Networks and security Data bases

Size: px

Start display at page:

Download "Networks and security Data bases"

Joshua Hart
6 years ago
Views:

1 Networks and security Data bases

2 Networks Concepts Threats Controls Firewalls

3 Protocols A protocol abstracts the communication to a higher level. A layered architecture, a so called protocol stack is used: each layer provides a higher level of communication and hides the underlying details. The Open Systems Interconnection (OSI) model from ISO is a model of a protocol stack with seven layers.

4 Protocols, TCP/IP Used on the Internet and most wide area networks. Four layers: Application, Transport, Internet, Physical. Addressing: a unique name for each host (IP address) and an address (the port number) to each application.

5 Protocols, TCP/IP

6 Protocols, TCP/IP

7 Types of networks LAN, Local Area Network: Small distance, usually a building. Locally controlled. Isolated, physically protected(?). WAN, Wide Area Network: Larger than a LAN: more hosts, longer distances. More physically exposed. Inter-networks (internets): Example: the Internet. Heterogeneous: most operating systems are represented, etc. Physically and logically exposed.

8 Threats in networks Why: Sharing Complexity of system Unknown perimeter Many points of attack Anonymity Unknown path

9 Threats in networks Wiretapping and message confidentiality violations Interception of data transit Insertion of a repeat of a previous communication Break-ins Access to programs or data at remote hosts Running a program at a remote site Code integrity violation Modification of programs or data at remote hosts

10 Threats in networks Message integrity violation Modification of data in transit Impersonation Insertion of communication impersonating a user Denial of service Blocking of selected traffic Blocking of all traffic

11 Wiretapping Wiretap - to intercept communications Passive wiretapping: just listening Active wiretapping: injecting something into the communication Cables: easy if physical access Microwave and satellite: easy Fiber: more secure than cable Always assume that all links can be wiretapped.

12 Impersonation More significant threat in WANs and internets than in LANs. Several ways: Guess the identity and authentication details of the target Pick up the identity and authentication details of the target from a previous communication Circumvent or disable the authentication mechanism at the target computer Use a target that will not be authenticated Use a target whose authentication data is known

13 Message confidentiality violations Both wiretapping and impersonation can lead to violation of the confidentiality of a message Other vulnerabilities: Misdelivery Exposure Traffic flow analysis

14 Message integrity violations Falsification of messages: Change any part of the content of a message Replace a message entirely Reuse an old message Change the apparent source of a message Redirect a message Destroy or delete a message Sources of these attacks: Active wiretap Trojan horse Impersonation Preempted host

15 Code integrity Program threats such as trojan horses, viruses and other malicious code can become a much more serious threat due to networks. Users often download untrusted code and run it. Sometimes code is downloaded and run on a machine without the users knowledge (Java, Javascript, ActiveX, etc.)

16 Denial of Service Connectivity Flooding Routing problems Disruption of Service Erroneous code

17 Network Security Controls Physical separation If intruders can not copy the communication, they can not read it. Encryption Tunnels Authentication Data integrity Redistribution centers (traffic control) Firewalls

18 Encryption Link level encryption Between two hosts End-to-end encryption Between two applications Encrypted tunnels/vpns

19 Link level encryption Encrypted just before the physical layer A message is encrypted during transit In plaintext inside hosts Invisible to the users All messages can be encrypted

20 Link level encryption

21 End-to-end encryption Encrypted by the applications A message is encrypted at all times Covers potential flaws in lower levels User applies encryption Software implementation (can be inefficient)

22 Tunnels Traffic between two networks can be encrypted. Encrypted packets are encapsulated inside other packets. Two machines are set up as tunnel end points. All traffic need to go through these machines. Creates a Virtual Private Network (VPN).

23 Traffic control Sometimes even the existence of a communication is sensitive The attack is called traffic analysis Solutions: Pad traffic Bogus traffic generated to hide the actual traffic pattern Redistribution centers All traffic goes through a trusted third party Combined with pad traffic

24 Data integrity Protocols designed for reliable communication needs to detect messages that are: Duplicates, deleted, out of order, modified, fake Cryptographic checksums or hash values can protect against message tampering Not only the message need to be protected: sequence numbers, destination and source addresses need protection too.

25 Authentication Host-to-host authentication User-to-host authentication Examples: Kerberos Certification hierarchies

26 Kerberos Purpose: to allow users and services to authenticate themselves to each other Passwords are never sent over the network Uses symmetric and public key cryptography (depending on version)

27 Kerberos First step: establish a session with the Kerberos server: The user sends the username to the Kerberos server. The kerberos server randomly generates a session key and returns it to the requesting user, encrypting the key with some information derived from the user's password. The session key is then forwarded to the Ticket Granting Server (TGS) If the user can decrypt the session key, the user is authenticated.

28 Kerberos

29 Kerberos Next, using a service Using the session key, the user requests a ticket for the service from the TGS. The TGS verifies the user's access permissions. A ticket for the service and a session key (used for communicating with the service) is returned to the user. The ticket is encrypted with a key known by the TGS and the service.

30 Kerberos

31 Kerberos No passwords are sent over the network. The Ticket Granting Server and the Kerberos server must be trusted and available at all time. Password guessing still works. Limited period of validity. Time stamps to prevent replay attacks. All applications need to be changed to use Kerberos

32 Certification hierarchies Host to host certification Public key cryptography Each host has a certificate (a digital signature of a public key) of their identity The certificate is signed by a certification agency Other host can verify the certificate with the agency The public key is either: retrieved from the other host and verified if necessary retrieved from the certification agency How to trust the certification agencies? Certify them at a "higher" certification agency.

33 Firewalls A process that filters all traffic between a protected and a less trustworthy network. A special form of reference monitor. A firewall should be Always invoked Tamper-proof Small and simple enough for rigorous analysis All (sensitive) network traffic must pass through the firewall

34 Firewalls Two default modes: "what is not explicitly forbidden is permitted" and "what is not explicitly permitted is forbidden". Users prefer the former, security administrators the latter. Different kinds of firewalls: Screening router, network level firewall, etc. Proxy gateways, guards, application level firewalls, etc.

35 Network level firewalls Often in hardware Makes decisions based on the source, destination addresses and ports in individual packets A specially configured router Very fast Transparent to users

36 Application level firewalls More advanced. Can make decisions based on the actual content of the packets, not just the headers. Acts as a proxy: must "understand" the application protocols used. Needs a proxy server for each application type such as HTTP, FTP, Telnet, etc. Can contain extra authentication and do more logging. Can provide access control.

37 Demilitarized zone A part of the network that is neither directly part of the internal nor external network.

38 Firewalls What firewalls can not block: Can not protect against attacks that doesn't go through the firewall. Information leaks on floppys. Firewalls can easily be bypassed from the inside by using tunnels. Can't protect very well against viruses. Can give a false sense of security: users trusts the firewall. No excuse for bad security internally.

39 Network Intrusion Detection Systems NIDS, IDS Checks traffic against known attacks and attack patterns Keeps a database of attacks and patterns For a large network, it can be a big problem to go through all warnings For a single host on the campus network About 4 alerts per hour in the last days Much more when worms are spreading

40 Databases and security Overview Security requirements Reliability and integrity Sensitive data Multilevel data bases

41 Data bases Why: Shared access Minimal redundancy Data consistency Data integrity Controlled access Operating systems maintain data, a data base maintain information Contents of file is not important for an OS

42 Relational data bases A data base based on the relational model developed by E.F. Codd. Other models: Hierarchical data bases Network data bases Object data bases

43 Tables Each row is called a record, and each column is a field (or element) of that record. A table must only contain one type of records. Each record in a table is unique; there is no duplicates. The possible values of a column is called the domain.

44 Tables Salesforce table: Salesman Name Sales Area Target Number 01 Jones London Smith Paris King New York 25000

45 Relational operations Selection: creates a subset of all the rows in the table. Projection: creates a subset of all the columns in the table. Join: combines two tables. The result is always a new table

46 Selection Select records with a target of or more to produce a new table: Salesman Name Sales Area Target Number 02 Smith Paris King New York 25000

47 Projection A new table is created by selecting some columns: Name JONES SMITH KING Target

48 Join A join combines information from different tables. The join is done by matching values occurring in a pair of columns. The two different columns would usually represent some similar attribute, such as an employee number.

49 Join Salesman Name Sales Area Target Number 01 Jones London Smith Paris King New York Salesman Number Order Number X1143 X4432 X3211 Amount

50 Join Result from a join on the Salesman Number: Salesman Order Name Sales Target Amount Number Number Area 01 X1143 Jones London X4432 Jones London X3211 King New York

51 Data base management system The users interacts with a data base through a program called a data base manager or a data base management system (DBMS) The DBMS is used to read, maintain and provide security for a database. Is usually run as an normal application in an OS.

52 Security requirements Physical data base integrity Logical data base integrity Element/field integrity Auditability Access control User authentication Availability

53 Integrity of the data base Users must be able to trust the accuracy of the values in the data base. So, the DBMS must be assured that updates are performed only by authorized individuals. Data must also be protected from corruption. Malicious programs and users Erroneous code Outside force: e.g. power failures, fire

54 Element Integrity The integrity of elements of a data base is their correctness or accuracy. Examples: Years should have four digits. Salaries should be in specified range. Three ways: Field checks Access control Change log

55 Auditability Audit log, audit record, change log, etc. A log of all accesses (read and write) Two advantages: To see who changed what To see who knows what

56 User Authentication Additional authentication from the authentication performed by the operating system is often required. The DBMS is often run as a normal application, so it must do its own authentication. Addition requirements can also exists, such as time-of-day checks.

57 Access Control Possible access modes: read, change, delete, append to value, add or delete entire fields or records, or reorganized the entire data base. Can not be handled by the operating system controls.

58 Access control example, SQL Users: authenticated by the OS or/and the DBMS Actions: include SELECT, UPDATE, DELETE, INSERT Objects: tables, columns

59 Granting and revocation of privileges GRANT SELECT, UPDATE (Day, Flight) ON TABLE Diary TO Alice, Bob REVOKE UPDATE ON TABLE Diary FROM Bob GRANT SELECT ON TABLE Diary TO Alice WITH GRANT OPTION Revoke can cascade If Alice grants access to Dave, and we revoke Alice s access, Dave s access should be revoked as well

60 Access controls through views Views are derived relations (subsets of tables) Privileges can be granted to views CREATE VIEW business_trips AS SELECT * FROM Diary WHERE Status = 'business' CREATE VIEW business_trips AS SELECT * FROM Diary WHERE Status = 'business' WITH CHECK OPTION A Travel agent have access to the Diary table only through the business_trips view UPDATE business_trips SET Status = 'private' WHERE Name = 'Alice' Not possible if 'WITH CHECK OPTION' was specified, otherwise possible (called a blind write)

61 Availability A DBMS has often very high availability requirements Several problems: Concurrent access to the same records Some unprotected data might have to be withhold in order to avoid revealing protected data

62 Integrity/Confidentiality/Availability Integrity Confidentiality/Secrecy Availability

63 Reliability and integrity Data base integrity Element integrity Element accuracy

64 Protection features from the operating system Access control. I/O checks Special file systems (e.g journaling).

65 Two-Phase update What to do if a failure occur when someone was modifying data? Solution: Two phase commit

66 Two-Phase update/commit Intent phase: During the first phase, the intent phase, the DBMS gathers information necessary resources it needs to perform the update. No changes to the data base is made in this phase. The intent phase can be repeated infinite times. Commit phase: A commit flag is set in the data base. Then the changes are made to the data base. Finally the commit flag is cleared. No steps of the intent phase will be performed while the commit flag is set.

67 Redundancy/Internal consistency Error detection and correction codes Shadow fields Recovery

68 Concurrency/Consistency Data bases is often multiuser systems. Access by two users sharing the same data base must be controlled. Example: Two airline booking agents try to reserve the same seat in airline flight at the same time. One of the reservations should fail. Solution: DBMS should treat the entire queryupdate cycle as a single atomic operation.

69 Monitors A monitor is a unit of a DBMS that is responsible for the structural integrity of the data base. Range comparisons: Examples: the range of dates must be 00-99, 1-12, 1-31 Salaries must be limited to $ State Constraints Some state must always be met. Examples: the commit flag must not be set after a transaction has completed. Only one president listed in the employee data base. Transition Constraints Example: credits for a course can not be entered unless the student is registered for that course.

70 Sensitive Data Secrecy, confidentiality Sensitive data: data that should not be made public. The extremes are easiest: everything public or everything secret/sensitive. Factors that can make data sensitive: Inherently sensitive Declared sensitive An entire column (attribute) or row can be classified as sensitive Sensitive in relation to previously disclosed information

71 Types of disclosures Exact data Bounds Negative Result Existence Probable Value

72 Inference attacks The inference problem: how to infer or derive sensitive data from non-sensitive data. Can be hard to control. The problem arises from mathematical relationships between data and between query results. Mainly an attack against "statistical" data bases

73 Inference attacks Direct attack Form a query that yield few records. Control: Only allow statistical queries that covers a large enough subset

74 Indirect attack Seeks to infer a result based on one or more statistical results. In other words: how to get individual data from some apparently anonymous statistical data. Different kinds of attacks: Sum Count Median Tracker Attacks Linear System Vulnerability

75 Example MIS M Igor 50 7 CS M Homer MBA F Gala MIS F Flora 66 8 CS M Errol MIS M Don CS F Carol CS M Bill 63 8 MBA F Alma Grade Ave. Units Programme Sex Name

76 Example Q1: SELECT COUNT(*) FROM Students WHERE Sex = 'F' AND Programme = 'CS Q2: SELECT AVG(Grade Ave.) From Students WHERE Sex = 'F' AND Programme = 'CS' From Q1: exactly one female CS student From Q2: result of 70 = Carols grade average

77 Example Q1: SELECT COUNT(*) FROM Students WHERE Programme = 'CS' Q2: SELECT COUNT(*) FROM Students WHERE Sex = 'M' AND Programme = 'CS' Q3: SELECT AVG(Grade Ave.) From Students WHERE Programme = 'CS' Q4: SELECT AVG(Grade Ave.) From Students WHERE Sex = 'M' AND Programme = 'CS' Results: Q1 = 4, Q2 = 3, Q3 = 61, Q4 = 58 Combine the four results: 4*61-3*58 = 70

78 Controls for inference attacks Either controls are applied to the queries or to the data items. Query controls are effective primarily against direct attacks. Controls applied to the data items: Suppression: sensitive data values is not provided Concealing: the answer provided is close to the actual value

79 Multilevel data bases Dividing the data into sensitive and nonsensitive data is often not enough The security of a single element might be different from the security of other elements of the same record or column The security of an aggregate such as a sum or the average can be different than the security of the individual elements

80 Multilevel data bases Partitioning Encryption Integrity lock Sensitivity lock

81 Summary Integrity, confidentiality (secrecy) and availability are all very important to data bases. Integrity: of the data base, of the elements and element accuracy. Secrecy can often be broken by inference attacks

82 Next time Administrating security Examples of applications of computer security Secure PGP WEP - IEEE encryption DVD CSS

Overview of Information Security

Overview of Information Security Lecture By Dr Richard Boateng, UGBS, Ghana Email: richard@pearlrichards.org Original Slides by Elisa Bertino CERIAS and CS &ECE Departments, Pag. 1 and UGBS Outline Information