1 security concepts introduction. 2 main themes of the course vulnerabilities of networked...
Post on 19-Dec-2015
216 views
TRANSCRIPT
Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy, University College, UNSW
2
Main Themes of the Course
• Vulnerabilities of networked applications– Worms, denial of service attacks, malicious code
arriving from the network, attacks on infrastructure
• Defense technologies– Protection of information in transit:
cryptography, application- and transport-layer security protocols
– Protection of networked applications: firewalls and intrusion detection
• Study a few deployed systems in detail: from design principles to gory implementation details– Kerberos, SSL/TLS, IPSec
Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy, University College, UNSW
3
What This Semester Does Not Cover
• No ethical, legal or economic issues– No file sharing, DMCA, free speech issues
• Only cursory overview of cryptography• Only some issues in systems security
– No detail of access control, OS security, secure hardware
• No language-based security
Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy, University College, UNSW
4
Set Text
William Stalling’s Network Security Essentials: Applications
and StandardsPublished by Pearson• ISBN-10: 0132303787
• ISBN-13: 978-0132303781 We will follow this text.
Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy, University College, UNSW
5
This Session - Overview• Security Goals• The need for security• OSI Security Architecture• Attacks, services and mechanisms• Security attacks• Security services• Methods of Defense• A model for Internetwork Security• Internet standards and RFCs
Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy, University College, UNSW
6
Security Goals
Integrity
Confidentiality
Avalaibility
Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy, University College, UNSW
7
Security Goals
• Confidentiality– Concealment of information or
resources• Integrity
– Trustworthiness of data or resources• Availability
– Ability to use information or resources
Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy, University College, UNSW
8
Confidentiality
• Need for keeping information secret arises from use of computers in sensitive fields such as government and industry
• Access mechanisms, such as cryptography, support confidentiality– Example: encrypting income tax
return
Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy, University College, UNSW
9
Integrity• Often requires preventing unauthorized
changes• Includes data integrity (content) and origin
integrity ( source of data also called authentication)
• Include prevention mechanisms and detection mechanisms– Example: Newspaper prints info leaked from
White House and gives wrong source• Includes both correctness and
trustworthiness
Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy, University College, UNSW
10
Availability
• Is an aspect of reliability and system design
• Attempts to block availability, called denial of service attacks are difficult to detect– Example: bank with two servers –one
is blocked, the other provides false information
Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy, University College, UNSW
11
The Need for Security
• Computer Security - the collection of tools designed – to protect data and – to thwart hackers
• Network security or internet security- security measures needed to protect data during their transmission
Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy, University College, UNSW
12
SecurityMotivation: Why do we need security?
• Increased reliance on Information technology with or with out the use of networks
• The use of IT has changed our lives drastically.
• We depend on E-mail, Internet banking, and several other governmental activities that use IT
• Increased use of E-Commerce and the World wide web on the Internet as a vast repository of various kinds of information (immigration databases, flight tickets, stock markets etc.)
Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy, University College, UNSW
13
Security Concerns• Damage to any IT-based system or activity can
result in severe disruption of services and losses
• Systems connected by networks are more prone to attacks and also suffer more as a result of the attacks than stand-alone systems (Reasons?)
• Concerns such as the following are common– How do I know the party I am talking on the network
is really the one I want to talk?– How can I be assured that no one else is listening
and learning the data that I send over a network– Can I ever stay relaxed that no hacker can enter my
network and play havoc?
Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy, University College, UNSW
14
Concerns continued…• Is the web site I am downloading
information from a legitimate one, or a fake?
• How do I ensure that the person I just did a financial transaction denies having done it tomorrow or at a later time?
• I want to buy some thing online, but I don’t want to let them charge my credit card before they deliver the product to me
Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy, University College, UNSW
15
That is why…
..we need security• To safeguard the confidentiality, integrity,
authenticity and availability of data transmitted over insecure networks
• Internet is not the only insecure network in this world
• Many internal networks in organizations are prone to insider attacks
• In fact, insider attacks are greater both in terms of likelihood of happening and damage caused
Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy, University College, UNSW
16
However, in reality• Security is often over looked (not one of the top
criteria)• Availability, efficiency and performance tend to be
the ones• Buggy implementations• Systems too complex in nature and rich in features
can be filled with security holes• Incorporation of security into networks, not growing
with the rapidly growing number and size of networks• Attacking is becoming so common and easy – there
are books clearly explaining how to launch them• Security and attacks are a perpetual cat-and-mouse
play. The only way to avoid attacks is to keep up-to-date with latest trends and stay ahead of malicious netizens
Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy, University College, UNSW
17
OSI Security Architecture
• ITU-T Recommendation X.800 Security Architecture for OSI
• International Telecommunications Union (ITU) is a United Nations sponsored agency that develops standards relating to telecommunications and to Open system Interconnection (OSI)
• Extended by ISO 18028- part 2
Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy, University College, UNSW
18
Attacks, Services and Mechanisms
• Security Attack: Any action that compromises the security of information.
• Security Mechanism: A mechanism that is designed to detect, prevent, or recover from a security attack.
• Security Service: A service that enhances the security of data processing systems and information transfers. A security service makes use of one or more security mechanisms
Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy, University College, UNSW
19
Security Attacks
Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy, University College, UNSW
20
Security Attacks
• Interruption: This is an attack on availability– Disrupting traffic– Physically breaking communication
line• Interception: This is an attack on
confidentiality– Overhearing, eavesdropping over a
communication line
Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy, University College, UNSW
21
Security Attacks (continued)
• Modification: This is an attack on integrity– Corrupting transmitted data or
tampering with it before it reaches its destination
• Fabrication: This is an attack on authenticity– Faking data as if it were created by a
legitimate and authentic party
Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy, University College, UNSW
22
Threats and Attacks
• Threat - a potential for violation of security or a possible danger that might exploit a vulnerability
• Attack - an assault on system security- an intelligent act that is a deliberate attempt to evade security services and violate the security policy of a system.
Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy, University College, UNSW
23
Passive and active attacks• Passive attacks
– No modification of content or fabrication– Eavesdropping to learn contents or other
information (transfer patterns, traffic flows etc.)
• Active attacks– Modification of content and/or participation in
communication to• Impersonate legitimate parties• Modify the content in transit• Launch denial of service attacks
Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy, University College, UNSW
24
Fundamental threats
• Information leakage– Disclosure to unauthorized parties
• Prince Charles mobile phone calls, 2006 ( and 1993)• Sarah Palin’s email hack (Sept. 2008)
• Integrity violation– Corruption of data or loss of data
• Top Iraqi cleric’s web site defaced (Sept 2008)• Denial of service
– Unavailability of system/service/network• Xbox (Jan 2008)
• Illegitimate use– Sasser worm 2004
Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy, University College, UNSW
25
Services and Mechanisms
• A security policy is a statement of what is and what is not allowed.
• A security service is a measure to address a threat – E.g. authenticate individuals to prevent
unauthorized access• A security mechanism is a means to
provide a service – E.g. encryption, cryptographic protocols
Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy, University College, UNSW
26
Security Services• A security service is a service
provided by the protocol layer of a communicating system (X.800)
• 5 Categories– Authentication– Access Control– Data confidentiality– Data Integrity– Nonrepudiation (and Availability)
Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy, University College, UNSW
27
Security Services• Authentication (who created or sent the data)
• Access control (prevent misuse of resources)
• Confidentiality (privacy)
• Integrity (has not been altered)
• Non-repudiation (the order is final)
• Availability (permanence, non-erasure)
– Denial of Service Attacks
– Virus that deletes files
Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy, University College, UNSW
28
Security Mechanisms Examples
• Two types– Specific mechanisms existing to provide
certain security services• E.g. encryption used for authentication
– Pervasive mechanisms which are general mechanisms incorporated into the system and not specific to a service• E.g. security audit trail
Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy, University College, UNSW
29
OSI Network Stack and Attacks (V. Shmatikov)
application
presentation
session
transport
network
data link
physical
IP
TCP
email,Web,NFS
RPC
802.11
Sendmail, FTP, NFS bugs
SYN flooding, RIP attacks,sequence number prediction
IP smurfing and otheraddress spoofing attacks
RPC worms, portmapper exploits
WEP attacks
Only as secure as the single weakest layer…
Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy, University College, UNSW
30
Model for Network Security
• Basic tasks– Design an algorithm that opponent
cannot defeat– Generate the secret information to be
used with the algorithm– Develop methods for distributing secret
information– Specify a protocol to be used
• May need a trusted third part to assist
Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy, University College, UNSW
31
Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy, University College, UNSW
32
Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy, University College, UNSW
33
Methods of Defense• Encryption• Software Controls
– (access limitations in a data base, in operating system protect each user from other users)
• Hardware Controls – (smartcard)
• Policies – (frequent changes of passwords)
• Physical Controls
Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy, University College, UNSW
34
Internet standards and RFCs
The Internet society (ISOC)• Internet Architecture Board (IAB)• Internet Engineering Task Force (IETF)• Internet Engineering Steering Group (IESG)
International Standards Organisation (ISO)• Numerous security related standards
especially 17799, 18028, 27001
National Institute of Standards and Technology (NIST)