... Lecture 10. Network Security I. Information & Communication Security. Prof. Dr. Kai Rannenberg

Similar documents
Agenda. Introduction. Security Protocols Wireless / Mobile Security. Lecture 10. Network Security I

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013

Application Layer. Presentation Layer. Session Layer. Transport Layer. Network Layer. Data Link Layer. Physical Layer

CIT 380: Securing Computer Systems. Network Security Concepts

Network Security. Thierry Sans

IPSec. Overview. Overview. Levente Buttyán

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005

IPSec. Slides by Vitaly Shmatikov UT Austin. slide 1

Protocol Architecture (2) Suguru Yamaguchi Nara Institute of Science and Technology Department of Information Science

Int ernet w orking. Internet Security. Literature: Forouzan: TCP/IP Protocol Suite : Ch 28

CTS2134 Introduction to Networking. Module 08: Network Security

IP Security. Cunsheng Ding HKUST, Kong Kong, China

CSE509: (Intro to) Systems Security

HP Instant Support Enterprise Edition (ISEE) Security overview

Virtual Private Networks (VPN)

Application Note. Providing Secure Remote Access to Industrial Control Systems Using McAfee Firewall Enterprise (Sidewinder )

Chapter 32 Security in the Internet: IPSec, SSL/TLS, PGP,

Computer Security. 12. Firewalls & VPNs. Paul Krzyzanowski. Rutgers University. Spring 2018

INTERNET & WORLD WIDE WEB (UNIT-1) MECHANISM OF INTERNET

Advanced Security and Mobile Networks

Security and Lawful Intercept In VoIP Networks. Manohar Mahavadi Centillium Communications Inc. Fremont, California

Network Encryption 3 4/20/17

Distributed Systems. 29. Firewalls. Paul Krzyzanowski. Rutgers University. Fall 2015

Computer Security 3e. Dieter Gollmann. Security.di.unimi.it/sicurezza1415/ Chapter 16: 1

CSC Network Security

Security Engineering. Lecture 16 Network Security Fabio Massacci (with the courtesy of W. Stallings)

Creating VPN s with IPsec

Internet Security. - IPSec, SSL/TLS, SRTP - 29th. Oct Lee, Choongho

AIT 682: Network and Systems Security

CSE543 Computer and Network Security Module: Network Security

CSC 6575: Internet Security Fall 2017

Application Firewalls

The IPsec protocols. Overview

Secure Ethernet Communication for Autonomous Driving. Jared Combs June 2016

Computer Networks 1 (Mạng Máy Tính 1) Lectured by: Dr. Phạm Trần Vũ

Computer and Network Security

CSC 4900 Computer Networks: Security Protocols (2)

Solved MCQ of Computer networking. Set-1

CIS 6930/4930 Computer and Network Security. Topic 8.1 IPsec

CSE 565 Computer Security Fall 2018

Wireless-G Router User s Guide

IP Security IK2218/EP2120

BABU MADHAV INSTITUTE OF INFORMATION TECHNOLOGY, UTU 2017

Indicate whether the statement is true or false.

CSCE 715: Network Systems Security

CS 356 Internet Security Protocols. Fall 2013

Lecture 19. Principles behind data link layer services Framing Multiple access protocols

Operating Systems CS 571

Fundamental Questions to Answer About Computer Networking, Jan 2009 Prof. Ying-Dar Lin,

Network Interconnection

Network Security Fundamentals

Data and Computer Communications. Chapter 2 Protocol Architecture, TCP/IP, and Internet-Based Applications

Applied IT Security. System Security. Dr. Stephan Spitz 6 Firewalls & IDS. Applied IT Security, Dr.

IS-2150/TEL-2810 Introduction to Computer Security Quiz 2 Thursday, Dec 14, 2006

IP Security. Have a range of application specific security mechanisms

Computer Forensics: Investigating Network Intrusions and Cybercrime, 2nd Edition. Chapter 2 Investigating Network Traffic

Computer Security Exam 3 Review. Paul Krzyzanowski. Rutgers University. Spring 2017

Corso di Network Security a.a. 2012/2013. Solutions of exercises on the second part of the course

Additional Material. Suguru Yamaguchi Nara Institute of Science and Technology Department of Information Science Information Network I/No.

Administrator's Guide

Layering in Networked computing. OSI Model TCP/IP Model Protocols at each layer

CIT 480: Securing Computer Systems

Network Reference Models

INF3510 Information Security University of Oslo Spring Lecture 9 Communication Security. Audun Jøsang

Prof. Shervin Shirmohammadi SITE, University of Ottawa. Security Architecture. Lecture 13: Prof. Shervin Shirmohammadi CEG

The Internet community has developed application-specific security mechanisms in a number of application areas, including electronic mail (S/MIME,

VPN and IPsec. Network Administration Using Linux. Virtual Private Network and IPSec 04/2009

Networks and Communications MS216 - Course Outline -

Firewalls, Tunnels, and Network Intrusion Detection

PROGRAMMING Kyriacou E. Frederick University Cyprus. Network communication examples

A+ Guide to Software: Managing, Maintaining, and Troubleshooting, 5e. Chapter 8 Networking Essentials

The Applications and Gaming Tab - Port Range Forward

8. Network Layer Contents

Protocols, Technologies and Standards Secure network protocols for the OSI stack P2.1 WLAN Security WPA, WPA2, IEEE i, IEEE 802.1X P2.

Chapter 8 Network Security

Network Security and Cryptography. December Sample Exam Marking Scheme

Introduction to Security

Virtual Private Networks.

System Programming. Introduction to computer networks

Agenda of today s lecture. Firewalls in General Hardware Firewalls Software Firewalls Building a Firewall

Administrator's Guide

Internet Security: Firewall

Cisco Secure PIX Firewall Advanced (CSPFA)

Industrial Control System Security white paper

Cryptography and Network Security. Sixth Edition by William Stallings

Network Security. Kitisak Jirawannakool Electronics Government Agency (public organisation)

10 Defense Mechanisms

exam. Number: Passing Score: 800 Time Limit: 120 min CISCO Interconnecting Cisco Networking Devices Part 1 (ICND)

ZyWALL 70. Internet Security Appliance. Quick Start Guide Version 3.62 December 2003

n Describe sniffing concepts, including active and passive sniffing n Describe sniffing countermeasures n Describe signature analysis within Snort

Why Firewalls? Firewall Characteristics

06/02/ Local & Metropolitan Area Networks 0. INTRODUCTION. 1. History and Future of TCP/IP ACOE322

4.1.3 Filtering. NAT: basic principle. Dynamic NAT Network Address Translation (NAT) Public IP addresses are rare

CyberP3i Course Module Series

Fireware-Essentials. Number: Fireware Essentials Passing Score: 800 Time Limit: 120 min File Version: 7.

Hands-On TCP/IP Networking

Slides for Chapter 3: Networking and Internetworking

Data Communication and Network. Introducing Networks

Time Synchronization Security using IPsec and MACsec

Innovation and Cryptoventures. Technology 101. Lee Jacobs and Campbell R. Harvey. February 22, 2017

Transcription:

Lecture 10 Network Security I Information & Communication Security (SS 2011) Prof. Dr. Kai Rannenberg T-Mobile Chair of Mobile Business & Multilateral Security Goethe University Frankfurt a. M.

Agenda Introduction Network Organisation Security Protocols Wireless / Mobile Security 2

Layered Communication Ich mag Hasen J aime les lapins I like rabbits I like rabbits Fax: # I like rabbits Fax: # I like rabbits medium Based on [Ta96] 3

ISO/OSI Reference Model Application Layer Presentation Layer Session Layer Transportation Layer Network Layer Data Link Layer Physical Layer Information technology Open Systems Interconnection Basic Reference Model 7-Layer-Model First version ISO/IEC 7498-1:1984 Current version ISO/IEC 7498-1:1994 4

Internet Reference Model Application Layer Transport Layer Network Layer Data Link Layer Physical Layer [Ta96] 5

Communication Example [Ta96] 6

Physical Layer Application Layer Transport Layer Network Layer Data Link Layer Tasks: Bit transfer Mechanic (connector, medium) Electronic (signal durability of a bit, voltage) Physical Layer 7

Data Link Layer Application Layer Transport Layer Network Layer Data Link Layer Tasks: data transmission between stations in the direct neighbourhood error detection and elimination flow control Medium access control (MAC) Physical Layer 8

Example: Ethernet Bus-Network Developed by XEROX Additional nodes can easily be added. Protocol: Carrier Sense Multiple Access with Collision Detection (CSMA/CD) 9

Example: Ethernet CSMA/CD: Carrier Sense: Multiple Access: Collision Detection: Based on [Ta96, p.282] 10

Eavesdropping of all frames i.e. Ethereal: Frame sniffing composite packets of higher protocol layers [J. Buchmann: Lecture Public Key Infrastrukturen, FG Theoretische Informatik, TU Darmstadt] 11

Network Layer Application Layer Transport Layer Network Layer Data Link Layer Tasks: End-to-end connections between systems Routing Addressing Typically connectionless For example: IP Physical Layer 12

Transport Layer Application Layer Transport Layer Network Layer Data Link Layer Physical Layer Tasks: Connection between source and target Optimisation of quality of service and service costs Flow control Connection management For example: TCP, UDP 13

Application Layer Application Layer Transport Layer Network Layer Data Link Layer Tasks: provides services to the user/applications Examples (service/protocol): E-Mail / SMTP, WWW / HTTP, file transfer / FTP Physical Layer SMTP: Simple Mail Transfer Protocol HTTP: Hyper Text Transfer Protocol FTP: File Transfer Protocol 14

Agenda Introduction Network Organisation Firewalls Demilitarized i Zone Intrusion Detection Security Protocols Wireless / Mobile Security 15

Agenda Introduction Network Organisation Firewalls Demilitarized i Zone Intrusion Detection Security Protocols Wireless / Mobile Security 16

Firewall A firewall is an internetwork gateway that restricts data communication traffic to and from one of the connected networks (the one said to be inside the firewall) and thus protects that network s system resources against threats from the other network (the one that is said to be outside the firewall). [RFC 2828] 17

Firewall Private local network Firewall Internet 18

Agenda Introduction Network Organisation Firewalls Demilitarized i Zone Intrusion Detection Security Protocols Wireless / Mobile Security 19

Demilitarized Zone (DMZ) The DMZ is a portion of a network, that t separates a purely internal network from an external network. [Bi05] The outer firewall sits between the Internet and the internal network. The DMZ provides limited public access to various servers. The inner firewall sits between the DMZ and the subnets not to be accessed by the public. 20

Network using a DMZ [Bi05] 21

Example: CamWebSIM Additional Channel for Login Authorisation User view????? Login MyBank Confirm Cancel Alarm 22

Example: WiTness Security Module for Login Authorisation System view DMZ Information Provider System HTTP(S) HTML R/3 App Browser Web bapplication Server - Corporate Access Point JAAS Mapping Service RFC/SNC DB Security Module HTTP(S) HTML Challenge Provider JAAS = Java Authentication and Authorization Service 23

Agenda Introduction Network Organisation Firewalls Demilitarized Zone Intrusion Detection Security Protocols Wireless / Mobile Security 24

Computer System Characteristics Computer systems that are not under attack exhibit several characteristics [Bi05]: 1. The actions of users and processes generally conform to a statistically ypredictable pattern. A user who does only word processing when using the computer is unlikely to perform a system maintenance function. 2. The actions of users and processes do not include sequences of commands to subvert the security policy of the system. In theory, any such sequence is excluded; in practice, only sequences known to subvert the system can be detected. 3. The actions of processes conform to a set of specifications describing actions that the processes are allowed to do (or not allowed to do). Denning [De87] hypothesized that systems under attack fail to meet at least one of these characteristics. 25

Attack Tool An attack tool is an automated script designed to violate a security policy. Example: Rootkit [Bi05] 26

Rootkit Exists for many versions of the UNIX operating system Is designed d to sniff passwords from the network and to conceal its presence Includes tools to automate t the installation ti procedure and has modified versions of system utilities Can eliminate many errors arising from incorrect installation and perform routine steps to clean up detritus of the attack [Bi05] 27

Goals of Intrusion Detection Systems Detect t a wide variety of intrusions: i Inside and outside attacks Known and previously unknown attacks should be detected. Adapt to new kinds of attacks Detect intrusions in a timely fashion Present the analysis in a simple, easy to understand format Be accurate: False positives reduce confidence in the correctness of the results. False negatives are even worse, since the purpose of an IDS is to report attacks. [Bi05] 28

Anomaly Detection Anomaly detection analyzes a set of characteristics of the system and compares their behavior with a set of expected values. It reports when the computed statistics do not match the expected measurements. [Bi05] 29

Misuse Detection Misuse detection determines whether a sequence of instructions being executed is known to violate the site security policy being executed. If so, it reports a potential intrusion. Example: Network Flight Recorder (NFR) [Bi05] 30

Network Flight Recorder (NFR) NFR has three components: The packet sucker reads packets off the network. The decision engine uses filters written in a language called N-code to extract information. The backend writes the data generated by the filters to disk. [Bi05] 31

Specification Based Detection Specification-based detection determines whether or not a sequence of instructions ti violates a specification of how a program, or system, should execute. If so, it reports a potential intrusion. Example threat t source to be controlled: The Unix program rdist [Bi05] 32

Autonomous Agents An autonomous agent is a process that can act independently of the system of which it is a part. Example: The Autonomous Agents for Intrusion Detection (AAFID) [Bi05] 33

Intrusion Detection System [Bi05] 34

Agenda Introduction Network Organisation Security Protocols Virtual Private Networks Secure Socket Layer IPsec Wireless / Mobile Security 35

Agenda Introduction Network Organisation Security Protocols Virtual Private Networks Secure Socket Layer IPsec Wireless / Mobile Security 36

Communication without a VPN HTTP/ FTP/ TCP IP Ethernet Router IP Ethernet HTTP/ FTP/ TCP IP Ethernet [Based on: J. Buchmann: Lecture Public Key Infrastrukturen, FG Theoretische Informatik, TU Darmstadt] 37

VPN HTTP/ FTP/ TCP IP Ethernet Tunnelling Protocol UDP IP Ethernet Virtual Tunnel Router IP Ethernett Tunnelling Protocol UDP IP Ethernet HTTP/ FTP/ TCP IP Ethernet Local Network Internet Local Network [Based on: J. Buchmann: Lecture Public Key Infrastrukturen, FG Theoretische Informatik, TU Darmstadt] 38

Agenda Introduction Network Organisation Security Protocols Virtual Private Networks Secure Socket Layer IPsec Wireless / Mobile Security 39

Example: Online-Banking www.my-bank.de/kontostand.html t d Actions of the browser: 1. DNS-Request 2. http-request DNS server get www.my-bank.de Kontostand.html 142.254.112.17 142.254. 112.17 40 [based on: J. Buchmann: Lecture Public Key Infrastrukturen, FG Theoretische Informatik, TU Darmstadt]

DNS spoofing Possible attacks: 1. Compromise of DNS (DNS spoofing) Server authentication DNS server 142.254.112.17 www.my-bank.de 23.17.34.16 get Kontostand.html 142.254. 112.17 23.17. 34.16 [based on: J. Buchmann: Lecture Public Key Infrastrukturen, FG Theoretische Informatik, TU Darmstadt] 41

HTTP sniffing Possible attacks: 1. Compromise of DNS 2. Eavesdropping Encryption (SSL/TLS) DNS server 142.254.112.17 www.my-bank.de? get Kontostand.html 23.17. 34.16 142.254. 112.17 42 [based on: J. Buchmann: Lecture Public Key Infrastrukturen, FG Theoretische Informatik, TU Darmstadt]

SSL/TLS (simplified): Hello! Server authentication SSL/TLS Key exchange data (encrypted) [J. Buchmann: Lecture Public Key Infrastrukturen, FG Theoretische Informatik, TU Darmstadt] 142.254. 112.17 43

SSL/TLS SSL/TLS: Server- and client-authentication Key exchange for symmetric encryption MACs to secure integrity Security Goal http https (SSL/TLS) Authenticity (mostly server only) Non-Repudiation Confidentiality Integrity Date documentation Based on [J. Buchmann: Lecture Public Key Infrastrukturen, FG Theoretische Informatik, TU Darmstadt] 44

Agenda Introduction Network Organisation Security Protocols Virtual Private Networks Secure Socket Layer IPsec Wireless / Mobile Security 45

Packet sniffing Attacker is able to eavesdrop IP packets. Ideally: at the gateway of sender or recipient 01 46 Based on: [J. Buchmann: Lecture Public Key Infrastrukturen, FG Theoretische Informatik, TU Darmstadt]

IPsec Encapsulating Security Payload (ESP) Data Packet IP-Header IP-Payload ESP- ESP-Transport-Mode IP-Header IP-Payload Header New IP- ESP- Header Header encrypted ESP- Trailer ESP-Tunnel-Mode IP-Header IP-Payload Payload encrypted ESP- Trailer [J. Buchmann: Lecture Public Key Infrastrukturen, FG Theoretische Informatik, TU Darmstadt] 47

IP-Spoofing Attacker sends IP-packets with a faked sender address. 01 [J. Buchmann: Lecture Public Key Infrastrukturen, FG Theoretische Informatik, TU Darmstadt] 48

IP-Spoofing Attacker impersonates the recipient. 01 [J. Buchmann: Lecture Public Key Infrastrukturen, FG Theoretische Informatik, TU Darmstadt] 49

IPsec Authentication Header (AH) Data Packet IP-Header IP-Payload AH-Transport-Mode IP-Header AH IP-Payload authenticated AH-Tunneling-Mode New IP- Header AH IP-Header IP-Payload authenticated ti t Based on [J. Buchmann: Lecture Public Key Infrastrukturen, FG Theoretische Informatik, TU Darmstadt] 50

References [Bi05] Matt Bishop: Introduction ti to Computer Security. Boston: Addison Wesley, 2005, pp. 455-516 [De87] Dorothy Denning: An Intrusion- Detection Model, IEEE Transactions on Software Engineering, 13 (2), pp. 222-232 [RFC 2828] Network Working Group: Request for Comments 2828 - Internet Security Glossary, 2000, www.faqs.org/ftp/rfc/pdf/rfc2828.txt.pdf txt pdf [Ta96] A.S. Tanenbaum: Computer Networks, 3rd Edition, 1996 [4th edition available] 51

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback