Network Security

Welcome to Spring 2011!

Some admin stuff
Subject Coordinator: Dr. Richard Xu
Lecturer: Richard Xu
Tutors: Hasan Muhammad Abul, Zhiyuan Thomas Tan and Thanh Dai Tran (TBA)
2 Quizzes (25%: 12.5% each) at unified time, week 5, week 10, 30-40 min (I will inform you of the time 2 weeks before, please make arrangements)
1 Project (20%), going to be group-based. 3 versions, different to previous years
Exam (55%)
31252 Tue 16:00 students, too few students; about to cancel.

Other admin
Textbook: William Stallings, Network Security Essentials, 4th Edition
http://williamstallings.com/NetSec/NetSec4e.html

Why network security?
Important topic as the size of the network expands
979 jobs contain the word "network security" on SEEK.com on 01/08/10
1,402 jobs contain the word "network security" on SEEK.com @ 02/03/11
1,435 jobs contain the word "network security" on SEEK.com @ 31/07/11
Prerequisite to many other subjects
Past student feedback
A research path in Intrusion Detection System

A Definition
Network Security consists of measures to prevent, detect, and correct security violations that involve the transmission of information.

Pictorial representation

Course content
1. Security goals
2. Encryption Mathematics and Encryption Techniques
3. Symmetric Encryption and Message Confidentiality
4. Public Key Cryptography and Message Authentication
5. Authentication Applications: Kerberos and X.509
6. Firewall
7. Electronic Mail Security
8. Web Security (SSL, TLS)
9. VPNs and IP Security
10. Wireless LAN Security
11. Network Management Security
12. Intruders and Viruses
13. Intrusion Detection System

Open Systems Interconnection (OSI) model

Will visit again in the last lecture

An alternative taxonomy

Labour day public holiday

Today's Lecture: Introduction
Security Goals (very important!)
Security Policies
Organisations and individuals involved in Network Security development.
Attacks, threats, vulnerabilities and weaknesses.

Abstract Goals of Network Security
Major Goals: Confidentiality, Integrity, Availability
Other Goals: Entity Authentication, Message Origin Authentication, Timeliness, Non-Repudiation, Authorisation, Access Control

Goals of Network Security (1) Confidentiality
A and B do not want their messages read by other people. This is the network security goal of confidentiality.
The general technique used to ensure confidentiality is encryption of messages.
An example of a breach of confidentiality: Someone reads the plaintext packets being exchanged between A and B by running a program such as Wireshark.
If the packets are securely encrypted, even though they are captured they cannot be read.

Goals of Network Security (2) Integrity
A and B do not want their messages changed by other people. This is the network security goal of integrity.
The general techniques used to ensure integrity are hashes and Message Authentication Codes (MAC).
The term Message Authentication is also used as a synonym for integrity.

Goals of Network Security (3) Availability
Availability refers to the ability for a service to be available.
A wants to be able to connect to B (ignoring considerations of entity authentication etc.). A situation where B is deliberately sent a large number of false requests or other unnecessary traffic, making it difficult for a legitimate request for a connection, is a Denial of Service (DOS) attack. When a lot of computers are involved in sending the unnecessary traffic to B, it is a Distributed Denial of Service (DDOS).

Goals of Network Security (4) Entity Authentication
A wants to be sure that the entity saying it is B really is B and not an imposter. Similarly, B wants to be sure that the entity that says it's A really is A.
The general techniques used to ensure entity authentication are passwords, authentication protocols, key exchange protocols and third-party certificates.
Entity Authentication is also relevant in the context of users identifying themselves to use resources on a network or to log on to a particular host. Entity authentication is also called identification.

Goals of Network Security (5) Message Origin Authentication
A wants to be sure that the messages supposedly coming to it from B really are coming from B. Similarly, B wants to be sure that messages supposedly coming from A really are coming from A. This is Message Origin Authentication. It is sometimes called Data Origin Authentication.
Techniques used to verify the origin of a message include Message Authentication Codes (MACs), digital signatures and appending an authenticator to a message before encryption.

Goals of Network Security (6) Timeliness
If A and B conduct a completely secure conversation over a network, it is conceivable that a third party may copy the conversation and use it to masquerade as either A or B in a future conversation. This is known as a replay attack.
Timeliness means that a secure conversation cannot be used as a basis for a replay attack. Some of the techniques used to prevent a replay attack include timestamps, nonces and random numbers.

Goals of Network Security (7) Non-repudiation (origin) (8) Non-repudiation (destination)
A may want to be sure that B cannot deny having sent a particular message to A. This feature is Non-repudiation (origin).
A wants to be sure that B really received a particular message that A sent. This feature is Non-repudiation (destination).

Goals of Network Security (9) Authorisation
Authorisation is official permission to carry out certain actions. For example, a particular computer on a network has resources that are available to a particular set of users. Not all users of the network are authorised users of the particular computer.
Authorisation allows users to do certain things.
Passwords are an authorisation technique. Upon entering their username and password, authorised users are given access to some resources on the computer. The concept is related to but different from access control.

Goals of Network Security (10) Access Control
Access control refers to the ability to restrict access to resources to certain users. The concept is closely related to authorisation but different. Access control restricts users from doing certain things.
A good example of access control is the rights granted to users of database systems: different users are restricted in what tables they can read and what tables they can write to. Only the database administrator has full rights over all tables. The restriction of the privileges of normal database users is an example of access control.

Summary of Terms
The terms we have looked at as Security Goals are widely used in Network Security literature.
The differences between some of them are often quite subtle.
You should understand each of them clearly.
They can often apply in non-computing scenarios.
Particular scenarios often involve the interaction of a number of security goals.

A non-computing scenario involving security goals
A group of students doing an exam are only allowed into the exam room after producing their student card and being matched with the photo (entity authentication, authorisation and access control). During the exam they are watched to make sure there is no communication between students (integrity of answers). Students sign the front page of each answer book (non-repudiation of origin). After the exam, the question papers as well as the answers are kept by the examiners (confidentiality).

Lecture Topics
Security Goals
Security Policies
Organisations and individuals involved in Network Security development.
Attacks, threats, vulnerabilities and weaknesses.
Security Architectures

The economic realities of Network Security

Security Policy
In order to maximise the likelihood that security goals will be met, organisations need to have a security policy.
Security Policy: A set of principles that guides decision-making processes and enables leaders in an organisation to distribute authority confidently.
Extent and detail varies with: business type, its size, number of users, threats to the organisation and vulnerabilities.

Security Policy Goals
1. Informs users, staff and management of duties and obligations.
2. Provides a mechanism for attaining security goals.
3. Provides a baseline to audit systems for compliance to the policy.
4. My experience

Some of the parties involved in Network Security
Standards Bodies: IETF, ITU-T
Governments and their agencies: US government and others
Academics, Researchers, Civil Libertarians: Network researchers, mathematicians, cryptographers, ethical hackers
Businesses and other organisations: Organisations specialising in network security services. Businesses with a significant interest in network security
Malfeasors: Hackers, crackers, script kiddies

Parties involved in Network Security: Standards Organisations
IETF: Internet Engineering Task Force. This organisation is responsible for the protocols that run the internet (including those concerned with security), e.g. ssh, IPSec, SSL/TLS and SNMP.
ITU-T: International Telecommunication Union, Telecommunication Sector. A UN specialised agency. Releases some standards relevant to network security. In particular the X.509 PKI (Public Key Infrastructure) standard and the X.800 Security Architecture Standard.

Parties involved in Network Security: Governments and their agencies
Governments have a huge interest in all aspects of network security.
Protection of their own systems (websites, data, etc.).
Providing legal framework for enforcement of laws concerned with network security.
Espionage and cyber warfare.
Some governments also provide encryption and hash standards, e.g. DES and AES.

Parties involved in Network Security: Academics, Researchers and Civil Libertarians
Academics (not just inside universities but in government, business and private organisations): Academics have been active in researching all aspects of network security. In particular, they have done most of the mathematical work involved in the development of cryptographic techniques.
Researchers and Civil Libertarians: Some individual researchers (Bruce Schneier, Philip Zimmermann) and Organisations (Electronic Frontiers Foundation) have made significant contributions to Network Security.

Parties involved in Network Security: Businesses and other organisations
Businesses providing Security Services: Many businesses provide security services of one sort or another and some are also active in research. Two well-known examples are RSA Security and Counterpane.
Non-profit Security Organisations: These provide free advice on computer security and in some cases training and formal certifications. Example organisations are CERT (Computer Emergency Response Team) and I2SC (Internet Information Security Council).

Parties involved in Network Security: Malfeasors
This term refers to individuals who breach one or more of the security goals outlined in the first part of the lecture. It includes a wide range of individuals, goals and motives. There is not always a clear delineation between the different groups.
Script Kiddies: usually young. Use scripts downloaded from the internet. Main motive is curiosity.
Crackers/Hackers: More knowledgeable than script kiddies. Main motive is status with fellow crackers.
Career Criminals: May have some knowledge, but often use services of crackers. Main motive is making money through illegal computer-related activities.
Terrorists: Various terrorist groups may use cyber attacks as an adjunct to more conventional terrorist activities. Main motive is disruption of computer activities of those they are opposed to.
Governments: Governments sponsor hacking (cyber warfare). This is more common than is generally thought. Naturally, all governments will deny or minimise their own activities in this area. Main motive is political, e.g. attacking network resources of states or organisations they dislike.

Attacks (threats) and Vulnerabilities

Type of Security Attacks

Security Attack: Any action that compromises the security of information.

Let's see four common types of attacks:

Security Attack (1): Interruption

Interruption: resources not made available. This is an attack on availability.

Security Attack (2): Interception

Interception: data is read by unauthorized people. This is an attack on confidentiality.

Security Attack (3): Modification

Modification: existing data is changed by unauthorized people. This is an attack on integrity.

Security Attack (4): Fabrication

Fabrication: false data is created. This is an attack on message origin authentication.

Vulnerabilities
Vulnerabilities are weaknesses in computers and networks that can potentially be attacked. Vulnerabilities can be classified as:
1. Technological Vulnerabilities: Weaknesses in networking protocols, operating systems, software and network equipment.
2. Configuration Weaknesses: Weaknesses that come about because of human error in the configuration of hardware and software.
3. Policy Weaknesses: These are shortcomings in the security policy (or even a total lack of a security policy) that lead to inconsistencies and weaknesses in networks, computers and security systems.