
Overview of Network Security

Overview of Network Security. Outline: basic security services; threats/attacks; detection and response; cryptography and other theoretical security foundations; final remarks. Basic security services: possession, utility, accuracy, availability, authenticity, confidentiality, integrity.





Presentation Transcript


  1. Overview of Network Security The Ohio State University

  2. Outline
     • Basic security services
     • Threats/attacks
     • Detection and Response
     • Cryptography and other theoretical security foundations
     • Final remarks

  3. Basic Security Services
     • Possession
     • Utility
     • Accuracy
     • Availability
     • Authenticity
     • Confidentiality
     • Integrity

  4. Threats

  5. Attacks (table not captured in the transcript)

  6. Example of Attacks – DDoS Attacks

  7. Example of Attacks – DDoS Attacks

  8. Example of Attacks – DDoS Attacks

  9. What Makes DDoS Attacks Possible?
     • The Internet was designed with functionality, not security, in mind
     • Internet security is highly interdependent
     • Internet resources are limited
     • The power of many is greater than the power of a few

  10. Intrusion Detection Terminology
     • Alert or alarm
     • False negative
       - The failure of an IDS to react to an actual attack event.
     • False positive
       - An alarm or alert that indicates that an attack is in progress, or that an attack has successfully occurred, when in fact there was no such attack.

  11. IDSs Classification
     • All IDSs use one of two detection methods:
       - Signature-based
       - Statistical anomaly-based
     • IDSs operate as:
       - network-based
       - host-based

  12. Signature-Based IDS
     • Examine data traffic in search of patterns that match known signatures
     • Widely used because many attacks have clear and distinct signatures
     • Problem with this approach: as new attack strategies are identified, the IDS's database of signatures must be continually updated

  13. Statistical Anomaly-Based IDS
     • The statistical anomaly-based IDS (stat IDS) or behavior-based IDS samples network activity and compares it to traffic that is known to be normal
     • When measured activity is outside the baseline parameters or clipping level, the IDS triggers an alert
     • Can detect new types of attacks
     • Requires much more overhead and processing capacity than signature-based detection
     • May generate many false positives
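The trade-off on slides 12 and 13 (signatures miss attacks not yet in the database; a clipping level catches them but also fires on legitimate bursts) as an added, runnable illustration that is not part of the presentation. The baseline numbers, signatures and events are constructed for the example.

```python
import re
import statistics

# Constructed baseline (assumption, not from the slides): packets per second
# sampled on one segment during a period known to be normal.
NORMAL_BASELINE = [120, 130, 125, 140, 118, 135, 128, 122, 131, 127]

# Constructed signature database: regexes for two known attack patterns.
SIGNATURES = {
    "dir-traversal": re.compile(r"\.\./"),
    "cmd-injection": re.compile(r";\s*(cat|rm|wget)\b"),
}

def signature_match(payload, signatures=SIGNATURES):
    """Signature-based IDS: report every known pattern found in the payload.
    A new attack with no entry in the database is simply not seen."""
    return [name for name, rx in signatures.items() if rx.search(payload)]

def clipping_level(baseline, k=3.0):
    """Stat IDS threshold: baseline mean plus k population standard deviations."""
    return statistics.mean(baseline) + k * statistics.pstdev(baseline)

def anomaly_alert(measured, baseline=NORMAL_BASELINE, k=3.0):
    """Statistical anomaly-based IDS: alert when measured activity is outside
    the baseline, i.e. above the clipping level."""
    return measured > clipping_level(baseline, k)

def evaluate(events, baseline=NORMAL_BASELINE):
    """Run both detectors over (payload, packets_per_second, is_attack) events
    and count hits, misses and false positives for each method."""
    score = {"signature": {"hit": 0, "miss": 0, "fp": 0},
             "anomaly": {"hit": 0, "miss": 0, "fp": 0}}
    for payload, pps, is_attack in events:
        for name, fired in (("signature", bool(signature_match(payload))),
                            ("anomaly", anomaly_alert(pps, baseline))):
            if fired and is_attack: score[name]["hit"] += 1
            elif fired: score[name]["fp"] += 1
            elif is_attack: score[name]["miss"] += 1
    return score

# Constructed events: a known attack at normal rate, a brand-new attack the
# signature DB has not been updated for, a legitimate burst (backup job),
# and ordinary traffic.
EVENTS = [
    ("GET /../../etc/passwd", 125, True),
    ("POST /api?cmd=%00novel", 900, True),
    ("GET /backup.tar", 160, False),
    ("GET /index.html", 124, False),
]
```

Running `evaluate(EVENTS)` shows each method catching the attack the other misses, and only the anomaly detector raising a false positive on the backup burst.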

  14. Network-based IDS and Host-based IDS

  15. Network-Based IDS (NIDS)
     • Resides on a computer or appliance connected to a segment of an organization's network; looks for signs of attacks
     • When examining packets, a NIDS looks for attack patterns
     • Installed at a specific place in the network where it can watch traffic going into and out of a particular network segment

  16. Host-Based IDS
     • A host-based IDS (HIDS) resides on a particular computer or server and monitors activity only on that system
     • Benchmarks and monitors the status of key system files and detects when an intruder creates, modifies, or deletes files
     • Most HIDSs work on the principle of configuration or change management
     • Advantage over NIDS: can usually be installed so that it can access information that is encrypted when traveling over the network

  17. Example of Response – Defending against DDoS attacks
     • Ingress Filtering
       - P. Ferguson and D. Senie, RFC 2267, Jan 1998
       - Block packets that have illegitimate source addresses
       - Disadvantage: the overhead makes routing slow
     • Identification of the origins (Traceback problem)
       - IP spoofing enables attackers to hide their identity
       - Many IP traceback techniques have been suggested
     • Mitigating the effect during the attack
       - Pushback
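The ingress-filtering response from slide 17 (RFC 2267: an edge router forwards a packet only if its source address belongs to the prefix legitimately behind the interface it arrived on), as an added example that is not from the presentation. The interface-to-prefix table and the sample packets are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Constructed topology (assumption): each ingress interface of the ISP edge
# router is bound to the customer prefixes that legitimately sit behind it.
INTERFACE_PREFIXES = {
    "eth1": [ipaddress.ip_network("192.0.2.0/24")],
    "eth2": [ipaddress.ip_network("198.51.100.0/25"),
             ipaddress.ip_network("2001:db8:10::/48")],
}

def ingress_allowed(interface, src_ip, table=INTERFACE_PREFIXES):
    """RFC 2267 ingress filter: forward only packets whose source address lies
    in a prefix assigned to the arrival interface; anything else is spoofed."""
    src = ipaddress.ip_address(src_ip)
    return any(src in net for net in table.get(interface, []))

def apply_filter(packets, table=INTERFACE_PREFIXES):
    """packets: (interface, src, dst) tuples. Returns the forwarded packets and
    a per-source count of drops, the router's evidence of spoofing attempts."""
    forwarded, dropped = [], Counter()
    for iface, src, dst in packets:
        if ingress_allowed(iface, src, table):
            forwarded.append((iface, src, dst))
        else:
            dropped[src] += 1
    return forwarded, dropped

# Constructed sample traffic: legitimate flows plus two spoofed packets on eth1.
SAMPLE = [
    ("eth1", "192.0.2.10", "203.0.113.5"),
    ("eth1", "10.9.8.7", "203.0.113.5"),      # not in 192.0.2.0/24: spoofed
    ("eth1", "198.51.100.3", "203.0.113.5"),  # eth2's customer address on eth1: spoofed
    ("eth2", "198.51.100.3", "203.0.113.5"),
    ("eth2", "2001:db8:10::1", "2001:db8:ff::9"),
]
```

The per-packet prefix lookup on every ingress interface is the overhead the slide lists as the disadvantage.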

  18. IP Traceback
     - Allows the victim to identify the origin of attackers
     - Several approaches: ICMP trace messages, Probabilistic Packet Marking, Hash-based IP Traceback, etc.

  19. PPM
     • Probabilistic Packet Marking scheme
       - Probabilistically inscribe local path info
       - Use constant space in the packet header
       - Reconstruct the attack path with high probability

     Marking at router R:
       For each packet w
         Generate a random number x from [0,1)
         If x < p then
           Write IP address of R into w.head
           Write 0 into w.distance
         else
           if w.distance == 0 then
             Write IP address of R into w.tail
           endif
           Increase w.distance
         endif
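The marking procedure on slide 19 together with the victim-side reconstruction it exists for, as an added simulation that is not part of the presentation. Router names, the path and the marking probability are constructed; the packet is modelled as an object with the three marking fields instead of real header bits.

```python
import random
from collections import defaultdict

class Packet:
    """Marking fields carried in the header; a packet starts out unmarked."""
    def __init__(self):
        self.head, self.tail, self.distance = None, None, 0

def mark(router, w, p, rng):
    """Marking at router R for packet w, following the slide's pseudocode."""
    if rng.random() < p:             # with probability p start a new edge at R
        w.head, w.distance = router, 0
    else:
        if w.distance == 0:          # previous hop just marked: R closes the edge
            w.tail = router
        w.distance += 1              # hops travelled since the edge was written

def send_along_path(path, n_packets, p, seed=1):
    """Simulate n_packets from the attacker through routers path[0]..path[-1]
    (path[-1] is adjacent to the victim); return the marks the victim collects.
    Packets that no router marked carry no usable edge and are ignored."""
    rng = random.Random(seed)
    marks = set()
    for _ in range(n_packets):
        w = Packet()
        for router in path:
            mark(router, w, p, rng)
        if w.head is not None:
            marks.add((w.head, w.tail, w.distance))
    return marks

def reconstruct(marks):
    """Victim side: distance 0 names the nearest router; each further edge is
    accepted only if its tail is the router already placed one hop closer."""
    by_dist = defaultdict(set)
    for head, tail, d in marks:
        by_dist[d].add((head, tail))
    path, prev = [], None
    for d in range(len(by_dist)):
        cand = [h for h, t in by_dist[d] if t == prev]
        if len(cand) != 1:
            break                    # missing or ambiguous edge: need more samples
        prev = cand[0]
        path.append(prev)
    return path                      # nearest router first, back toward the attacker
```

An edge at distance d is sampled with probability p(1-p)^d per packet, so the farthest edge of a 4-hop path with p = 0.5 shows up in about one packet in sixteen; 500 packets are ample here.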

  20. Cryptographic Algorithms
     • Data Encryption Standard (DES): one of the most popular symmetric encryption cryptosystems
       - 64-bit block size; 56-bit key
       - Adopted by NIST in 1976 as the federal standard for encrypting non-classified information
     • Triple DES (3DES): created to provide security far beyond DES
     • Advanced Encryption Standard (AES): developed to replace both DES and 3DES

  21. Cryptographic Algorithms
     • Asymmetric Encryption (public key encryption)
       - Uses two different but related keys; either key can encrypt or decrypt a message
       - If Key A encrypts a message, only Key B can decrypt it
       - Highest value when one key serves as the private key and the other serves as the public key

  22. Figure 8-4 Using Public Keys

  23. Final Remarks
     • Security services are not just encryption and decryption
     • Threats and attacks on the Internet are potent
     • Signature-based and anomaly-based IDSs each have their own advantages and disadvantages
     • Symmetric and asymmetric keys can be used together, and they need to be tuned to different applications

  24. Appendix: Our Existing Work on Network Security

  25. Overview of Insider Attacks

  26. Outline
     • What are insider attacks?
     • Key aspects of the insider attack problem
     • Possible approaches to defending against insider attacks
     • Theoretical foundation for defending against insider attacks

  27. Example Insider Attack
     • Ivan the insider gets fired and Alf the administrator forgets to void Ivan's (login) credentials.
     • Ivan goes home, logs into his work machine and takes some malicious action (introduces bugs into source, deletes files and backups, etc…)
     • Alternatively, Alf might void Ivan's credentials, but forget that Ivan also uses a shared group account.

  28. Proposed Definition
     • A malicious insider is an adversary who operates inside the trusted computing base: basically a trusted adversary.
     • The insider threat is an adversarial model encompassing all possible malicious insiders.
     (figure labels: Trusted Computing Base, Ivan)

  29. Where are Insider Attacks?

  30. Example Insider Attacks and Threats
     • Data corruption, deletion, and modification
     • Leaking sensitive data
     • Denial of service attacks
     • Blackmail
     • Theft of corporate data
     • On and on…

  31. Insider Attacks: Problem Motivation
     • 59% of companies have had one or more 'Insider abuse of net access' incidents in 2003
     • Estimated losses due to 'Insider net abuse' and 'unauthorized access': $15 M (Source: FBI/CSI Computer Crime and Security Survey 2004)
     • Insider attacks account for as much as 80% of all computer and Internet related crimes [1]
     • 70% of attacks causing at least $20,000 of damage are the direct result of malicious insiders
     • The majority of insiders are privileged users, and the majority of attacks are launched from remote machines

  32. What are the key aspects of the Insider Threat problem?
     • Insider attacks are different from outside attacks: they start with privileges that cannot be denied
       - Resource access
       - Knowledge of targets and vulnerabilities
     • Insider attacks are more difficult to detect and defend against
       - Perimeter defenses look for outside attacks
       - Any user or group of users may potentially launch an attack
       - Can inflict wider damage, quicker
       - High premium on not punishing the good users
     • Detection requires a large number of correlated data streams to be processed
       - Insiders may subvert single-stream detection

  33. Problem Discussion
     • Typical adversarial models ignore the insider threat by assuming the TCB is free of threats
     • The insider threat violates this assumption
     (figure labels: Corporate Network, Firewall/IDS)

  34. Prevailing Sentiments (Myths?)
     • Current systems are capable of countering the insider threat
     • The insider threat is impossible to counter because of the insider's resources and access permissions
     • Insider attacks are a social or organizational issue which cannot be countered by technical means (Anderson94)

  35. Possible Approaches to Defending against Insider Attacks
     • Minimize the size of the TCB to decrease the number of possible insiders
     • Distribute trust amongst multiple parties to force collusion
       - Most insiders act alone
     • Question trust assumptions made in computing systems
       - Treat the LAN like the WAN
       - BroLAN, SANE, etc…
     • Predicate-based Authentication
     • Others?

  36. Theoretical Foundation for Defending against Insider Attacks
     • Non-stored-key based encryption
       - Key remembered by the legitimate user
       - Special trusted device kept by the legitimate user

  37. References
     • How do you stop the enemy from within? Debunking the myths about insider attacks, http://www.wib.org/wb_articles/crime_dec04/insider_dec04.htm
     • Protecting Secret Data from Insider Attacks, http://fc05.ifca.ai/p02.pdf
     • Insider Attack Detection Using Cyber Sensor Fusion, http://www.bizforum.org/whitepapers/NGC.htm
     • How To Spot Insider-Attack Risks In The IT Department, http://www.informationweek.com/news/showArticle.jhtml?articleID=196602853
     • **Stopping insider attacks: how organizations can protect their sensitive information, http://www-935.ibm.com/services/us/imc/pdf/gsw00316-usen-00-insider-threats-wp.pdf
     • **Securing Web Servers against Insider Attack, http://www.cs.dartmouth.edu/~sws/papers/jsm.pdf
     • **Management and Education of the Risk of Insider Threat (MERIT): System Dynamics Modeling of Computer System Sabotage, http://www.cert.org/archive/pdf/merit.pdf
     • **Modeling Insider Attacks on Group Key-Exchange Protocols, CCS05
     • National Threat Assessment Center - Insider Threat Study, http://www.secretservice.gov/ntac_its.shtml
     • **The Insider Threat, www.cs.cmu.edu/~jfrankli/talks/insider-threat.ppt
     • **Protecting Secret Data from Insider Attacks, www-static.cc.gatech.edu/~wenke/papers/fc_05.pdf
     • Jim Carr. Strategies and issues: Thwarting insider attacks, 2002.
     • Nathan Einwechter. The enemy inside the gates: Preventing and detecting insider attacks, 2002.
