Welcome to Spring 2011!
Some admin stuff
Subject Coordinator: Dr. Richard Xu
Lecturer: Richard Xu
Tutors: Hasan Muhammad Abul, Zhiyuan Thomas Tan and Thanh Dai Tran (TBA)
2 Quizzes (25%: 12.5% each) at unified time, week 5, week 10, 30-40 min (I will inform you of the time 2 weeks before, please make arrangements)
1 Project (20%), going to be group based. 3 versions, different to previous years
Exam (55%)
31252 Tue 16:00 students: too few students; about to cancel.
Other admin
Textbook: William Stallings, Network Security Essentials, 4th Edition
http://williamstallings.com/NetSec/NetSec4e.html
Why network security?
Important topic as the size of the network expands
979 jobs contained the words "network security" on SEEK.com on 01/08/10
1,402 jobs contained the words "network security" on SEEK.com @ 02/03/11
1,435 jobs contained the words "network security" on SEEK.com @ 31/07/11
Prerequisite to many other subjects
Past student feedback
A research path in Intrusion Detection System
A Definition
Network Security consists of measures to prevent, detect, and correct security violations that involve the transmission of information.
Pictorial representation
Course content
1. Security goals
2. Encryption Mathematics and Encryption Techniques
3. Symmetric Encryption and Message Confidentiality
4. Public Key Cryptography and Message Authentication
5. Authentication Applications: Kerberos and X.509
6. Firewall
7. Electronic Mail Security
8. Web Security (SSL, TLS)
9. VPNs and IP Security
10. Wireless LAN Security
11. Network Management Security
12. Intruders and Viruses
13. Intrusion Detection System
An alternative taxonomy
Labour Day public holiday
Today's Lecture: Introduction
Security Goals (very important!)
Security Policies
Organisations and individuals involved in Network Security development.
Attacks, threats, vulnerabilities and weaknesses.
Abstract Goals of Network Security
Major Goals
  Confidentiality
  Integrity
  Availability
Other Goals
  Entity Authentication
  Message Origin Authentication
  Timeliness
  Non-Repudiation
  Authorisation
  Access Control
Goals of Network Security (1) Confidentiality
A and B do not want their messages read by other people. This is the network security goal of confidentiality.
The general technique used to ensure confidentiality is encryption of messages.
An example of a breach of confidentiality: someone reads the plaintext packets being exchanged between A and B by running a program such as Wireshark.
If the packets are securely encrypted, even though they are captured they cannot be read.
Goals of Network Security (2) Integrity
A and B do not want their messages changed by other people. This is the network security goal of integrity.
The general techniques used to ensure integrity are hashes and Message Authentication Codes (MAC).
The term Message Authentication is also used as a synonym for integrity.
Goals of Network Security (3) Availability
Availability refers to the ability for a service to be available.
A wants to be able to connect to B (ignoring considerations of entity authentication etc.). A situation where B is deliberately sent a large number of false requests or other unnecessary traffic, making it difficult for a legitimate request for a connection to succeed, is a Denial of Service (DOS) attack. When a lot of computers are involved in sending the unnecessary traffic to B, it is a Distributed Denial of Service (DDOS).
Goals of Network Security (4) Entity Authentication
A wants to be sure that the entity saying it is B really is B and not an imposter. Similarly, B wants to be sure that the entity that says it is A really is A.
The general techniques used to ensure entity authentication are passwords, authentication protocols, key exchange protocols and third party certificates.
Entity Authentication is also relevant in the context of users identifying themselves to use resources on a network or to log on to a particular host. Entity authentication is also called identification.
Goals of Network Security (5) Message Origin Authentication
A wants to be sure that the messages supposedly coming to it from B really are coming from B. Similarly, B wants to be sure that messages supposedly coming from A really are coming from A. This is Message Origin Authentication. It is sometimes called Data Origin Authentication.
Techniques used to verify the origin of a message include Message Authentication Codes (MACs), digital signatures and appending an authenticator to a message before encryption.
Goals of Network Security (6) Timeliness
If A and B conduct a completely secure conversation over a network, it is conceivable that a third party may copy the conversation and use it to masquerade as either A or B in a future conversation. This is known as a replay attack.
Timeliness means that a secure conversation cannot be used as a basis for a replay attack. Some of the techniques used to prevent a replay attack include timestamps, nonces and random numbers.
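Added example (not from the original slides): a Python sketch of how a MAC, a timestamp and a nonce together give B the integrity, message origin authentication and timeliness described in goals (2), (5) and (6). The packet layout, the 30-second window and all names are assumptions made for illustration; the key and clock values are constructed.

```python
import hashlib
import hmac
import secrets

MAX_SKEW = 30  # assumed freshness window in seconds

def mac(key, ts, nonce, body):
    # Length-prefix each field so two different messages never share an encoding.
    fields = (str(ts).encode(), nonce, body)
    data = b"".join(len(f).to_bytes(4, "big") + f for f in fields)
    return hmac.new(key, data, hashlib.sha256).digest()

def send(key, body, now):
    """A's side: attach a timestamp, a fresh nonce, and a MAC over all three."""
    ts, nonce = int(now), secrets.token_bytes(16)
    return {"ts": ts, "nonce": nonce, "body": body, "tag": mac(key, ts, nonce, body)}

class Receiver:
    """B's side: check the MAC first, then the timestamp, then the nonce."""

    def __init__(self, key):
        self.key = key
        self.seen = {}  # nonce -> timestamp, kept only while inside the window

    def accept(self, pkt, now):
        expected = mac(self.key, pkt["ts"], pkt["nonce"], pkt["body"])
        if not hmac.compare_digest(expected, pkt["tag"]):  # constant-time compare
            return "rejected: bad MAC"  # modified, or sender lacks the key
        if abs(now - pkt["ts"]) > MAX_SKEW:
            return "rejected: stale timestamp"
        # Nonces older than the window can be dropped: the timestamp check
        # already rejects any packet that could reuse them.
        self.seen = {n: t for n, t in self.seen.items() if abs(now - t) <= MAX_SKEW}
        if pkt["nonce"] in self.seen:
            return "rejected: replayed nonce"
        self.seen[pkt["nonce"]] = pkt["ts"]
        return "accepted"

def demo():
    key = secrets.token_bytes(32)   # constructed shared secret of A and B
    t0 = 1_000_000                  # constructed clock value
    b = Receiver(key)
    pkt = send(key, b"pay 10 to C", t0)
    tampered = dict(pkt, body=b"pay 99 to C")
    return [b.accept(pkt, t0 + 1),        # genuine message
            b.accept(pkt, t0 + 2),        # copy replayed inside the window
            b.accept(tampered, t0 + 3),   # body changed in transit
            b.accept(pkt, t0 + 120)]      # copy replayed after the window
```

The timestamp bounds how long B must remember nonces, and the nonce covers replays that arrive while the timestamp is still fresh.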
Goals of Network Security (9) Authorisation
Authorisation is official permission to carry out certain actions. For example, a particular computer on a network has resources that are available to a particular set of users. Not all users of the network are authorised users of the particular computer.
Authorisation allows users to do certain things.
Passwords are an authorisation technique. Upon entering their username and password, authorised users are given access to some resources on the computer. The concept is related to but different from access control.
Goals of Network Security (10) Access Control
Access control refers to the ability to restrict access to resources to certain users. The concept is closely related to authorisation but different. Access control restricts users from doing certain things.
A good example of access control is the rights granted to users of database systems: different users are restricted in what tables they can read and what tables they can write to. Only the database administrator has full rights over all tables. The restriction of the privileges of normal database users is an example of access control.
Summary of Terms
The terms we have looked at as Security Goals are widely used in Network Security literature.
The differences between some of them are often quite subtle.
You should understand each of them clearly.
They can often apply in non-computing scenarios.
Particular scenarios often involve the interaction of a number of security goals.
A non-computing scenario involving security goals
A group of students doing an exam are only allowed into the exam room after producing their student card and being matched with the photo (entity authentication, authorisation and access control). During the exam they are watched to make sure there is no communication between students (integrity of answers). Students sign the front page of each answer book (non-repudiation of origin). After the exam, the question papers as well as the answers are kept by the examiners (confidentiality).
Lecture Topics
Security Goals
Security Policies
Organisations and individuals involved in Network Security development.
Attacks, threats, vulnerabilities and weaknesses.
Security Architectures
The economic realities of Network Security
Security Policy
In order to maximise the likelihood that security goals will be met, organisations need to have a security policy.
Security Policy: A set of principles that guides decision-making processes and enables leaders in an organisation to distribute authority confidently.
Extent and detail vary with: business type, its size, number of users, threats to the organisation and vulnerabilities.
Security Policy Goals
1. Informs users, staff and management of duties and obligations.
2. Provides a mechanism for attaining security goals.
3. Provides a baseline to audit systems for compliance to the policy.
4. My experience
Lecture Topics
Security Goals
Security Policies
Organisations and individuals involved in Network Security development.
Attacks, threats, vulnerabilities and weaknesses.
Security Architectures
Some of the parties involved in Network Security
Standards Bodies
  IETF
  ITU-T
Governments and their agencies
  US government and others
Academics, Researchers, Civil Libertarians
  Network researchers, mathematicians, cryptographers, ethical hackers
Businesses and other organisations
  Organisations specialising in network security services.
  Businesses with a significant interest in network security
Malfeasors
  Hackers, crackers, script kiddies
Parties involved in Network Security: Standards Organisations
IETF: Internet Engineering Task Force
  This organisation is responsible for the protocols that run the internet (including those concerned with security), e.g. ssh, IPSec, SSL/TLS and SNMP.
ITU-T: International Telecommunication Union, Telecommunication Sector
  A UN specialised agency. Releases some standards relevant to network security. In particular the X.509 PKI (Public Key Infrastructure) standard and the X.800 Security Architecture Standard.
Parties involved in Network Security: Governments and their agencies
Governments have a huge interest in all aspects of network security.
  Protection of their own systems (websites, data, etc.).
  Providing legal framework for enforcement of laws concerned with network security.
  Espionage and cyber warfare.
Some governments also provide encryption and hash standards, e.g. DES and AES.
Parties involved in Network Security: Academics, Researchers and Civil Libertarians
Academics (not just inside universities but in government, business and private organisations)
  Academics have been active in researching all aspects of network security. In particular, they have done most of the mathematical work involved in the development of cryptographic techniques.
Researchers and Civil Libertarians
  Some individual researchers (Bruce Schneier, Phil Zimmermann) and organisations (Electronic Frontiers Foundation) have made significant contributions to Network Security.
Parties involved in Network Security: Businesses and other organisations
Businesses providing Security Services
  Many businesses provide security services of one sort or another and some are also active in research. Two well-known examples are RSA Security and Counterpane.
Non-profit Security Organisations
  These provide free advice on computer security and in some cases training and formal certifications. Example organisations are CERT (Computer Emergency Response Team) and I2SC (Internet Information Security Council).
Parties involved in Network Security: Malfeasors
This term refers to individuals who breach one or more of the security goals outlined in the first part of the lecture. It includes a wide range of individuals, goals and motives. There is not always a clear delineation between the different groups.
Script Kiddies: usually young. Use scripts downloaded from the internet. Main motive is curiosity.
Crackers/Hackers: More knowledgeable than script kiddies. Main motive is status with fellow crackers.
Career Criminals: May have some knowledge, but often use services of crackers. Main motive is making money through illegal computer-related activities.
Terrorists: Various terrorist groups may use cyber attacks as an adjunct to more conventional terrorist activities. Main motive is disruption of computer activities of those they are opposed to.
Governments: Governments sponsor hacking (cyber warfare). This is more common than is generally thought. Naturally, all governments will deny or minimise their own activities in this area. Main motive is political, e.g. attacking network resources of states or organisations they dislike.
Attacks (threats) and Vulnerabilities
Type of Security Attacks
Security Attack: Any action that compromises the security of information.
Let's see four common types of attacks:
Security Attack (1): Interruption
Security Attack (2): Interception
Security Attack (3): Modification
Security Attack (4): Fabrication
Vulnerabilities
Vulnerabilities are weaknesses in computers and networks that can potentially be attacked.
Vulnerabilities can be classified as:
1. Technological Vulnerabilities: Weaknesses in networking protocols, operating systems, software and network equipment.
2. Configuration Weaknesses: Weaknesses that come about because of human error in the configuration of hardware and software.
3. Policy Weaknesses: These are shortcomings in the security policy (or even a total lack of a security policy) that lead to inconsistencies and weaknesses in networks, computers and security systems.