • solution: encrypt

    35. abuse of tools for debugging / network problems ... • e.g., Network General's Expert Sniffer • etherfind (SunOS) • tcpdump (free on Internet) • Sniffer FAQ • comp.security, news.answers • ftp://ftp.iss.net/pub/faq/sniff • http://www.iss.net/iss/sniff.html

    36. network interface into promiscuous mode ... • report all packets to sniffer • display / record • analyze • super user on unix / VMS • remote also possible

    37. Message replay ... • snoop & record conversation between systems A & B • play back messages from A to B • replay, as if A • e.g., restore earlier password file (and account)

    38. Message alteration ... • modify contents • modify checksums to cover alterations • solution: encrypt for data integrity

    39. Message delay and denial ... • delay: datagrams held indefinitely • unauthorized control of router • authenticate to prevent • denial: datagrams discarded before delivery • overwhelm router / other comm. end system • datagram overflow ==> lost

    40. Authentication issues ... • address masquerading ... • address spoofing ...

    41. Address masquerading ... • configure network interface w/ other system's IP address • NFS: access solely based on IP address • one system down, another can masquerade

    42. Address spoofing ... • aka TCP sequence number attack • exploits weakness of TCP • net effect at IP layer • How ... • Defense ...

    43. How ... • Legitimate 3-way handshake A <--> B ... • C impersonates A ...

    44. Legitimate 3-way handshake A <--> B ... • A --> B: SYN + ISN(A) (initial sequence number) • A <-- B: SYN + ISN(B) + ACK(ISN(A)) • A --> B: ACK(ISN(B)) • A <--> B: application data

    45. C impersonates A ... • C --> B: counterfeit IP datagram SYN + ISN(C) • A <-- B: SYN + ISN(B) + ACK(ISN(C)) • A down; doesn't know • C --> B: ACK(ISN(B)) • C predicts ISN(B) • TCP ISN generator: 32-bit clock (w/ time) • C --> B: rsh command

    46. Defense ... • 1. no address-based authentication • 2. screening router • filter packets based on configurable rules • inbound attacks from outside • outbound attacks from inside

    47. Unauthorized access ... • Packet filtering • Screening router • Firewall

    48. Routing attacks ... • normally: dynamic routing • instead: source routing (legit for tests) • use to bypass filter • or, pass through attacking location • alteration, delay, denial • ICMP (Internet Control Message Protocol) redirects

    49. TCP/UDP layer ... • Some of same problems as at IP layer • No guarantee of confidentiality • packet filtering • hijacking • modify controls through "hijacked" privileges • e.g., steal telnet session

    50. Application layer ... • Application gateways ... • APIs ...
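
Slides 46 to 48 name the screening router as the defense against address spoofing and against source routing used to bypass a filter. The rule set below is an added example, not part of the original presentation: it drops datagrams whose source address does not fit the interface they arrived on and any datagram carrying a source-route option. The inside network 192.0.2.0/24, the interface names and `make_header` are assumptions made for the illustration.

```python
import ipaddress
import struct

INSIDE_NET = ipaddress.ip_network("192.0.2.0/24")  # assumed inside network (documentation range)
SOURCE_ROUTE = {131, 137}  # IPv4 option types: loose / strict source route

def parse_ipv4(datagram: bytes):
    """Return (source address, list of option types) from a raw IPv4 header."""
    if len(datagram) < 20 or datagram[0] >> 4 != 4:
        raise ValueError("not a complete IPv4 header")
    ihl = (datagram[0] & 0x0F) * 4          # header length in bytes
    if ihl < 20 or len(datagram) < ihl:
        raise ValueError("bad header length")
    src = ipaddress.ip_address(datagram[12:16])
    opts, i = [], 20
    while i < ihl:
        kind = datagram[i]
        if kind == 0:                        # end of option list
            break
        if kind == 1:                        # one-byte no-op
            i += 1
            continue
        if i + 1 >= ihl or not 2 <= datagram[i + 1] <= ihl - i:
            raise ValueError("malformed option")
        opts.append(kind)
        i += datagram[i + 1]
    return src, opts

def screen(datagram: bytes, arrived_on: str) -> str:
    """Decide for one datagram; arrived_on is 'outside' or 'inside'."""
    try:
        src, opts = parse_ipv4(datagram)
    except ValueError as err:
        return f"drop: {err}"
    if SOURCE_ROUTE.intersection(opts):
        return "drop: source-routed"
    if arrived_on == "outside" and src in INSIDE_NET:
        return "drop: inside source address arriving from outside"
    if arrived_on == "inside" and src not in INSIDE_NET:
        return "drop: foreign source address leaving from inside"
    return "accept"

def make_header(src: str, dst: str, options: bytes = b"") -> bytes:
    """Constructed sample IPv4 header (checksum field left 0, not checked here)."""
    options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4
    return struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(options), 0, 0, 64, 6, 0,
                       ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed) + options
```

The inbound rule is what stops slide 45's counterfeit datagram at the border: a packet claiming to come from inside system A cannot legitimately arrive on the outside interface.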
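
Slide 38 notes that altered messages can have their checksums modified to cover the change and calls for a cryptographic integrity check. The comparison below is an added example, not part of the original presentation: it contrasts the unkeyed Internet checksum with a keyed tag, using HMAC-SHA256 as one concrete choice of keyed check (the slide names no algorithm). The key, payloads and function names are constructed for the illustration.

```python
import hashlib
import hmac

def internet_checksum(data: bytes) -> int:
    """16-bit one's-complement checksum (RFC 1071) used by IP, TCP and UDP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def seal_checksum(payload: bytes) -> bytes:
    return payload + internet_checksum(payload).to_bytes(2, "big")

def verify_checksum(msg: bytes) -> bool:
    return internet_checksum(msg[:-2]) == int.from_bytes(msg[-2:], "big")

def seal_mac(key: bytes, payload: bytes) -> bytes:
    return payload + hmac.new(key, payload, hashlib.sha256).digest()

def verify_mac(key: bytes, msg: bytes) -> bool:
    payload, tag = msg[:-32], msg[-32:]
    return hmac.compare_digest(tag, hmac.new(key, payload, hashlib.sha256).digest())

def swap_words(payload: bytes, i: int, j: int) -> bytes:
    """Swap two 16-bit words: the sum, and so the checksum, does not change."""
    w = [payload[k:k + 2] for k in range(0, len(payload), 2)]
    w[i], w[j] = w[j], w[i]
    return b"".join(w)

KEY = b"constructed-demo-key"                 # shared by sender and receiver only
ORIGINAL = b"0100 to acct 42"                 # constructed sample payload
ALTERED = swap_words(ORIGINAL, 0, 1)          # same 16-bit words, different order

if __name__ == "__main__":
    sent = seal_checksum(ORIGINAL)
    # Reordered payload still matches the old checksum.
    print(verify_checksum(ALTERED + sent[-2:]))
    # Anyone can recompute an unkeyed checksum over new content.
    print(verify_checksum(seal_checksum(b"9999 to acct 66")))
    tagged = seal_mac(KEY, ORIGINAL)
    # The keyed tag verifies for the original and fails for the altered payload.
    print(verify_mac(KEY, tagged), verify_mac(KEY, ALTERED + tagged[-32:]))
```

A receiver that relies on the checksum alone accepts both altered messages; with the keyed tag, only a party holding the key can produce a message that verifies.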