BY ASHADUL ROLL- MSS /07 NITTTR,KOLKATA

Network security what is it? A

What is the purpose of a

Network? -Move Bits -From A -To B -Securely .

Network B

Securely means
Confidentiality

-Only A and B see bits Integrity -Message intact -Really from A -Order? Availability -B gets it in time
C

Network B

Network Security Confidentiality

-Encryption Integrity -Digital Signature -Retransmission -Order? Availability -Quality of service

Security environment: threats

Operating systems have goals

-Confidentiality -Integrity -Availability Someone attempts to subvert the goals -Fun -Commercial gain

What kinds of intruders are there?

Casual prying by nontechnical users

-Curiosity Snooping By insiders -Often motivated by curiosity Determined attempt to make money -May not even be an insider Commercial or military espionage -This is very big business!

Cryptography
Goal: Keep information from those who arent

supposed to see it -Do this by scrambing the data Use a well-known algorithm to scramble data -Algorithm has two inputs: data & key -key is known only to authorized users

Cryptography basics
Algorithms (E,D) are widely known Keys (Ke,Kd) may be less widely distributed For this to be effective the ciphertext should be the only information thats available to the world Plaintext is known only to the people with the keys

( in an ideal world )
Encryption Key Ke E PlainText Encryption Decryption CipherText Kd D Decryption Key PlainText

Classical Encryption Techniques

Substitution Techniques

-The letters of the message are replaced by other letters or by numbers or symbols. Example- Caesar Cipher Transposition techniques -Performing some sort of permutation on the messages letters Example- Monoalphabetic Cipher

Computational Security
An encryption scheme is secure if it takes very long

time to break the ciphertext Lifetime is defined in each application , for example: -Military orders=1 hour to 3 years -Check transaction=1 year -Business agreement=10-15 years

Modern encryption Algorithm

Data Encryption Standard(DES)

-Uses 56 bit keys -Same key is used to encrypt & decrypt -Key used to be difficult to guess

Current algorithm (AES)

-Use 128 bit keys -Adding one bit to the key makes it twice as hard to guess -Must try 2^ 127 keys ,on average to find the right one -At 10^15 keys per second , this would require over 10^21 seconds or 1000 billion years

Public Key
Asymmetric key
Two keys:

-Public key -Private key Trapdoor one way function -Having fk(m) it is so hard to find either k or m

Digital Signature
A handwritten signature is a function of the signer

only, not the message Handwritten signature can be copied and forged The digital equivalent of a handwritten signature would be useless in eCommerce How can A prove his identity over the internet?

Digital Signature
A digital signature is a function of both the signer and

the message A digital signature is a digest of the message encryted with the signers private key
One way hash function Original document Hash result encrypted Digital signature Original Original document document

Hash

Receiver gets

Digital Signature Key

Network Security
Firewalls

-Solve poor internal security using the network Intrusion Detection -Detect non-network security breaches accomplished via the network -Early start on forensics

Network Security: What is interesting?

Distributed Authentication

-Scaling issues -Autonomy Distributed Cooperation -Commit -Fault tolerance Availability -Denial of service

Typical corporate network

Firewall
intranet

Mail Forwading
Web server

DNS(DMZ)

File Server

Web server

Firewall
Mail server DNS(internal)

Internet User Machine

Typical network : Term

Network Regions

-Internet -Intranet -DMZ Network Boundaries -Firewall ---Filtering firewall: Based on packet headers ---Audit mechanism -Proxy ---Proxy firewall: Gives external views that hides intranet

Issues
IP: Intranet hidden from outside world

-Internal addresses can be real -Proxy maps between real address and firewall -Fake addresses: 10.b.c.d. 172.[16-31].c.d 192.168.c.d -Network Address Translation Protocol maps internal to assigned address Mail Forwarding -Hide internal addresses -Map incoming mail to real server -Additional incoming /outgoing checks

Firewalls: Configuration
External Firewall

-What traffic allowed

.External source: IP restrictions .What type of traffic : Port ( e.g. SMTP, HTTP) -Proxy between DMZ servers and internet -Proxy between inner and outer firewall
Internal Firewall

-Traffic restriction: Ports, From/to IP -Proxy between intranet and outside

DMZ Administration
Direct console access requires?

-Real hassle Special access -SSH connections allowed from internal to DMZ administration connections -Only from specified internal IPs -Only through internal firewall

Network Attacks
Flooding

-Overwhelm TCP stack on target machine -Prevent legitimate connections Routing -Misdirect traffic Spoofing -Imitate legitimate source

Solution Ideas
Limit connection from one source?

-But source is in packet, can be faked Ignore connection from illegitimate source -If you know who is legitimate -Can figure it quickly -And the attacker doesnt know this Drop oldest connection attempts -Adaptive timeout

Netwok Solution
TCP intercept

-Router establishes connection to client -When connected establish with server Synkill -Monitor machine as firewell -Good addresses: history of successful connections -Bad adresses: previous timeout attempt -Block and terminate attempts from bad addresses