unit -5

UNIT -5Password ManagementFirewall Design Principles.

2

NETWORK SECURITY By: Hom

era Durani

PASSWORD MANAGEMENT

3


era Durani

PASSWORD PROTECTIONUser ID and password: User authorized to gain access to the system Privileges accorded to the user Discretionary access control

4


era Durani

PASSWORD PROTECTION Unix system (user ID, cipher text password,

plain text salt) password 8 printable characters - 56-bit value (7-

bit ASCII) encryption routine (crypt(3)) based on DES modified DES algorithm with 12-bit salt value

(related to time of password assignment) 25 encryptions with 64-bit block of zeros input 64-bit - 11 character sequence

5


era Durani

LOADING A NEW PASSWORD

6


era Durani

PASSWORD PROTECTIONPurposes of salt: Prevents duplicate passwords from being

visible Effectively increases password length without

the user needing to remember additional 2 characters (possible passwords increased by 4096)

Prevent use of hardware DES implementation for a brute-force guessing attack

7


era Durani

OBSERVED PASSWORD LENGTHSIN A PURDUE STUDY

8


era Durani

PASSWORDS CRACKED FROM A SAMPLE SET

easy pickin’s

9


era Durani

ACCESS CONTROLOne Method: Deny access to password file Systems susceptible to unanticipated break-ins An accident in protection may render the password

file readable compromising all accounts Users have accounts in other protection domains

using the same passwords

10


era Durani

ACCESS CONTROL Answer:

Force users to select passwords that are difficult to guess

Goal: Eliminate guessable passwords while allowing the user to select a password that is memorable

11


era Durani

PASSWORD SELECTION STRATEGIES(BASIC TECHNIQUES) User education

Users may ignore the guidelines

Computer-generated passwords Poor acceptance by users Difficult to remember passwords

12


era Durani

PASSWORD SELECTION STRATEGIES Reactive password checking

System runs its own password cracker Resource intensive Existing passwords remain vulnerable until

reactive checker finds them Proactive password checking

Password selection is guided by the systemStrike a balance between user accessibility and

strength May provide guidance to password crackers (what

not to try) Dictionary of bad passwords (space and time

problem)

13


era Durani

PROACTIVE PASSWORD CHECKERThere are two techniques currently in use:

Markov Model – search for guessable password

Bloom Filter – search in password dictionary

14


era Durani

MARKOV MODELProbability that b follows a

M = {states, alphabet, prob, order}

15


era Durani

MARKOV MODEL “Is this a bad password?”…same as… “Was this password generated by this Markov

model?” Passwords that are likely to be generated by

the model are rejected Good results for a second-order model

16


era Durani

BLOOM FILTERA probabilistic algorithm to quickly test membership in a large set using multiple hash functions into a single array of bitsDeveloped in 1970 but not used for about 25 yearsUsed to find words in a dictionary also used for web cachingSmall probability of false positives which can be reduced for different values of k, # hash funcs

NETWORK SECURITY By: Homera Durani

17

BLOOM FILTER A vector v of N bits k independent hash

functions. Range 0 to N-1 For each element x,

compute hash functions H1(x), H2(x)…Hk(x)

Set corresponding bits to 1

Note: A bit in the resulting vector may be set to 1 multiple times

H1(x)=P1

H2(x)=P2

H3(x)=P3

H4(x)=P4

Element: x11

1

1

N bits

Bit Vector: v

18


era Durani

BLOOM FILTER To query for existence of an entry x,

compute H1(x), H2(x)…Hk(x) and check if the bits at the corresponding locations are 1

If not, x is definitely not a member Otherwise there may be a false positive

(passwords not in the dictionary but that produce a match in the hash table). The probability of a false positive can be reduced by choosing k and N

19


era Durani

PERFORMANCE OF BLOOM FILTER

Dictionary of 1 millionwords with 0.01 probabilityof rejecting a password

We need a hash table of9.6 X 106 bits


era Durani

20

FIREWALL

21


era Durani

OUTLINE Firewall Design Principles

Firewall Characteristics Types of Firewalls Firewall Configurations

22


era Durani

FIREWALLS

Effective means of protection a local system or network of systems from network-based security threats while affording access to the outside world via WAN`s or the Internet

23


era Durani

FIREWALL DESIGNPRINCIPLES

Information systems undergo a steady evolution (from small LAN`s to Internet connectivity)

Strong security features for all workstations and servers not established

24


era Durani

FIREWALL DESIGNPRINCIPLES

The firewall is inserted between the premises network and the Internet

Aims: Establish a controlled link Protect the premises network from Internet-

based attacks Provide a single choke point

25


era Durani

FIREWALL CHARACTERISTICS

Design goals: All traffic from inside to outside must pass

through the firewall (physically blocking all access to the local network except via the firewall)

Only authorized traffic (defined by the local security police) will be allowed to pass

26


era Durani


Design goals: The firewall itself is immune to penetration (use

of trusted system with a secure operating system)

27


era Durani


Four general techniques: Service control

Determines the types of Internet services that can be accessed, inbound or outbound

Direction control Determines the direction in which particular

service requests are allowed to flow

28


era Durani


User control Controls access to a service according to which

user is attempting to access it Behavior control

Controls how particular services are used (e.g. filter e-mail)

29


era Durani

TYPES OF FIREWALLS

Three common types of Firewalls: Packet-filtering routers Application-level gateways Circuit-level gateways (Bastion host)

30


era Durani

TYPES OF FIREWALLS

Packet-filtering Router

31


era Durani

TYPES OF FIREWALLS

Packet-filtering Router Applies a set of rules to each incoming IP packet

and then forwards or discards the packet Filter packets going in both directions The packet filter is typically set up as a list of

rules based on matches to fields in the IP or TCP header

Two default policies (discard or forward)

32


era Durani

TYPES OF FIREWALLS

Advantages: Simplicity Transparency to users High speed

Disadvantages: Difficulty of setting up packet filter rules Lack of Authentication

33


era Durani

TYPES OF FIREWALLS

Possible attacks and appropriate countermeasures IP address spoofing Source routing attacks Tiny fragment attacks

34


era Durani

TYPES OF FIREWALLS

Application-level Gateway

35


era Durani

TYPES OF FIREWALLS

Application-level Gateway Also called proxy server Acts as a relay of application-level traffic

36


era Durani

TYPES OF FIREWALLS

Advantages: Higher security than packet filters Only need to scrutinize a few allowable

applications Easy to log and audit all incoming traffic

Disadvantages: Additional processing overhead on each

connection (gateway as splice point)

37


era Durani

TYPES OF FIREWALLS

Circuit-level Gateway

38


era Durani

TYPES OF FIREWALLS

Circuit-level Gateway Stand-alone system or Specialized function performed by an

Application-level Gateway Sets up two TCP connections The gateway typically relays TCP segments from

one connection to the other without examining the contents

39


era Durani

TYPES OF FIREWALLS

Circuit-level Gateway The security function consists of determining

which connections will be allowed Typically use is a situation in which the system

administrator trusts the internal users An example is the SOCKS package

40


era Durani

TYPES OF FIREWALLS

Bastion Host A system identified by the firewall administrator

as a critical strong point in the network´s security

The bastion host serves as a platform for an application-level or circuit-level gateway

41


era Durani

FIREWALL CONFIGURATIONS

In addition to the use of simple configuration of a single system (single packet filtering router or single gateway), more complex configurations are possible

Three common configurations

42


era Durani


Screened host firewall system (single-homed bastion host)

43


era Durani


Screened host firewall, single-homed bastion configuration

Firewall consists of two systems: A packet-filtering router A bastion host

44


era Durani


Configuration for the packet-filtering router: Only packets from and to the bastion host are

allowed to pass through the router The bastion host performs authentication and

proxy functions

45


era Durani


Greater security than single configurations because of two reasons: This configuration implements both packet-level

and application-level filtering (allowing for flexibility in defining security policy)

An intruder must generally penetrate two separate systems

46


era Durani


This configuration also affords flexibility in providing direct Internet access (public information server, e.g. Web server)

47


era Durani


Screened host firewall system (dual-homed bastion host)

48


era Durani


Screened host firewall, dual-homed bastion configuration The packet-filtering router is not completely

compromised Traffic between the Internet and other hosts on

the private network has to flow through the bastion host

49


era Durani


Screened-subnet firewall system

50


era Durani


Screened subnet firewall configuration Most secure configuration of the three Two packet-filtering routers are used Creation of an isolated sub-network

51


era Durani


Advantages: Three levels of defense to thwart intruders The outside router advertises only the existence

of the screened subnet to the Internet (internal network is invisible to the Internet)

52


era Durani


Advantages: The inside router advertises only the existence of

the screened subnet to the internal network (the systems on the inside network cannot construct direct routes to the Internet)

unit -5

Documents

new password

password crackers

cipher text password

time of password assignment

homera duraniloading

homera duranipasswords

plain text salt password

guessable passwords