Slide 1:Network/Information Security
“The terms network security and information security refer in a broad sense to confidence that information and services available on a network cannot be accessed by unauthorized users.” (Comer 1995) Need to protect: physical resources (disks, computers, cables, bridges, routers, etc.) and abstract resources (information).
Slide 2:Security Requirements
Data integrity - protecting information from unauthorized change. Data availability - guaranteeing that outsiders cannot prevent legitimate data access. Confidentiality/Privacy - preventing unauthorized listening.
Slide 3:Security Requirements (contd..)
Authentication - ensuring that a message indeed originated from its apparent source. Non-repudiation - ensuring that a party to a transaction cannot subsequently deny that this transaction took place.
Slide 4:Internet Security Mechanisms
Authentication Mechanisms: IP source authentication, public key encryption. Privacy Mechanism: Encryption. Access Control Mechanisms: Internet firewall. Authentication and privacy mechanisms can be added to application programs. Access control requires basic changes to Internet infrastructure.
Slide 5:IP Source Authentication
Server maintains a list of valid IP source addresses. Weak because it can be broken easily. An imposter can gain control of an intermediate router and impersonate an authorized client. An imposter can also impersonate a server.
Slide 6:Public Key Encryption System
Each end-entity has a cryptographic key pair: a private key that is kept secret at that end-entity, and a public key which is distributed. Keys, which are large integers, are used to encode and decode messages. A message encoded using one key can be decoded using the other.
Slide 7:Public Key Encryption System (contd.)
Message encrypted by a public key can only be decrypted by the holder of the corresponding private key. Private key can be used to generate a digital signature and anyone knowing the public key can authenticate it. Guessing or calculating the secret private key is an extremely difficult task.
Slide 8:Public Key Encryption System (contd.)
Public key encryption scheme can also handle the problem of privacy. Sender uses the receiver’s public key to encode the message. Receiver uses its private key to decode the message. Messages can be encoded twice to authenticate the sender and to enforce privacy: first with the sender’s private key and then with the receiver’s public key.
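The double encoding described on this slide, as an added example (not part of the original slides). It uses textbook RSA without padding and toy keys built from well-known Mersenne primes; the names ALICE, BOB, EVE, `seal`, `unseal` and the `PREFIX` redundancy marker are assumptions made for the illustration.

```python
# Textbook RSA, no padding, toy keys built from well-known Mersenne primes.
# Keys, names and messages are constructed for illustration only.
PREFIX = b"MSG:"   # redundancy the receiver checks (assumption of this example)

def make_key(p, q, e=65537):
    """Return (public, private) as ((e, n), (d, n))."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)

def apply_key(key, value):
    """Encode or decode: the same modular exponentiation for either key."""
    exponent, modulus = key
    if not 0 <= value < modulus:
        raise ValueError("value does not fit under this key's modulus")
    return pow(value, exponent, modulus)

def seal(text, sender_private, receiver_public):
    """Encode twice: sender's private key first, then receiver's public key."""
    m = int.from_bytes(PREFIX + text, "big")
    signed = apply_key(sender_private, m)        # authenticates the sender
    return apply_key(receiver_public, signed)    # enforces privacy

def unseal(ciphertext, receiver_private, sender_public):
    """Undo both layers; return the text, or None if the sender check fails."""
    try:
        signed = apply_key(receiver_private, ciphertext)
        m = apply_key(sender_public, signed)
    except ValueError:
        return None
    raw = m.to_bytes((m.bit_length() + 7) // 8, "big")
    return raw[len(PREFIX):] if raw.startswith(PREFIX) else None

# The sender's modulus must be smaller than the receiver's; otherwise the
# value produced by the first encoding may not fit under the second key.
ALICE_PUB, ALICE_PRIV = make_key(2**61 - 1, 2**89 - 1)
BOB_PUB, BOB_PRIV = make_key(2**107 - 1, 2**127 - 1)
EVE_PUB, EVE_PRIV = make_key(2**31 - 1, 2**61 - 1)

if __name__ == "__main__":
    sealed = seal(b"pay 5", ALICE_PRIV, BOB_PUB)
    print(unseal(sealed, BOB_PRIV, ALICE_PUB))   # Bob recovers Alice's text
    forged = seal(b"pay 5", EVE_PRIV, BOB_PUB)   # Eve claims to be Alice
    print(unseal(forged, BOB_PRIV, ALICE_PUB))   # sender check fails
```

Without the redundancy check, any value decodes to some integer under the sender's public key, so the second layer alone would not reveal an imposter.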
Slide 9:Certificates and Certification Authorities
To ensure authenticity, public keys are generally distributed in the form of certificates. A certificate contains: a public key value, the identity of the holder of the corresponding private key, and the digital signature of the certification authority (CA).
Slide 10:Certificates and Certification Authorities (contd.)
A CA is a trusted party whose public key is known, e.g., VeriSign, Inc. The recipient uses the public key of the CA to decrypt the sender's public key in the certificate. The most vulnerable part of this method is the CA’s private key, which is used to digitally sign the certificate.
Slide 11:SSL Handshake
Slide 12:Secure Sockets Layer (SSL)
The leading security protocol on the Internet. Developed by Netscape. At the start of an SSL session, the browser sends its public key to the server. Server uses the browser’s public key to encrypt a secret key and sends it to the browser. During the session, the server and browser exchange data via secret key encryption.
Slide 13:SSL (contd.)
SSL has merged with other protocols and authentication methods to create a new protocol known as Transport Layer Security (TLS). Typically only server authentication is done. Authentication of browser’s (user’s) identity requires certificates to be issued to users.
Slide 14:Internet Firewalls
Firewall protects an organization’s internal networks, routers, computers, and data against unauthorized access. Security perimeter involves installing a firewall at each external connection. For effective control all firewalls must use exactly the same access restrictions.
Slide 15:Internet Firewall Implementation
A firewall must handle datagrams at the same speed as the connection to the outside world. To operate at network speeds, routers include a high-speed filtering mechanism. Filters form the basic building blocks of a firewall.
Slide 16:Packet Filters
Provides a basic level of network security at the IP level. Filtering is based on any combination of source IP address, destination IP address, protocol, source protocol port number, and destination protocol port number. Packet filters do not maintain context or understand the application they are dealing with.
Slide 17:Packet Filters
Specifying the datagrams that should be filtered is not very effective. Instead we specify which datagrams to admit. Security concerns: IP spoofing (mimicking IP addresses of trusted machines) and IP tunneling (one datagram is temporarily encapsulated in another).
Slide 18:Packet Filters
“If an organization’s firewall restricts incoming datagrams except for ports that correspond to services the organization makes available externally, an arbitrary application inside the organization cannot become a client of a server outside the organization.” (Comer, 1995)
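The packet-filter behaviour from Slides 16 to 18, as an added example (not part of the original slides): a stateless, admit-only filter over the five header fields, showing the spoofing concern and the dropped reply that Comer describes. The addresses, ports and rule set are constructed, and the `Rule`, `Datagram` and `admit` names are assumptions.

```python
import ipaddress
from dataclasses import dataclass

ANY = None  # wildcard value for a rule field

@dataclass(frozen=True)
class Datagram:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int

@dataclass(frozen=True)
class Rule:
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = ANY
    sport: int = ANY
    dport: int = ANY

    def matches(self, d):
        """Compare header fields only; no context, no application knowledge."""
        return (ipaddress.ip_address(d.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(d.dst) in ipaddress.ip_network(self.dst)
                and self.proto in (ANY, d.proto)
                and self.sport in (ANY, d.sport)
                and self.dport in (ANY, d.dport))

def admit(rules, datagram):
    """Admit only datagrams some rule lists; everything else is dropped."""
    return any(rule.matches(datagram) for rule in rules)

# Constructed inbound policy for an organization using 192.0.2.0/24.
INBOUND = [
    Rule(dst="192.0.2.10/32", proto="tcp", dport=80),   # public web server
    Rule(dst="192.0.2.25/32", proto="tcp", dport=25),   # public mail server
    Rule(src="198.51.100.7/32", dst="192.0.2.0/24"),    # trusted partner host
]

# Constructed sample datagrams arriving from outside.
WEB = Datagram("203.0.113.5", "192.0.2.10", "tcp", 40000, 80)
TELNET = Datagram("203.0.113.5", "192.0.2.10", "tcp", 40001, 23)
# Claims the trusted source address; the filter cannot tell who really sent it.
SPOOFED = Datagram("198.51.100.7", "192.0.2.50", "tcp", 40002, 23)
# Reply from an outside web server to an inside client's ephemeral port.
REPLY = Datagram("203.0.113.80", "192.0.2.50", "tcp", 80, 51515)

if __name__ == "__main__":
    for name, d in [("web", WEB), ("telnet", TELNET),
                    ("spoofed", SPOOFED), ("reply", REPLY)]:
        print(name, "admit" if admit(INBOUND, d) else "drop")
```

The dropped `REPLY` is why an inside application cannot act as a client of an outside server under this policy: the filter keeps no record that the inside host opened the connection.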
Slide 19:Proxy Firewalls
Most secure form of firewall. All incoming traffic is tunneled to the appropriate proxy gateway for mail, HTTP, FTP, etc. Proxies then direct the information to the internal network. Proxies are applications that make decisions based on context, authorization, & authentication rules instead of IP addresses.
Slide 20:Proxy Firewalls (contd.)
Proxy firewall operates at the highest level of the protocol stack. Proxies are relays between the Internet and the organization’s private network. Proxy’s firewall address is the only one available to the outside world. Some firewalls combine router and proxy techniques to provide more security.