
Security






Presentation Transcript


  1. Security. Computer Networks. John Kristoff

  2. What to Protect
     • Confidentiality: snooping; countered by encryption
     • Integrity: deletion, changes; countered by backups
     • Availability: denial of service attacks
     • Authentication: are you who you say you are?
     • Nonrepudiation: no denying it
     • Access Control: don’t touch that!

  3. Most Importantly
     • Protect your reputation

  4. Good Books
     • Network Security: PRIVATE Communication in a PUBLIC World. Kaufman, Perlman and Speciner.
     • Cryptography and Network Security: Principles and Practice. Stallings.

  5. Where to Put the Protection?

  6. Host Based Security
     • Recall End-to-End Argument
     • Security is ultimately a host problem
     • Key idea: protect the DATA
     • End hosts are in control of data
     • Users are in control of end hosts
     • Users can and often will do dumb things
     • Result: very difficult to protect all hosts

  7. Network Based Security
     • Should augment host based security
     • Useful for
       • Protecting groups of users from others
       • Prohibiting certain types of network usage
       • Controlling traffic flow
     • Difficult to inspect traffic
       • encryption can hide bad things
       • tunneling can mislead you

  8. Perimeter Security
     • Boundary between a trusted internal network and a hostile external network

  9. Internal Security
     • Most often ignored
     • Most likely the problem
       • Disgruntled employee
       • Curious, but dangerous employee
       • Clueless and dangerous employee

  10. Security by Obscurity
      • Is no security at all.
      • However
        • It’s often best not to advertise unnecessarily
        • It’s often the only layer used (e.g. passwords)
        • Probably need more security

  11. Layered Defenses
      • The belt and suspenders approach
      • Multiple layers make it harder to get through
      • Multiple layers take longer to get through
      • Basic statistics and probability apply
        • If Defense A stops 90% of all attacks and Defense B stops 90% of all attacks, you might be able to stop up to 99% of all attacks
      • Trade-off in time, money and convenience

  12. Physical Security
      • Trash bins
      • Social engineering
        • It’s much easier to trust a face than a packet
      • Protect from the whoops
        • power
        • spills
        • the clumsy
        • software really can kill hardware

  13. Packet Filtering Firewalls
      • Apply rules to incoming/outgoing packets
      • Based on
        • Addresses
        • Protocols
        • Ports
        • Application
        • Other pattern match

  14. Packet Filtering Firewall Illustrated

  15. Example Firewall: ipchains
      -A input -s 192.168.0.0/255.255.0.0 -d 0.0.0.0/0.0.0.0 -j DENY
      -A input -s 172.0.0.0/255.240.0.0 -d 0.0.0.0/0.0.0.0 -j DENY
      -A input -s 10.0.0.0/255.0.0.0 -d 0.0.0.0/0.0.0.0 -j DENY
      -A input -s 224.0.0.0/224.0.0.0 -d 0.0.0.0/0.0.0.0 -j DENY
      -A input -s 0.0.0.0/0.0.0.0 -d a.b.c.d/255.255.255.255 22:22 -p 6 -j ACCEPT
      -A input -s 0.0.0.0/0.0.0.0 -d a.b.c.d/255.255.255.255 1024:65535 -p 6 ! -y -j ACCEPT

  16. Example Firewall: Cisco Router Filters
      access-list 100 deny ip 192.168.0.0 0.0.255.255 any
      access-list 100 deny ip 172.0.0.0 0.15.255.255 any
      access-list 100 deny ip 10.0.0.0 0.255.255.255 any
      access-list 100 deny ip 0.0.0.0 0.255.255.255 any
      access-list 100 deny ip 127.0.0.0 0.255.255.255 any
      access-list 100 deny ip 224.0.0.0 31.255.255.255 any
      access-list 100 deny ip 1.2.0.0 0.0.255.255 any
      access-list 100 permit tcp any host 1.2.3.4 eq domain
      access-list 100 permit udp any host 1.2.3.4 eq domain
      access-list 100 deny tcp any host 1.2.3.5 eq telnet log
      access-list 100 deny tcp any host 1.2.3.6 eq syn log
      access-list 100 deny ip any host 1.2.3.4
      access-list 100 permit ip any 1.2.0.0 0.0.255.255
      access-list 100 deny ip any any
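Both rule sets above are walked top-down and the first match decides, which is why the bogon DENY lines sit at the top and why the order of the last few lines matters. The evaluator below is an added example written for this page, not code from the presentation: it parses the slide-15 ipchains rules (with the placeholder host a.b.c.d replaced by the constructed TEST-NET address 203.0.113.10), applies them to constructed packets, and handles the `! -y` rule that admits only non-SYN TCP segments to high ports, i.e. replies to connections the host itself opened. It assumes a DENY chain policy, which the slide does not show, and it includes a small helper showing that the same code can hold slide-16 networks, since Python's ipaddress accepts a Cisco wildcard mask as a hostmask. One caveat worth knowing: the 172.0.0.0/255.240.0.0 rule as written covers 172.0.0.0 through 172.15.255.255, while the RFC 1918 private block is 172.16.0.0/12, so a packet from 172.16.x.x passes the first four rules.

```python
"""First-match evaluator for the slide-15 ipchains rule set.
Added example for this page, not code from the presentation."""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the slide's placeholder host a.b.c.d (an RFC 5737 TEST-NET address).
HOST = "203.0.113.10"

# The six rules from slide 15, one per line, with a.b.c.d substituted.
IPCHAINS_RULES = f"""
-A input -s 192.168.0.0/255.255.0.0 -d 0.0.0.0/0.0.0.0 -j DENY
-A input -s 172.0.0.0/255.240.0.0 -d 0.0.0.0/0.0.0.0 -j DENY
-A input -s 10.0.0.0/255.0.0.0 -d 0.0.0.0/0.0.0.0 -j DENY
-A input -s 224.0.0.0/224.0.0.0 -d 0.0.0.0/0.0.0.0 -j DENY
-A input -s 0.0.0.0/0.0.0.0 -d {HOST}/255.255.255.255 22:22 -p 6 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d {HOST}/255.255.255.255 1024:65535 -p 6 ! -y -j ACCEPT
"""


@dataclass
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    target: str
    dports: Optional[tuple] = None   # (low, high) destination port range
    proto: Optional[int] = None      # IP protocol number (6 = TCP); None matches any
    syn: Optional[bool] = None       # True: -y (SYN only); False: ! -y (non-SYN only)


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    dport: int
    syn: bool = False                # SYN set and ACK clear, which is what -y tests


def parse_rules(text):
    rules = []
    for line in text.strip().splitlines():
        toks = shlex.split(line)
        fields, negate, i = {}, False, 0
        while i < len(toks):
            t = toks[i]
            if t == "!":
                negate = True
            elif t in ("-s", "-d"):
                fields["src" if t == "-s" else "dst"] = ipaddress.IPv4Network(toks[i + 1], strict=False)
                i += 1
                # ipchains lets a port or low:high range follow the destination address
                if t == "-d" and i + 1 < len(toks) and not toks[i + 1].startswith("-"):
                    lo, _, hi = toks[i + 1].partition(":")
                    fields["dports"] = (int(lo), int(hi or lo))
                    i += 1
            elif t == "-p":
                fields["proto"] = int(toks[i + 1])
                i += 1
            elif t == "-y":
                fields["syn"] = not negate
                negate = False
            elif t == "-j":
                fields["target"] = toks[i + 1]
                i += 1
            i += 1
        rules.append(Rule(**fields))
    return rules


def evaluate(rules, pkt, default="DENY"):
    """Walk the chain top-down; the first matching rule decides. `default`
    stands in for the chain policy, which the slide does not show (assumed DENY)."""
    src, dst = ipaddress.IPv4Address(pkt.src), ipaddress.IPv4Address(pkt.dst)
    for r in rules:
        if src not in r.src or dst not in r.dst:
            continue
        if r.proto is not None and r.proto != pkt.proto:
            continue
        if r.dports is not None and not r.dports[0] <= pkt.dport <= r.dports[1]:
            continue
        if r.syn is not None and r.syn != pkt.syn:
            continue
        return r.target
    return default


def acl_network(address, wildcard):
    """Slide 16 writes networks Cisco-style as address plus wildcard mask (the
    inverted netmask); ipaddress accepts that form directly as a hostmask."""
    return ipaddress.IPv4Network(f"{address}/{wildcard}", strict=False)


RULES = parse_rules(IPCHAINS_RULES)

if __name__ == "__main__":
    for pkt in (Packet("192.168.1.5", HOST, 6, 22, syn=True),
                Packet("198.51.100.7", HOST, 6, 22, syn=True),
                Packet("198.51.100.7", HOST, 6, 40000, syn=True),
                Packet("198.51.100.7", HOST, 6, 40000)):
        print(pkt, "->", evaluate(RULES, pkt))
```

The two high-port cases are the instructive ones: an inbound SYN to port 40000 falls through to the policy, while the same segment without SYN (a reply to a connection the host opened) is accepted, which is how a stateless filter approximates "established" traffic.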

  17. Encryption
      • Make a readable message unreadable
      • Math intensive
      • Plain text versus cipher text
      • Algorithms and keys
        • public
        • private
        • key size

  18. Encryption?
      #include<stdlib.h>
      #include<stdio.h>
      main(I,O,O0,OO,l) int I,O0,OO,l; char **O;
      { return !!I>=I?!I>=I?!!~I>=~I?!~I>=~I?!OO?!I:OO%2?
        OO=main(I,O,O0,OO>>!!OO,l), OO=main(I-!I-!!I,O,OO,OO,l),
        OO=main(I-!I-!!I,O,O0,OO,l), !(OO-!I||I)?l-1:OO
        :(OO=main(I,O,O0,OO>>!!OO,l), !(OO-l+!I||I)?l-1:main(I-!I-!!I,O,OO,OO,l))
        :(O0+OO)%l
        :main(I-I/I-I/I,O,O0,OO+OO/OO, main(0,O,O0,OO,I-I-I)+I+1?1:printf("%d ",I-I-I)+fflush(stdout))
        :main(I-I-I-I-I,O,I+I-I+I,I,0)
        :main(~!!I-!!I,O,atoi(1[O]),1,atoi(0[O])); }

  19. Shared Secret Key
      • Each party knows a secret
      • The secret is used to decrypt the cipher text
        • Book: Ulysses
        • Page: 7
        • Line: 23
        • Word: 4
      • Must know the book and keep it a secret

  20. Shared Secret Key Illustrated

  21. Public Key Cryptography
      • Public Key
        • Everyone can use it to encrypt messages to you
      • Private Key
        • Only you know this key and only it decrypts messages encrypted with your public key
      • Keyring

  22. Public Key Illustrated
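Slides 21 and 22 state the asymmetry in words: anyone can encrypt to your public key, only your private key reverses it. The textbook RSA below makes that concrete. It is an added example written for this page, not code from the presentation, and it is a teaching toy only: 64-bit keys, no padding, no constant-time arithmetic. The Miller-Rabin test, the seedable generator and the key size parameter are this example's own choices; the `bits` argument is the practical face of the slide-17 "key size" bullet.

```python
"""Textbook RSA to illustrate the public/private key split on slides 21-22.
Added example for this page, not from the presentation. Toy only: no padding,
small keys, not constant-time. Do not use for real data."""
import random


def is_probable_prime(n, rounds=32):
    """Miller-Rabin probable-prime test (assumed helper, written for this example)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits, rng):
    """Random odd candidate with the top bit set, retried until probably prime."""
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def keygen(bits=64, seed=None):
    """Return ((n, e), (n, d)): the public key, which can be handed to everyone,
    and the private key, which must never leave the owner."""
    rng = random.Random(seed)          # seedable only so the demo is repeatable
    e = 65537
    while True:
        p, q = random_prime(bits // 2, rng), random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:    # e is prime, so this is gcd(e, phi) == 1
            break
    n = p * q
    d = pow(e, -1, phi)                # modular inverse; Python 3.8+
    return (n, e), (n, d)


def encrypt(public_key, m):
    """Anyone with (n, e) can do this."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer below the modulus")
    return pow(m, e, n)


def decrypt(private_key, c):
    """Only the holder of (n, d) can do this."""
    n, d = private_key
    return pow(c, d, n)


if __name__ == "__main__":
    pub, priv = keygen(64, seed=1)
    c = encrypt(pub, 123456789)
    print("public:", pub, "ciphertext:", c, "recovered:", decrypt(priv, c))
```

Notice that the keyring idea on slide 21 falls out of the shape of the keys: every party publishes its `(n, e)` and keeps `(n, d)`; a sender needs only the recipient's public half.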

  23. Denial of Service (DoS)
      • Prevents or impairs standard service
      • SYN flooding
      • SMURF attacks
      • Distributed Denial of Service (DDoS)
      • Most effective when source address can be spoofed
      • Difficult problem to solve

  24. Example Denial of Service Illustrated

  25. Example Distributed Denial of Service Illustrated
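Slide 23 names the attacks but not what they look like on the wire from the defender's side. The following is an added example for this page, not code from the presentation: it parses constructed tcpdump-style lines and applies two simple detections, a per-destination count of pure SYN segments per second (a SYN flood leaves many half-open requests from sources that never complete the handshake), and ICMP echo requests aimed at a known broadcast address (the reflector side of SMURF, where the packet's source is the intended victim; `no ip directed-broadcast` on slide 31 is the router-side mitigation). The sample lines, the threshold and the set of broadcast addresses are all constructed for the example.

```python
"""Detection logic for two DoS patterns named on slide 23 (SYN flood, SMURF),
run over constructed tcpdump-style lines. Added example, not from the slides."""
import re
from collections import Counter

# Constructed sample imitating `tcpdump -n` output. Hosts come from the RFC 5737
# documentation ranges; the six SYN sources are meant to look spoofed.
SAMPLE_CAPTURE = """\
12:00:00.000101 IP 198.51.100.7.40001 > 203.0.113.10.80: Flags [S], seq 1, win 512, length 0
12:00:00.000212 IP 198.51.100.8.40002 > 203.0.113.10.80: Flags [S], seq 2, win 512, length 0
12:00:00.000323 IP 198.51.100.9.40003 > 203.0.113.10.80: Flags [S], seq 3, win 512, length 0
12:00:00.000434 IP 198.51.100.10.40004 > 203.0.113.10.80: Flags [S], seq 4, win 512, length 0
12:00:00.000545 IP 198.51.100.11.40005 > 203.0.113.10.80: Flags [S], seq 5, win 512, length 0
12:00:00.000656 IP 198.51.100.12.40006 > 203.0.113.10.80: Flags [S], seq 6, win 512, length 0
12:00:00.500000 IP 192.0.2.9.50000 > 203.0.113.10.80: Flags [S], seq 9, win 64240, length 0
12:00:00.600000 IP 203.0.113.10.80 > 192.0.2.9.50000: Flags [S.], seq 100, ack 10, win 65535, length 0
12:00:01.100000 IP 192.0.2.9.50000 > 203.0.113.10.80: Flags [.], ack 101, win 64240, length 0
12:00:02.000000 IP 203.0.113.10 > 198.51.100.255: ICMP echo request, id 1, seq 1, length 64
"""

LINE_RE = re.compile(r"^(\d+):(\d+):(\d+)\.\d+ IP (\S+) > (\S+): (.*)$")
FLAGS_RE = re.compile(r"Flags \[([^\]]*)\]")


def split_host(endpoint):
    """'203.0.113.10.80' -> ('203.0.113.10', 80); a bare address -> (addr, None)."""
    parts = endpoint.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return endpoint, None


def parse_capture(text):
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                       # not an IP line; ignore
        hh, mm, ss, src, dst, rest = m.groups()
        flags = FLAGS_RE.search(rest)
        events.append({
            "t": int(hh) * 3600 + int(mm) * 60 + int(ss),   # whole-second bucket
            "src": split_host(src)[0],
            "dst": split_host(dst)[0],
            "flags": flags.group(1) if flags else None,
            "icmp_echo": rest.startswith("ICMP echo request"),
        })
    return events


def detect_syn_flood(events, threshold):
    """Return (dst, second, count) for each one-second bucket in which a host
    received more than `threshold` pure SYNs. Flag set 'S' alone is a SYN;
    'S.' is a SYN-ACK and is not counted."""
    buckets = Counter((e["dst"], e["t"]) for e in events if e["flags"] == "S")
    return sorted((dst, t, n) for (dst, t), n in buckets.items() if n > threshold)


def detect_smurf(events, broadcast_addrs):
    """Echo requests addressed to a known broadcast address. In a SMURF attack
    the source field is the victim, so (src, dst) is what you want to log."""
    return [(e["src"], e["dst"]) for e in events
            if e["icmp_echo"] and e["dst"] in broadcast_addrs]


CAPTURE_EVENTS = parse_capture(SAMPLE_CAPTURE)

if __name__ == "__main__":
    print("SYN flood buckets:", detect_syn_flood(CAPTURE_EVENTS, threshold=5))
    print("echo to broadcast:", detect_smurf(CAPTURE_EVENTS, {"198.51.100.255"}))
```

The legitimate client 192.0.2.9 is counted in the bucket too, which is the usual problem with rate-based detection: it tells you the host is under a flood, not which sources are real, and with spoofed sources that question may have no answer at the victim.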

  26. Buffer Overflows and Weak Validation of Input
      • Key idea: overwriting something on the stack
      • Popular exploits with CGI scripts
      • Regular users can gain root access
      • If exploit on TCP/UDP service, remote root can be accomplished

  27. Session Hijacking
      If you can predict sequence numbers and spoof the source address, you might be able to pretend to be one end of the session. It helps if you can keep one end of the session busy while you’re hijacking.

  28. Session Hijacking Illustrated

  29. Password Cracking
      • Very common today
      • If attacker can get a hold of the password file, they can go offline and process it
      • Recall
        • passwords are a form of obscurity
        • multiple defenses may be needed
        • A good password selection strategy
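The offline attack on slide 29 works because the attacker can hash guesses at full speed and compare against every record at once. Two stored-password choices blunt it: a per-user random salt, so that one precomputed table no longer matches every account, and an iterated hash, so that each guess costs the attacker as much as it costs the login routine. The example below is added for this page, not code from the presentation; the record layout (`pbkdf2_sha256$iterations$salt$hash`), the iteration count and the sample accounts are constructed.

```python
"""Salted, iterated password hashing as a defence against the offline attack on
slide 29. Added example for this page; record format is constructed."""
import base64
import hashlib
import hmac
import os

ITERATIONS = 200_000     # constructed choice; raise it as hardware gets faster


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record: algorithm$iterations$salt$hash, all of
    which is safe to store because the hash cannot be reversed, only re-derived."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join(("pbkdf2_sha256", str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(dk).decode("ascii")))


def verify_password(record, password):
    """Re-derive with the stored salt and iteration count; compare in constant
    time so response timing does not leak how many bytes matched."""
    algo, iters, salt_b64, dk_b64 = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown record format")
    salt, expected = base64.b64decode(salt_b64), base64.b64decode(dk_b64)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    return hmac.compare_digest(dk, expected)


def distinct_hashes(records):
    """Count distinct hash fields in a password file. With per-user salts, two
    users who chose the same password still get different hashes, so a cracker
    cannot hash a guess once and compare it against everyone."""
    return len({r.rsplit("$", 1)[1] for r in records})


# Constructed password file: two accounts that happen to share a password.
SAMPLE_FILE = {
    "alice": hash_password("correct horse battery staple", salt=bytes(range(16))),
    "bob":   hash_password("correct horse battery staple", salt=bytes(range(16, 32))),
}

if __name__ == "__main__":
    for user, record in SAMPLE_FILE.items():
        print(user, record)
    print("distinct hashes:", distinct_hashes(SAMPLE_FILE.values()))
```

Slide 29's own point still stands after all of this: the hash only slows the attacker down, so the password selection strategy it mentions (long, not in any wordlist) is what decides whether "slower" is slow enough.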

  30. Viruses and Worms
      • Programs written with the intent to spread
      • Worms are very common today
        • Often email based (e.g. ILOVEYOU)
      • Viruses infect other programs
        • Code copied to other programs (e.g. macros)
      • All require the code to be executed
        • Proves users continue to do dumb things
        • Sometimes software is at fault too

  31. Example: Securing Routers
      !
      version 12.0
      service tcp-keepalives-in
      service timestamps debug datetime msec localtime
      service timestamps log datetime msec localtime
      service password-encryption
      clock timezone cst -6
      clock summer-time cdst recurring
      no ip source-route
      no ip finger
      no ip bootp server
      !
      interface FastEthernet1/0
       description backbone router
       ip address a.b.c.d 255.255.255.0
       ip access-group 100 in
       no ip unreachables
       no ip directed-broadcast
       no cdp enable

  32. Example: Securing Routers [continued]
      router rip
       passive-interface Serial1/0
       network a.b.0.0
       distribute-list 1 in Serial2/0
      logging history warnings
      logging trap debugging
      logging facility local7
      logging source-interface Loopback0
      logging a.b.c.d
      access-list 1 deny any
      access-list 10 permit a.b.c.0 0.0.0.255
      access-list 10 deny any
      access-list 100 permit tcp a.b.0.0 0.0.255.255 any eq telnet log
      access-list 100 deny ip any any log

  33. Example: Securing Routers [continued]
      snmp-server community password RO 10
      snmp-server location computing center
      snmp-server contact Network Administrator
      banner motd^C This host is to be used by authorized personnel only!^C
      !
      line vty 0 4
       exec-timeout 0 5
       access-class 100 in
       password 7 823442561E01034A12
       login
       transport input telnet ssh
      !
      ntp source Loopback0
      ntp server a.b.c.d
      end

  34. Example: Securing UNIX
      • Remove unnecessary UDP/TCP servers
        • Startup scripts in /etc/rc.d directories
        • /etc/inetd.conf
      • Use secure versions of servers
        • ssh
        • tcpwrappers
      • Many useful tools available
        • Tripwire, IP Filter, ipchains, lsof, tcpwrappers, etc...

  35. Example: Securing Windows
      • Disable file/printer sharing
      • Use virus protection software
      • Keep current on latest service packs
      • Disable unnecessary protocols

  36. Network Address Translation
      • NAT is a hack!
      • Provides some level of security, but with a great deal of cost
      • If security is the only goal, avoid NAT
      • NAT has been required for sites with IP address allocation problems
      • RSIP may get NAT users back on track

  37. NAT Illustrated

  38. Virtual Private Networks

  39. Key Idea
      A session between two endpoints that is secured from eavesdroppers and all threats on the network in between, usually through the use of encryption technology.

  40. Why Is This Worthwhile?
      • Cost, Cost, Cost!
      • Ability to make use of a public, insecure network, rather than building your own private, secure network

  41. Challenges
      • Increased overhead
      • Complexity
      • Performance
      • Quality
      • Management

  42. Oh, and One More Thing

  43. Some Terms/Technology Thrown Around with VPNs
      • IPsec
      • PPP/PPTP/L2TP/L2F
      • CHAP, PAP
      • Encapsulation
      • Tunneling
      • AAA
      • RADIUS/TACACS/TACACS+
      • Firewalls

  44. Security Tools
      ssh, TripWire, tcpwrappers, IP Filter, ipchains, nmap, tcpdump, windump, syslog, ntp, snort, logcheck, swatch, crack, l0phtcrack, kerberos, PGP, S/MIME, SSL

  45. Final Thoughts
      • Network Address Translation
      • Think about long term implications
      • Security as an end-to-end problem
      • Java, Javascript and ActiveX
      • Certificates
      • Intrusion Detection
