Академический Документы
Профессиональный Документы
Культура Документы
Network B
Securely means
Confidentiality
-Only A and B see bits Integrity -Message intact -Really from A -Order? Availability -B gets it in time
C
Network B
-Confidentiality -Integrity -Availability Someone attempts to subvert the goals -Fun -Commercial gain
-Curiosity Snooping By insiders -Often motivated by curiosity Determined attempt to make money -May not even be an insider Commercial or military espionage -This is very big business!
Cryptography
Goal: Keep information from those who arent
supposed to see it -Do this by scrambing the data Use a well-known algorithm to scramble data -Algorithm has two inputs: data & key -key is known only to authorized users
Cryptography basics
Algorithms (E,D) are widely known Keys (Ke,Kd) may be less widely distributed For this to be effective the ciphertext should be the only information thats available to the world Plaintext is known only to the people with the keys
( in an ideal world )
Encryption Key Ke E PlainText Encryption Decryption CipherText Kd D Decryption Key PlainText
-The letters of the message are replaced by other letters or by numbers or symbols. Example- Caesar Cipher Transposition techniques -Performing some sort of permutation on the messages letters Example- Monoalphabetic Cipher
Computational Security
An encryption scheme is secure if it takes very long
time to break the ciphertext Lifetime is defined in each application , for example: -Military orders=1 hour to 3 years -Check transaction=1 year -Business agreement=10-15 years
-Uses 56 bit keys -Same key is used to encrypt & decrypt -Key used to be difficult to guess
Public Key
Asymmetric key
Two keys:
-Public key -Private key Trapdoor one way function -Having fk(m) it is so hard to find either k or m
Digital Signature
A handwritten signature is a function of the signer
only, not the message Handwritten signature can be copied and forged The digital equivalent of a handwritten signature would be useless in eCommerce How can A prove his identity over the internet?
Digital Signature
A digital signature is a function of both the signer and
the message A digital signature is a digest of the message encryted with the signers private key
One way hash function Original document Hash result encrypted Digital signature Original Original document document
Hash
Receiver gets
Network Security
Firewalls
-Solve poor internal security using the network Intrusion Detection -Detect non-network security breaches accomplished via the network -Early start on forensics
-Scaling issues -Autonomy Distributed Cooperation -Commit -Fault tolerance Availability -Denial of service
Mail Forwading
Web server
DNS(DMZ)
File Server
Web server
Firewall
Mail server DNS(internal)
-Internet -Intranet -DMZ Network Boundaries -Firewall ---Filtering firewall: Based on packet headers ---Audit mechanism -Proxy ---Proxy firewall: Gives external views that hides intranet
Issues
IP: Intranet hidden from outside world
-Internal addresses can be real -Proxy maps between real address and firewall -Fake addresses: 10.b.c.d. 172.[16-31].c.d 192.168.c.d -Network Address Translation Protocol maps internal to assigned address Mail Forwarding -Hide internal addresses -Map incoming mail to real server -Additional incoming /outgoing checks
Firewalls: Configuration
External Firewall
.External source: IP restrictions .What type of traffic : Port ( e.g. SMTP, HTTP) -Proxy between DMZ servers and internet -Proxy between inner and outer firewall
Internal Firewall
DMZ Administration
Direct console access requires?
-Real hassle Special access -SSH connections allowed from internal to DMZ administration connections -Only from specified internal IPs -Only through internal firewall
Network Attacks
Flooding
-Overwhelm TCP stack on target machine -Prevent legitimate connections Routing -Misdirect traffic Spoofing -Imitate legitimate source
Solution Ideas
Limit connection from one source?
-But source is in packet, can be faked Ignore connection from illegitimate source -If you know who is legitimate -Can figure it quickly -And the attacker doesnt know this Drop oldest connection attempts -Adaptive timeout
Netwok Solution
TCP intercept
-Router establishes connection to client -When connected establish with server Synkill -Monitor machine as firewell -Good addresses: history of successful connections -Bad adresses: previous timeout attempt -Block and terminate attempts from bad addresses