Chapter 7: Networking & Distributed Security
Outline
• Overview of Networking
• Threats: wiretapping, impersonation, message interruption/modification, DoS
• Controls: encryption, authentication, distributed authentication, traffic control
• Email privacy: PEM, PGP
• Firewalls
• Multilevel networks
Sawma V., Computer Security and Their Data
Networking and Security
• Network threats arise at different points depending on the technologies involved, so the controls must also be matched to those specific technologies.
• Incorporating a new technology may bring new vulnerabilities into a system.
• Examples:
  • Web (closed medium, open nature)
  • Wireless networking (open medium, closed nature)
  • Wireless Web (open medium, open nature)
Networking Concepts
• Communications, networks, distributed systems
• A simple view of a network (Fig. 7-1, 7-2):
  • Client, Server, Host
  • Node, Link
  • Terminal, Workstation
  • Gateway, Router
  • Hub, Repeater, Switch
Networking Concepts
• Digital vs analog communications
• Communication media:
  • Copper wires (coaxial, twisted pair)
  • Optical fiber
  • Airwaves (wireless networks)
  • Microwave
  • Satellite communications
• The underlying communication media are usually transparent to the users of a network.
Networking Concepts
• Communication protocols
• Protocol stack:
  • a layered architecture for communications
  • composed of both software and hardware
• Examples:
  • ISO OSI Network Model
  • TCP/IP Network Model
Networking Concepts: TCP/IP Network Model vs ISO/OSI Model

  ISO/OSI Model              TCP/IP Network Model
  -------------              --------------------
  Application  \
  Presentation  |            Application
  Session      /
  Transport                  Transport
  Network                    Internet
  Data Link    \
  Physical     /             Physical
Networking Concepts
• Addressing schemes:
  • MAC addresses
  • IP addresses
  • Port numbers
Networking Concepts
• Types of networks:
  • LAN
  • WAN
  • The Internet
  • Intranet
  • Extranet
  • Wireless networks: WLAN, mobile network
Networking Concepts
• Network topologies:
  • Bus topology
  • Star topology
  • Ring topology
• What kind(s) of topology does Ethernet use?
• What network uses the ring topology?
(Figures: Bus Topology, Ring Topology, Star Topology)
Networking Concepts
• Distributed information systems
• What can be distributed?
  • Processing
  • Data
  • Components
  • Etc.
• Desired features of a distributed information system:
  • Transparency (location, underlying communications, protocols, topology, software, hardware, …)
  • Reliability
  • Security
  • Etc.
Threats in Networks
• Security issues unique to networking:
  • Shared assets
  • Complexity (interconnections, software, hardware, media)
  • Unknown perimeter
  • Multiple points of vulnerability
  • Anonymity
  • Multiple, dynamically selected paths
Threats in Networks
• What can a malicious user do in a network? The answer: a lot! (Fig. 7-12)
• Methods of attack:
  • Wiretapping
  • Impersonation
  • Message interruption
  • Message modification
  • Hacking
  • DoS
Methods of Attacks
• Wiretapping: passive vs active wiretapping
• Wiretapping on different media:
  • Cables
  • Airwaves: microwave, WLAN (802.11b)
  • Satellite communications
  • Optical fibers
    • The fiber itself is more secure than other media.
    • But there are other vulnerable points.
• A valid assumption: all communication links can be broken. So?
Methods of Attacks
• Impersonation: stealing an identity
• Attacks on authentication mechanisms:
  • By guessing
  • By eavesdropping
  • By avoidance
  • By using a trusted system
  • An identity that requires no authentication
  • Well-known (default) authentication
Methods of Attacks
• Denial of service (DoS):
  • Flooding with spurious messages
  • Flooding by modifying routing tables
Network Security Controls: Encryption
• Host-level (link) encryption:
  • Link encryption occurs at layer 1 (physical) or layer 2 (data link) of the OSI model.
  • Data is encrypted before the system places it on the physical communication link.
  • Data is decrypted when it enters the destination host.
  + Encryption is performed by efficient and reliable hardware.
  + Encryption is invisible to the OS and the application.
  - Data is "in the clear" at the higher layers (layer 3 and above).
  - Data must be decrypted by every intermediate host. Q: How many intermediate hosts are there?
Network Security Controls: Encryption
• Application-level (end-to-end) encryption:
  • Encryption is performed between the sending application and the receiving application.
  • The encryption can be done by a hardware device (between the user and the host) or by software.
  • A message is transmitted in encrypted form throughout the network: a secure virtual tunnel.
  + No cleartext exposure in any host. Is this true?
  + No exposure in intermediate hosts.
  - Slower than link-level encryption.
  - If symmetric keys are used, a total of n * (n - 1) / 2 keys is needed for n applications to communicate pairwise.
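The two slides above can be made concrete with a small simulation. The following is an added example, not code from the lecture or its textbook: it walks one message along an assumed four-node path (alice-host, router-1, router-2, bob-host), once with per-link keys and once with a single end-to-end session key, and records what each node holds in memory. The cipher is a constructed toy stream cipher (HMAC-SHA256 keystream XORed onto the data) chosen only so the script runs offline; the host names and keys are likewise constructed. The last function computes the n * (n - 1) / 2 pairwise key count from the slide.

```python
import hashlib
import hmac
from typing import Dict, List, Tuple

# --- toy cipher (constructed for illustration; not for real use) -------------
def keystream(key: bytes, length: int) -> bytes:
    """Derive `length` keystream bytes from `key` with HMAC-SHA256 in counter mode."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (XOR is its own inverse) under the toy keystream."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


# --- assumed network path and keys (constructed) ----------------------------
PATH: List[str] = ["alice-host", "router-1", "router-2", "bob-host"]
LINK_KEYS: Dict[Tuple[str, str], bytes] = {
    ("alice-host", "router-1"): b"link-key-alice-r1",
    ("router-1", "router-2"): b"link-key-r1-r2",
    ("router-2", "bob-host"): b"link-key-r2-bob",
}
E2E_KEY = b"session-key-alice-bob"  # shared only by the two end applications


def send_link_encrypted(message: bytes, path: List[str],
                        link_keys: Dict[Tuple[str, str], bytes]) -> Dict[str, bytes]:
    """Link encryption: each hop decrypts with the inbound link key and re-encrypts
    with the outbound one, so every node along the path holds the plaintext."""
    observed: Dict[str, bytes] = {}
    payload = message
    for src, dst in zip(path, path[1:]):
        observed[src] = payload                    # plaintext in src's memory
        on_the_wire = xor_crypt(link_keys[(src, dst)], payload)
        payload = xor_crypt(link_keys[(src, dst)], on_the_wire)  # dst decrypts
    observed[path[-1]] = payload
    return observed


def send_end_to_end_encrypted(message: bytes, path: List[str],
                              e2e_key: bytes) -> Dict[str, bytes]:
    """End-to-end encryption: only the endpoints hold the session key; the
    intermediate hosts forward ciphertext they cannot read."""
    observed: Dict[str, bytes] = {path[0]: message}
    ciphertext = xor_crypt(e2e_key, message)
    for node in path[1:-1]:
        observed[node] = ciphertext                # forwarded unchanged
    observed[path[-1]] = xor_crypt(e2e_key, ciphertext)
    return observed


def hosts_seeing_plaintext(observed: Dict[str, bytes], message: bytes) -> List[str]:
    """Return the hosts at which the message was present in the clear."""
    return [host for host, data in observed.items() if data == message]


def symmetric_keys_needed(n: int) -> int:
    """Pairwise symmetric keys for n communicating applications: n(n-1)/2."""
    return n * (n - 1) // 2


if __name__ == "__main__":
    msg = b"transfer 100 to account 42"
    link = send_link_encrypted(msg, PATH, LINK_KEYS)
    e2e = send_end_to_end_encrypted(msg, PATH, E2E_KEY)
    print("link encryption, plaintext seen at:", hosts_seeing_plaintext(link, msg))
    print("end-to-end encryption, plaintext seen at:", hosts_seeing_plaintext(e2e, msg))
    print("keys for 10 applications:", symmetric_keys_needed(10))
```

Running the script shows the point of the comparison: with link encryption both routers have the plaintext in memory (which is why the slide asks how many intermediate hosts there are), while with end-to-end encryption only the two endpoints do. The `hosts_seeing_plaintext` check is the kind of property a practitioner would assert about any design that claims "no exposure in intermediate hosts".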
Network Security Controls: Encryption
• Comparison of link and end-to-end encryption
VPN (Virtual Private Network)
• There are two common types of VPNs:
  • Remote-Access
    • Also called a Virtual Private Dial-up Network (VPDN)
    • A user-to-LAN connection used by a company whose employees need to connect to the private network from various remote locations
    • Typically, a corporation that wishes to set up a large remote-access VPN provides its users some form of Internet dial-up account through an ISP.
  • Site-to-Site
    • Through the use of dedicated equipment and large-scale encryption, a company can connect multiple fixed sites over a public network such as the Internet.
• Use of a VPN to secure a wireless LAN
Network Security Controls: Authentication / Access Control
• Two goals of access control in a network:
  • To protect a single system from unauthorized users
  • To prevent unauthorized users from accessing a computer by passing through another computer (distributed authentication)
Network Security Controls: Distributed Authentication
• Two issues:
  • To protect a single system from unauthorized remote users: distributed user authentication
  • To protect a network node from unauthorized access coming from other nodes: computer-to-computer authentication
• Several approaches:
  • Distributed Authentication (by Digital, DEC)
  • Kerberos (by MIT)
  • DCE - Distributed Computing Environment (by OSF)
  • SESAME (a European R&D project)
  • CORBA - Common Object Request Broker Architecture (by OMG)