Download
security n.
Skip this Video
Loading SlideShow in 5 Seconds..
Security PowerPoint Presentation

Security

74 Views Download Presentation
Download Presentation

Security

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. Security Computer Networks John Kristoff

  2. Confidentiality snooping encryption Integrity deletion, changes backups Availability denial of service attacks Authentication are who you say you are Nonrepudiation no denying it Access Control don’t touch that! What to Protect John Kristoff

  3. Most Importantly Protect your reputation John Kristoff

  4. Good Books • Network Security: PRIVATE Communication in a PUBLIC World. Kaufman, Perlman and Speciner. • Cryptography and Network Security: Principles and Practice. Stallings. John Kristoff

  5. Where to Put the Protection? John Kristoff

  6. Host Based Security • Recall End-to-End Argument • Security is ultimately a host problem • Key idea: protect the DATA • End hosts are in control of data • Users are in control of end hosts • Users can and often will do dumb things • Result: very difficult to protect all hosts John Kristoff

  7. Network Based Security • Should augment host based security • Useful for • Protecting groups of users from others • Prohibiting certain types of network usage • Controlling traffic flow • Difficult to inspect traffic • encryption can hide bad things • tunneling can mislead you John Kristoff

  8. Perimeter Security • Boundary between a trusted internal network and a hostile external network John Kristoff

  9. Internal Security • Most often ignored • Most likely the problem • Disgruntled employee • Curious, but dangerous employee • Clueless and dangerous employee John Kristoff

  10. Security by Obscurity • Is no security at all. • However • It’s often best not to advertise unnecessarily • It’s often the only layer used (e.g. passwords) • Probably need more security John Kristoff

  11. Layered Defenses • The belt and suspenders approach • Multiple layers make it harder to get through • Multiple layers take longer to get through • Basic statistics and probability apply • If Defense A stops 90% of all attacks and Defense B stops 90% of all attacks, you might be able to stop up to 99% of all attacks • Trade-off in time, money and convenience John Kristoff

  12. Physical Security • Trash bins • Social engineering • It’s much easier to trust a face than a packet • Protect from the whoops • power • spills • the clumsy • software really can kill hardware John Kristoff

  13. Packet Filtering Firewalls • Apply rules to incoming/outgoing packets • Based on • Addresses • Protocols • Ports • Application • Other pattern match John Kristoff

  14. Packet Filtering Firewall Illustrated John Kristoff

  15. Example Firewall: ipchains -A input -s 192.168.0.0/255.255.0.0 -d 0.0.0.0/0.0.0.0 -j DENY -A input -s 172.0.0.0/255.240.0.0 -d 0.0.0.0/0.0.0.0 -j DENY -A input -s 10.0.0.0/255.0.0.0 -d 0.0.0.0/0.0.0.0 -j DENY -A input -s 224.0.0.0/224.0.0.0 -d 0.0.0.0/0.0.0.0 -j DENY -A input -s 0.0.0.0/0.0.0.0 -d a.b.c.d/255.255.255.255 22:22 -p 6 -j ACCEPT -A input -s 0.0.0.0/0.0.0.0 -d a.b.c.d/255.255.255.255 1024:65535 -p 6 ! -y -j ACCEPT John Kristoff

  16. Example Firewall: Cisco Router Filters access-list 100 deny ip 192.168.0.0 0.0.255.255 any access-list 100 deny ip 172.0.0.0 0.15.255.255 any access-list 100 deny ip 10.0.0.0 0.255.255.255 any access-list 100 deny ip 0.0.0.0 0.255.255.255 any access-list 100 deny ip 127.0.0.0 0.255.255.255 any access-list 100 deny ip 224.0.0.0 31.255.255.255 any access-list 100 deny ip 1.2.0.0 0.0.255.255 any access-list 100 permit tcp any host 1.2.3.4 eq domain access-list 100 permit udp any host 1.2.3.4 eq domain access-list 100 deny tcp any host 1.2.3.5 eq telnet log access-list 100 deny tcp any host 1.2.3.6 eq syn log access-list 100 deny ip any host 1.2.3.4 access-list 100 permit ip any 1.2.0.0 0.0.255.255 access-list 100 deny ip any any John Kristoff

  17. Encryption • Make a readable message unreadable • Math intensive • Plain text versus cipher text • Algorithms and keys • public • private • key size John Kristoff

  18. Encryption? #include<stdlib.h> #include<stdio.h> main(I,O,O0,OO,l) int I,O0,OO,l; char **O; { return !!I>=I?!I>=I?!!~I>=~I?!~I>=~I?!OO?!I:OO%2? OO=main(I,O,O0,OO>>!!OO,l), OO=main(I-!I-!!I,O,OO,OO,l), OO=main(I-!I-!!I,O,O0,OO,l), !(OO-!I||I)?l-1:OO :(OO=main(I,O,O0,OO>>!!OO,l), !(OO-l+!I||I)?l-1:main(I-!I-!!I,O,OO,OO,l)) :(O0+OO)%l :main(I-I/I-I/I,O,O0,OO+OO/OO, main(0,O,O0,OO,I-I-I)+I+1?1:printf("%d ",I-I-I)+fflush(stdout)) :main(I-I-I-I-I,O,I+I-I+I,I,0) :main(~!!I-!!I,O,atoi(1[O]),1,atoi(0[O])); } John Kristoff

  19. Shared Secret Key • Each party knows a secret • The secret is used to decrypt the cipher text • Book: Ulysses • Page: 7 • Line: 23 • Word: 4 • Must know the book and keep it a secret John Kristoff

  20. Shared Secret Key Illustrated John Kristoff

  21. Public Key Cryptography • Public Key • Everyone can use it to encrypt messages to you • Private Key • Only you know this key and only it decrypts messages encrypted with your public key • Keyring John Kristoff

  22. Public Key Illustrated John Kristoff

  23. Denial of Service (DoS) • Prevents or impairs standard service • SYN flooding • SMURF attacks • Distributed Denial of Service (DDoS) • Most effective when source address can be spoofed • Difficult problem to solve John Kristoff

  24. Example Denial of Service Illustrated John Kristoff

  25. Example Distributed Denial of Service Illustrated John Kristoff

  26. Buffer Overflows and Weak Validation of Input • Key idea: overwriting the something on the stack • Popular exploits with CGI scripts • Regular users can gain root access • If exploit on TCP/UDP service, remote root can be accomplished John Kristoff

  27. Session Hijacking If you can predict sequence numbers and spoof the source address, you might be able to pretend to be one end of the session. It helps if you can keep one end of the session busy while you’re hijacking. John Kristoff

  28. Session Hijacking Illustrated John Kristoff

  29. Password Cracking • Very common today • If attacker can get a hold of the password file, they can go offline and process it • Recall • passwords are a form of obscurity • multiple defenses may be needed • A good password selection strategy John Kristoff

  30. Viruses and Worms • Programs written with the intent to spread • Worms are very common today • Often email based (e.g. ILOVEYOU) • Viruses infect other programs • Code copied to other programs (e.g. macros) • All require the code to be executed • Proves users continue to do dumb things • Sometimes software is at fault too John Kristoff

  31. Example: Securing Routers ! version 12.0 service tcp-keepalives-in service timestamps debug datetime msec localtime service timestamps log datetime msec localtime service password-encryption clock timezone cst -6 clock summer-time cdst recurring no ip source-route no ip finger no ip bootp server ! interface FastEthernet1/0 description backbone router ip address a.b.c.d 255.255.255.0 ip access-group 100 in no ip unreachables no ip directed-broadcast no cdp enable John Kristoff

  32. Example: Securing Routers [continued] router rip passive-interface Serial1/0 network a.b.0.0 distribute-list 1 in Serial2/0 logging history warnings logging trap debugging logging facility local7 logging source-interface Loopback0 logging a.b.c.d access-list 1 deny any access-list 10 permit a.b.c.0 0.0.0.255 access-list 10 deny any access-list 100 permit tcp a.b.0.0 0.0.255.255 any eq telnet log access-list 100 deny ip any any log John Kristoff

  33. Example: Securing Routers [continued] snmp-server community password RO 10 snmp-server location computing center snmp-server contact Network Administrator banner motd^C This host is to be used by authorized personnel only!^C ! line vty 0 4 exec-timeout 0 5 access-class 100 in password 7 823442561E01034A12 login transport input telnet ssh ! ntp source Loopback0 ntp server a.b.c.d end John Kristoff

  34. Example: Securing UNIX • Remove unnecessary UDP/TCP servers • Startup scripts in /etc/rc.d directories • /etc/inetd.conf • Use secure versions of servers • ssh • tcpwrappers • Many useful tools available • Tripwire, IP Filter, ipchains, lsof, tcpwrappers, etc... John Kristoff

  35. Example: Securing Windows • Disable file/printer sharing • Use virus protection software • Keep current on latest service packs • Disable unnecessary protocols John Kristoff

  36. Network Address Translation • NAT is a hack! • Provides some level of security, but with a great deal of cost • If security is the only goal, avoid NAT • NAT has been required for sites with IP address allocation problems • RSIP may get NAT users back on track John Kristoff

  37. NAT Illustrated John Kristoff

  38. Virtual Private Networks John Kristoff

  39. Key Idea A session between two endpoints that is secured from eavesdroppers and all threats on the network in between, usually through the use of encryption technology. John Kristoff

  40. Why Is This Worthwhile? • Cost, Cost, Cost! • Ability to make use of a public, insecure network, rather than building your own private, secure network John Kristoff

  41. Challenges • Increased overhead • Complexity • Performance • Quality • Management John Kristoff

  42. Oh, and One More Thing John Kristoff

  43. Some Terms/Technology Thrown Around with VPNs • IPsec • PPP/PPTP/L2TP/L2F • CHAP, PAP • Encapsulation • Tunneling • AAA • RADIUS/TACACS/TACACS+ • Firewalls John Kristoff

  44. ssh TripWire tcpwrappers IP Filter, ipchains nmap tcpdump, windump syslog ntp snort logcheck, swatch crack, l0pftcrack kerberos PGP kerberos S/MIME SSL Security Tools John Kristoff

  45. Final Thoughts • Network Address Translation • Think about long term implications • Security as a end-to-end problem • Java, Javascript and ActiveX • Certificates • Intrusion Detection John Kristoff