Security in Networks—Their design, development, usage… Barbara Endicott-Popovsky, CSSE592/491. In collaboration with: Deborah Frincke, Ph.D., Director, Center for Secure and Dependable Systems, University of Idaho
Text Book • Both broad survey and focused • Chapters 1–2 lay groundwork • Chapters 3–7 Software • Chapter 7 • Contrast to standalone environments • Threats • Controls • Tools: Firewalls, Intrusion detection, Secure e-mail • Chapter 9 Privacy, ethics, the law • Chapter 10 Cryptography – the how
In this section of the course we will look at… • Networks—their design, development, usage • The Basics • Threats • Controls • Tools • Firewalls • Intrusion Detection • Secure e-mail Source: Pfleeger & Pfleeger
Agenda • I. The Basics • II. Threats • III. Controls • IV. Tools Source: Pfleeger & Pfleeger
I. The Basics • Terms • Topology • Media • Analog/digital • Protocols • LAN/WAN • Internet • Distributed System • APIs Source: Pfleeger & Pfleeger
ISO/OSI Model Source: Pfleeger & Pfleeger
TCP/IP vs. OSI Source: Pfleeger & Pfleeger
TCP/IP Source: Pfleeger & Pfleeger
Issues • ISO/OSI: seven layers of processing slow things down • TCP/IP: more efficient, and open • Result: TCP/IP is what runs over the Internet, and its openness and simplicity introduce the security issues covered in this section NOTE: Study this part of the chapter Source: Pfleeger & Pfleeger
II. Threats • Vulnerabilities • Attackers • Threats • Precursors • In transit • Protocol flaws • Impersonation • Spoofing • Message Confidentiality / Integrity threats • Web Site Defacement • Denial of Service (DoS) • Distributed Denial of Service (DDoS) • Active or Mobile Code Threats • Complex Attacks Source: Pfleeger & Pfleeger
Vulnerabilities • Anonymity • Many points of attacks—targets and origins • Sharing • Complexity of system • Unknown perimeter • Unknown path Source: Pfleeger & Pfleeger
Attackers • Script kiddies • Industrial spies • Information warfare • Cyber terrorists • “Hacktivists” • Wardrivers, etc. Profile—see Mitnick Source: Pfleeger & Pfleeger
Threat Spectrum Source: Deb Frincke
From CSI/FBI Report 2002 • 90% detected computer security breaches • 80% acknowledged financial losses • 44% (223 respondents) were willing and able to quantify losses: $455M total • Most serious losses: theft of proprietary information and fraud • Theft of proprietary information, 26 respondents: $170M • Fraud, 25 respondents: $115M • 74% cited their Internet connection as a frequent point of attack • 33% cited internal systems as a frequent point of attack • 34% reported intrusions to law enforcement (up from 16% in 1996) Source: Deb Frincke
More from CSI/FBI 2002 • 40% detected external penetration • 40% detected DoS attacks • 78% detected employee abuse of Internet access • 85% detected computer viruses • 38% suffered unauthorized access on Web sites • 21% didn’t know • 12% reported theft of information • 6% reported financial fraud (up from 3% in 2000) Source: Deb Frincke
Threats: Precursors • Port Scan • Social Engineering • Reconnaissance • OS Fingerprinting • Bulletin Boards / Chats • Available Documentation Source: Pfleeger & Pfleeger
Threats: In Transit • Packet Sniffing • Eavesdropping • Wiretapping • Microwaves • Satellites • Fiber • Wireless Source: Pfleeger & Pfleeger
Threats: Protocol Flaws • Public protocols • Flaws public • Human errors Source: Pfleeger & Pfleeger
Threats: Impersonation • Guessing • Stealing • Wiretapping • Eavesdropping • Avoid authentication • Nonexistent authentication • Known authentication • Trusted authentication • Delegation • MSN Passport Source: Pfleeger & Pfleeger
Threats: Spoofing • Masquerade • Session hijacking • Man-in-the-middle attack Source: Pfleeger & Pfleeger
Threats: Message Confidentiality/Integrity • Misdelivery • Exposure • Traffic flow analysis • Falsification of messages • Noise Source: Pfleeger & Pfleeger
Threats: Web Site Defacement • Buffer overflows • Dot-dot (directory traversal) and address problems • Server-side includes Source: Pfleeger & Pfleeger
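The dot-dot problem above is worth seeing in code. The following is an added example, not from the textbook or the course slides: a web server that builds a filesystem path by gluing the requested URL onto its document root lets "../" segments walk out of that root, while the hardened version normalises the decoded path and then checks that it is still under the root. The document root and request strings are constructed for the example; posixpath is used so the result is the same on every OS.

```python
import posixpath
from urllib.parse import unquote

# Constructed document root for the example (hypothetical path).
DOC_ROOT = "/var/www/html"


def resolve_naive(requested: str) -> str:
    """Vulnerable: concatenates the (URL-decoded) request path onto DOC_ROOT.

    normpath() resolves the '..' segments, so '../../../etc/passwd' walks
    straight out of the document root: the classic dot-dot attack.
    """
    return posixpath.normpath(DOC_ROOT + "/" + unquote(requested))


def resolve_safe(requested: str):
    """Hardened: decode, treat the path as relative, normalise, then verify
    that the *result* still lies under DOC_ROOT. Returns None if it does not.

    Checking after normalisation matters: filtering the literal string '../'
    before decoding would miss '..%2F' and similar encodings.
    """
    rel = unquote(requested).lstrip("/")          # never let the client pick an absolute path
    candidate = posixpath.normpath(posixpath.join(DOC_ROOT, rel))
    root = DOC_ROOT.rstrip("/")
    if candidate != root and not candidate.startswith(root + "/"):
        return None                               # escaped the document root
    return candidate


if __name__ == "__main__":
    for req in ("docs/index.html", "../../../etc/passwd", "..%2F..%2F..%2Fetc/passwd"):
        print(f"{req!r:32} naive={resolve_naive(req)!r:28} safe={resolve_safe(req)!r}")
```

The same containment check applies to any path the server derives from client input, including the file named in a server-side include directive.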
Threats: Denial of Service (DoS) • Transmission failure • Connection flooding • Echo/chargen • Ping of death • Smurf attack • SYN flood • Traffic redirection • DNS attack • BIND service Source: Pfleeger & Pfleeger
Threats: Distributed Denial of Service (DDoS) • Trojan horses planted on intermediate hosts • Zombies attack the target on command Source: Pfleeger & Pfleeger
Threats: Active/Mobile Code(Code Pushed to the Client) • Cookies • Per-session • Persistent • Scripts • Active code • Hostile applet • Auto Exec by type Source: Pfleeger & Pfleeger
Threats: Complex Attacks • Script Kiddies • Building Blocks Source: Pfleeger & Pfleeger
III. Controls • Design • Architecture • Segmentation • Redundancy • Single points of failure • Encryption • Link encryption • End-to-end encryption • VPNs • PKI and Certificates • SSH and SSL encryption • IPSec • Signed code • Encrypted e-mail Source: Pfleeger & Pfleeger
Controls (cont’d.) • Content Integrity • Error correcting codes • Cryptographic checksum • Strong Authentication • One-time password • Challenge-response systems • Digital distributed authentication • Kerberos • Access controls • ACLs on routers • Firewalls • Alarms and Alerts • Honeypots • Traffic Flow Security • Onion routing Source: Pfleeger & Pfleeger
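Two of the controls listed above, the cryptographic checksum and challenge-response authentication, rest on the same primitive, so one added example covers both. This is illustration code written for these notes, not code from the textbook: it contrasts an error-detecting code (CRC-32), which an active attacker can simply recompute after altering a message, with a keyed HMAC-SHA256 that cannot be recomputed without the key, and then reuses that HMAC to answer a random server challenge so that a captured response cannot be replayed. The shared key and message are constructed for the example.

```python
import hashlib
import hmac
import os
import zlib

# ---- Content integrity ------------------------------------------------------

def crc_tag(msg: bytes) -> int:
    """Error-detecting code: good against line noise, useless against an attacker,
    because anyone can recompute it."""
    return zlib.crc32(msg)


def crc_ok(msg: bytes, tag: int) -> bool:
    return zlib.crc32(msg) == tag


def mac_tag(key: bytes, msg: bytes) -> bytes:
    """Cryptographic checksum: HMAC-SHA256 over the message under a shared key."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def mac_ok(key: bytes, msg: bytes, tag: bytes) -> bool:
    # compare_digest avoids leaking where the comparison failed via timing
    return hmac.compare_digest(mac_tag(key, msg), tag)


def forge_crc(msg: bytes) -> tuple[bytes, int]:
    """What a man-in-the-middle does to a CRC-protected message: change it and
    fix up the checksum. The receiver's crc_ok() still passes."""
    tampered = msg.replace(b"100", b"900")
    return tampered, crc_tag(tampered)


# ---- Strong authentication: challenge-response on the same primitive --------

def new_challenge() -> bytes:
    """Server side: a fresh random nonce per login attempt."""
    return os.urandom(16)


def client_response(secret: bytes, challenge: bytes) -> bytes:
    """Client proves possession of the secret without sending it."""
    return mac_tag(secret, challenge)


def server_verify(secret: bytes, challenge: bytes, response: bytes) -> bool:
    """A response recorded by a wiretapper is worthless against the next challenge."""
    return hmac.compare_digest(mac_tag(secret, challenge), response)


if __name__ == "__main__":
    key = b"shared-secret"                       # constructed for the example
    msg = b"pay 100 to alice"
    tampered, bad_crc = forge_crc(msg)
    print("CRC accepts forged message :", crc_ok(tampered, bad_crc))
    print("HMAC accepts forged message:", mac_ok(key, tampered, mac_tag(key, msg)))
    c1, c2 = new_challenge(), new_challenge()
    r1 = client_response(key, c1)
    print("fresh response accepted     :", server_verify(key, c1, r1))
    print("replayed response accepted  :", server_verify(key, c2, r1))
```

The HMAC functions here are the content-integrity control; the challenge-response functions show why a one-time value from the server turns the same keyed checksum into an authentication that eavesdropping does not defeat.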
IV. Tools • Firewalls • Intrusion Detection Systems • Secure e-Mail Source: Pfleeger & Pfleeger
Firewalls • Packet filtering gateway • Stateful inspection firewall • Application proxy gateway • Guard • Personal firewalls Source: Pfleeger & Pfleeger
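The difference between the first two firewall types above is easiest to see by running both over the same packets. This is an added example for these notes, not code from the textbook: a packet-filtering gateway decides on each packet alone, so its only way to admit replies to outbound connections is a rule like "allow inbound packets with ACK set", which an outsider satisfies by simply setting ACK on an unsolicited probe. The stateful inspection firewall instead records outbound SYNs in a connection table and admits inbound packets only if they match a recorded connection. Addresses, the internal prefix and the packets are constructed for the example.

```python
from dataclasses import dataclass

INTERNAL_PREFIX = "10.0.0."   # constructed: the protected network behind the firewall


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset          # subset of {"SYN", "ACK", "FIN", "RST"}


def inside(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


def stateless_allow(p: Packet) -> bool:
    """Packet-filtering gateway: no memory of earlier packets.
    Policy: anything outbound; inbound only if it looks like a reply (ACK set)."""
    if inside(p.src) and not inside(p.dst):
        return True
    if not inside(p.src) and inside(p.dst):
        return "ACK" in p.flags           # weakness: the attacker chooses the flags
    return False


class StatefulFirewall:
    """Stateful inspection: inbound packets must belong to a connection that an
    inside host opened. State is created by an outbound SYN and torn down on FIN/RST."""

    def __init__(self):
        self.sessions = set()             # (inside ip, inside port, outside ip, outside port)

    def allow(self, p: Packet) -> bool:
        if inside(p.src) and not inside(p.dst):
            key = (p.src, p.sport, p.dst, p.dport)
            if p.flags == frozenset({"SYN"}):
                self.sessions.add(key)    # outbound connection initiation
                return True
            ok = key in self.sessions
        elif not inside(p.src) and inside(p.dst):
            key = (p.dst, p.dport, p.src, p.sport)
            ok = key in self.sessions     # only replies to known connections
        else:
            return False
        if ok and p.flags & {"FIN", "RST"}:
            self.sessions.discard(key)    # connection closed: forget it
        return ok


if __name__ == "__main__":
    fw = StatefulFirewall()
    syn    = Packet("10.0.0.5", 40000, "203.0.113.7", 80, frozenset({"SYN"}))
    synack = Packet("203.0.113.7", 80, "10.0.0.5", 40000, frozenset({"SYN", "ACK"}))
    probe  = Packet("198.51.100.9", 12345, "10.0.0.5", 22, frozenset({"ACK"}))
    for name, pkt in (("outbound SYN", syn), ("reply SYN/ACK", synack), ("unsolicited ACK probe", probe)):
        print(f"{name:24} stateless={stateless_allow(pkt)!s:5} stateful={fw.allow(pkt)}")
```

The unsolicited ACK probe is exactly the case that separates the two designs: the packet filter passes it to an internal host, the stateful firewall drops it because no inside host ever opened that connection.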
Intrusion Detection Systems • Signature-based IDS • Heuristic IDS • Stealth mode Source: Pfleeger & Pfleeger
IDS Characteristics • Goals • Detect all attacks • Little performance impact • Alarm response • Monitor and collect data • Protect • Call administrator • Limitations • Avoidance strategies • Sensitivity • Only as good as the process/people Source: Pfleeger & Pfleeger
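The two IDS styles above, and the port scan listed earlier under precursors, can be shown together on one small sensor log. This is an added example written for these notes, not code from the textbook or any IDS product: a signature rule matches a known dot-dot pattern in request payloads, while a heuristic rule flags a source that touches many distinct ports on one host, which is what a port scan looks like. The log lines and addresses are constructed. The example also exhibits two of the limitations from the slide: the signature misses a URL-encoded variant unless the payload is normalised first (an avoidance strategy), and the port-scan alert appears or disappears depending on the threshold (sensitivity).

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sensor log (not real traffic): one connection attempt per line.
LOG = """\
2002-06-01T10:00:01 src=198.51.100.9 dst=10.0.0.5 dport=21 payload=""
2002-06-01T10:00:01 src=198.51.100.9 dst=10.0.0.5 dport=22 payload=""
2002-06-01T10:00:01 src=198.51.100.9 dst=10.0.0.5 dport=23 payload=""
2002-06-01T10:00:02 src=198.51.100.9 dst=10.0.0.5 dport=25 payload=""
2002-06-01T10:00:02 src=198.51.100.9 dst=10.0.0.5 dport=53 payload=""
2002-06-01T10:00:02 src=198.51.100.9 dst=10.0.0.5 dport=80 payload=""
2002-06-01T10:00:03 src=198.51.100.9 dst=10.0.0.5 dport=110 payload=""
2002-06-01T10:00:03 src=198.51.100.9 dst=10.0.0.5 dport=135 payload=""
2002-06-01T10:00:03 src=198.51.100.9 dst=10.0.0.5 dport=139 payload=""
2002-06-01T10:00:04 src=198.51.100.9 dst=10.0.0.5 dport=143 payload=""
2002-06-01T10:00:04 src=198.51.100.9 dst=10.0.0.5 dport=443 payload=""
2002-06-01T10:00:04 src=198.51.100.9 dst=10.0.0.5 dport=445 payload=""
2002-06-01T10:00:09 src=203.0.113.7 dst=10.0.0.5 dport=80 payload="GET /index.html HTTP/1.0"
2002-06-01T10:00:10 src=203.0.113.8 dst=10.0.0.5 dport=80 payload="GET /../../../etc/passwd HTTP/1.0"
2002-06-01T10:00:11 src=203.0.113.8 dst=10.0.0.5 dport=80 payload="GET /%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.0"
"""

LINE = re.compile(r'^(\S+) src=(\S+) dst=(\S+) dport=(\d+) payload="(.*)"$')

# Signature rules: known bad byte patterns (names are this example's own).
SIGNATURES = {"dot-dot traversal": re.compile(r"\.\./")}


def parse(log: str) -> list[dict]:
    """Turn log lines into records; malformed lines are skipped."""
    records = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, src, dst, dport, payload = m.groups()
        records.append({"ts": ts, "src": src, "dst": dst, "dport": int(dport), "payload": payload})
    return records


def signature_alerts(records: list[dict], normalize: bool = True) -> list[tuple]:
    """Signature-based detection. With normalize=False the URL-encoded variant
    slips past the rule: a simple avoidance strategy."""
    alerts = []
    for r in records:
        data = unquote(r["payload"]) if normalize else r["payload"]
        for name, pattern in SIGNATURES.items():
            if pattern.search(data):
                alerts.append((r["ts"], r["src"], name))
    return alerts


def portscan_alerts(records: list[dict], threshold: int = 10) -> list[tuple]:
    """Heuristic detection: a source touching >= threshold distinct ports on one
    host is reported as a port scan. The threshold is the sensitivity knob."""
    ports = defaultdict(set)
    for r in records:
        ports[(r["src"], r["dst"])].add(r["dport"])
    return sorted((src, dst, len(p)) for (src, dst), p in ports.items() if len(p) >= threshold)


if __name__ == "__main__":
    recs = parse(LOG)
    print("signature (raw)       :", signature_alerts(recs, normalize=False))
    print("signature (normalised):", signature_alerts(recs))
    print("port scan, threshold 10:", portscan_alerts(recs, 10))
    print("port scan, threshold 20:", portscan_alerts(recs, 20))
```

Raising the threshold silences the scan alert entirely, and a patient scanner can stay under any fixed threshold by probing slowly; that is the trade-off the slide calls sensitivity, and it is why the alerts are only as good as the people who tune and read them.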
Secure e-Mail • Designs • Confidentiality—encryption • Message integrity checks • Examples • PGP • S/MIME Source: Pfleeger & Pfleeger