unit -5
DESCRIPTION
UNIT -5. Password Management Firewall Design Principles. Password Management. Password Protection. User ID and password: User authorized to gain access to the system Privileges accorded to the user Discretionary access control . Password Protection. - PowerPoint PPT PresentationTRANSCRIPT
UNIT -5Password ManagementFirewall Design Principles.
2
NETWORK SECURITY By: Hom
era Durani
PASSWORD MANAGEMENT
3
NETWORK SECURITY By: Hom
era Durani
PASSWORD PROTECTIONUser ID and password: User authorized to gain access to the system Privileges accorded to the user Discretionary access control
4
NETWORK SECURITY By: Hom
era Durani
PASSWORD PROTECTION Unix system (user ID, cipher text password,
plain text salt) password 8 printable characters - 56-bit value (7-
bit ASCII) encryption routine (crypt(3)) based on DES modified DES algorithm with 12-bit salt value
(related to time of password assignment) 25 encryptions with 64-bit block of zeros input 64-bit - 11 character sequence
5
NETWORK SECURITY By: Hom
era Durani
LOADING A NEW PASSWORD
6
NETWORK SECURITY By: Hom
era Durani
PASSWORD PROTECTIONPurposes of salt: Prevents duplicate passwords from being
visible Effectively increases password length without
the user needing to remember additional 2 characters (possible passwords increased by 4096)
Prevent use of hardware DES implementation for a brute-force guessing attack
7
NETWORK SECURITY By: Hom
era Durani
OBSERVED PASSWORD LENGTHSIN A PURDUE STUDY
8
NETWORK SECURITY By: Hom
era Durani
PASSWORDS CRACKED FROM A SAMPLE SET
easy pickin’s
9
NETWORK SECURITY By: Hom
era Durani
ACCESS CONTROLOne Method: Deny access to password file Systems susceptible to unanticipated break-ins An accident in protection may render the password
file readable compromising all accounts Users have accounts in other protection domains
using the same passwords
10
NETWORK SECURITY By: Hom
era Durani
ACCESS CONTROL Answer:
Force users to select passwords that are difficult to guess
Goal: Eliminate guessable passwords while allowing the user to select a password that is memorable
11
NETWORK SECURITY By: Hom
era Durani
PASSWORD SELECTION STRATEGIES(BASIC TECHNIQUES) User education
Users may ignore the guidelines
Computer-generated passwords Poor acceptance by users Difficult to remember passwords
12
NETWORK SECURITY By: Hom
era Durani
PASSWORD SELECTION STRATEGIES Reactive password checking
System runs its own password cracker Resource intensive Existing passwords remain vulnerable until
reactive checker finds them Proactive password checking
Password selection is guided by the systemStrike a balance between user accessibility and
strength May provide guidance to password crackers (what
not to try) Dictionary of bad passwords (space and time
problem)
13
NETWORK SECURITY By: Hom
era Durani
PROACTIVE PASSWORD CHECKERThere are two techniques currently in use:
Markov Model – search for guessable password
Bloom Filter – search in password dictionary
14
NETWORK SECURITY By: Hom
era Durani
MARKOV MODELProbability that b follows a
M = {states, alphabet, prob, order}
15
NETWORK SECURITY By: Hom
era Durani
MARKOV MODEL “Is this a bad password?”…same as… “Was this password generated by this Markov
model?” Passwords that are likely to be generated by
the model are rejected Good results for a second-order model
16
NETWORK SECURITY By: Hom
era Durani
BLOOM FILTERA probabilistic algorithm to quickly test membership in a large set using multiple hash functions into a single array of bitsDeveloped in 1970 but not used for about 25 yearsUsed to find words in a dictionary also used for web cachingSmall probability of false positives which can be reduced for different values of k, # hash funcs
NETWORK SECURITY By: Homera Durani
17
BLOOM FILTER A vector v of N bits k independent hash
functions. Range 0 to N-1 For each element x,
compute hash functions H1(x), H2(x)…Hk(x)
Set corresponding bits to 1
Note: A bit in the resulting vector may be set to 1 multiple times
H1(x)=P1
H2(x)=P2
H3(x)=P3
H4(x)=P4
Element: x11
1
1
N bits
Bit Vector: v
18
NETWORK SECURITY By: Hom
era Durani
BLOOM FILTER To query for existence of an entry x,
compute H1(x), H2(x)…Hk(x) and check if the bits at the corresponding locations are 1
If not, x is definitely not a member Otherwise there may be a false positive
(passwords not in the dictionary but that produce a match in the hash table). The probability of a false positive can be reduced by choosing k and N
19
NETWORK SECURITY By: Hom
era Durani
PERFORMANCE OF BLOOM FILTER
Dictionary of 1 millionwords with 0.01 probabilityof rejecting a password
We need a hash table of9.6 X 106 bits
NETWORK SECURITY By: Hom
era Durani
20
FIREWALL
21
NETWORK SECURITY By: Hom
era Durani
OUTLINE Firewall Design Principles
Firewall Characteristics Types of Firewalls Firewall Configurations
22
NETWORK SECURITY By: Hom
era Durani
FIREWALLS
Effective means of protection a local system or network of systems from network-based security threats while affording access to the outside world via WAN`s or the Internet
23
NETWORK SECURITY By: Hom
era Durani
FIREWALL DESIGNPRINCIPLES
Information systems undergo a steady evolution (from small LAN`s to Internet connectivity)
Strong security features for all workstations and servers not established
24
NETWORK SECURITY By: Hom
era Durani
FIREWALL DESIGNPRINCIPLES
The firewall is inserted between the premises network and the Internet
Aims: Establish a controlled link Protect the premises network from Internet-
based attacks Provide a single choke point
25
NETWORK SECURITY By: Hom
era Durani
FIREWALL CHARACTERISTICS
Design goals: All traffic from inside to outside must pass
through the firewall (physically blocking all access to the local network except via the firewall)
Only authorized traffic (defined by the local security police) will be allowed to pass
26
NETWORK SECURITY By: Hom
era Durani
FIREWALL CHARACTERISTICS
Design goals: The firewall itself is immune to penetration (use
of trusted system with a secure operating system)
27
NETWORK SECURITY By: Hom
era Durani
FIREWALL CHARACTERISTICS
Four general techniques: Service control
Determines the types of Internet services that can be accessed, inbound or outbound
Direction control Determines the direction in which particular
service requests are allowed to flow
28
NETWORK SECURITY By: Hom
era Durani
FIREWALL CHARACTERISTICS
User control Controls access to a service according to which
user is attempting to access it Behavior control
Controls how particular services are used (e.g. filter e-mail)
29
NETWORK SECURITY By: Hom
era Durani
TYPES OF FIREWALLS
Three common types of Firewalls: Packet-filtering routers Application-level gateways Circuit-level gateways (Bastion host)
30
NETWORK SECURITY By: Hom
era Durani
TYPES OF FIREWALLS
Packet-filtering Router
31
NETWORK SECURITY By: Hom
era Durani
TYPES OF FIREWALLS
Packet-filtering Router Applies a set of rules to each incoming IP packet
and then forwards or discards the packet Filter packets going in both directions The packet filter is typically set up as a list of
rules based on matches to fields in the IP or TCP header
Two default policies (discard or forward)
32
NETWORK SECURITY By: Hom
era Durani
TYPES OF FIREWALLS
Advantages: Simplicity Transparency to users High speed
Disadvantages: Difficulty of setting up packet filter rules Lack of Authentication
33
NETWORK SECURITY By: Hom
era Durani
TYPES OF FIREWALLS
Possible attacks and appropriate countermeasures IP address spoofing Source routing attacks Tiny fragment attacks
34
NETWORK SECURITY By: Hom
era Durani
TYPES OF FIREWALLS
Application-level Gateway
35
NETWORK SECURITY By: Hom
era Durani
TYPES OF FIREWALLS
Application-level Gateway Also called proxy server Acts as a relay of application-level traffic
36
NETWORK SECURITY By: Hom
era Durani
TYPES OF FIREWALLS
Advantages: Higher security than packet filters Only need to scrutinize a few allowable
applications Easy to log and audit all incoming traffic
Disadvantages: Additional processing overhead on each
connection (gateway as splice point)
37
NETWORK SECURITY By: Hom
era Durani
TYPES OF FIREWALLS
Circuit-level Gateway
38
NETWORK SECURITY By: Hom
era Durani
TYPES OF FIREWALLS
Circuit-level Gateway Stand-alone system or Specialized function performed by an
Application-level Gateway Sets up two TCP connections The gateway typically relays TCP segments from
one connection to the other without examining the contents
39
NETWORK SECURITY By: Hom
era Durani
TYPES OF FIREWALLS
Circuit-level Gateway The security function consists of determining
which connections will be allowed Typically use is a situation in which the system
administrator trusts the internal users An example is the SOCKS package
40
NETWORK SECURITY By: Hom
era Durani
TYPES OF FIREWALLS
Bastion Host A system identified by the firewall administrator
as a critical strong point in the network´s security
The bastion host serves as a platform for an application-level or circuit-level gateway
41
NETWORK SECURITY By: Hom
era Durani
FIREWALL CONFIGURATIONS
In addition to the use of simple configuration of a single system (single packet filtering router or single gateway), more complex configurations are possible
Three common configurations
42
NETWORK SECURITY By: Hom
era Durani
FIREWALL CONFIGURATIONS
Screened host firewall system (single-homed bastion host)
43
NETWORK SECURITY By: Hom
era Durani
FIREWALL CONFIGURATIONS
Screened host firewall, single-homed bastion configuration
Firewall consists of two systems: A packet-filtering router A bastion host
44
NETWORK SECURITY By: Hom
era Durani
FIREWALL CONFIGURATIONS
Configuration for the packet-filtering router: Only packets from and to the bastion host are
allowed to pass through the router The bastion host performs authentication and
proxy functions
45
NETWORK SECURITY By: Hom
era Durani
FIREWALL CONFIGURATIONS
Greater security than single configurations because of two reasons: This configuration implements both packet-level
and application-level filtering (allowing for flexibility in defining security policy)
An intruder must generally penetrate two separate systems
46
NETWORK SECURITY By: Hom
era Durani
FIREWALL CONFIGURATIONS
This configuration also affords flexibility in providing direct Internet access (public information server, e.g. Web server)
47
NETWORK SECURITY By: Hom
era Durani
FIREWALL CONFIGURATIONS
Screened host firewall system (dual-homed bastion host)
48
NETWORK SECURITY By: Hom
era Durani
FIREWALL CONFIGURATIONS
Screened host firewall, dual-homed bastion configuration The packet-filtering router is not completely
compromised Traffic between the Internet and other hosts on
the private network has to flow through the bastion host
49
NETWORK SECURITY By: Hom
era Durani
FIREWALL CONFIGURATIONS
Screened-subnet firewall system
50
NETWORK SECURITY By: Hom
era Durani
FIREWALL CONFIGURATIONS
Screened subnet firewall configuration Most secure configuration of the three Two packet-filtering routers are used Creation of an isolated sub-network
51
NETWORK SECURITY By: Hom
era Durani
FIREWALL CONFIGURATIONS
Advantages: Three levels of defense to thwart intruders The outside router advertises only the existence
of the screened subnet to the Internet (internal network is invisible to the Internet)
52
NETWORK SECURITY By: Hom
era Durani
FIREWALL CONFIGURATIONS
Advantages: The inside router advertises only the existence of
the screened subnet to the internal network (the systems on the inside network cannot construct direct routes to the Internet)