
Chapter 8 Security

Computer Networking: A Top Down Approach 6th edition Jim Kurose, Keith Ross Addison-Wesley March 2012

A note on the use of these ppt slides:

We’re making these slides freely available to all (faculty, students, readers). They’re in PowerPoint form so you see the animations; and can add, modify, and delete slides (including this one) and slide content to suit your needs. They obviously represent a lot of work on our part. In return for use, we only ask the following:

If you use these slides (e.g., in a class) that you mention their source (after all, we’d like people to use our book!)

If you post any slides on a www site, that you note that they are adapted from (or perhaps identical to) our slides, and note our copyright of this material.

Thanks and enjoy! JFK/KWR

All material copyright 1996-2012

J.F. Kurose and K.W. Ross, All Rights Reserved

Network Security

Chapter 8: Network Security

Chapter goals:

understand principles of network security:

cryptography and its many uses beyond “confidentiality”

authentication

message integrity

security in practice:

firewalls and intrusion detection systems

security in application, transport, network, link layers


Chapter 8 roadmap

8.1 What is network security?

8.2 Principles of cryptography

8.3 Message integrity, authentication

8.4 Securing e-mail

8.5 Securing TCP connections: SSL

8.6 Network layer security: IPsec

8.7 Securing wireless LANs

8.8 Operational security: firewalls and IDS


What is network security?

confidentiality: only sender, intended receiver should “understand” message contents

sender encrypts message

receiver decrypts message

authentication: sender, receiver want to confirm identity of each other

message integrity: sender, receiver want to ensure message not altered (in transit, or afterwards) without detection

access and availability: services must be accessible and available to users


Friends and enemies: Alice, Bob, Trudy

well-known in network security world

Bob, Alice (lovers!) want to communicate “securely”

Trudy (intruder) may intercept, delete, add messages


Who might Bob, Alice be?

… well, real-life Bobs and Alices!

Web browser/server for electronic transactions (e.g., on-line purchases)

on-line banking client/server

DNS servers

routers exchanging routing table updates

other examples?


There are bad guys (and girls) out there!

Q: What can a “bad guy” do?

A: A lot! See section 1.6

eavesdrop: intercept messages

actively insert messages into connection

impersonation: can fake (spoof) source address in packet (or any field in packet)

hijacking: “take over” ongoing connection by removing sender or receiver, inserting himself in place

denial of service: prevent service from being used by others (e.g., by overloading resources)


The language of cryptography

m plaintext message

KA(m) ciphertext, encrypted with key KA

m = KB(KA(m))


Breaking an encryption scheme

cipher-text only attack: Trudy has ciphertext she can analyze

two approaches:

brute force: search through all keys

statistical analysis

known-plaintext attack: Trudy has plaintext corresponding to ciphertext

e.g., in monoalphabetic cipher, Trudy determines pairings for a,l,i,c,e,b,o

chosen-plaintext attack: Trudy can get ciphertext for chosen plaintext
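The three attack models above are easiest to see on the monoalphabetic cipher the slide mentions. The following added example (not from the slides or the textbook) implements a substitution cipher under a constructed key, shows what a ciphertext-only attacker gets from letter statistics, and shows how one known plaintext/ciphertext pair hands over the key entries for exactly the letters it contains; a second ciphertext can then be partly read with those entries alone. The key table, the messages and the helper names are all assumptions of the example.

```python
import string
from collections import Counter

# Constructed example key: one fixed permutation of the 26 lowercase letters.
# Trudy does not know this table; the functions below model what she can
# recover from ciphertext alone and from a known plaintext/ciphertext pair.
PLAIN_ALPHABET = string.ascii_lowercase
CIPHER_ALPHABET = "qwertyuiopasdfghjklzxcvbnm"
KEY = dict(zip(PLAIN_ALPHABET, CIPHER_ALPHABET))


def encrypt(plaintext: str, key: dict) -> str:
    """Monoalphabetic substitution: every occurrence of a letter maps to the
    same ciphertext letter; non-letters (spaces, punctuation) pass through."""
    return "".join(key.get(c, c) for c in plaintext.lower())


def decrypt(ciphertext: str, key: dict) -> str:
    inverse = {c: p for p, c in key.items()}
    return "".join(inverse.get(c, c) for c in ciphertext)


def ciphertext_letter_frequencies(ciphertext: str) -> list:
    """Ciphertext-only view: letter counts, most common first. Because the
    substitution is fixed, these mirror the plaintext language's letter
    frequencies, which is what statistical analysis exploits."""
    counts = Counter(c for c in ciphertext if c in PLAIN_ALPHABET)
    return counts.most_common()


def known_plaintext_pairings(plaintext: str, ciphertext: str) -> dict:
    """Known-plaintext view: one (plaintext, ciphertext) pair reveals the key
    entry for every letter that appears in the plaintext."""
    pairings = {}
    for p, c in zip(plaintext.lower(), ciphertext):
        if p in PLAIN_ALPHABET:
            pairings[p] = c
    return pairings


def partial_decrypt(ciphertext: str, pairings: dict) -> str:
    """Apply only the pairings learned so far; letters still unknown show as '?'."""
    inverse = {c: p for p, c in pairings.items()}
    return "".join(
        inverse.get(c, "?") if c in PLAIN_ALPHABET else c for c in ciphertext
    )


if __name__ == "__main__":
    known = "alice bob"                      # plaintext Trudy happens to know
    learned = known_plaintext_pairings(known, encrypt(known, KEY))
    print(sorted(learned))                   # the seven letters of the known text
    other = encrypt("call bob at noon", KEY)
    print(partial_decrypt(other, learned))   # known letters readable, rest '?'
```

Every extra known plaintext adds entries to the same table, which is why a fixed per-letter substitution cannot survive an attacker who sees even a little matched traffic; modern ciphers are designed so that known or chosen plaintext reveals nothing about the key.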


Authentication

Goal: Bob wants Alice to “prove” her identity to him

Protocol ap1.0: Alice says “I am Alice”


Authentication: another try

Protocol ap2.0: Alice says “I am Alice” in an IP packet containing her source IP address


Authentication: another try

Protocol ap3.0: Alice says “I am Alice” and sends her secret password to “prove” it.


Authentication: yet another try

Protocol ap3.1: Alice says “I am Alice” and sends her encrypted secret password to “prove” it.


Digital signatures

cryptographic technique analogous to hand-written signatures:

sender (Bob) digitally signs document, establishing he is document owner/creator.

verifiable, nonforgeable: recipient (Alice) can prove to someone that Bob, and no one else (including Alice), must have signed document


Digital signatures

simple digital signature for message m:

Bob signs m by encrypting with his private key KB-, creating “signed” message, KB-(m)


Secure e-mail

Alice wants to send confidential e-mail, m, to Bob.

Alice:

generates random symmetric private key, KS

encrypts message with KS (for efficiency)

also encrypts KS with Bob’s public key, KB+

sends both KS(m) and KB+(KS) to Bob

Figure: Alice computes KS(m) with KS( ) and KB+(KS) with KB+( ) and sends both across the Internet; Bob applies KB-( ) to KB+(KS) to recover KS, then KS( ) to KS(m) to recover m.


Secure e-mail

Alice wants to send confidential e-mail, m, to Bob.

Bob:

uses his private key KB- to decrypt KB+(KS) and recover KS

uses KS to decrypt KS(m) to recover m

Figure (same as previous slide): KS(m) and KB+(KS) arrive over the Internet; Bob applies KB-( ) to KB+(KS) to recover KS, then KS( ) to KS(m) to recover m.
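The secure e-mail flow on these two slides and the simple digital signature from the earlier slide both rest on the same key pair (KB+, KB-), so one added example covers both. This is illustration code written for this page, not code from the textbook: Bob's key pair is textbook RSA built from two well-known primes, the symmetric cipher KS( ) is a toy XOR keystream derived with SHA-256, and all message contents are constructed. alice_send and bob_receive follow the slide's steps; sign and verify implement KB-(H(m)) and the check KB+(KB-(H(m))) = H(m). None of this is safe for real use (unpadded RSA, home-made stream cipher); it exists to make the notation on the slides executable.

```python
import hashlib
import secrets

# Bob's toy RSA key pair, built from two well-known primes so the example runs
# with the standard library only. Constructed for illustration: textbook RSA
# with no padding is not safe for real use.
P, Q = 1000000007, 998244353
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))       # Python 3.8+ modular inverse
BOB_PUBLIC = (E, N)                     # KB+ : known to everyone
BOB_PRIVATE = (D, N)                    # KB- : known only to Bob


def rsa_apply(x: int, key: tuple) -> int:
    """KB+( ) or KB-( ) applied to an integer smaller than N."""
    exponent, modulus = key
    return pow(x, exponent, modulus)


def symmetric_xor(ks: int, data: bytes) -> bytes:
    """Toy symmetric cipher KS( ): XOR with a SHA-256 keystream derived from KS.
    The same call encrypts and decrypts. Constructed stand-in for a real
    cipher such as AES-GCM."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        block_input = ks.to_bytes(8, "big") + counter.to_bytes(4, "big")
        stream += hashlib.sha256(block_input).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def alice_send(m: bytes) -> tuple:
    """Alice's steps from the slide: random KS, KS(m), KB+(KS)."""
    ks = secrets.randbits(59)               # random symmetric key; 59 bits keeps KS < N
    return symmetric_xor(ks, m), rsa_apply(ks, BOB_PUBLIC)


def bob_receive(ks_m: bytes, kb_ks: int) -> bytes:
    """Bob's steps: KB-(KB+(KS)) = KS, then KS(KS(m)) = m."""
    ks = rsa_apply(kb_ks, BOB_PRIVATE)
    return symmetric_xor(ks, ks_m)


def digest_mod_n(m: bytes) -> int:
    """Hash of m reduced below N so it can be signed with RSA."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % N


def sign(m: bytes, private_key: tuple) -> int:
    """Simple digital signature: apply the private key to the message hash."""
    return rsa_apply(digest_mod_n(m), private_key)


def verify(m: bytes, signature: int, public_key: tuple) -> bool:
    """Anyone holding KB+ can check KB+(KB-(H(m))) == H(m)."""
    return rsa_apply(signature, public_key) == digest_mod_n(m)


if __name__ == "__main__":
    m = b"Bob, meet me at noon. Alice"    # constructed message
    ks_m, kb_ks = alice_send(m)
    print(bob_receive(ks_m, kb_ks) == m)  # confidentiality round trip
    s = sign(m, BOB_PRIVATE)
    print(verify(m, s, BOB_PUBLIC), verify(m + b"!", s, BOB_PUBLIC))
```

The two halves use the key pair in opposite directions: confidentiality applies KB+ at the sender and KB- at the receiver, while a signature applies KB- at the signer and KB+ at every verifier. Hashing before signing is what lets a signature over a long message fit in one RSA operation, and changing a single byte of m changes H(m), so the verification fails.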


SSL: Secure Sockets Layer

widely deployed security protocol

supported by almost all browsers, web servers

https

billions $/year over SSL

mechanisms: [Woo 1994], implementation: Netscape

variation: TLS (transport layer security), RFC 2246

provides

confidentiality

integrity

authentication

original goals:

Web e-commerce transactions

encryption (especially credit-card numbers)

Web-server authentication

optional client authentication

minimum hassle in doing business with new merchant

available to all TCP applications

secure socket interface


SSL and TCP/IP

normal application: Application / TCP / IP

application with SSL: Application / SSL / TCP / IP

SSL provides application programming interface (API) to applications

C and Java SSL libraries/classes readily available


Toy SSL: a simple secure channel

handshake: Alice and Bob use their certificates, private keys to authenticate each other and exchange shared secret

key derivation: Alice and Bob use shared secret to derive set of keys

data transfer: data to be transferred is broken up into series of records

connection closure: special messages to securely close connection


Toy: a simple handshake

MS: master secret

EMS: encrypted master secret

1. Alice → Bob: hello

2. Bob → Alice: public key certificate

3. Alice → Bob: KB+(MS) = EMS


SSL record protocol

Figure: data is broken into data fragments; a MAC is appended to each fragment; fragment and MAC are encrypted; a record header is prepended to each encrypted fragment.

record header: content type; version; length

MAC: includes sequence number, MAC key Mx

fragment: each SSL fragment 2^14 bytes (~16 Kbytes)
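The record protocol slide and the key-derivation step of the toy SSL above can be run end to end. The following is an added example written for this page, not SSL/TLS code or code from the textbook: it expands a master secret into MAC and encryption keys with an HMAC construction (SSL and TLS use their own PRF), breaks application data into fragments of at most 2^14 bytes, computes a MAC over the sequence number, header fields and fragment, encrypts fragment and MAC with a toy HMAC keystream, and prepends a (type, version, length) header. The receiver keeps its own sequence counter, so a replayed or reordered record fails its MAC even though it was produced with the right keys. The version value, content type and the master secret are constructed.

```python
import hashlib
import hmac
import struct

FRAGMENT_LIMIT = 2 ** 14   # largest plaintext fragment per record (~16 KB), as on the slide
VERSION = 0x0303           # constructed version value for the record header
MAC_LEN = 32               # HMAC-SHA256 output length


def derive_keys(master_secret: bytes) -> dict:
    """Key derivation: expand the shared master secret MS into separate MAC and
    encryption keys for each direction. HMAC-based expansion constructed for
    this example; SSL/TLS use their own PRF."""
    labels = ("client mac", "server mac", "client enc", "server enc")
    return {label: hmac.new(master_secret, label.encode(), hashlib.sha256).digest()
            for label in labels}


def _keystream_xor(key: bytes, seq: int, data: bytes) -> bytes:
    """Toy encryption of a record body: XOR with an HMAC keystream bound to the
    record's sequence number. The same call encrypts and decrypts."""
    blocks = (len(data) + MAC_LEN - 1) // MAC_LEN
    stream = b"".join(hmac.new(key, struct.pack(">QI", seq, i), hashlib.sha256).digest()
                      for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))


def _record_mac(mac_key: bytes, seq: int, content_type: int, fragment: bytes) -> bytes:
    """The MAC covers the implicit sequence number as well as the header fields
    and the fragment, so replayed or reordered records fail verification."""
    covered = struct.pack(">QBHH", seq, content_type, VERSION, len(fragment)) + fragment
    return hmac.new(mac_key, covered, hashlib.sha256).digest()


class RecordSender:
    def __init__(self, mac_key: bytes, enc_key: bytes):
        self.mac_key, self.enc_key, self.seq = mac_key, enc_key, 0

    def send(self, content_type: int, data: bytes) -> list:
        """Data transfer: break data into fragments, MAC and encrypt each one,
        prepend a record header (content type, version, length)."""
        records = []
        for start in range(0, len(data), FRAGMENT_LIMIT):
            fragment = data[start:start + FRAGMENT_LIMIT]
            mac = _record_mac(self.mac_key, self.seq, content_type, fragment)
            body = _keystream_xor(self.enc_key, self.seq, fragment + mac)
            records.append(struct.pack(">BHH", content_type, VERSION, len(body)) + body)
            self.seq += 1
        return records


class RecordReceiver:
    def __init__(self, mac_key: bytes, enc_key: bytes):
        self.mac_key, self.enc_key, self.seq = mac_key, enc_key, 0

    def receive(self, record: bytes) -> bytes:
        content_type, version, length = struct.unpack(">BHH", record[:5])
        plain = _keystream_xor(self.enc_key, self.seq, record[5:5 + length])
        fragment, mac = plain[:-MAC_LEN], plain[-MAC_LEN:]
        expected = _record_mac(self.mac_key, self.seq, content_type, fragment)
        if version != VERSION or not hmac.compare_digest(mac, expected):
            raise ValueError("bad record: tampered, replayed or out of order")
        self.seq += 1            # only a verified record advances the sequence number
        return fragment


def transfer(master_secret: bytes, data: bytes) -> tuple:
    """One direction of a toy connection: returns (record count, recovered data)."""
    keys = derive_keys(master_secret)
    sender = RecordSender(keys["client mac"], keys["client enc"])
    receiver = RecordReceiver(keys["client mac"], keys["client enc"])
    records = sender.send(23, data)
    return len(records), b"".join(receiver.receive(r) for r in records)


def replay_is_rejected(master_secret: bytes, data: bytes) -> bool:
    """Deliver the first record twice: the second copy must fail its MAC."""
    keys = derive_keys(master_secret)
    sender = RecordSender(keys["client mac"], keys["client enc"])
    receiver = RecordReceiver(keys["client mac"], keys["client enc"])
    first = sender.send(23, data)[0]
    receiver.receive(first)
    try:
        receiver.receive(first)
    except ValueError:
        return True
    return False
```

The sequence number never travels on the wire; both sides count verified records, which is what binds each record to its position in the stream without costing any bytes. The receiver advances its counter only after a successful check, so one bad record leaves it expecting the same sequence number rather than silently skipping ahead.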


IPsec services

data integrity

origin authentication

replay attack prevention

confidentiality

two protocols providing different service models:

AH

ESP


Two IPsec protocols

Authentication Header (AH) protocol

provides source authentication & data integrity but not confidentiality

Encapsulation Security Protocol (ESP)

provides source authentication, data integrity, and confidentiality

more widely used than AH


IPsec datagram

focus for now on tunnel mode with ESP


What happens?


Virtual Private Networks (VPNs)


WEP design goals

symmetric key crypto

confidentiality

end host authorization

data integrity

self-synchronizing: each packet separately encrypted

given encrypted packet and key, can decrypt; can continue to decrypt packets when preceding packet was lost

efficient

implementable in hardware or software


Firewalls

isolates organization’s internal net from larger Internet, allowing some packets to pass, blocking others


Firewalls: why

prevent denial of service attacks:

SYN flooding: attacker establishes many bogus TCP connections, no resources left for “real” connections

prevent illegal modification/access of internal data

e.g., attacker replaces CIA’s homepage with something else

allow only authorized access to inside network

set of authenticated users/hosts

three types of firewalls:

stateless packet filters

stateful packet filters

application gateways


Stateless packet filtering

internal network connected to Internet via router firewall

router filters packet-by-packet, decision to forward/drop packet based on:

source IP address, destination IP address

TCP/UDP source and destination port numbers

ICMP message type

TCP SYN and ACK bits


Stateful packet filtering

stateless packet filter: heavy-handed tool

admits packets that “make no sense,” e.g., dest port = 80, ACK bit set, even though no TCP connection established:

action   source address        dest address   protocol   source port   dest port   flag bit
allow    outside of 222.22/16  222.22/16      TCP        80            > 1023      ACK

stateful packet filter: track status of every TCP connection

track connection setup (SYN), teardown (FIN): determine whether incoming, outgoing packets “make sense”

timeout inactive connections at firewall: no longer admit packets
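The stateless rule in the table and the stateful alternative can be compared directly. The following added example (written for this page, not from the textbook) encodes the slide's single rule as stateless_allow and implements a StatefulFilter that opens an entry on an outbound SYN, requires inbound packets to match an open entry, removes the entry on FIN, and times out idle entries. The bogus inbound packet from the slide (source port 80, ACK set, no prior connection) passes the stateless rule and is refused by the stateful one. The addresses, the idle timeout and the Packet fields are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("222.22.0.0/16")   # the 222.22/16 internal network from the slide
IDLE_TIMEOUT = 60.0                      # constructed: seconds of silence before an entry is dropped


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False
    fin: bool = False


def _inbound(pkt: Packet) -> bool:
    return ip_address(pkt.src) not in INTERNAL and ip_address(pkt.dst) in INTERNAL


def _outbound(pkt: Packet) -> bool:
    return ip_address(pkt.src) in INTERNAL and ip_address(pkt.dst) not in INTERNAL


def stateless_allow(pkt: Packet) -> bool:
    """The slide's single rule: allow TCP from outside, source port 80, to an
    inside port > 1023 with the ACK bit set. It is meant to admit replies to
    outbound web requests, but it never checks that such a request happened."""
    return (_inbound(pkt) and pkt.proto == "TCP" and pkt.sport == 80
            and pkt.dport > 1023 and pkt.ack)


class StatefulFilter:
    """Tracks every outbound TCP connection by its 4-tuple: opened on an
    outbound SYN, refreshed by traffic in either direction, removed on FIN or
    after IDLE_TIMEOUT seconds of silence."""

    def __init__(self):
        self.connections = {}   # (inside ip, inside port, outside ip, outside port) -> last seen

    def _expire(self, now: float) -> None:
        stale = [k for k, seen in self.connections.items() if now - seen > IDLE_TIMEOUT]
        for k in stale:
            del self.connections[k]

    def allow(self, pkt: Packet, now: float) -> bool:
        self._expire(now)
        if pkt.proto != "TCP":
            return False
        if _outbound(pkt):
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.syn and not pkt.ack:          # connection setup from inside
                self.connections[key] = now
                return True
        elif _inbound(pkt):
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if not stateless_allow(pkt):         # the header rule still applies
                return False
        else:
            return False
        if key not in self.connections:          # no tracked connection: "makes no sense"
            return False
        if pkt.fin:
            del self.connections[key]            # teardown
        else:
            self.connections[key] = now          # refresh the idle timer
        return True


def demo() -> dict:
    """Constructed scenario: the slide's bogus packet, then a real outbound
    web request, then the same inbound packet as its reply, then after a timeout."""
    bogus = Packet("1.2.3.4", "222.22.1.5", "TCP", 80, 4321, ack=True)
    f = StatefulFilter()
    results = {"stateless_admits_bogus": stateless_allow(bogus),
               "stateful_admits_bogus": f.allow(bogus, now=0.0)}
    f.allow(Packet("222.22.1.5", "1.2.3.4", "TCP", 4321, 80, syn=True), now=1.0)
    results["stateful_admits_reply"] = f.allow(bogus, now=2.0)
    results["stateful_admits_after_timeout"] = f.allow(bogus, now=2.0 + IDLE_TIMEOUT + 1)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The same inbound packet is judged differently depending only on what the filter remembers, which is the whole difference between the two designs: the stateful filter's extra cost is the connection table and the need to expire it, and the timeout line on the slide is what keeps that table from growing without bound.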


Application gateways

filters packets on application data as well as on IP/TCP/UDP fields.

example: allow select internal users to telnet outside.

1. require all telnet users to telnet through gateway.

2. for authorized users, gateway sets up telnet connection to dest host. Gateway relays data between 2 connections

3. router filter blocks all telnet connections not originating from gateway.


Limitations of firewalls, gateways

IP spoofing: router can’t know if data “really” comes from claimed source

if multiple applications need special treatment, each has its own application gateway

client software must know how to contact gateway.

e.g., must set IP address of proxy in Web browser

filters often use all or nothing policy for UDP

tradeoff: degree of communication with outside world, level of security

many highly protected sites still suffer from attacks


Intrusion detection systems

packet filtering:

operates on TCP/IP headers only

no correlation check among sessions

IDS: intrusion detection system

deep packet inspection: look at packet contents (e.g., check character strings in packet against database of known virus, attack strings)

examine correlation among multiple packets

port scanning

network mapping

DoS attack
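The two IDS capabilities on this slide, deep packet inspection and correlation across packets, are shown below in an added example written for this page (not the textbook's code and not any real IDS). deep_packet_inspection matches packet contents against a constructed signature table, something a header-only packet filter cannot do; CorrelationDetector keeps a sliding window per source and raises a port-scan alert when one source probes many distinct ports on a host, a network-mapping alert when it touches many distinct hosts, and a possible-SYN-flood alert when one destination receives a burst of SYNs. The signatures, thresholds, window and sample traffic are all constructed placeholders.

```python
from collections import defaultdict, deque

# Constructed signature database: illustrative byte patterns a signature-based
# IDS might carry. Placeholders for the example, not a real rule set.
SIGNATURES = {
    "SIG-TRAVERSAL-EXAMPLE": b"../../",
    "SIG-SCRIPT-TAG-EXAMPLE": b"<script>",
}


def deep_packet_inspection(payload: bytes) -> list:
    """Check the packet contents against every signature. Packet filters never
    look this deep because they stop at the TCP/IP headers."""
    return [name for name, pattern in SIGNATURES.items() if pattern in payload]


class CorrelationDetector:
    """Correlates packets from one source inside a sliding time window.
    Thresholds and window length are constructed values for the example."""

    def __init__(self, window: float = 5.0, port_threshold: int = 10,
                 host_threshold: int = 10, syn_threshold: int = 50):
        self.window = window
        self.port_threshold = port_threshold
        self.host_threshold = host_threshold
        self.syn_threshold = syn_threshold
        self.by_src = defaultdict(deque)     # src -> deque of (ts, dst, dport)
        self.syn_by_dst = defaultdict(deque)  # dst -> deque of (ts,)

    def _prune(self, dq: deque, now: float) -> None:
        """Drop events older than the window (entries start with a timestamp)."""
        while dq and now - dq[0][0] > self.window:
            dq.popleft()

    def observe(self, ts: float, src: str, dst: str, dport: int, syn: bool) -> list:
        alerts = []
        events = self.by_src[src]
        events.append((ts, dst, dport))
        self._prune(events, ts)
        ports_on_dst = {p for _, d, p in events if d == dst}
        if len(ports_on_dst) >= self.port_threshold:
            alerts.append(("port scan", src, dst))
        hosts = {d for _, d, _ in events}
        if len(hosts) >= self.host_threshold:
            alerts.append(("network mapping", src))
        if syn:
            syns = self.syn_by_dst[dst]
            syns.append((ts,))
            self._prune(syns, ts)
            if len(syns) >= self.syn_threshold:
                alerts.append(("possible SYN flood", dst))
        return alerts


def run_ids(packets: list) -> list:
    """packets: (ts, src, dst, dport, syn, payload) tuples. Returns every alert."""
    detector = CorrelationDetector()
    alerts = []
    for ts, src, dst, dport, syn, payload in packets:
        for sig in deep_packet_inspection(payload):
            alerts.append(("signature match", sig, src))
        alerts.extend(detector.observe(ts, src, dst, dport, syn))
    return alerts


def sample_traffic() -> list:
    """Constructed sample: ordinary web traffic, one request whose contents
    match a signature, and probes to 12 distinct ports from one source."""
    pkts = [(0.0, "203.0.113.7", "222.22.1.10", 80, True, b""),
            (0.1, "203.0.113.7", "222.22.1.10", 80, False, b"GET /index.html HTTP/1.1"),
            (0.2, "203.0.113.8", "222.22.1.10", 80, False, b"GET /../../secret HTTP/1.1")]
    pkts += [(1.0 + i * 0.01, "198.51.100.5", "222.22.1.20", 1 + i, True, b"")
             for i in range(12)]
    return pkts


if __name__ == "__main__":
    for alert in run_ids(sample_traffic()):
        print(alert)
```

The signature check is per packet and stateless, so it is cheap but only catches what is already in the database; the correlation checks are what give an IDS the "among multiple packets" view the slide contrasts with packet filtering, at the cost of per-source state that has to be pruned, here by the time window. In the sample traffic the twelve probes trip the port-scan threshold on the tenth distinct port and keep alerting on each further one; a deployment would normally deduplicate alerts per source and window.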


Intrusion detection systems

multiple IDSs: different types of checking at different locations


Network Security (summary)

basic techniques…

cryptography (symmetric and public)

message integrity

end-point authentication

… used in many different security scenarios

secure email

secure transport (SSL)

IPsec

Wi-Fi Security 802.11

operational security: firewalls and IDS
