Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Security
1 11/04/21 ms
Presentation Content
• What is Internet?
• What do we need to protect?
• Threat Motivation
• Attack Types
• Security Objectives
• Security mechanisms
• References
2 11/04/21 ms
What is Internet?
3 11/04/21 ms
What do we need to protect
• Data
• Resources
• Reputation
4 11/04/21 ms
Threat Motivation
• Spy
• Joyride
• Ignorance
• Score Keeper
• Revenge
• Greed
• Terrorist
5 11/04/21 ms
Types of Attacks
• Passive
• Active
– Denial of Services
– Social Engineering
6 11/04/21 ms
TCP 3 way handshake
Client Server
SYN(X)
SYN(Y), ACK(X)
Half open
ACK(Y)
Full open
X, Y are sequence numbers
7 11/04/21 ms
TCP Session Hijack
Attacker Server
Valid TCP Connection
SYN(X)
Client, 146.135.12.1
8 11/04/21 ms
Security Objectives
• Identification
• Authentication
• Authorization
• Access Control
• Data Integrity
• Confidentiality
• Non-repudiation
9 11/04/21 ms
Identification
• Something which uniquely identifies a
user and is called UserID.
• Sometime users can select their ID as
long as it is given too another user.
• UserID can be one or combination of
the following:
– User Name
– User Student Number
– User SSN
10 11/04/21 ms
Authentication
• The process of verifying the identity of
a user
• Typically based on
– Something user knows
• Password
– Something user have
• Key, smart card, disk, or other device
– Something user is
• fingerprint, voice, or retinal scans
11 11/04/21 ms
Authentication Cont.
• Authentication procedure
– Two-Party Authentication
• One-Way Authentication
• Two-Way Authentication
– Third-Party Authentication
• Kerberos
• X.509
– Single Sign ON
• User can access several network resources
by logging on once to a security system.
12 11/04/21 ms
C lie n t S e rv e r
O n e -w a y A u th e n tic a tio n
A u th e n tic a te d
S e rv e rID &
T w o -w a y A u th e n tic a tio n
P a ssw o rd
A u th e n tic a te d
T w o - P a r ty A u th e n tic a tio n s
13 11/04/21 ms
S e c u r ity S e r v e r
Se
d
or
rv
sw
er
as
ID
ed
,P
,P
at
ID
as
Au
ic
nt
sw
th
nt
ie
e
e
or
nt
Cl
th
d
ic
Au
at
ed
Exchange Keys
C lie n t S e rv e r
E x c h a n g e D a ta
T h ir d -P a r ty A u th e n tic a tio n s
14 11/04/21 ms
Authorization
15 11/04/21 ms
Access Control
• The process of enforcing access right
• and is based on following three entities
– Subject
• is entity that can access an object
– Object
• is entity to which access can be controlled
– Access Right
• defines the ways in which a subject can
access an object.
16 11/04/21 ms
Access Control Cont.
• Access Control is divided into two
– Discretionary Access Control (DAC)
• The owner of the object is responsible for
setting the access right.
– Mandatory Access Control (MAC)
• The system defines access right based on
how the subject and object are classified.
17 11/04/21 ms
Data Integrity.
18 11/04/21 ms
Confidentiality
19 11/04/21 ms
Non-repudiation
20 11/04/21 ms
Security Mechanisms
• Web Security
• Cryptographic techniques
• Internet Firewalls
21 11/04/21 ms
Web Security
• Basic Authentication
• Secure Socket Layer (SSL)
22 11/04/21 ms
Basic Authentication
23 11/04/21 ms
Secure Socket Layer (SSL)
24 11/04/21 ms
Secure Socket Layer Cont..
The client sends a "hello" message to the Web server, and the
server responds with a copy of its digital certificate.
The client decrypts the server's public key using the well-known
public key of the Certificate Authority such as VeriSign.
The client generates two random numbers that will be used for
symmetric key encryption, one number for the receiving channel
and one for the sending channel. These keys are encrypted
using the server's public key and then transmitted to the server.
The client issues a challenge (some text encrypted with the
send key) to the server using the send symmetric key and waits
for a response from the server that is using the receive
symmetric key.
Optional, server authenticates client
Data is exchanged across the secure channel.
25 11/04/21 ms
Cryptographic Techniques
26 11/04/21 ms
Secret Key Algorithm
S e c re t K e y S e c re t K e y
E n c r y p t io n D e c r y p tio n
C le a r T e x t C ip h e r T e x t C le a r T e x t
Bob A lic e
27 11/04/21 ms
Public Key Algorithm
E n c r y p tio n D e c r y p tio n
C le a r T e x t C ip h e r T e x t C le a r T e x t
Bob A lic e
28 11/04/21 ms
Secure Hash Function
M essag
Key
D ig e s t
C le a r Hash
Text F u n c tio n
C o m p u te d
M essag
K ey D ig e s t
O r ig in a l O r ig in a l
C le a r C le a r
Text Text
Hash
F u n c tio n
Non-
O r ig in a l S e c u re O r ig in a l
M essage N e tw o rk M essage C o m p a re
D ig e s t D ig e s t ?
Bob A lic e
29 11/04/21 ms
Digital Signature
D e c r y p tio n &
E n c r y p tio n
A u th e n tic a tio n
C le a r T e x t C ip h e r T e x t C le a r T e x t
A lic e Bob
30 11/04/21 ms
Certificate Authority
R e q u e s t B o b 's C e r tific a te
P u b lic K e y A u th o r ity P u b lis h P u b lic
Key
B o b 's P u b lic
Key
A lic e Bob
C ip h e r T e x t
31 11/04/21 ms
X.509 Certificate
• Is a ITU-T Recommendation.
• Specifies the authentication service for X.500
directories
• X.500 specifies the directory services.
• Version 1 was published in 1988.
• Version 2 was published in 1993.
• Version 3 was proposed in 1994 and approved
in 1997.
• Binds the subject (user's) name and the user's
public key.
32 11/04/21 ms
X.509 Certificate (cont..)
• X09 certificate consists of the following fields:
– Version
– Serial Number
– Algorithm Identifier
– Issuer name
– Validity period
– Subject name
– Subject public key information
– Issuer unique identifier (Version 2 & 3 only)
– Subject unique identifier (Version 2 & 3 only)
– Extensions (Version 3 only)
– Signature
33 11/04/21 ms
X.509 Certificate (Cont..)
• Version 1
– Basic
• Version 2
– Adds unique identifier to prevent reuse of X.500
• Version 3
– Adds extension to carry additional information and
some of them are
• Distinguish different certificates
• Alternative to X.500 name
• Limit on further certification by subject
• Policy and Usage
34 11/04/21 ms
X.509 Certificate Revocation List (CRL)
• Is to prevent fraud and misuse.
• A certificate may be revoked for one the
following reason:
– The user’s private is compromised
– The user is no longer certified by this CA
– The CA’s private key a compromised
• Version 1 was published in 1988.
• Version 2 was published in 1997.
35 11/04/21 ms
X.509 CRL (cont..)
36 11/04/21 ms
Internet Firewall
• A firewall is to control traffic flow between
networks.
• Firewall uses the following techniques:
– Packet Filters
– Application Proxy
– Socks servers
– Secure Tunnel
– Screened Subnet Architecture
37 11/04/21 ms
Packet Filtering
• Most commonly used firewall technique
• Operates at IP level
• Checks each IP packet against the filter rules
before passing (or not passing) it on to its
destination.
• Very fast than other firewall techniques
• Hard to configure
38 11/04/21 ms
Packet Filter Cont..
Packet
N o n -S e c u re S e c u re
F ilte r in g
N e tw o rk N e tw o rk
S e rv e r
39 11/04/21 ms
Application Proxy
• Application Level Gateway
• The communication steps are as follows
– User connects to proxy server
– From proxy server, user connects to destination
server
• Proxy server can provide
– Content Screening
– Logging
– Authentication
40 11/04/21 ms
Application (telnet) Proxy Cont..
N o n -S e c u re T e ln e td T e ln e t S e c u re
T e ln e t T e ln e td
N e tw o rk N e tw o rk
P o rx y S e rv e r
41 11/04/21 ms
SOCKS Server
• Circuit-level gateways
• Generally for outbound TCP traffic from
secure network
• Client code must be installed on the user’s
machine.
• The communication steps are as follows:
– User starts application using destination server IP address
– SOCKS server intercepts and authenticates the IP address
and the userID
– SOCKS creates a second session to non-secure system
42 11/04/21 ms
Socks Servers Cont..
S ta n d a rd S o c k S ifie d
Non- S e rv e r C lie n t
Socks S e c u re
S e c u re
s e rv e r N e tw o rk
N e tw o rk
43 11/04/21 ms
Secure Tunnel Cont..
R e m o te A c c e s s
B u s in e s s P a r tn e r
C o p o r a te In tr a n e t
W o rk s ta tio n
W o r k s ta tio n
VPN R o u te r L a p to p
L a p to p
R o u te r
In te r n e t s e rv e r
s e rv e r
B r a n c h O ffic e
W o rk s ta tio n
R o u te r L a p to p
s e rv e r
44 11/04/21 ms
Secure IP Tunnel
45 11/04/21 ms
VPN Solutions
• IP Security (IPSec)
• Layer 2 Tunnel Protocol (L2TP)
• Virtual Circuits
• Multi Protocol Label Switching (MPLS)
46 11/04/21 ms
IPSec Solution
47 11/04/21 ms
Principle of IPSec protocols
• Authentication Header (AH)
– Provides data origin authentication, data integrity and replay
protection
• Encapsulating Security Payload (ESP)
– Provides data confidentiality, data origin authentication, data
integrity and replay protection
• Internet Security Association and Key Management
Protocol (ISAKMP) or Internet Key Exchange (IKE)
– Provides a method for automatically setting up security association
and managing their cryptographic key.
• Security Association (SA)
– Provides all the relevant information that communicating systems
need to execute the IPSec protocols.
48 11/04/21 ms
Operation Modes of IPSec
• Transport Mode
– The IP payload is encrypted and the IP headers are left
alone
IP Header Payload
49 11/04/21 ms
Operation Modes of IPSec Conti...
• Tunnel Mode
– The entire original IP datagram is encrypted and it becomes
the payload in the new IP
50 11/04/21 ms
IPSec Example
• This example combines IPSec protocols and is AH in tunnel mode
protecting ESP traffic in transport mode. This example assume that
the SA’s for communicates points have set up.
Branch Office
Coporate Intranet
Workstation
Workstation
Laptop
G1 G2 Laptop
Internet
server server
H1 H2
AH in Tunnel Mode
51 11/04/21 ms
IP Header
H1 to H2
Payload
IP Header
H1 to H2
ESP Hdr. Payload ESP Trl. ESP Auth.
Encrypted
Encrypted
Authenticated
52 11/04/21 ms
New IP Hdr. IP Header
G1 to G2
AH Hdr. H1 to H2
ESP Hdr. Payload ESP Trl. ESP Auth.
Encrypte
d
Authenticated
IP Header
H1 to H2
ESP Hdr. Payload ESP Trl. ESP Auth.
Encrypte
d
IP Header
H1 to H2
Payload
53 11/04/21 ms
Screened Subnet Architecture Cont..
FTP
Socks
P ro x y
S e rv e r
S e rv e r
Non-
Packet S c re e n e d Packet S e c u re
S e c u re D
F ilte r in g Subnet F ilte r in g N e tw o rk
N e tw o rk
HTTP T e le n t
P ro x y P ro x y
S e rv e r S e rv e r
D e m ilita r iz e d Z o n e (D M Z )
54 11/04/21 ms
Screened Subnet Architecture
55 11/04/21 ms
Firewall Conclusion
• Not the complete answer
• The fox is inside the henhouse
• Host security + User education
• Cannot control back door traffic
• any dial-in access
• Management problems
• Cannot fully protect against new viruses
• Antivirus on each host Machine
• Needs to be correctly configured
• The security policy must be enforced
56 11/04/21 ms