Chapter 37 Network Security (Access Control, Encryption, Firewalls)
Post on 23-Dec-2015
Chapter 37
Network Security
(Access Control, Encryption, Firewalls)

Secure Networks
- "Secure network" is not an absolute term
- Need to define a security policy for the organization
- Network security policy cannot be separated from the security policy for the attached computers
- Costs and benefits of security policies must be assessed

Network Security Policy
Devising a network security policy can be complex because a rational policy requires an organization to assess the value of information. The policy must apply to information stored in computers as well as to information traversing a network.

Aspects of Security
- Data integrity
- Data availability
- Data confidentiality
- Privacy

Responsibility and Control
- Accountability: how an audit trail is kept
- Authorization: who is responsible for each item and how responsibility is delegated to others

Integrity Mechanisms
- Techniques to ensure integrity: parity bits, checksums, CRCs
- These cannot guarantee data integrity (e.g., against intentional change)
- Use a message authentication code (MAC) that cannot be broken or forged
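The distinction this slide draws, as an added example that is not part of the original lecture: a CRC-32 catches an accidental bit error, but anyone who changes the data can recompute it, whereas an HMAC-SHA256 tag cannot be recomputed without the shared key. The message and key are constructed sample values.

```python
import hashlib
import hmac
import zlib

# Constructed sample message and shared key (the key is what a checksum lacks).
MESSAGE = b"transfer 100 to account 4711"
KEY = b"shared-secret-known-only-to-the-two-endpoints"


def crc_verify(msg, crc):
    """Receiver's checksum check: recompute CRC-32 and compare."""
    return zlib.crc32(msg) == crc


def mac_tag(key, msg):
    """Sender's MAC: HMAC-SHA256 over the message under the shared key."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def mac_verify(key, msg, tag):
    """Receiver's MAC check; compare_digest avoids timing leaks."""
    return hmac.compare_digest(mac_tag(key, msg), tag)


def crc_catches_accidental_error():
    """A bit flipped by line noise changes the CRC, so the sender's CRC no longer matches."""
    crc = zlib.crc32(MESSAGE)
    noisy = bytes([MESSAGE[0] ^ 0x01]) + MESSAGE[1:]
    return not crc_verify(noisy, crc)


def crc_cannot_stop_intentional_change():
    """Whoever rewrites the amount can also recompute the CRC, because it
    depends on the data alone; the receiver's check then still passes."""
    changed = MESSAGE.replace(b"100", b"900")
    return crc_verify(changed, zlib.crc32(changed))


def mac_stops_intentional_change():
    """Rewriting the amount invalidates the tag, and without the key no
    matching tag for the changed message can be produced."""
    tag = mac_tag(KEY, MESSAGE)
    changed = MESSAGE.replace(b"100", b"900")
    return mac_verify(KEY, MESSAGE, tag) and not mac_verify(KEY, changed, tag)
```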

Access Control and Passwords
- Passwords are used to control access
- Over a network, passwords are susceptible to snooping

Encryption and Confidentiality
- To ensure confidentiality of a transmitted message, use encryption
- Secret key or public key schemes
[Figure: message m passes through encryption with secret key S and then decryption with the same secret key S, yielding message m]

Public Key Cryptosystem
- Each processor has a private key S and a public key P
- S is kept secret and cannot be deduced from P
- P is made available to all processors
- Encryption and decryption with S and P are inverse functions: P(S(m)) = m and S(P(m)) = m
[Figures: message m encrypted with private key S is decrypted with public key P; message m encrypted with public key P is decrypted with private key S; in both cases the result is message m]

Message Digest
- Digest function maps an arbitrary-length message m to a fixed-length digest d(m)
- One-way function: given d(m), can't find m
- Collision-free: infeasible to generate m and m' such that d(m) = d(m')
[Figure: message flows into the digest function]

Digital Signature
- To sign message m, the sender computes the digest d(m)
- Sender computes S(d(m)) and sends it along with m
- Receiver computes P(S(d(m))) = d(m)
- Receiver computes the digest of m and compares it with the result above; if they match, the signature is verified

Digital Signature
[Figure: Sender Alice computes the digest of the message and computes the signature with Alice's private key; Receiver Bob computes the digest of the received message and verifies the signature with Alice's public key]
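The digest-then-sign procedure of the two preceding slides, as an added worked example that is not part of the original lecture: textbook RSA with constructed toy primes, where S is the private operation and P the public one. It checks the inverse property P(S(m)) = m and S(P(m)) = m, signs d(m), verifies it, and shows that a changed message no longer verifies. The primes, exponent and messages are assumptions of the example.

```python
import hashlib

# Toy parameters (constructed): two primes just above one million keep the
# arithmetic readable. Real systems use moduli of 2048 bits or more together
# with a signature padding scheme; this block only illustrates the inverse
# property and the digest-then-sign procedure.
P_PRIME, Q_PRIME = 1000003, 1000033
N = P_PRIME * Q_PRIME
PHI = (P_PRIME - 1) * (Q_PRIME - 1)
E = 65537               # public exponent: the public key P is (E, N)
D = pow(E, -1, PHI)     # private exponent: the private key S is (D, N)


def apply_private(x):
    """S(x): the operation only the holder of the private key can perform."""
    return pow(x, D, N)


def apply_public(x):
    """P(x): the operation anyone holding the public key can perform."""
    return pow(x, E, N)


def digest(m):
    """d(m): fixed-length digest of an arbitrary-length message, reduced
    modulo N so that the toy key can operate on it."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % N


def sign(m):
    """Sender: compute d(m), then S(d(m)); this value is sent along with m."""
    return apply_private(digest(m))


def verify(m, signature):
    """Receiver: compute P(S(d(m))) and compare with a fresh digest of m."""
    return apply_public(signature) == digest(m)


def inverse_property_holds(x):
    """Check P(S(x)) == x and S(P(x)) == x for a value 0 <= x < N."""
    return (apply_public(apply_private(x)) == x
            and apply_private(apply_public(x)) == x)
```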

Internet Firewall
- Protects an organization's computers from Internet problems (named by analogy with the firewall built between two structures to prevent the spread of fire)

Internet Firewall
- All traffic entering the organization passes through the firewall
- All traffic leaving the organization passes through the firewall
- The firewall implements the security policy and rejects any traffic that doesn't adhere to it
- The firewall must be immune to security attacks

Packet Filtering
- A packet filter is embedded in a router
- Specify which packets can pass through and which should be blocked

Using Packet Filters to Create a Firewall
- Three components in a firewall:
- Packet filter for incoming packets
- Packet filter for outgoing packets
- Secure computer system to run application-layer gateways or proxies
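The three-component arrangement above, as an added example that is not part of the original lecture: a first-match packet filter with a default of blocking, one rule list for incoming packets and one for outgoing, both built around a single gateway host that runs the proxies. The addresses, ports and rules are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing: the organization uses 10.1.0.0/16 and runs its
# application-layer gateways (the third firewall component) on 10.1.0.10.
SITE = "10.1.0.0/16"
GATEWAY = "10.1.0.10"

@dataclass
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int

@dataclass
class Rule:
    action: str              # "allow" or "block"
    src: str = "0.0.0.0/0"   # any source
    dst: str = "0.0.0.0/0"   # any destination
    proto: str = "any"
    dport: int = 0           # 0 means any destination port

    def matches(self, pkt):
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", pkt.proto)
                and self.dport in (0, pkt.dport))

def filter_packet(rules, pkt):
    """First matching rule decides; a packet no rule mentions is blocked,
    so the filter passes only what the policy explicitly permits."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action == "allow"
    return False

# Incoming filter: outside hosts reach only the gateway, on the ports where its
# proxies listen; a packet from outside claiming an inside source is dropped first.
INCOMING = [
    Rule("block", src=SITE),
    Rule("allow", dst=GATEWAY, proto="tcp", dport=25),
    Rule("allow", dst=GATEWAY, proto="tcp", dport=443),
]

# Outgoing filter: only the gateway may send to the Internet, so inside hosts
# must use its proxies rather than connect directly.
OUTGOING = [Rule("allow", src=GATEWAY)]
```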

Virtual Private Networks
- Two approaches to building a corporate intranet for an organization with multiple sites:
- Private network connections (confidential)
- Public Internet connections (low cost)
- Virtual Private Network: achieves both confidentiality and low cost; implemented in software

Virtual Private Network
- VPN software in the router at each site gives the appearance of a private network

Virtual Private Network
- Obtain an Internet connection for each site
- Choose a router at each site to run VPN software
- Configure the VPN software in each router to know about the VPN routers at the other sites
- VPN software acts as a packet filter; the next hop for an outgoing datagram is another VPN router
- Each outgoing datagram is encrypted

Tunneling
- Desire to encrypt the entire datagram so that source and destination addresses are not visible on the Internet
- How can Internet routers then do proper forwarding?
- Solution: VPN software encrypts the entire datagram and places it inside another datagram for transmission
- Called IP-in-IP tunneling (encapsulation)

Tunneling
- Datagram from computer x at site 1 to computer y at site 2
- Router R1 at site 1 encrypts it and encapsulates it in a new datagram for transmission to router R2 at site 2
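The VPN router behaviour of the last three slides (filter, pick the remote VPN router as next hop, encapsulate), as an added example that is not part of the original lecture: it builds minimal IPv4 datagrams with `struct`, wraps a datagram from x to y inside an outer datagram from R1 to R2 using protocol number 4 (IP-in-IP), and unwraps it at R2. The site prefixes and router addresses are constructed; the encryption of the inner datagram that the slides call for is not shown, only the encapsulation that keeps x and y out of the outer header.

```python
import ipaddress
import struct

# Constructed topology: site 1 (10.1.0.0/16) sits behind VPN router R1, whose
# Internet address is 198.51.100.1; site 2 (10.2.0.0/16) behind R2 at 203.0.113.1.
R1, R2 = "198.51.100.1", "203.0.113.1"
REMOTE_SITES = {ipaddress.ip_network("10.2.0.0/16"): R2}
IPPROTO_IPIP = 4   # IPv4 protocol number for IP-in-IP encapsulation (RFC 2003)

def header_checksum(hdr):
    """Ones-complement sum over the 20-byte header with its checksum field zeroed."""
    total = sum(struct.unpack("!10H", hdr[:10] + b"\x00\x00" + hdr[12:20]))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_datagram(src, dst, proto, payload):
    """Minimal IPv4 datagram: 20-byte header without options, then the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", header_checksum(hdr)) + hdr[12:] + payload

def parse_header(dgram):
    """Return (src, dst, proto, payload); reject a header whose checksum fails."""
    if header_checksum(dgram[:20]) != struct.unpack("!H", dgram[10:12])[0]:
        raise ValueError("bad IPv4 header checksum")
    return (str(ipaddress.ip_address(dgram[12:16])), str(ipaddress.ip_address(dgram[16:20])),
            dgram[9], dgram[20:])

def vpn_forward(dgram):
    """R1 acting as packet filter: a datagram bound for a remote site is placed
    whole inside a new datagram from R1 to that site's VPN router, so Internet
    routers forward on R1/R2 and never see x or y. Local traffic passes as is.
    (Encryption of the inner datagram, which the slides require, is not shown.)"""
    _, dst, _, _ = parse_header(dgram)
    for site, remote_router in REMOTE_SITES.items():
        if ipaddress.ip_address(dst) in site:
            return build_datagram(R1, remote_router, IPPROTO_IPIP, dgram)
    return dgram

def vpn_receive(outer):
    """R2 strips the outer header and recovers the datagram x sent to y."""
    _, _, proto, inner = parse_header(outer)
    return inner if proto == IPPROTO_IPIP else outer
```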

Summary
- Security is desirable but must be defined by the organization
- Assess the value of information and define a security policy
- Aspects to consider include privacy, data integrity, availability, and confidentiality

Summary (continued)
- Mechanisms to provide the aspects of security:
- Encryption: secret and public key cryptosystems
- Firewalls: packet filtering
- Virtual private networks: use the Internet to transfer data among an organization's sites, but ensure that the data cannot be read by others