
EE579T / CS525T Network Security 1: Course Overview and Computer Security Review

EE579T / CS525T Network Security 1: Course Overview and Computer Security Review. Prof. Richard A. Stanley. Overview of Tonight’s Class. Administration Is network security a problem, or just an interesting topic? What is different between computer security and network security?


Presentation Transcript


  1. EE579T / CS525T Network Security 1: Course Overview and Computer Security Review Prof. Richard A. Stanley WPI

  2. Overview of Tonight’s Class • Administration • Is network security a problem, or just an interesting topic? • What is different between computer security and network security? • Review of computer security

  3. Administration

  4. Organizational Details • Prof. Stanley contact information • Office: A-K 009 • Hours: by appointment • Phone: (508) 276-1060 • Email: rstanley@ece.wpi.edu

  5. Administrivia • Class will normally meet 6:00 - 8:50 PM every Wednesday here. Please be on time. • Break from approx. 7:15 to 7:30 PM • If class is cancelled for bad weather, you should receive notice. Double-check with ECE Dept. (5231) or with me if in doubt. • It may be necessary to cancel a class during the term. If so, you will be notified.

  6. Course Text • Network Security Essentials, William Stallings, Prentice Hall, 1999 ISBN 0-13-016093-8 • Additional material will be in the form of handouts and pointers to research materials

  7. Course Web Page • http://www.ece.wpi.edu/courses/ee579t/ • Slides will be posted to the page before class, barring any unfortunate problems

  8. Grading • Mid-term exam (30%) • Homework (20%) • Class participation (20%) • Course project (30%)

  9. Policies • Homework is due at the class following the one in which it is assigned. It will be accepted up to the second class after that in which it is assigned, but not after that, except in truly emergency situations. By definition, emergencies do not occur regularly. • There is a difference between working in teams and submitting the same work. If work is a team product, it must be clearly labeled as such.

  10. Getting to Know You • Your interests and expertise in this area • My interest and experience in this area • What you would like from the course

  11. Is Network Security Really an Important Problem?

  12. Network Security: What’s the Big Deal? • Not a new problem • Not just a creation of the press • Not just for rocket scientists • As professionals, failure to understand and implement appropriate security can come back to haunt you in terms of liability and reputation

  13. Points to Ponder • 85% of businesses surveyed reported attacks against their networks in 2000 • 64% reported financial losses, totaling $378M -- this represents only the 186 companies willing to share this information! • Theft of proprietary information and financial fraud top the list of losses • Majority of attacks now from outside. Source: "Issues and Trends: 2001 CSI/FBI Computer Crime and Security Survey"

  14. More Statistics • 91% detected employee misuse of systems • 94% detected computer viruses • 40% detected system penetration from outside • 38% detected denial of service attacks • 36% reported intrusions to law enforcement Source: "Issues and Trends: 2001 CSI/FBI Computer Crime and Security Survey"

  15. What’s the Problem? • Financial liability • Due diligence • Simple negligence • Gross negligence • Goodwill • One bad press release cancels 1000 attaboys. This is a “you bet your business” issue

  16. Computer Security versus Network Security

  17. Computer security involves preventing, detecting, and responding to unauthorized actions on a computer system. Network security means the same thing for a group of networked computers. To understand network security, you must first understand computer security. There is no “easy” way around this.

  18. One View (diagram labels): Network Security, Computer Security, WWW Security

  19. Why Networks Matter • If computers cannot be secured individually, the network cannot be secure • Networking makes the most individually secure computer on the network only as secure as the least individually secure computer on the network. • Networking offers new vulnerabilities • Speed of mischief increases exponentially

  20. And Most Especially... • Mobile code is a basic staple of the internet, and other networks as well • This is a wholly new paradigm • Users are not usually aware of mobile code • Novelty and convenience trump security every time • Consider the dancing pigs

  21. Analogy • One can easily define the security perimeter of a single computer. You can probably even literally “put your arms around it.” • One cannot easily define the perimeter of a group of networked computers, except under a set of trivial conditions that are meaningless in practice. • So, where to put the security? And HOW to make it happen?

  22. Role of Technology • Technology is a useful tool, not a panacea. • A clear policy, evenly enforced, is the most critical element of success. • Don’t ignore the fundamentals. • Caterpillar’s entire network was compromised by not revoking a former employee’s password. • Perfection does not exist in the real world

  23. Why Isn’t This Topic More Theoretical? “In theory, there is no difference between theory and practice. In practice, there is.” (Yogi Berra)

  24. Remember the Security Theorem • Proving a computer to be secure required: • Knowledge of the security of each state transition • An exhaustive catalog of all possible states • Knowledge of the initial conditions • Now, how do we apply this approach to a network with changing topology?

  25. Why Is A Proof Elusive? • A secure network must be secure under all conditions of operation • This demands proof that there is no condition under which it could operate that is insecure, i.e. the negative proposition. • However, formal logic teaches us it is impossible to prove a negative • Q.E.D.

  26. Computer Security Review Or: How I Learned to Stop Worrying and Love Uncertainty

  27. Security Requirements • Customers expect “reasonably secure” handling of their sensitive data • The Devil is in the details • What is “reasonable?” • What is “secure?” • What data is “sensitive?” • When is it your responsibility?

  28. A Curious Property of Information • Information is the only thing that can be stolen and still leave the owner in possession of it • This poses some serious problems, which the course will address • Networks increase the seriousness of the problem, as compared to single computers

  29. The Security Dilemma • Security is something most users want, but that most know little about • Security gets in the way of using the network • The tighter the security, the harder the system is to use, and the more likely it is that the users will bypass security measures

  30. The Totally Secure System • Is relatively simple to build • Is provably secure • Is useless for any practical purposes. Our job is to learn how to design computer networks to provide the necessary level of security without going overboard.

  31. Security Needs, Threats (need: threat) • Confidentiality: Interception • Integrity: Modification • Availability: Denial of service • Authenticity: Spoofing • Reliability and safety: Dangerous conditions • Vulnerability assessment: Exploitation of unguarded conditions • Risk management: Wasted resources

  32. Security Objectives (A - I - C) • Availability • Integrity & Authenticity • Confidentiality • Protect, detect and recover from insecurities

  33. Security = Asset protection • Risk Analysis • Protect • Detect • Correct • Manage

  34. Identification & Authentication • Identification • A unique entity descriptor • Authentication • Verifying the claimed identification • These are crucial to network security. These are two sides of the same coin, but they are NOT the same thing

  35. Password • Most commonly used • Relatively easy to compromise or break • Many threats • Usability issues • First line of defense, but not a very solid one

  36. Password Problems • Security/sharing • System is only as secure as the weakest link • Vulnerable to brute force attack • Dictionary attacks easy, in any language • Other intelligent searches • Exhaustive attacks • Password file vulnerable • Spoofing, man-in-the-middle

  37. Authentication • Validates you are who you claim to be • Something you know • Something you have • Something you are • Something you do • Somewhere you are • An intruder who has the authentication keys looks just like the real user!

  38. Something You Know • Password • PIN • Some other piece of information (e.g. your mother’s maiden name -- very popular) • NB: anyone who obtains this information is -- so far as the computer knows -- you. Is there a problem here?

  39. Something You Have • Physical token • Physical key • Magnetic card • Smart card • Calculator • What if you lose it?

  40. Something You Are • Biometrics • Fingerprints • Face geometry • Voiceprints • Retinal scanning • Hand geometry • False positives, negatives • User acceptance

  41. Something You Do • Mechanical tasks • Signature (pressure, speed) • Joystick • False positives, negatives • Potential for forgery, replay, etc.

  42. Somewhere You Are • Limit use by user location • Vet location by GPS, etc. • Reliability, dependability, complexity

  43. But First: Security Awareness • View the world as if you had to design a security solution for whatever situation you are in • Even paranoiacs have real enemies • Assumptions are your enemy

  44. Access Control • Provides limits on who can do what with objects on the computer • Can’t happen without identification and authentication • Is not the same as identification and authentication

  45. Subjects and Objects • Remember your English grammar • Subjects act • Objects are acted upon • These roles are not graven in stone • If you hit the ball, you are the subject • If the ball hits you, you are the object • It is just the same in computer science

  46. Access Control Model (diagram): Subject → Request → Reference Monitor → Object

  47. Reference Monitor • Makes access control work • You can tell it • What a subject is allowed to do • What may be done with an object • In order to specify these things, you need to know all the possibilities, or you need to define things narrowly so that what you don't know doesn’t become allowed

  48. Access Control Matrix • A = set of access operations permitted • S = set of subjects • O = set of objects

  49. Security Model Types • Formal (high-assurance computing) • Bell-LaPadula • Biba • Chinese Wall • Informal (policy description) • Clark-Wilson

  50. Bell-LaPadula • Describes access policies and permissions • S is the set of subjects • O is the set of objects • A is the set of access operations = {execute, read, append, write}={e,r,a,w} • L is the set of security levels with partial ordering ≤
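
The reference monitor and access control matrix of slides 46-48, using the operation set A = {e, r, a, w} from slide 50, as an added example that is not part of the original lecture. The subjects, objects, matrix entries and the `ReferenceMonitor` class are constructed for illustration; the point shown is the narrow, default-deny definition from slide 47.

```python
from dataclasses import dataclass, field

A = frozenset({"e", "r", "a", "w"})  # execute, read, append, write (slide 50)

@dataclass
class ReferenceMonitor:
    # matrix[(s, o)] is the subset of A that subject s may apply to object o.
    matrix: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def grant(self, s, o, ops):
        ops = frozenset(ops)
        if not ops <= A:
            raise ValueError(f"unknown access operations: {sorted(ops - A)}")
        self.matrix[(s, o)] = self.matrix.get((s, o), frozenset()) | ops

    def revoke_subject(self, s):
        # Remove the subject's whole row, e.g. when an account is closed.
        for key in [k for k in self.matrix if k[0] == s]:
            del self.matrix[key]

    def request(self, s, o, op):
        # Default deny: a missing cell, an unknown subject or object, or an
        # unknown operation all resolve to the empty set, so nothing that
        # was never specified becomes allowed.
        allowed = op in self.matrix.get((s, o), frozenset())
        self.audit.append((s, o, op, "ALLOW" if allowed else "DENY"))
        return allowed

def demo():
    rm = ReferenceMonitor()
    # Constructed sample policy.
    rm.grant("alice", "payroll.db", "rw")
    rm.grant("bob", "payroll.db", "r")
    rm.grant("bob", "audit.log", "a")
    results = [
        rm.request("alice", "payroll.db", "w"),    # listed in the cell
        rm.request("bob", "payroll.db", "w"),      # cell holds read only
        rm.request("bob", "audit.log", "r"),       # append does not imply read
        rm.request("mallory", "payroll.db", "r"),  # subject not in S
        rm.request("alice", "payroll.db", "x"),    # operation not in A
    ]
    rm.revoke_subject("alice")                     # account closed
    results.append(rm.request("alice", "payroll.db", "r"))
    return results, rm.audit

if __name__ == "__main__":
    print(demo()[0])
```

Every request passes through `request`, so the audit list records denials as well as grants.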
