V1.0
V1.0
V1.0
V1.0
Learning Outcomes
By the end of this topic students will be able to:
Explain the most common types of cryptographic algorithm (i.e. block ciphers, public-key ciphers and hash algorithms) Select and justify an appropriate algorithm for a particular purpose
V1.0
Module Aims
This module will provide you with the underlying theory and practical skills required to secure networks and to send data safely and securely over network communications (including securing the most t common Internet I t t services). i )
V1.0
Module Syllabus - 1
Cryptography Fundamentals Public-Key Infrastructure Web Security Email Security Data Protection Vulnerability Assessment Authentication
V1.0
V1.0
Module Syllabus - 2
Access Control Firewalls VPN Remote Access Wireless Security
V1.0
Module Delivery
The teacher-led time for this module is comprised of lectures and laboratory sessions. Lectures are designed to start each topic.
- You will be encouraged to be active during lectures by raising questions and taking part in discussions.
V1.0
Private Study
You are also expected to undertake private study to consolidate and extend your understanding. Exercises are provided in your Student Guide for you to complete during this time.
V1.0
V1.0
Assessment
This module will be assessed by:
- an examination worth 75% of the total mark - an assignment worth 25% of the total mark
V1.0
V1.0
Cryptography Definition
The discipline that embodies the principles, means, and methods for the transformation of data in order to hide their semantic content, prevent their unauthorized use, or prevent their undetected modification. difi ti
National Institute of Standards and Technology, Special Publication 800-59, (August 2003).
V1.0
V1.0
Security Objectives
NIST gives three objectives (FIPS199):
- Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information information. - Integrity: Guarding against improper information modification or destruction, including ensuring information non-repudiation and authenticity. - Availability: Ensuring timely and reliable access to and use of information.
V1.0 NCC Education Limited
Loss of Security
The following defines a loss of security in each objective:
- Loss of Confidentiality: Unauthorized disclosure of information information. - Loss of Integrity: Unauthorized modification or destruction of information. - Loss of Availability: Disruption of access to or use of information or information systems.
V1.0
V1.0
V1.0
Authenticity
Being genuine, verified and trusted. Confidence in the validity of:
- A transmission - A message - A message originator
Verifying that users are who they say they are and that each message came from a trusted source.
V1.0
Accountability
Actions of an entity can be traced uniquely to that entity. Supports:
Non-repudiation p Deterrence Fault isolation Intrusion detection and prevention Recovery Legal action
V1.0
ITU-T stands for International Telecommunication Union Telecommunication Standardization Sector OSI stands for Open Systems Interconnection
V1.0
V1.0
V1.0
Security Attacks
It is useful to categorise attacks as:
- Passive attacks - Active attacks
P Passive i attacks tt k make k use of f information i f ti from f a system but do not affect the system resources. Active attacks alter system resources or affect their operation.
V1.0
Passive Attacks
Release of message contents: The information in a message is read. Traffic analysis: y message g information cannot be read but traffic patterns are analysed to glean information.
V1.0
V1.0
Active Attacks
Masquerade: one entity pretends to be another entity. Replay: passive capture of data and its retransmission et a s ss o to p produce oduce a an u unauthorized aut o ed e effect. ect Message modification: a message is altered to produce an unauthorized effect. Denial of service: preventing or hindering the use of network resources.
V1.0
Security Services
A security service is a service which ensures adequate security of the systems or of data transfer. X.800 Recommendation divides security services into 5 categories:
Authentication Access control Data confidentiality Data integrity Non-repudiation
V1.0
Security Mechanisms
Security mechanisms are used to implement security services. They include:
Encipherment Digital signature Access Control mechanisms Data Integrity mechanisms Authentication Exchange Traffic Padding Routing Control Notarisation
V1.0
V1.0
Number Theory
Many public-key cryptosystems use non-trivial number theory. The RSA public-key cryptosystem is based on the difficulty of factoring large numbers. numbers We will outline the basic ideas of:
- divisors - prime numbers - modular arithmetic
V1.0
Prime numbers
- An integer p is a prime number if its only divisors are 1, -1, p, -p
V1.0
V1.0
V1.0
Modular Arithmetic
If a is an integer and n is a positive integer, we define a mod n to be the remainder when a is divided by n:
- Example, 10 mod3 = 1
If (a mod n) = (b mod n), then a and b are congruent modulo n (a mod n) = (b mod n) if n is a divisor of a-b
V1.0
V1.0
Cryptography
A collection of mathematical techniques for protecting information Most important technique is encryption/decryption
Symmetric y encryption yp (symmetric ( y key y encryption): yp )
- encrypt/decrypt a message using the same key
- Key: a piece of information or sequence of bits Asymmetric encryption (asymmetric key encryption):
- one key used for encryption (public key), another key used for decryption (private key)
V1.0
V1.0
Symmetric Encryption
V1.0
V1.0
V1.0
V1.0
V1.0
Classifying Cryptosystems
As well as classifying as symmetric or asymmetric there are two other main classifications:
- Type of operations used: Substitutions Transpositions - The way in which plaintext is processed: Block cipher where a block of elements is transformed to the output block in one go. Stream cipher where the input elements are processed continuously one element at a time.
V1.0
Substitutions
Each element of the plaintext (bit, letter, group of bits) is mapped to another element. AB BC ZA HELLO MISTER becomes IFMMP NJTUFS
V1.0
V1.0
Transpositions
Elements of the plaintext are re-arranged. HEL LO MIS TER becomes HLMTEOIEL SR
V1.0
V1.0
Cryptanalysis
The main objective of an attacker is to recover the key rather than the plaintext. Relies on knowledge of the nature of the algorithm plus knowledge of the plaintext or access to some plaintext/ciphertext p p p pairs. An encryption scheme is computationally secure if:
- The cost of breaking the scheme exceeds the value of the encrypted information. - The time required to break to the scheme is more than lifetime of the information.
V1.0
V1.0
V1.0
V1.0
V1.0
V1.0
V1.0
V1.0
V1.0
V1.0
AES
Design uses theory of finite fields, a branch of algebra. Every block of 128 bits is presented as 4 by 4 array of bytes. Every E round d except start and d end dh has 4 steps:
Substitution Shift Rows Mix Columns Add Round Key
V1.0
V1.0
V1.0
V1.0
V1.0
AES SubBytes
Each byte is replaced with another based on a lookup table
V1.0
V1.0
AES ShiftRows
A transposition step where each row of the state is shifted cyclically a certain number of steps
V1.0
AES MixColumns
A mixing operation which operates on the columns of the state, combining the four bytes in each column
V1.0
AES AddRoundKey
Each byte of the state is combined with the round key using bitwise XOR
V1.0
V1.0
V1.0
V1.0
V1.0
V1.0
V1.0
V1.0
V1.0
V1.0
V1.0
2. Compute n = pq.
- n is used as the modulus for both the public and private keys
3. Compute (n) = (p1)(q1) 4. Choose an integer e such that 1 < e < (n) and gcd(e,(n)) = 1, i.e. e and (n) are coprime.
- e is released as the public key exponent
V1.0
V1.0
The public key consists of the modulus n and the public (or encryption) exponent e. The private key consists of the private (or decryption) exponent d which must be kept secret.
V1.0
RSA Encryption
Alice transmits her public key (n,e) to Bob and keeps the private key secret. Bob then wishes to send message M to Alice. He first turns M into an integer m, such that 0 < m < n by using an agreed-upon reversible protocol k known as a padding ddi scheme. h He then computes the ciphertext c corresponding to c = me (mod n). Bob then transmits c to Alice. Note that at least nine values of m will yield a ciphertext c equal to m, but this is very unlikely to occur in practice.
V1.0 NCC Education Limited
RSA Decryption
Alice can recover m from c by using her private key exponent d via computing m = cd (mod n). Given m, she can recover the original message M by reversing the padding scheme. A simplified example of the whole process is given in the laboratory exercises.
V1.0
V1.0
RSA Security
Relies upon the complexity of the factoring problem. Nobody knows how to factor big numbers in a reasonable time. However, nobody has shown that the fast factoring is impossible!
V1.0
Hash Functions
A hash function is a mathematical function that converts a large, possibly variably-sized amount of data into a small datum. Hashing is a method of binding the file contents together to ensure integrity.
- Like using sealing wax on an envelope. - Only by breaking the seal can the contents be accessed, and any tampering is readily apparent.
V1.0
V1.0
V1.0
V1.0
V1.0
SHA-1 Examples
SHA1("The quick brown fox jumps over the lazy dog") = 2fd4e1c6 7a2d28fc ed849ee1 bb76e739 1b93eb12 A small change in the message will, with overwhelming probability, result in a completely different hash. SHA1("The quick brown fox jumps over the lazy cog") = de9f2c7f d25e1b3a fad3e85a 0bd17d9b 100db4b3
V1.0
V1.0
References
NIST (Feb. 2004). Standards for Security Categorization of Federal Information and Information Systems. FIPS 199. [Available Online] http://csrc.nist.gov/publications/fips/fips199/FIPSPUB 199 fi l df PUB-199-final.pdf Stallings, W. (2010). Cryptography and Network Security: Principles and Practice. Pearson Education.
V1.0
V1.0
V1.0
V1.0
V1.0
V1.0
V1.0
Learning Outcomes
By the end of this topic students will be able to:
Explain the vulnerabilities inherent in wireless networks Deploy a secure network architecture for wireless access Configure Access Control Lists Encrypt and protect the wireless link
V1.0
Wireless Networks
A wireless network typically has a number of wireless-enabled devices connecting to an access point Each access point connects to a wider network
- I In a home h wireless i l network t k thi this wider id network t k may be the Internet - In a business network this wider network is typically a LAN
V1.0
WLAN
V1.0
V1.0
V1.0
V1.0
V1.0
V1.0
V1.0
V1.0
WEP Encryption
Uses the RC4 stream cipher for confidentiality Uses the CRC-32 checksum for integrity Secret keys can be 64 or 128 bits long
- Some vendors do supply 256-bit key version
V1.0
V1.0
V1.0
The effect is that no real authentication occurs WEP encryption keys are used for encrypting data frames on the wireless network The client must have the correct keys at this point
V1.0
V1.0
V1.0
V1.0
WEP Weaknesses
The 24-bit IV is too short and repeats after some time
- there is a 50% probability the same IV will repeat after 5000 packets
Packets can be replayed so that the access point broadcasts Ivs With the right equipment, WEP can be cracked in a few minutes at most
V1.0
V1.0
V1.0
Developed in response to the weaknesses in WEP WPA implements most of the IEEE 802.11i standard WPA2 is fully compliant with the IEEE 802.11i standard
- This has been incorporated into IEEE 802.11-2007
V1.0
IEEE 802.11i
Implemented as WPA2 Uses Counter Mode with Cipher Block Chaining Message Authentication Code Protocol, also known as CCM mode Protocol (CCMP)
- AES based block cipher - Replacing the RC4 stream cipher of WEP
V1.0
CCMP
More secure than the protocols in WEP & WPA Uses a 128-bit key Uses a 128-bit block size Provides:
- Data Confidentiality - only authorized parties have access - Authentication proves user identity - Access control - in conjunction with layer management
V1.0 NCC Education Limited
V1.0
Does not require an authentication server Wireless Wi l network t k client li t d devices i authenticate th ti t di directly tl with the access point They all use the same 256-bit key Keys are automatically changed and authenticated after a set period of time
V1.0
I In order d to t allow ll a guest t user to t have h access to t a network the key must be given to that guest PSK is a 64-bit hexadecimal number generated from a passphrase
- Passphrase could be open to dictionary attack
V1.0
Enterprise Mode
Designed for enterprise networks Provides authentication using IEEE 802.1X and Extensible Authentication Protocol (EAP) Requires a Remote Authentication Dial In User Service (RADIUS) authentication server or similar More complex but provides additional security
- For example against dictionary attacks
V1.0
V1.0
IEEE 802.1X
IEEE Standard for Port-based Network Access Control (PNAC) Requires three parties:
- a supplicant the client device wishing to connect - an authenticator the access point - an authentication server a host running software that supports RADIUS and EAP
Client device only has access through the authenticator when validated and authorized
V1.0
EAP
The authentication framework utilised by wireless networks Supplies functions and negotiation of authentication methods
- Called EAP methods
Provides a secure authentication mechanism Negotiates a secure private key between authenticator and client
V1.0
V1.0
V1.0
Authentication
- If EAP Method is agreed, EAP Requests and Responses are sent between supplicant and authentication server until the server responds with EAP-Success message - Authenticator sets port to the authorised state and traffic is allowed
V1.0
RADIUS
Protocol providing a centralised Authentication, Authorization, and Accounting (AAA) service Management for the authorisation of computers wishing to connect to a network Client/server protocol Runs in the application layer of the OSI model Uses UDP for transport
- assigned UDP ports 1812 for RADIUS Authentication and 1813 for RADIUS Accounting
V1.0
RADIUS Functions
A RADIUS Server has three main functions:
- Authenticating users and/or devices and providing permission for them to access the network - Authorising users and/or devices for specific services on the network - Accounting for usage of network services
V1.0
V1.0
V1.0
V1.0
V1.0
V1.0
The operational overhead to manage and maintain a wireless network increases with the size of the network
V1.0
V1.0
V1.0
V1.0
V1.0
V1.0
References
Tanenbaum, A.S. (2003). Computer Networks. 4th Edition. Prentice Hall. g , W. (2010). ( ) Cryptography yp g p y and Network Stallings, Security: Principles and Practice. 5th Edition. Pearson Education.
V1.0
V1.0
V1.0
V1.0
Topic 2 PKI
V1.0
V1.0
V1.0
V1.0
Topic 2 PKI
Learning Outcomes
By the end of this topic students will be able to:
Describe the Public Key Infrastructure Explain digital signatures Explain the role of Certification Authorities
V1.0
Overview
This topic provides an overview to the key terms and concepts used in a PKI including:
Encryption Public keys Private keys Digital signatures Digital certificates
V1.0
What is PKI?
Public Key Infrastructure (PKI) is a security architecture that has been introduced to provide an increased level of confidence for exchanging information over the Internet. It is defined in 2 ways:
- The method, technology and technique used to create a secure data infrastructure. - The use of the public and private key pair to authenticate and for proof of content.
V1.0
V1.0
Topic 2 PKI
Benefits of PKI
PKI aims to offer its users the following benefits:
- Certainty regarding the quality of information transmitted electronically - Certainty of the source and destination of such information - Assurance of the time and timing of such information - Certainty of the privacy of such information - Assurance that such information may be used as evidence in a court of law
V1.0
Use of PKI
To support secure information exchange over insecure networks.
- e.g. the Internet where such features cannot be provided easily
For information exchange e change over o er private pri ate networks. net orks
- e.g. an organisations internal network
To securely deliver cryptographic keys. To facilitate other cryptographically delivered security services.
V1.0
V1.0
V1.0
Topic 2 PKI
V1.0
V1.0
Asymmetric v Symmetric
Asymmetric Two keys, one each for encrypting and decrypting Can identify y sender or recipient based on encryption/decryption using private key which is known to one entity in the communication Symmetric Same key for encrypting and decrypting Cannot be used to identify y sender or recipient as all parties involved know the same key
V1.0
V1.0
Topic 2 PKI
- A random session key is generated using a symmetric algorithm to encrypt the data. - The public key is then used to encrypt that key and both are sent securely to the recipient.
V1.0
V1.0
Digital Signature
A digital signature is a unique, encrypted numerical value. It differs each time it is generated and is used to prove the ownership or copyright of data. A hashing algorithm is performed on the document to be signed producing a unique numerical value.
- This is why it differs each time it is generated
This is then encrypted using a private cryptographic key and links the result to the document.
V1.0 NCC Education Limited
V1.0
Topic 2 PKI
V1.0
V1.0
V1.0
Topic 2 PKI
Receiving a Document
You receive a document via email. This was digitally signed by the sender by calculating a hash value for the document and encrypting it with their private key. You calculate a hash value for the same document and decrypt the encrypted hash value.
- If the both values are the same, this verifies the sender and that the document has not been edited. - If the two values don't match, then the document has been edited or the sender is not who they claim to be.
V1.0
Summary
Public Key Cryptography is the encryption & decryption and signing/verification of data.
- Ensures privacy between sender and receiver of the y directly y preventing p g unintended disclosure of data by the data. - Identifies the sender of the data by authentication. - Ensures that the data has not been modified or tampered with.
V1.0
V1.0
V1.0
Topic 2 PKI
V1.0
V1.0
Checking Usage
Key usage may be set in the certificate but this does not ensure that the software which uses the public key has done any checks on the content of the certificate. Someone receiving a digitally signed document needs to check if the key was authorized for what it has been used for.
V1.0
V1.0
Topic 2 PKI
Certificate Standards
The data in a certificate usually conforms to the ITU (IETF) standard X.509. Includes information about:
the identity of the owner of the corresponding private key the length of the key the algorithm used by the key the associated hashing algorithm dates of validity of the certificate the actions that the key can be used for
V1.0
V1.0
V1.0
V1.0
Topic 2 PKI
V1.0
V1.0
V1.0
V1.0
Topic 2 PKI
CA Digital Certificates
A person may have many certificates issued by many CAs. Some applications may insist that you use certificates issued by certain CAs. The CA may be:
- part of your own organisation - a company (e.g. a bank or a post office) - or an independent entity (e.g. VeriSign)
V1.0
Revocation
There is a system for making it known that certificates are no longer valid (revoked). A system of revocation lists has been developed that exists outside the directory/database that stores certificates.
- It is a list of certificates that are no longer valid.
Revocation lists may be publicly available as certificates may have been widely distributed.
V1.0
V1.0
Topic 2 PKI
V1.0
V1.0
Publishing in Directories
Directories are databases that are X.500/LDAP compliant.
- The databases contain certificates in the X.509 format. - They provide specific search facilities which are specified in the LDAP standards p published by y the IETF.
V1.0
V1.0
Topic 2 PKI
Publishing in Databases
Databases can be configured to accept X.509 format certificates. This can be done for private systems where search methods do not follow the LDAP structure. structure This method is not used for public directories because it is essentially a proprietary system.
V1.0
V1.0
Do not usually delete certificates because they may be required for future legal reasons. Typically a CA will run these systems to keep track of their certificates.
V1.0
V1.0
Topic 2 PKI
These applications have no knowledge base built in to them about what the security requirements really are, or which PKI services are relevant in their delivery.
V1.0
References
Stallings, W. (2010). Cryptography and Network Security: Principles and Practice. Pearson Education. Network Working Group (1999). Internet X.509 Public Key Infrastructure [Available Online] http://www.ietf.org/rfc/rfc2459.txt
V1.0
Topic 2 PKI
Any Questions?
V1.0
V1.0
V1.0
V1.0
V1.0
V1.0
Learning Outcomes
By the end of this topic students will be able to:
Explain the concept of web security with SSL/TLS Demonstrate applying for and deploying a Digital Certificate
V1.0
Web Security
The Web presents us with some security issues that may not be present in other networks:
Two-way systems Multiple types of communication Importance to business Complex software Multiple connections to a server Untrained users
V1.0
Two-way Systems
The Web works on a client-server model that allows communication in both directions:
- Server sends files to clients - Clients send files to servers
V1.0
V1.0
The web delivers real-time content. Multiple file types = multiple security threats
V1.0 NCC Education Limited
Importance to Business
Used to supply corporate information Used to supply product/service information Used for business transactions including financial transactions
- banking, online shops, ordering systems, etc.
If web servers are compromised, there may be very serious consequences to a business.
- Loss of money & trade - Loss of reputation
V1.0
Complex Software
Servers are relatively easy to set up and configure. It is simple to create web content.
- Even complex looking web applications are often simple to create
This simplicity is made possible by complex underlying software. Complex software often has undetected security holes.
- You can be sure that someone will detect them!
V1.0
V1.0
Multiple Connections
The Web works because there are multiple connections to a server. Different servers are connected to each other. What happens pp if a server is subverted and a malicious attacker gains control?
- How many clients will be affected? - How many other servers will be affected?
V1.0
Untrained Users
The Web is used by many, many clients with no training or understanding of security issues.
- How many people surf the Internet without antivirus software? - Add in the people who have out of date virus definitions
Many people do not have the tools or knowledge to deal with threats on the Web. These same people will be interacting with servers around the world.
V1.0 NCC Education Limited
Traffic Security
Maintaining the security of a server as a piece of hardware is not fundamentally different to general computer security. We will concentrate on the security of Web traffic
- At the Network level (IPSec) - At the Transport level (SSL/TLS)
V1.0
V1.0
V1.0
TCP
IP/IPSec
V1.0
IP
V1.0
V1.0
IP Security (IPSec)
Provides security services at the IP layer for other TCP/IP protocols and applications to use Provides the tools that devices on a TCP/IP network need in order to communicate securely
- When two devices wish to securely communicate, they create a secure path between themselves that may traverse across many insecure intermediate systems.
V1.0
V1.0
V1.0
V1.0
V1.0
IPSec Applications
Securing a companys Virtual Private network (VPN) over the Internet Securing remote access over the Internet Establishing connections with partners via an extranet Enhancing eCommerce security by adding to the security mechanism in the application layer
V1.0
IPSec Advantages
Can be applied to a firewall or router and apply to all traffic across that boundary It is transparent to applications. It is transparent to end users. It can provide security for individual users if required.
V1.0
V1.0
V1.0
V1.0
SSL Architecture
SSL uses TCP to provide a reliable and secure endto-end service. It is not a single protocol but two layers of protocols (see next slide) slide). The Hypertext Transfer Protocol (HTTP) used for server/client interaction on the Internet can operate on top of the SSL Record Protocol.
V1.0
V1.0
SSL Architecture
SSL Handshake Protocol SSL Change Cipher Spec Protocol SSL Alert Protocol HTTP
V1.0
SSL Connections
A connection is a transport* that provides a suitable service. SSL connections are peer-to-peer relationships. These SSL connections are transient.
- They only last for a certain length of time.
V1.0
SSL Sessions
A session in SSL is an association between a client and a server. Such sessions are created by the SSL Handshake Protocol. A session i d defines fi the h security i parameters. A session may be shared by multiple connections.
- Allows the same settings to be used by many connections without the need for repeatedly sending the security parameters
V1.0
V1.0
V1.0
V1.0
V1.0
V1.0
A fatal alert will cause SSL to immediately terminate the connection, but not other connections on the same session.
V1.0
V1.0
V1.0
V1.0
V1.0
Messages
The series of messages are initiated by the client. The first phase establishes the security credentials. The second phase involves authenticating the server and exchanging g g keys. y The third phase involves authentication the client and exchanging keys. The fourth phase is completing the exchange.
V1.0
HTTPS
HTTP over SSL/TLS Used to create secure communications between a Web browser and Web server Built into modern browsers Requires server to support HTTPS communication
- For example, at the time of writing, the Google search engine does not support connections via HTTPS
V1.0
V1.0
If all is well, the browser will typically show a padlock or some other symbol to indicate the use of SSL/TLS.
V1.0
- Cookies
From server to browser From browser to server
V1.0
SSL Advantages
It is independent of the applications once a connection has been created.
- After the initiating handshake, it acts as a secure tunnel through which you can send almost anything.
V1.0
V1.0
SSL Disadvantages
The extra security comes with extra processing overhead. This overhead is largely at the server end. Means communications using g SSL/TLS are a slower than those without it
- Some sources suggest that HTTPS communication can be up to three time slower than HTTP. - With modern browsers, servers and connection speeds, this should not cause significant problems.
V1.0
SSL/TLS Broken
September 2011 - appears SSL/TLS cryptography has been broken by researchers This has major implications for the secure communications via the Internet
Reference for news emerging (September 2011): http://www.computerweekly.com/Articles/2011/09/22/247969/Researchers-claim-to-havebroken-SSLTLS-encryption.htm
V1.0
References
Stallings, W. (2010). Cryptography and Network Security: Principles and Practice. Pearson Education. Thomas, S.A. (2000). SSL & TLS Essentials: Securing the Web. Wiley.
V1.0
V1.0
V1.0
V1.0
V1.0
V1.0
V1.0
V1.0
Learning Outcomes
By the end of this topic students will be able to:
Describe email security mechanisms Digitally sign an email
V1.0
Importance of Email
Business has come to rely on email as a means of communication:
- fast - cost cost-effective effective - easy collaboration and information-sharing
Email has become the primary method for corresponding with colleagues, customers, and business partners
V1.0
V1.0
V1.0
Viruses
Viruses are very sophisticated and often appear to be harmless correspondence:
- personal communication - jokes - marketing promotions
Most viruses require recipients to download attachments in order to spread Some are designed to launch automatically, with no user action required
V1.0
New threats emerge all the time and updates offer protection from all the latest threats
V1.0
Spam
A large proportion of all corporate email is spam Spam costs US business billions of dollars in lost productivity and system slow-downs annually Most spam is annoying and slows down the network Hackers may sometimes disguise viruses, spyware, and malware as innocent-looking spam
V1.0
V1.0
V1.0
Phishing
Used for identity theft and fraud Posing as authorised emails from trustworthy institutions Attempt to get recipients to surrender personal information such as bank account details Most are aimed at individuals Some have targeted smaller businesses
V1.0
Enables threat analysis, attack prioritisation and response to minimise risk and impact of phishing
V1.0
V1.0
Spyware
Enables hackers to record activities and data from the infected computer Done via a program that dynamically gathers information and transmits it via an Internet connection Often bundled in with shareware and freeware programs Usually installs and runs without user knowledge
V1.0
V1.0
Email Authentication
Aims to provide enough information to the recipient so that they know the nature of the email A valid identity on an email is a vital step in stopping spam, forgery, fraud, and other serious crimes SMTP was not designed with security in mind and thus had no formal verification of the sender Signing emails identifies the origin of a message, but not if it should be trusted
V1.0
V1.0
V1.0
Blacklisting IP Addresses
The IP addresses originating spam and phishing emails can be blacklisted so that future email from them is not received but either quarantined or deleted Many IP addresses are dynamic
Change frequently An organisation has a block of IP addresses IP addresses are allocated when needed May get a new address every time a connection is made
Controlling Traffic
Some ISPs use techniques to prevent spamming by their customers:
- Port 25 can be blocked so that port 587 is used and that requires authentication - Limiting the number of received headers in relayed mail - Infected computers can be cleaned and patched - Outgoing email can be monitored for any sudden increase in flow or in content (a typical spam signature)
V1.0
V1.0
V1.0
V1.0
V1.0
V1.0
V1.0
Digitally signed messages are usually not encrypted if the confidentiality does not need to be protected
V1.0
Encrypting Transmission
Encrypting the transmissions between mail servers is used only when two organisations want to protect emails regularly sent between themselves The organisations could establish a virtual private network (VPN) to encrypt the communications between their mail servers over the Internet A VPN can be used encrypt entire messages including header information
- E.g. senders, recipients, subject lines
V1.0
V1.0
Individual Emails
Most email messages are protected individually rather than along a secure VPN Each message is protected by digitally signing and optionally encrypting it Widely used standards for signing and encrypting message bodies are:
- Open Pretty Good Privacy (OpenPGP) - Secure/Multipurpose Internet Mail Extensions (S/MIME)
V1.0
OpenPGP
A protocol for encrypting and signing messages and creating certificates using public key cryptography Based on an earlier protocol, PGP First released in June 1991 The original PGP protocol used some encryption algorithms with intellectual property restrictions OpenPGP was developed as a standard protocol based on PGP Version 5
V1.0
OpenPGP Algorithms
A number of OpenPGP based products fully support cryptographic algorithms recommended by NIST including:
- 3DES and AES for data encryption - Digital Signature Algorithm (DSA) and RSA for digital signatures - SHA for hashing
V1.0
V1.0
OpenPGP Cryptography
OpenPGP use both public key cryptography and symmetric key cryptography Public key y cryptography yp g p y is used to create digitally g y signed message digests Encryption of the message body is performed using a symmetric key algorithm
V1.0
V1.0
V1.0
V1.0
Using OpenPGP
Many popular mail clients require the installation of a plug-in in order to operate OpenPGP, e.g.:
- Mozilla Thunderbird, - Apple Mail - Microsoft Outlook
There are a number of OpenPGP distribution websites that contain instructions on how to use OpenPGP with various mail client applications
V1.0
MIME
Multipurpose Internet Mail Extensions - an Internet standard that extends the format of email to support:
Text that uses character sets other than ASCII Attachments that are not text based Message bodies with multiple parts Header information in non-ASCII character sets
V1.0
S/MIME
Secure/MIME is a version of the MIME protocol It supports encryption of email messages and their contents via public-key encryption technology Created in 1995 by a group of software vendors to prevent interception and forgery of email Builds on the existing MIME protocol standard Is easily integrated into existing email products
V1.0
V1.0
S/MIME Functions
Provides cryptographic security services for electronic messaging applications, including:
Authentication (via digital signatures) Message integrity (via digital signatures) Non-repudiation of origin (via digital signatures) Privacy (using encryption) Data security (using encryption)
V1.0
S/MIME Interoperability
Based on widely supported standards
- likely to continue to be widely implemented across a variety of operating systems and email clients
Is supported by many email clients and can be used to securely communicate between them
- Not always simple
For example, a Windows operating system user with the Outlook email client can send a secure, digitally signed email to a Unix operating system user without installing any additional software
V1.0
S/MIME Certificates
An individual key/certificate must be obtained from a Certificate Authority (CA) Accepted best practice is to use separate private keys for signature and encryption
- permits escrow of the encryption key without compromise to the non-repudiation property of the signature key
V1.0
V1.0
S/MIME Process
S/MIME-enabled mail clients send messages in a similar way to OpenPGP S/MIME version 3.1 supports two recommended symmetric key encryption algorithms:
- AES - 3DES
V1.0
Key Management
OpenPGP and S/MIME use digital certificates to manage keys A digital certificate identifies:
- the entity that the certificate was issued to - the public key of the entitys public key pair - other information, such as the date of expiration, signed by some trusted party
V1.0
V1.0
V1.0
V1.0
V1.0
References
Stallings, W. (2010). Cryptography and Network Security: Principles and Practice. Pearson Education. NIST (2007). Guidelines on Electronic Mail Security. NIST.
V1.0
V1.0
V1.0
V1.0
V1.0
V1.0
V1.0
V1.0
Learning Outcomes
By the end of this topic students will be able to:
Use port scanners to highlight open ports Perform password cracking using dictionary and brute-force brute force methods
V1.0
Security Vulnerability - 1
A security vulnerability is a flaw or a weakness in a system or network that allows an attack to harm the system or network in some way, such as:
- Allowing an unauthorised user to access the system or network - Causing a deterioration in the performance of the system or network - Damaging or altering the data held by a system or network
V1.0
Security Vulnerability - 2
The vulnerability may be inherent in the system
- E.g. new software includes a vulnerability when it is deployed, even if installed and operated correctly
V1.0
V1.0
Causes
Software - flaws in new software, not tested sufficiently before deployment Hardware dust Organisation procedures poor password policy, lack of audits Personnel not training staff properly Physical environment no physical access controls, risks from flooding Combinations of the above
V1.0
Complex Systems
Computer networks in large businesses are usually large and also complex A larger system is more likely to have security holes A complex system is more likely to have security holes Complete testing of large, complex networks is very difficult and extremely time consuming
V1.0
Common Components
Modern networks will use common components:
- Software used by many others (sometimes opensource) - Hardware used by many others - Operating p g systems y used by y many y others
Attackers will have access to these components and be familiar with any security flaws they have The Internet rapidly spreads the knowledge of these flaws and increases the likelihood of them being quickly exploited
V1.0 NCC Education Limited
V1.0
Many Services
A typical modern network will provide numerous services to an organisation More services means:
- M More protocols t l - More ports - More connections
V1.0
Password Vulnerability
Vital to enforce the use of strong passwords Vital to regularly change passwords
- And ensure this is a real change not abc1 changed to abc2
Most users will use a really weak password if they can as it is easier to remember
- A 2006 UK survey gave the top 3 passwords as:
123 Password Liverpool
V1.0
Even where an OS has no inherent flaws the network administrator must set suitable permissions in order to protect the network.
V1.0
V1.0
The web browsing policy of an organisation, plus its firewall etc. is vital in protecting the whole network Acceptable use policies and staff training form a vital part of the protection
V1.0
Software Bugs
New software may contain security flaws that can be exploited by a hacker This is not a malicious act but the complexity and amount of code in modern software applications make this inevitable Updates and regular patches are issued by software providers to fix these vulnerabilities as they are discovered
- One of the many reasons for using genuine software
V1.0
User Input
Programs that allow user input must check that input to prevent malicious code inclusion Common attacks on systems are:
- SQL Injection attacks - Buffer Overflow attacks - (See Private Study Exercises for more on these)
V1.0
V1.0
Repeating Mistakes
It is important to learn from past mistakes Modern programming code reuses old programming libraries Must ensure that any vulnerabilities that have been discovered are removed The Open Web Application Security Project (OWASP) publishes known vulnerabilities to help system designers and programmers from repeating past mistakes
V1.0
Prevention
Vulnerabilities have been found in every operating system
- Hence the updates and patches that appear and should be installed
System maintenance Firewalls and anti-virus Staff training Access controls Audits
NCC Education Limited
No matter how good the software is it is still important to have trained staff who follow sound security practices and report any potential threats
V1.0
V1.0
V1.0
Vulnerability Management
All networks will contain vulnerabilities Therefore managing these vulnerabilities and the risks associated with them is a key task of network management Managing vulnerability includes:
Prioritising vulnerabilities Fixing vulnerabilities Reducing the effects of potential breeches Monitoring for new/unknown vulnerabilities
V1.0
V1.0
V1.0
Penetration Testing
A penetration test mimics the actions of a malicious attack on a network The aim is to discover the vulnerabilities that exist and that could be discovered by an attacker Provides information on:
Threats to the system Strength of defensive measures in place Possible effects of successful attacks Areas of security requiring upgrade and investment
V1.0
Vulnerability Scanner
A vulnerability scanner can be used in a penetration test It is software that tests a system or network for weaknesses Different types are available Each type focuses on a particular area of potential weakness Can only discover known vulnerabilities
V1.0
Vulnerability Scanners
Types are available for scanning:
Ports Networks Databases Web applications Individual computers
V1.0
V1.0
Port Scanners
Software that probes for open ports Used by network administrators to test the network Used by attackers to look for vulnerabilities The TCP/IP protocol suite has services being supplied by a host through a port There are 65536 different port numbers available Most services use only a very limited number of ports
V1.0 NCC Education Limited
Port Status
A port scan will generally give one of three results:
- Open there is a service using the port and the host has replied with a message that it is listening for port communications on this p - Filtered no reply is received meaning that there is some filtering occurring on this port, typically via a firewall - Closed a reply is received stating that communication is denied on this port
V1.0
V1.0
V1.0
V1.0
System port
SYN/ACK
ACK
V1.0
V1.0
V1.0
V1.0
The target system should send RST S f for all closed ports Null turns off all flags in the packet to the target system This should return RST for all closed ports
V1.0
V1.0
V1.0
V1.0
UDP Scans
Sends a UDP packet to the target port If it receives a ICMP port unreachable message the port is closed If the message is not received it may be assumed that the port is open UDP scans are slow Results are unreliable as no message may be received for other reasons
V1.0
Password Cracking
Cracking a password can enable an attacker to gain access to:
- A network - A computer - Individual files
V1.0
V1.0
Dictionary Attack
A simple and fast way to crack a password A text file contains a set of dictionary words (the dictionary file) This Thi i is l loaded d di into t th the software ft package k It runs against user accounts in the application the hacker is attacking Most passwords are simple and easy to crack
V1.0
All possible combinations of characters are used until the correct combination is found Software packages do the work for you but it can still take weeks to crack a password this way Best defence is to use cryptographic methods allied to strong passwords
V1.0
V1.0
V1.0
References
Scambrey, J., McClure, S. and Kurtz, J. (2001). Hacking Exposed: Network Security Secrets & Solutions. 2nd Edition. McGraw Hill. The Open Web Application Security Project (OWASP) website: https://www.owasp.org/index.php/Main_Page
V1.0
V1.0
V1.0
Topic 7 Authentication
V1.0
V1.0
V1.0
V1.0
Topic 7 Authentication
Learning Outcomes
By the end of this unit students will be able to:
Explain the different authentication mechanisms; Describe multifactor authentication; Describe biometrics and their issues. issues
V1.0
Authentication Overview
We are taking a network-based view of user authentication User authentication is the first line of defence of a network It aims to prevent unauthorised access to a network It is the basis of setting access controls It is used to provide user accountability
V1.0
Identification is the means by which a user claims to be a specific identity Verification is the method used to prove that claim
V1.0
V1.0
Topic 7 Authentication
Means of Authentication
Something the individual knows
- E.g. password, PIN
V1.0
Authentication Problems
Guess or steal passwords, PIN, etc Forget passwords, PIN Steal or forge smartcards Lose smartcard False positives in biometrics False negatives in biometrics The most common method of network authentication uses passwords and cryptographic keys
V1.0
Smartcards
Tamper-resistant devices Have a small amount of memory Have a small processor
- Simple p computations, p , e.g. g encryption/decryption, yp yp , digital signatures
V1.0
V1.0
Topic 7 Authentication
Smartcard Examples
Bank/ATM cards Credit cards Travel cards Pass cards for a workplace
V1.0
Passwords
Most common means of authentication Require no special hardware Typical authentication by password
1. User supplies a username and password 2. System looks up the username in the relevant database table 3. Checks that username, password pair exists 4. Provides system access to the user
V1.0
Password Strength
Users tend to pick weak passwords if allowed Easy to crack via dictionary attack Users can be forced to create more complex passwords System can supply users with a strong password Many users will write down a stronger password and this can be a greater security risk than a weak password
V1.0
V1.0
Topic 7 Authentication
A direct attack on the database storing passwords can be used to discover or change passwords Sessions can be hijacked the attacker disconnects the user but remains connected themselves Never use the same password for different applications
V1.0 NCC Education Limited
Losing Passwords
Not uncommon for a user to lose or forget a password Can be dealt with by regularly changing passwords Password generators can be used to change passwords
- Automatically generate new passwords based upon a master secret
V1.0
Challenge - Response
Systems are used that request specific characters in a password rather than the whole password. Commonly used in online banking Example
- The password is MyPassword - The system asks for the 2nd, 3rd and 8th characters - The user enters y, P and o
The idea is that it would take an eavesdropper many sessions to determine the whole password
V1.0
V1.0
Topic 7 Authentication
Hash Functions
A database of plaintext passwords makes stealing all passwords more likely
- Sony!!
Hashing Passwords
MD5 and SHA-1 are commonly used hashing algorithms User sends a username, password pair to the system The system hashes the password The database stores a username, h(password) pair
- h(password) is the result of applying the hashing function to the password
V1.0
V1.0
V1.0
Topic 7 Authentication
V1.0
Multi-Factor Authentication
An identity is verified and authenticated using more than one verification method User/password authentication is single factor authentication
- Only O l one verification ifi ti method, th d th the password d
A stronger form of identity verification Used for applications where security is more important
- E.g. bank ATM card and PIN
V1.0
Multi-Factor Systems
This does not mean using two or three different passwords but two or three different methods ATM Two-factor authentication
- Something you possess bank card - Something you know PIN
V1.0
V1.0
Topic 7 Authentication
Disadvantages
Cost
- Cost of supplying smartcards, USB tokens, etc. - Cost of hardware/software to read the tokens
Inconvenience
- Users may not like the inconvenience of having to carry around a token
A balance has to be made between the cost and inconvenience of security and the sensitivity of the data and transactions being protected
V1.0
PIN
- There is a 1 in 10000 chance of guessing a PIN
Combined
- There is a 1 in 100,000,000 chance of matching both
V1.0
Biometrics
Automated methods used to recognise the unique characteristics of humans Uses one or more traits:
- Physical traits (static biometrics) - Behavioural B h i lt traits it (d (dynamic i bi biometrics) ti )
V1.0
V1.0
Topic 7 Authentication
Biometric Types
Physical characteristics:
Fingerprints Retinas Irises Facial patterns Hand measurements
Behavioural characteristics
- Signature - Typing patterns - Voice recognition
V1.0
V1.0
V1.0
V1.0
Topic 7 Authentication
Multiple p measurements are taken when a user first enrols in the system Matching with template is a success Tolerances are built into the algorithm that matches the templates
V1.0
Fingerprints
Fingertips have ridges and valleys that are unique to that fingertip
- Used by police for a long time
Most common biometric method Available for laptops and PCs Access to systems provided via touch technology
V1.0
Face Recognition
Capture facial image in the visible spectrum
Use a standard camera Use central portion of face Extract features that remain constant over time Avoid changing features, e.g. hair
An alternative version captures an infra-red image of the heat emitted by a face Most users accept use of such systems Problems caused by lighting, masks, etc.
V1.0
V1.0
Topic 7 Authentication
Speech Recognition
Some features of speech differ between individuals These patterns produced reflect the anatomy of the speaker These patterns reflect the patterns of speech learned as a result of:
- Location - Peers - Language
V1.0
Iris Recognition
Iris is the coloured area around the pupil Iris patterns are thought to be unique Video systems are used to capture an image of the iris Becoming economically viable as equipment prices have lowered Works with glasses and contact lenses
V1.0
Hand Geometry
Can utilise measures of fingers or whole hands
Length Width Thickness Surface area
V1.0
V1.0
Topic 7 Authentication
Written Signatures
Uses measurement of the way the signature is written not just the final signature Can measure a range of parameters:
- Speed - Pressure - Angle of writing
V1.0
Typing Patterns
Similar to the recognition of written signatures Uses a standard keyboard Recognises the password that is typed Recognises the way the password is typed:
- Intervals between characters - Speed of typing
V1.0
V1.0
V1.0
Topic 7 Authentication
Injury
- Hygiene concerns about equipment - Criminals chopping off fingers to use!!
Exclusion
- An amputee may have no fingers
V1.0
V1.0
References
Stallings, W. (2010). Cryptography and Network Security: Principles and Practice. Pearson Education. Scambrey, J., McClure, S. and Kurtz, J. (2001). Hacking Exposed: Network Security Secrets & Solutions, 2nd Edition. McGraw Hill.
V1.0
V1.0
Topic 7 Authentication
Topic 7 Authentication
Any Questions?
V1.0
V1.0
V1.0
V1.0
V1.0
V1.0
Learning Outcomes
By the end of this topic students will be able to:
Configure access control mechanisms Apply and manage port forwarding rules
V1.0
Access Control
Network traffic is in the form of IP/TCP/UDP packets The headers of these packets contain information as to source and destination of the packets Routing devices uses the source and destination addresses to route traffic through the network These addresses can be used to create access control rules We will examine methods for determining if traffic is allowed on a network or section of a network
V1.0 NCC Education Limited
Packet Filtering
Routing devices examine a packet's destination address and decide where to send it Packet filtering adds an extra layer to this process First the destination address is examined If the router determines that it should process the packet it then applies a set of rules to determine what happens to it Can apply these rules to both incoming and outgoing packets
V1.0 NCC Education Limited
V1.0
Filtering Rules
Implement security policies as services that are allowed or disallowed Examples:
- Packets for particular machines can be blocked - Specific types of packets can be blocked - Packets going out of your network can be blocked
Packet filtering rules can be very general or can be applied to specific machines or ports
V1.0
V1.0
Examples:
a. Block all traffic to machine A b. Block all traffic to port 80 (http) c. Block all traffic to port 80 except on machine A
V1.0
V1.0
Stateless Filtering - 1
Simple rules Easy to implement Not flexible For example:
- If all traffic to port 80 is blocked a static filter will block all http traffic - It cannot be set to block all traffic to port 80 except that from http://campus.nccedu.com in a single rule
V1.0
Stateless Filtering - 2
Filtering process is dumb
- Applies a set of static rules to every packet - Does not store any results from previous packets - No intelligence or learning built into the filtering system
V1.0
Stateful Filtering
Also known as Dynamic Packet Filtering Uses a state table that stores detail of legitimate traffic requests:
IP addresses Ports P t Handshake status Route/Time
Compare packets with previous valid traffic Allows traffic based upon connections
V1.0 NCC Education Limited
V1.0
2.Define this as a set of rules that includes IP addresses and port numbers 3.Translate these rules into a language that the router or other device understands
- May be vendor specific so we do not cover this
V1.0
What is Permitted?
This is done at a conceptual level
- Is internet access allowed - Can individual machines accept email from the Internet or will it all come through a central mail server - Are all messages from a specific location blocked
A good general rule is to block all packets except those that have been specifically allowed
- Default is to block all packets not processed by the rule list
V1.0
V1.0
V1.0
V1.0
V1.0
V1.0
V1.0
Method was required to create extra IP addresses or the Internet would reach capacity The main reason for the use of NAT originally was to create extra IP addresses
V1.0
The IP Address
An IP address has two parts:
- a network number - a host number
V1.0
V1.0
IP Address Classes - 1
The network size determines the class of IP address There is a network and host part in each IP address IP addresses come in 4 classes (A, B, C and D) Each class suits a different network size
V1.0
IP Address Classes - 2
Network addresses with first byte between 1 and 126 are class A with approx.17 million hosts each Network addresses with first byte between 128 and 191 are class B with approx. 65000 hosts each Network addresses with first byte between 192 and 223 are class C with 256 hosts All other networks are class D, used for special functions, or class E which is reserved
V1.0
Large companies can buy several addresses It is more economic for small businesses to use a single address
V1.0
V1.0
V1.0
Dynamic NAT
A small number of public IP addresses are dynamically assigned to a large number of private IP addresses Port Address Translation ( (PAT) ) is a variant of NAT:
- Allows one or more private networks to share a single public IP address - Commonly used in small businesses - Remaps both source and destination addresses and source and destination ports of packets
V1.0
NATs use their own protocol stack not that of the host machine
- Protects against some attacks
V1.0
V1.0
V1.0
NAT Operation
Changes the source address on every outgoing packet to the single public address Renumbers source ports to be unique
- Used to keep track of each client connection
H Has a port t mapping i t table bl t to record d ports t f for each h client computer
- Relates real local IP address and source port to translated port number, destination address and port - Allows the process to be reversed for incoming packets so they are routed to the correct client
V1.0
PAT Operation
An example of how IP and port are changed
V1.0
V1.0
V1.0
IDS Types
Network based intrusion detection systems (NIDS) Host based intrusion detection systems (HIDS) IDS that look for signatures of known threats IDS that compare traffic patterns against a network baseline and look for anomalies in the patterns
V1.0
NIDS
Positioned in strategic locations in the network Monitor all traffic to and from network devices In a perfect world all traffic would be monitored This would create a bottleneck in the network with a huge processing overhead
- It would deteriorate network speed
V1.0
V1.0
HIDS
Operate on individual hosts or network devices Monitors all inbound and outbound packets but only to and from the device it operates p on If suspicious activity is detected it usually alerts the user and/or network administrator of that activity
V1.0
Signature-based IDS
Monitors packets on the network Compare packets against a stored database of known malicious threats
- Similar to the operation of antivirus software
When a new threat appears there is a period of time before this is added to the database Any new threat is undetected until such time as the database is updated to include this threat
- Similar to the operation of antivirus software
V1.0
Anomaly-based IDS
Monitors network traffic Compare network traffic with a baseline Baseline is normal traffic for that network:
Bandwidth Protocols Ports Devices
User and/or network administrator is alerted if there is a significant change from the baseline
V1.0 NCC Education Limited
V1.0
IDS Overview
Ideal for monitoring and protecting a network Can be prone to false alarms Must be correctly set up to recognize what is normal traffic on the network Network administrators and users must:
- Understand the alerts - Know the most effective course of action upon receiving an alert
V1.0
References
Scambrey, J., McClure, S. and Kurtz, J. (2001). Hacking Exposed: Network Security Secrets & Solutions. 2nd Edition. McGraw Hill.
V1.0
V1.0
V1.0
Topic 9 Firewalls
V1.0
V1.0
V1.0
V1.0
Topic 9 Firewalls
Learning Outcomes
By the end of this topic students will be able to:
Describe the components of a firewall Configure a DMZ firewall Evaluate the limitations of firewalls
V1.0
Network Firewall
A firewall is the first line of defence for your network The purpose of a firewall is to keep intruders from gaining access to your network U Usually ll placed l d at t th the perimeter i t of f network t kt to act t as a gatekeeper for incoming and outgoing traffic It protects your computer from Internet threats by erecting a virtual barrier between your network or computer and the Internet
V1.0
A firewall allows you to establish certain rules to determine what traffic should be allowed in or out of your private network
V1.0
V1.0
Topic 9 Firewalls
Creating Rules
Traffic blocking rules can be based upon:
Words or phrases Domain names IP addresses Ports Protocols (e.g. FTP)
While firewalls are essential, they can block legitimate transmission of data and programs
V1.0
Hardware firewalls are typically found in routers, which distribute incoming traffic from an Internet connection to computers Software firewalls reside in individual computers Ideally a network has both
V1.0
Software Firewall
Protect only the computer on which they are installed Provide excellent protection against threats ( i (viruses, worms, etc.) ) Have a user-friendly interface Have flexible configuration
V1.0
V1.0
Topic 9 Firewalls
Router Firewall
Protect your entire network or part of a network Located on your router Protect network hardware which cannot have a software firewall installed on it Allows the creation of network-wide rules that govern all computers on the network
V1.0
Firewall Operation
Can be divided into three main methods:
- Packet filters (see last topic) - Application gateways - Packet inspection p
V1.0
Application Gateways
Application-layer firewalls can understand the traffic flowing through them and allow or deny traffic based on the content Host-based firewalls designed to block objectionable bj ti bl W Web b content t tb based d on k keywords d are a form of application-layer firewall Application-layer firewalls can inspect packets bound for an internal Web server to ensure the request isnt really an attack in disguise
V1.0
V1.0
Topic 9 Firewalls
V1.0
Disadvantages
Needs to know how to handle traffic to and from your specific application
- If you have an application that's unique, your application layer firewall may not be able to support it without making some significant modifications
Application firewalls are generally much slower than packet-filtering or packet-inspection firewalls
- They run applications, maintain state for both the client and server, and also perform inspection of traffic
V1.0
V1.0
V1.0
Topic 9 Firewalls
V1.0
V1.0
Advantages
Generally much faster than application firewalls
- They are not required to host client applications
V1.0
V1.0
Topic 9 Firewalls
Disadvantages
Open to certain denial-of-service attacks These can be used to fill the connection tables with illegitimate connections
V1.0
V1.0
Firewall Architecture
Firewalls are used to protect the perimeter of a network and the perimeter of sections of networks A key question for a network administrator is where firewalls should be located The positioning of firewalls in relation to other network elements is the firewall architecture We will only look at the position of firewalls and the consequences of this
- Other security devices should also be used
V1.0
V1.0
Topic 9 Firewalls
Firewall Architecture
The following are common firewall architectures:
Screening router Screened host Dual homed host Screened subnet Screened subnet with multiple DMZs Dual firewall
V1.0
Screening Router
Simplest of firewall architectures Traffic is screened by a router
- Packet filtering - Using ACLs
V1.0
Screening Router
Usually deployed at the perimeter of the network May be used to control access to a Demilitarized Zone (DMZ) see later More often used in conjunction j with other firewall technologies
V1.0
V1.0
Topic 9 Firewalls
Disadvantages
- No logging - No user authentication - Difficult to hide internal network structure
V1.0
V1.0
V1.0
V1.0
Topic 9 Firewalls
V1.0
Bastion Host
A special purpose computer specifically designed and configured to withstand attacks
The bastion host is the server that connects to the unsecure network through the router
V1.0 NCC Education Limited
Disadvantages
- Difficult to hide internal structure - There is a single point of failure in the network
V1.0
V1.0
Topic 9 Firewalls
Dual-Homed Host
A Bastion Host/Firewall is surrounded with packet filtering routers
- Dual-homed - outside world and protected network - Multi-homed - outside world and multiple protected networks
Routers filter traffic to the Bastion Host Bastion Host adds additional filtering capabilities Bastion Host has no routing capabilities
V1.0
Disadvantages
- Requires users to log onto bastion host or the use of proxy servers
V1.0
V1.0
V1.0
Topic 9 Firewalls
Disadvantages
- Single point of failure
V1.0
V1.0
V1.0
V1.0
Topic 9 Firewalls
References
Scambrey, J., McClure, S. and Kurtz, J. (2001). Hacking Exposed: Network Security Secrets & Solutions, 2nd Edition. McGraw Hill. Zwicky, E.D. (2000). Building Internet Firewalls, 2nd Edition. OReilly Media.
V1.0
Topic 9 Firewalls
Any Questions?
V1.0
V1.0
V1.0
V1.0
V1.0
V1.0
Learning Outcomes
By the end of this topic students will be able to:
Configure access control mechanisms Explain Virtual Private Networks
V1.0
What is VPN?
A private network that uses public telecommunication, such as the Internet, instead of leased lines to communicate Remote network communication via the Internet Used by companies/organisations / who want to communicate confidentially Two parts:
- Protected or inside network - Outside network or segment (less trustworthy)
V1.0
V1.0
V1.0
information
Firewalls - VPNs allow authorised users and data to
V1.0
V1.0
Key Functions
Authentication - validates that the data was sent from the sender
Access Control - preventing unauthorised users from
altered
V1.0
V1.0
V1.0
A Network
Multiple VPN connections can be made to create a genuine network
V1.0
Protocols
There are three main protocols used:
- IP Security (IPsec) - Point-to-Point Tunneling Protocol (PPTP) - Layer 2 Tunneling Protocol (L2TP)
V1.0
V1.0
IPsec
An open standard protocol suite Provides privacy and authentication services Has two modes of operation Transport Mode encrypts data but not the header Tunnel Mode encrypts both data and header Each connection is a security association (SA)
- Has one security identifier for each direction - Each security identifier is carried in packets and used to look up keys, etc.
V1.0
V1.0
V1.0
V1.0
PPTP
A data link protocol Used to establish a direct connection between two networking nodes Creates the virtual connection across the Internet Can provide:
- Connection authentication - Transmission encryption - Compression
V1.0
L2TP
A tunnelling protocol Does not provide encryption or confidentiality but relies on an encryption protocol that it passes within the h tunnel l The entire L2TP packet, including payload and header, is sent within a UDP datagram
V1.0
V1.0
V1.0
Advantages
Cost effective Greater scalability Easy to add/remove users Mobility Security
V1.0
Disadvantages
Understanding of security issues Unpredictable Internet traffic Difficult to accommodate products from different vendors
V1.0
V1.0
V1.0
VPN Connections
A VPN is a secure, private communication tunnel between two or more devices across a public network (e.g. the Internet) VPN devices can be:
- a computer running VPN software - a special device like a VPN enabled router
Remote computer can connect to an office network Two computers in different locations can connect over the Internet
V1.0 NCC Education Limited
VPN Categories
There are several types of VPN There are different ways of classifying VPNs We use two broad categories based upon architecture:
- Client-initiated VPNs - Network access server (NAS)-initiated VPNs
V1.0
Client-Initiated VPNs
Users establish a tunnel across the ISP shared network to the customer network Customer manages the client software that initiates the tunnel Advantage is that they secure the connection between the client and ISP Disadvantage is that they are not as scalable and are more complex than NAS-initiated VPNs
V1.0
V1.0
NAS-Initiated VPNs
Users connect to the ISP NAS which establishes a tunnel to the private network More robust than client-initiated VPNs Do not require the client to maintain the tunnelcreating software Do not encrypt the connection between the client and the ISP
- not a concern for most customers because the Public Switched Telephone Network (PSTN) is much more secure than the Internet
V1.0
V1.0
Extranet
An extranet is where the Internet or one or two Service Providers are used to connect to business partners Extends network connectivity to:
- Customers - Business partners - Suppliers
Security policy is very important as potentially the VPN could be used for large orders or contracts
V1.0
V1.0
Intranet
Intranet VPNs extend a basic remote access VPN to other corporate offices Connectivity is across the Internet or across the Service Provider IP backbone S Service levels are likely to be maintained and enforced within a single Service Provider For VPNs across the Internet (multiple Service Providers) there are no performance guarantees
- no one is in charge of the Internet!
V1.0
V1.0
V1.0
V1.0
VPN in Industry
Healthcare: transferring confidential patient information within a health care provider Manufacturing: suppliers can view inventories & allow clients to purchase online safely Retail: securely transfer sales data or customer info between stores & headquarters Banking: enables account information to be transferred safely within departments & branches
V1.0
SSL VPNs are easy to install and use ports already available for secure traffic over the Internet
V1.0 NCC Education Limited
V1.0
SSL VPNs
Connect securely via a standard Web browser No special software required on client computers Traffic between Web browser and the SSL VPN device is encrypted with the SSL protocol Support access control by:
- User - Device - Location
V1.0
V1.0
V1.0
V1.0
Requires a web browser that can run active content Can provide functionality not accessible via SSL portal VPNs
V1.0
SSL Costs
Initial costs are higher
- Requires purchase of SSL Certificate
V1.0
References
Sybex, (2001). Hacking Exposed: Networking Complete. 2nd Edition. John Wiley & Sons. Tanenbaum, A A.S. S (2003) (2003). Computer Networks. 4th Tanenbaum Edition. Prentice Hall.
V1.0
V1.0
V1.0
V1.0
V1.0
V1.0
V1.0
V1.0
Learning Outcomes
By the end of this topic students will be able to:
Configure access control mechanisms Select an appropriate remote access solution
V1.0
V1.0
V1.0
V1.0
By accessing files a remote user can transfer any individual files they need whilst working remotely By accessing applications the remote user can use software on the network and therefore also process files and data in the same way as if they were in the workplace
V1.0
V1.0
Client/Database Architecture
Complete applications are installed on the client computer
- Fat clients
Client connects to a database via a network Data for applications is held on the database Usually used where there is only a small number of clients
V1.0
V1.0
Client/Server Architecture
Typically has a stripped down version of applications installed on the client
- Sufficient to connect to the server application
A full version of the software is installed on the server Business logic rules are applied at the server and a connection created to the database Example is mail client such as MS Outlook
V1.0
Web-based Architecture
Web browser is used as the client Requires minimal software on the client computer Interacts with web server Provides web-based user interface Server may communicate with other application servers to provide functionality
- These are usually on other hardware
V1.0
V1.0
V1.0
V1.0
Application Hosting
Application hosting involves using an external partner to host applications on their servers Removes the need for internal IT departments to manage the architecture, servers and applications Use of software and hosting management is via the external partner who charges for this service The remote access is to this external partners servers, whether from inside the office or from a remote location
V1.0
V1.0
Web-based Applications
Clients do not require any dedicated software other than a standard web browser Data passes over the Internet Data transfer is encrypted Can be provided as Software-as-a-Service (SaaS)
- Software vendors provide access to the software via the Internet
V1.0
V1.0
V1.0
V1.0
Remote Desktop
Allows applications to be run on a remote server but displayed locally Can be achieved via software installed on the client or via a feature provided by the OS May be command line applications May be applications with a graphical user interface (GUI) There are many OS that provide this functionality
V1.0
The controlling computer transmits input from its own keyboard or mouse to the controlled computer The software implements these actions on the controlled computer
V1.0 NCC Education Limited
V1.0
V1.0
A Warning!!
Attackers have used remote access software to gain control of many computers A typical scenario involves the user receiving a telephone call from someone pretending to be a legitimate corporation They offer to fix your computer remotely Once the remote access is allowed they use the computer for other purposes
V1.0
V1.0
V1.0
V1.0
Platform Independence
VNC is platform independent A VNC viewer can connect to a VNC server using a different operating system Multiple clients can connect to the same VNC server at the same time VNC clients and servers are available for most GUI based operating systems
V1.0
VNC Components
VNC server is the program on the server that allows the client to take control of it VNC client (also known as the viewer) is the program that controls the server The remote framebuffer (RFB) protocol sends simple graphic messages to the client and input actions to the server The machine with the VNC server does not have to have a physical display
V1.0
Framebuffer
A memory buffer Drives video output display Stores information on the colour value of every pixel in a display Used in all systems that use windows Information can be transmitted storing the colour and position of each pixel in a rectangle
V1.0
V1.0
VNC Security
VNC does not use plaintext passwords But it is not very secure Open to sniffing attacks Can be tunnelled over SSH or VPN connection for enhanced security There are SSH clients for most platforms
V1.0
Supports a number of technologies Supports a number of LAN protocols An extension of the ITU T.120 family of protocols Clients exist for most operating systems
V1.0
V1.0
RDP Operation
RDP uses its own video driver to convert rendering information into packets Sends them to the client via the network RDP receives rendering data at client and converts into Windows graphics device interface (GDI) calls Mouse/keyboard events are sent from client to server RDP uses its own on-screen events driver to receive these events
V1.0 NCC Education Limited
RDP Features
RDP offers many features:
Encryption Bandwidth reduction Roaming disconnect Cli b d mapping Clipboard i Print redirection Sound redirection Support for 24 bit colour Smart Card authentication
V1.0
References
Sybex, (2001). Networking Complete. 2nd Edition. John Wiley & Sons. Tanenbaum, A.S. (2003). Computer Networks. 4th Edition. Prentice Hall. Microsoft Developer Network,
http://msdn.microsoft.com/en-us/library/aa383015.aspx
V1.0
V1.0
V1.0
V1.0