Network Security Chapter 7

CHAPTER 7
SECURITY IN NETWORKS AND DISTRIBUTED SYSTEMS
INTRODUCTION
A network is two devices connected across some medium by hardware and software that complete the communications (simple definition of a network).

[Diagram: Simple View of Network. User (Client) <-> Communication medium <-> Host Server]
Introduction
A network is normally not just a single client connected to a single server; typically many clients interact with many servers.

[Diagram: System A and System B, each a Host Server with several Users (Clients) attached; the two systems are connected to each other.]
Network Security Issues
Networks have security problems for the following reasons:
- Sharing: resources and workload sharing
- Complexity of the system
- Unknown perimeter: the expandability of a network also implies uncertainty about the network boundary
- Many points of attack: a file may pass through many hosts before reaching the destination
- Anonymity: an attacker can mount an attack without touching the system
- Unknown path: there may be many paths from one host to another
Possible Network Security Threats
- Wiretapping
- Impersonation
- Message confidentiality violations
- Message integrity violations
- Hacking
- Denial of Service (DoS)
Possible Network Security Threats: Wiretapping
- Wiretap means to intercept communications.
- Passive / active wiretapping.
- A packet sniffer can retrieve all packets on the net.
- "Inductance" is a process where an intruder can tap a wire without making physical contact with the cable.
- Microwave and satellite: higher possibility of interception due to wider broadcasting.
Possible Network Security Threats: Wiretapping
Optical fiber offers two significant security advantages:
- The entire optical network must be tuned carefully each time a new connection is made. Therefore, no one can tap an optical system without detection.
- Optical fiber carries light energy, not electricity. Light does not emanate a magnetic field as electricity does. Therefore an inductive tap is impossible on an optical fiber cable.
Possible Network Security Threats: Wiretapping
However, optical fiber also has weaknesses: wiretappers will try to tap at the repeaters, splices and other equipment that connects to the fiber, and those points create vulnerabilities.
Possible Network Security Threats: Impersonation
Pretending to be someone (personnel) or something (a process). In an impersonation, the attacker has several choices:
- Guess the identity and authentication details of the target
- Pick up the identity and authentication details of the target from a previous communication
- Circumvent or disable the authentication mechanism at the target computer
- Use a target that will not be authenticated
- Use a target whose authentication data is known
Possible Network Security Threats: Message Confidentiality Violations
- Misdelivery
- Exposure
- Traffic flow analysis
Possible Network Security Threats: Message Integrity Violations
- Falsification of messages:
  - Change the content of a message
  - Change any part of the content of a message
  - Replace a message entirely
  - Redirect a message
  - Destroy or delete the message
- Noise: unintentional interference
Possible Network Security Threats: Hacking
- A source of threat to security in computer communication.
- The hacker is considered a separate threat because a hacker can develop tools to search widely and quickly for particular weaknesses and move swiftly to exploit them.
- In this way, the hacker has unlimited time to analyze, plan, code, simulate and test for a future attack.
- In reviewing the effects of an attack, ask: if it succeeds, what additional capability would that give the hacker for future attacks?
Possible Network Security Threats: Denial of Service
The result of any action or series of actions that prevents any part of a telecommunications system from functioning:
- Connectivity
- Flooding
- Routing problems
- Disruption of service
Network Security Control
Encryption: link encryption and end-to-end encryption.
Link encryption:
- Data is encrypted just before the system places it on the physical communication link.
- Decryption occurs just as the communication enters the receiving computer.
[Diagram: Link Encryption. The OSI layer stack (Application, Presentation, Session, Transport, Network, Data Link, Physical) at the Sender, an Intermediate Host and the Receiver. The message is encrypted only while on the links; it is in plaintext (exposed) inside the sender, the intermediate host and the receiver. Legend: Message Encrypted / Message in Plaintext: Exposed.]
Network Security Control
End-to-end encryption:
- Provides security from one end of a transmission through to the other.
[Diagram: End-to-End Encryption. The same OSI layer stack at the Sender, an Intermediate Host and the Receiver. The message is encrypted from the sender's upper layers, across the intermediate host, to the receiver; it is in plaintext (exposed) only at the two ends. Legend: Message Encrypted / Message in Plaintext: Exposed.]
Network Security Control: Link Encryption versus End-to-end Encryption

|                       | Link Encryption                       | End-to-end Encryption                            |
|-----------------------|---------------------------------------|--------------------------------------------------|
| Security within hosts | Message exposed in the sending host   | Message encrypted in the sending host            |
|                       | Message exposed in intermediate nodes | Message encrypted in intermediate nodes          |
| Role of user          | Applied by sending host               | Applied by sending process                       |
|                       | Invisible to user                     | User applies encryption                          |
|                       | Host maintains encryption             | User must find algorithm                         |
|                       | Can be done in hardware               | Software implementation                          |
|                       | All or no messages encrypted          | User chooses to encrypt or not, for each message |
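An added simulation of the table's "security within hosts" rows (example code, not from the slides): a three-node path sender -> intermediate host -> receiver, reporting which nodes ever hold the plaintext under each scheme. The hash-based keystream cipher, the key values and the path are constructed for the demo.

```python
import hashlib

# Constructed for the demo: link keys are shared only by adjacent nodes,
# the end-to-end key only by sender and receiver.
PATH = ["sender", "intermediate", "receiver"]
LINK_KEYS = {("sender", "intermediate"): b"link-key-A",
             ("intermediate", "receiver"): b"link-key-B"}
E2E_KEY = b"end-to-end-key"


def _keystream(key: bytes, n: int) -> bytes:
    """Hash-in-counter-mode keystream; demo only, not a vetted cipher."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def xor_crypt(key: bytes, data: bytes) -> bytes:
    """Stream cipher: the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def link_encryption(message: bytes) -> dict:
    """Encrypt per link: each node decrypts what arrived and re-encrypts
    for the next link, so the intermediate host handles plaintext."""
    seen = {}                     # node -> what that node holds in memory
    data = message
    for here, nxt in zip(PATH, PATH[1:]):
        seen[here] = data         # plaintext before it goes on the link
        on_wire = xor_crypt(LINK_KEYS[(here, nxt)], data)
        data = xor_crypt(LINK_KEYS[(here, nxt)], on_wire)  # nxt decrypts
    seen[PATH[-1]] = data
    return seen


def end_to_end_encryption(message: bytes) -> dict:
    """Encrypt once in the sending process; intermediate nodes only
    forward ciphertext because they hold no key for it."""
    seen = {PATH[0]: message}
    on_wire = xor_crypt(E2E_KEY, message)
    for node in PATH[1:-1]:
        seen[node] = on_wire      # ciphertext is all the intermediate sees
    seen[PATH[-1]] = xor_crypt(E2E_KEY, on_wire)
    return seen


def exposed_nodes(seen: dict, message: bytes) -> list:
    """Nodes at which the message is in plaintext (the table's 'exposed')."""
    return [node for node in PATH if seen[node] == message]
```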
Authentication Issues in Distributed Systems
There are two main concerns regarding authentication in distributed systems:
(1) How to ensure the authenticity of the communicating hosts?
(2) How to ensure the authenticity of the users who are using the hosts?
Authentication Issues in Distributed Systems
These are addressed by using:
- Digital distributed authentication
- DCE (Distributed Computing Environment)
- Kerberos
- SESAME
- CORBA
Authentication Issues in Distributed Systems
Kerberos
- Is a system that supports authentication in distributed systems.
- Was designed at the Massachusetts Institute of Technology.
- The basis of Kerberos is a central server that provides authenticated tokens, called tickets, to requesting applications.
Authentication Issues in Distributed Systems: Kerberos
[Diagram: Initiating a Kerberos Session]
[Diagram: Obtaining a Ticket to Access a File]
[Diagram: Access to Services and Servers in Kerberos]
Authentication Issues in Distributed System
Kerberos was carefully designed to withstand attacks in
distributed environments:
No password communicated on the network Cryptographic protection against spoofing Limited period of validity Time stamps to prevent replay attacks Mutual authentication
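An added example, not from the slides: a toy file server checking a ticket and its authenticator the way the bullets above describe (a sealed ticket with a limited validity window, a timestamp that must be fresh, and a replay cache). The HMAC tags stand in for the encryption real Kerberos applies; the key values, lifetime and clock skew are constructed for the demo.

```python
import hashlib
import hmac
import json

# Constructed for the demo: the file server's long-term key, which the
# ticket-granting server uses to seal tickets meant for that server.
SERVER_KEY = b"constructed-file-server-key"
CLOCK_SKEW = 300        # seconds of clock difference the server tolerates
LIFETIME = 8 * 3600     # ticket period of validity, in seconds


def _mac(key: bytes, body: dict) -> str:
    """Integrity tag over canonical JSON (stands in for Kerberos encryption)."""
    data = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def issue_ticket(client: str, server: str, session_key: str, issued_at: int) -> dict:
    """Ticket-granting server: a ticket carrying a session key and a
    limited validity window, sealed with the server's key."""
    body = {"client": client, "server": server, "session_key": session_key,
            "start": issued_at, "end": issued_at + LIFETIME}
    return {"body": body, "mac": _mac(SERVER_KEY, body)}


def make_authenticator(client: str, session_key: str, now: int) -> dict:
    """Client: a fresh timestamp sealed with the session key from the ticket."""
    body = {"client": client, "timestamp": now}
    return {"body": body, "mac": _mac(session_key.encode(), body)}


class FileServer:
    def __init__(self):
        self.replay_cache = set()   # (client, timestamp) pairs already used

    def verify(self, ticket: dict, auth: dict, now: int) -> tuple:
        """Return (accepted, reason); each check matches a slide bullet."""
        tb, ab = ticket["body"], auth["body"]
        if not hmac.compare_digest(ticket["mac"], _mac(SERVER_KEY, tb)):
            return False, "ticket forged or altered"        # anti-spoofing
        if not tb["start"] <= now <= tb["end"]:
            return False, "ticket outside validity period"  # limited validity
        session_key = tb["session_key"].encode()
        if not hmac.compare_digest(auth["mac"], _mac(session_key, ab)):
            return False, "authenticator not sealed with session key"
        if ab["client"] != tb["client"]:
            return False, "authenticator client does not match ticket"
        if abs(now - ab["timestamp"]) > CLOCK_SKEW:
            return False, "stale timestamp"                 # timely transactions
        if (ab["client"], ab["timestamp"]) in self.replay_cache:
            return False, "replayed authenticator"          # replay prevention
        self.replay_cache.add((ab["client"], ab["timestamp"]))
        return True, "access granted"
```

The replay cache only needs to remember authenticators younger than CLOCK_SKEW, since older ones are rejected as stale anyway.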
Authentication Issues in Distributed Systems
Kerberos is not a perfect answer to security problems in distributed systems because:
- Kerberos requires continuous availability of a trusted ticket-granting server.
- Authenticity of servers requires a trusted relationship between the ticket-granting server and every server.
- Kerberos requires timely transactions.
- A subverted workstation can save and later replay user passwords.
Authentication Issues in Distributed Systems
Kerberos is not a perfect answer to security problems in distributed systems because (continued):
- Password guessing works
- Kerberos does not scale well
- Kerberos is not a complete solution
Privacy Enhanced Electronic Mail (PEM)
- The basis of PEM is encryption.
- In order to send a PEM message, the sender must have a certificate for the receiver.
[Diagram: PEM message encryption. The message (header + body) is encrypted under a symmetric message encryption key (symmetric key encryption), giving the encrypted data. The message encryption key is itself encrypted with the receiver's public key (public key encryption), giving the encrypted key. The output consists of a new header, the encrypted key and the encrypted data: Encrypted Message Header + Body.]
[Flowchart: PEM processing in message transmission. Sending side: Compose message -> "PEM processing requested?" -> Yes: PEM processing, then Send message; No: Send message directly. Receiving side: Receive message -> "Privacy enhanced?" -> Yes: PEM processing, then View message; No: View message directly.]
Privacy Enhanced Electronic Mail (PEM)
The major problem with PEM is key management. Therefore PGP was designed to overcome this problem.
Pretty Good Privacy (PGP)
- Was designed by Phil Zimmermann to offer a reasonable degree of privacy for email.
- It uses a message structuring scheme similar to PEM.
- The key management for PGP is ad hoc.
- Each user has a set of people he or she knows and trusts. The user exchanges public keys with those friends, exactly as one might swap business cards at a meeting.
- Some people accept not just their friends' public keys but also all the public keys their friends have.
Pretty Good Privacy (PGP)
- The assumption here is that any friend of yours is a friend of mine.
- A PGP user builds a key ring, which is the set of all public keys that person possesses.
- In that way, when an encrypted message arrives, the person can decrypt it if the key is on that person's key ring.
Firewalls
A firewall is a process that filters all traffic between a protected or "inside" network and a less trustworthy or "outside" network.
There are three types of firewall:
- Screening routers
- Proxy gateways
- Guards
Firewalls: Screening Router
- Is the simplest and in some situations the most effective type of firewall.
- Hosts tend not to be connected directly to a wide area network; more often hosts are connected to a router.
Firewalls
[Diagram: Router joining a LAN to two WANs]
FirewallsScreening Router Router will only see the header of the message. Header will contain information on:
The sender/receiver address Protocol Port Length of a packet
It can also control the traffic based on application – by using port numbers (eg: 21 for FTP and 25 for SMTP)
It can also decide which application is acceptable and not acceptable.
It can also determine the authentication of an inside address.
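As an added example (not from the slides), a screening router's decision logic written out: it sees only the header fields listed above, admits applications by destination port (21 for FTP, 25 for SMTP), and refuses a packet arriving on the outside interface that claims an inside source address. The address ranges, host addresses and rules are constructed for the demo.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing for the demo (documentation ranges).
INSIDE = ipaddress.ip_network("192.0.2.0/24")
MAIL_HOST = "192.0.2.10"
FTP_HOST = "192.0.2.20"
MAX_LENGTH = 1500          # longest packet the router will pass


@dataclass(frozen=True)
class Packet:
    """Only what a screening router can see: header fields, no payload."""
    src: str
    dst: str
    proto: str             # "tcp", "udp" or "icmp"
    dport: int
    length: int
    interface: str         # "outside" or "inside": where it arrived


# (arrival interface, protocol, destination port, destination host, action);
# None is a wildcard. First match wins; anything unmatched is denied.
RULES = [
    ("outside", "tcp", 25, MAIL_HOST, "allow"),   # SMTP, only to the mail host
    ("outside", "tcp", 21, FTP_HOST, "allow"),    # FTP control channel
    ("outside", "tcp", 23, None, "deny"),         # telnet is not acceptable
    ("inside", "tcp", None, None, "allow"),       # inside hosts may go out
    ("inside", "udp", 53, None, "allow"),         # DNS lookups from inside
]


def screen(pkt: Packet) -> tuple:
    """Decide (action, reason) for one packet from its header alone."""
    src = ipaddress.ip_address(pkt.src)
    # Authenticity of an inside address: genuine inside traffic never
    # enters on the outside interface, so such a packet is treated as spoofed.
    if pkt.interface == "outside" and src in INSIDE:
        return "deny", "inside source address arriving from outside"
    if pkt.length > MAX_LENGTH:
        return "deny", "packet exceeds maximum length"
    for iface, proto, port, host, action in RULES:
        if iface != pkt.interface or proto != pkt.proto:
            continue
        if port is not None and port != pkt.dport:
            continue
        if host is not None and host != pkt.dst:
            continue
        return action, f"rule {proto}/{port or 'any'} to {host or 'any'}"
    return "deny", "no rule matched (default deny)"
```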
Firewalls: Proxy Gateway
- Is also called a bastion host.
- Is a firewall that simulates the (proper) effects of an application so that the application will receive only requests to act properly.
Firewalls: Proxy Gateway
To understand the real purpose of a proxy gateway, we consider some examples:
- A company wants to set up an online list so that outsiders can see the products and prices offered. It wants to be sure that no outsider can change the prices or product list, and that outsiders can access only the price list, not any of the more sensitive files stored inside.
Firewalls: Guard
- A guard is a sophisticated proxy firewall.
- The guard decides what services to perform on the user's behalf based on its available knowledge, such as whether it can reliably know the (outside) user's identity, previous interactions, and so forth.
Firewalls: Guard
Here are some more sophisticated examples of guard activities:
- A university wants to allow its students to use email up to a limit of so many messages or so many characters of email in the last so many days. Although this result could be achieved by modifying email handlers, it is more easily done by monitoring the common point through which all email flows (the mail transfer protocol).
- A school wants its students to be able to access the WWW, but because of the slow speed of its connection to the Web it will allow only so many characters per downloaded image.
Firewalls
Firewalls are not complete solutions to all computer security problems:
- Firewalls can protect an environment only if the firewalls control the entire perimeter.
- Firewalls do not protect data outside the perimeter.
- Firewalls are the most visible part of an installation to the outside and therefore are the most attractive point of attack.
- Firewalls are targets of penetrators.
- Firewalls must be correctly configured.
- Firewalls exercise only minor control over the content admitted to the inside: inaccurate data or malicious code must be controlled inside the perimeter.