Lab 1 Network Security
CPSC 441
University of Calgary, Department of Computer Science
Hello world
Name: Keynan Pratt
Contact: keynan21@gmail.com
Website: http://pages.cpsc.ucalgary.ca/~kjpratt
Research Area: Network / Systems
• Bandwidth optimization
• Software Defined Networking (SDN)
• Distributed Cache / Security Models
Ground Rules
• I will respond to emails within 48 hours
  • Provided it’s not within 72 hours of an assignment deadline
• I’ll gladly answer any question you have about computer networking.
  • Sometimes the answer will be “I’ll get back to you.” or “We covered that last week.”
Network Security
• The field of network security is about:
  • how bad guys can attack computer networks
  • how we can defend networks against attacks
  • how to design architectures that are immune to attacks
• Internet not originally designed with (much) security in mind
  • original vision: “a group of mutually trusting users attached to a transparent network”
Goals of Network Security
• Confidentiality: only sender, intended receiver should “understand” message contents
  • sender encrypts message
  • receiver decrypts message
• Authentication: sender, receiver want to confirm identity of each other
• Message integrity: sender, receiver want to ensure message not altered (in transit, or afterwards) without detection
• Access and availability: services must be accessible and available to users
There are bad guys (and girls) out there!
Q: What can a “bad guy” do?
A: A lot!
• eavesdrop: intercept messages
• actively insert messages into connection
• impersonation: can fake (spoof) source address in packet (or any field in packet)
• hijacking: “take over” ongoing connection by removing sender or receiver, inserting himself in place
• denial of service: prevent service from being used by others (e.g., by overloading resources)
Bad guys can attack servers and network infrastructure
• Denial of service (DoS): attackers make resources (server, bandwidth) unavailable to legitimate traffic by overwhelming resource with bogus traffic
  • select target
  • break into hosts around the network (see botnet)
  • send packets toward target from compromised hosts
The bad guys can sniff packets
Packet sniffing:
• broadcast media (shared Ethernet, wireless)
• promiscuous network interface reads/records all packets (e.g., including passwords!) passing by
• Wireshark software used for end-of-chapter labs is a (free) packet-sniffer
[Figure: hosts A, B and C; packet labelled src:B, dest:A, payload]
The bad guys can use false source addresses
• IP spoofing: send packet with false source address
[Figure: hosts A, B and C; packet labelled src:B, dest:A, payload]
The bad guys can record and playback
• record-and-playback: sniff sensitive info (e.g., password), and use later
• password holder is that user from system point of view
[Figure: hosts A, B and C; packet labelled src:B, dest:A, user: B; password: foo]
Bad guys can put malware into hosts via Internet
• Trojan horse
  • Hidden part of some otherwise useful software
  • Today often on a Web page (Active-X, plugin)
• Virus
  • infection by receiving object (e.g., e-mail attachment), actively executing
  • self-replicating: propagate itself to other hosts, users
• Worm
  • infection by passively receiving object that gets itself executed
  • self-replicating: propagates to other hosts, users
[Figure: Sapphire Worm: aggregate scans/sec in first 5 minutes of outbreak (CAIDA, UWisc data)]
Friends and enemies: Alice, Bob, Trudy
• well-known in network security world
• Bob, Alice (lovers!) want to communicate “securely”
• Trudy (intruder) may intercept, delete, add messages
[Figure: Alice (data, secure sender) and Bob (secure receiver, data) exchange data and control messages over a channel; Trudy is on the channel]
The language of cryptography
• $m$: plaintext message
• $K_A(m)$: ciphertext, encrypted with key $K_A$
• $m = K_B(K_A(m))$
[Figure: plaintext, encryption algorithm with Alice’s encryption key $K_A$, ciphertext, decryption algorithm with Bob’s decryption key $K_B$, plaintext]
Security Techniques
• Cryptography
  • Encrypted messages provide confidentiality
  • Message Digests provide integrity
  • Digital Signatures provide authentication
• Authorization / Access control
  • Firewalls
  • File permissions
  • User rights
Certification Authorities
• Certification authority (CA): binds public key to particular entity, E.
• E (person, router) registers its public key with CA.
  • E provides “proof of identity” to CA.
  • CA creates certificate binding E to its public key.
  • certificate containing E’s public key digitally signed by CA: CA says “this is E’s public key”
[Figure: Bob’s public key $K_B^+$ and Bob’s identifying information go through a digital signature (encrypt) step with the CA private key $K_{CA}^-$, producing the certificate for Bob’s public key, signed by CA]
DigiNotar CA Breach
• Story: A hacker (or a group of hackers) hacked the DigiNotar CA servers and issued more than 500 fraudulent certificates.
• The certificates were later used to spy on some 300,000 Iranians.
• DigiNotar filed for bankruptcy in a court in the Netherlands.
DigiNotar CA Breach
• The Dutch government announced that because of the breach, “it could not guarantee the security of its own Web sites.”
• The list of fraudulent certificates contains Google, Skype, Microsoft, Mozilla, Yahoo and Tor, as well as the CIA, Israel’s Mossad and the UK’s MI6.
• All of the major browser makers (Apple, Google, Microsoft, Mozilla and Opera) issued updates and considered DigiNotar-issued certificates invalid.
DigiNotar CA Breach
• The Fox-IT report states that:
  • The most critical servers contain malicious software that can normally be detected by anti-virus software
  • CA-servers, although physically very securely placed, were accessible over the network from the management LAN.
  • The password was not very strong and could easily be brute-forced. All CA servers were members of one Windows domain, i.e. they were accessible using one obtained user/pass combination.
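The binding from the Certification Authorities slide, and the reason browsers had to distrust every DigiNotar certificate, shown as an added example (not part of the original slides): a toy CA built on textbook RSA. The function names and key values are constructed assumptions, and unpadded RSA with a small modulus is for illustration only.

```python
# Added example: toy certification authority using textbook RSA.
# NOT secure (no padding, tiny modulus); it only illustrates the CA binding.
import hashlib
import json

E = 65537  # common public exponent

def make_keypair(p, q):
    """Return (public, private) textbook-RSA keys from two primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def digest(subject, subject_key, n):
    """Hash the to-be-signed fields (identity + public key) into Z_n."""
    tbs = json.dumps({"subject": subject, "key": subject_key}, sort_keys=True)
    return int.from_bytes(hashlib.sha256(tbs.encode()).digest(), "big") % n

def issue(ca_private, subject, subject_key):
    """CA binds `subject` to `subject_key` by signing their digest."""
    n, d = ca_private
    return {"subject": subject, "key": subject_key,
            "sig": pow(digest(subject, subject_key, n), d, n)}

def verify(ca_public, cert):
    """Anyone holding the CA public key can check the binding."""
    n, e = ca_public
    return pow(cert["sig"], e, n) == digest(cert["subject"], cert["key"], n)

# Constructed keys (Mersenne primes keep the constants short to write).
CA_PUB, CA_PRIV = make_keypair(2**61 - 1, 2**89 - 1)
BOB_PUB, _ = make_keypair(2**107 - 1, 2**127 - 1)
TRUDY_PUB, _ = make_keypair(2**31 - 1, 2**19 - 1)

def demo():
    bob_cert = issue(CA_PRIV, "Bob", BOB_PUB)
    # Key substitution without the CA private key: the signature no longer matches.
    swapped = dict(bob_cert, key=TRUDY_PUB)
    # A binding signed with the CA private key verifies even if the CA never
    # checked identity. Verification cannot tell the difference, so the only
    # remedy after a CA compromise is to stop trusting that CA's key.
    rogue = issue(CA_PRIV, "Bob", TRUDY_PUB)
    return verify(CA_PUB, bob_cert), verify(CA_PUB, swapped), verify(CA_PUB, rogue)

if __name__ == "__main__":
    print(demo())
```
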
Supplementary Resources
• OWASP Top 10 (Open Web Application Security Project)
  • Top 10 most common vulnerabilities
  • Frequently brought up in tech interviews
Review Questions
• What’s the difference between Packet Switching and Circuit Switching?
• What are the four sources of packet delay?
• What are the 5/7 layers in networking?
• Name a protocol at each layer.
• What layer do switches/routers ‘talk’ with?