Application of Cryptographic Systems
Securing Networks, Chapter 3, Part 4 of 4
CA M S Mehta, FCA
Learning Objectives
Task Statements
- 1.3 Recognise the function of Telecommunications and Network security ... cryptography
Knowledge Statements
- 1.4 Knowledge of Telecommunications and Network security ... cryptography, etc.
- 1.5 Knowledge of concepts related to Applied Cryptography
Topics Covered
- Use of Cryptographic Systems
- Secure Socket Layer/Transport Layer Security
- Secure Hyper Text Transfer Protocol (HTTPS)
- VPN, IPSec, SSH, SET, S/MIME
- Generic Network Architecture in Banks
- Risks & Controls in implementing Network Security
- Guidelines on Auditing Networks
Cryptographic Systems
Cryptographic systems are techniques which use one or more forms of cryptography and/or PKI to secure electronic transmissions against threats to confidentiality, integrity, authentication and non-repudiation.
The Problem
Ram and Rahim want to talk to each other, or Ram wants to log on to Rahim's website, but they are worried about security in terms of:
- How do you know you are talking to the right person?
- How do you know people cannot listen to your conversation?
- How do you know people cannot change your conversation?
We want to build a system that protects against these security concerns.
Resolution
To resolve these problems, we have many applications of cryptographic systems, such as:
- Secure Socket Layer/Transport Layer Security
- Secure Hyper Text Transfer Protocol (HTTPS)
- IPSec
- SSH
- Secure Electronic Transaction (SET)
- Secure Multipurpose Internet Mail Extension (S/MIME)
Secure Socket Layer (SSL) / Transport Layer Security (TLS)
- SSL was first developed by Netscape and subsequently became the Internet standard known as TLS (Transport Layer Security).
- A cryptographic protocol to secure communication over a connection-oriented transport layer.
- Any program using TCP can be modified to use an SSL connection.
- SSL is flexible in the choice of symmetric encryption, message digest and authentication algorithms used.
- SSL provides built-in data compression.
TLS/SSL
- TLS and SSL are an integral part of most web browsers.
- They authenticate the website to the web browser user.
- They optionally authenticate the client to the server.
- They use public key encryption techniques to generate a shared secret.
- They establish an encrypted SSL connection.
How does TLS/SSL work?
1. The client initiates a secure session with the web server.
2. The server responds with its server certificate and public key.
3. The client checks the server certificate.
4. The client generates a symmetric key and encrypts it with the server's public key.
5. The encrypted symmetric key is sent to the server.
6. The server decrypts the symmetric key using its private key.
7. A secure session is established.
TLS/SSL - Where Used
- Secure online credit card transactions.
- Secure system logins and any sensitive information exchanged online, e.g. a secure Internet banking session.
- Secure cloud-based computing platforms.
- Secure connection between e-mail client and e-mail server.
- Secure transfer of files over HTTPS and FTP(S) services.
- Secure intranet-based traffic such as internal networks, file sharing, extranets and database connections.
Hyper Text Transfer Protocol Secure (HTTPS)
- For secure browsing: encrypts data sent and received over the Web so that monetary and other sensitive transactions are secure, e.g. the Income Tax site, online banking.
- HTTPS is HTTP over SSL (or TLS).
- Typically on port 443 (regular HTTP on port 80).
Virtual Private Networks (VPNs)
- A VPN is used to establish a secured tunnel for communications across an untrusted network.
- A VPN can link two networks or two individual systems.
- It can link clients, servers, routers, firewalls and switches.
- The individual networks could be private networks or the Internet.
- A VPN provides confidentiality and integrity over insecure or untrusted intermediate networks.
Internet Protocol Security (IPsec)
- IPsec provides encryption at the IP (network) layer, so it protects any application data carried across an IP network; applications need not be specifically designed to use IPsec.
- IPsec is a framework for a set of protocols which both sides agree upon.
- Used in VPNs; IPsec is implemented at the end routers/firewalls.
- Goals:
  - Authentication: to verify the sources of IP packets.
  - Integrity/data encryption: to protect the integrity and/or confidentiality of packet data.
IPsec
IPsec provides security in three situations: host-to-host, host-to-gateway and gateway-to-gateway.
IPsec operates in two modes:
- Transport mode (for end-to-end encryption): the data is encrypted but the header of the packet is not.
- Tunnel mode (for VPN point-to-point encryption): the entire IP packet is encrypted and a new header is added to the packet for transmission through the tunnel.
Secure Shell (SSH)
- SSH is an end-to-end encryption technique.
- Secure Shell, SSH, is Telnet + SSL + other features.
- SSH is a protocol for secure remote login and executing commands over an insecure network.
- SSH is usually used for Unix systems and encrypts the commands being transmitted.
- It works in client/server mode, and both ends of the client/server connection are authenticated using a digital certificate.
Secure Electronic Transactions (SET)
- Uses a system of dual signature: a combination of RSA public key cryptography, DES private key cryptography and digital certificates to secure electronic transactions.
- SET provides a secure communications channel among all the parties involved in a transaction: customer, seller, customer's credit provider and seller's bank.
- Provides trust by the use of X.509v3 certificates.
- The dual signature allows proof that:
  - the merchant has received the Order Information (OI);
  - the bank has received the Payment Information (PI);
  - the customer has linked OI and PI, and can prove later that PI was not related to a different purchase.
Secure Electronic Transactions (SET)
[Diagram: SET message flow. The Card Holder sends Key M(OI+MD) + Key P(PI+MD) over the Internet to the Merchant; the Merchant holds OI, while Key P(PI)+MD goes on to the Acquirer's Payment Gateway; PI travels over the Payment Network to the Issuer; a Certificate Authority issues the parties' certificates.]
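The dual-signature linkage described above, as an added worked example rather than code from the course: a textbook RSA key on two fixed Mersenne primes stands in for the cardholder's key pair, and the OI/PI strings are constructed sample values. It shows that the merchant can verify the signature with only the digest of PI, the bank with only the digest of OI, and that relinking PI to a different order fails.

```python
import hashlib

# Toy cardholder RSA key built from two Mersenne primes (M127, M521) so the
# example runs offline with only the standard library. Textbook, unpadded RSA
# on fixed, publicly known primes is for illustration only, never a real key.
def make_toy_keypair():
    p, q = (1 << 127) - 1, (1 << 521) - 1
    n, e = p * q, 65537
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)        # (public, private)

def sha256(data):
    return hashlib.sha256(data).digest()

def dual_sign(oi, pi, priv):
    """Cardholder side: DS = RSA_sign( H( H(PI) || H(OI) ) ).
    Returns (DS, PIMD, OIMD) so each party can be given only the digest
    of the half it must not see."""
    pimd, oimd = sha256(pi), sha256(oi)
    pomd = sha256(pimd + oimd)           # payment-order message digest
    n, d = priv
    return pow(int.from_bytes(pomd, "big"), d, n), pimd, oimd

def _verify(ds, pomd, pub):
    n, e = pub
    return pow(ds, e, n) == int.from_bytes(pomd, "big")

def merchant_verifies(oi, pimd, ds, pub):
    """Merchant receives OI in clear plus PIMD; recomputes POMD without seeing PI."""
    return _verify(ds, sha256(pimd + sha256(oi)), pub)

def bank_verifies(pi, oimd, ds, pub):
    """Bank receives PI in clear plus OIMD; recomputes POMD without seeing OI."""
    return _verify(ds, sha256(sha256(pi) + oimd), pub)

def demo():
    """Constructed sample order and payment; returns the four verification results."""
    pub, priv = make_toy_keypair()
    oi = b"order=1001;item=textbook;qty=1;amount=500"        # constructed
    pi = b"pan=0000000000000000;exp=01/30;amount=500"        # constructed
    ds, pimd, oimd = dual_sign(oi, pi, priv)
    return (
        merchant_verifies(oi, pimd, ds, pub),                      # genuine OI -> True
        bank_verifies(pi, oimd, ds, pub),                          # genuine PI -> True
        merchant_verifies(b"order=1001;amount=5", pimd, ds, pub),  # altered OI -> False
        bank_verifies(pi, sha256(b"some other order"), ds, pub),   # PI relinked -> False
    )
```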
Secure Multipurpose Internet Mail Extension (S/MIME)
- A secure method of sending e-mail and attachments that uses the RSA encryption system.
- S/MIME provides the following cryptographic security services:
  - Authentication, message integrity and non-repudiation of origin, by using digital signing.
  - Privacy and data security, by using encryption.
- In Outlook, go to Message > Options > Other Options > Properties > Security Settings.
Generic Enterprise-wide Network Architecture in a Bank
Any organisation-wide technology deployment strategy will depend upon the following factors:
- Business services: the focus would be on services comprising front-end services supported by back-end processes.
- Risk management requirements: adequate protection from operational and systemic risk, credit risk, and liquidity and market risk.
- Governance: compliance requirements, financial control, audit and reporting.
The applications which are not part of the Core Banking Solution are integrated with it.
Layers of Network Architecture in a Bank
- WAN network topology
- Security
- Interface to service delivery channels and the Internet
WAN Network Topology
There are two broad approaches to WAN topology:
- Centralised aggregation of network traffic: all branch network connections converge directly at the Data Centre (DC)/Disaster Recovery Centre (DRC).
- Decentralised aggregation of network traffic: branch network connections converge at regional aggregation points, which in turn converge at the DC and the DRC.
WAN Network Topology (contd.)
- A decentralised environment is difficult to maintain; most banks prefer the centralised approach.
- Networks are now used for data, voice and video.
- The backbone is usually MPLS (multiprotocol label switching) technology, which provides high availability, economies of scale, and the flexibility of implementing QoS (Quality of Service) for managing different types of traffic.
WAN Network Topology (contd.)
- The service provider provides the backbone, usually optical fibre with redundant routes.
- These central conduits are designed to transfer network traffic at high speeds and to maximise the reliability and performance of large-scale, long-distance data communications.
- The last-mile primary links are leased lines, backed up with a secondary link, connecting the branch to the nearby POP (Point of Presence) of the service provider.
WAN Network Topology (contd.)
- The DC and the DRC are located in different seismic zones.
- The bank may have a nearby DC to minimise, or bring to almost zero, the data loss in case of non-availability of data at the primary site due to a disaster.
- The need for a nearby DC is determined by:
  - the RPO (Recovery Point Objective): up to what point in time can the data be recovered?
  - the RTO (Recovery Time Objective): what is the maximum allowable or maximum tolerable outage?
WAN Network Topology (contd.)
- The near-site DC is connected to the DC over point-to-point redundant links through two or more different service providers, for zero data loss.
- The DC and DR are connected to the WAN cloud (MPLS) through primary and secondary links, using routers in high-availability mode.
WAN Network Topology (contd.)
- The DC and DR are connected through redundant replication links.
- When the production site fails, the nearby Near Data Centre would contain all transactions.
- The Near Data Centre is linked to the DC and DR through redundant links.
- In the event of a DC failure, the backup site brings its database up to date by establishing a session with the Near Data Centre and downloading the changes that took place.
[Diagram: Data Centre with server farms, firewall and router, connected to the DR site over a replication line, to the Near Site over an optical fibre link, and to the network over a primary leased line and a primary wireless line, each backed up by an ISDN backup router.]
Security
- Private/public domain servers are hosted in the DC, DR and near-site DC in different demilitarised zones (DMZs).
- DMZs are created through sets of firewalls and VLANs.
- All data is encrypted.
Security (contd.)
- Layers of security are implemented over all secured assets through firewalls, intrusion detection and prevention systems, database activity monitoring tools, anti-virus solutions, end-point security tools, access control systems, etc.
- Application servers to be accessed from the Internet are placed in the DMZ between the Internet and the internal enterprise network.
- To access the Internet, a minimum of two links from different Internet Service Providers are commissioned at the DC.
Interface to Service Delivery Channels and the Internet
- Banks' WANs are connected to INFINET (Indian Financial Network), the communication backbone for the National Payments System.
- Banks' WAN networks are also interfaced with the following:
  - NPCI, ATM switch, SWIFT
  - Credit and debit card agencies
  - Utility service networks such as telephone companies, etc.
  - Government tax departments and regulatory offices
[Diagram: a generic pictorial depiction of banking services over the WAN. Around the MPLS WAN sit: Internet and third parties (chat, Internet, call centre, ATM, smartphone); service providers (insurance, payment transfers, online banking, stock market, POS); banking applications (CRM, security, CBS, e-mail); branches; and controlling offices.]
Risks and Controls - Enterprise Networks
Risks through enterprise networks could be in terms of loss of privacy, confidentiality, integrity and availability, and breaches of statutory or regulatory compliance.
Controls are needed to ensure:
- Access control
- Integrity
- Privacy
- Keeping assets available
Securing Enterprise Networks
Area: Controls
- Internet connections: firewalls, authentication, authorisations, physical security, defining and hardening any egress or ingress points, VPNs, SSL.
- Perimeter firewall: proper configurations.
- Public servers: firewalls, DMZs, OS with updated patches, only required services on front-end servers.
- Remote access: VPN, authentication, encryption, one-time passwords.
- Network devices: access control to devices through authentication, using secure protocols.
- Server farms: authentication, IDS, patching known OS vulnerabilities, firewalls.
- User services: security policy, personal firewalls, anti-virus software.
- Wireless networks: firewalls, encrypted protocols, VPN.
Auditing Enterprise Networks: Review Network Security and Infrastructure
Assess the network design analysis and the network diagram, to verify that:
- networks are secured;
- access to networks is in accordance with the network policy of the organisation;
- proper segregation in networks is in place.
Auditing Enterprise Networks: Review Firewall, IDS and Related Controls
- Network firewalls: whether properly configured.
- Proper routing controls are implemented for networks.
- For monitoring internal network traffic, intrusion detection systems are in place.
Overview of this e-learning course
We have learnt about IS Infrastructure
- Overview of components of IS infrastructure
- Components of computer and peripheral devices
- Data representation in computer
- Hardware asset management
- Auditing
We have learnt about Systems Software
- Operating systems
- Access control in Windows
- Other types of system software
- Software asset management
- Digital rights management
We have learnt about DBMS
- DBMS models
- Database languages/SQL
- Roles and duties of the DBA
- Database controls
- User creation and access rights in DBMS
- Auditing DBMS
We have learnt about Hardware/Software Deployment Strategies
- Different deployment strategies: centralised/distributed IT
- Components of a data centre in a centralised CBS environment
- Configuration management
- Hardening of systems
- Auditing IS infrastructure
We have learnt about Network Basics
- Basics of communication
- Transmission modes
- Network categories: LAN, WAN, MAN
- Network classifications: client/server or peer to peer
- LAN topologies and network components
- WAN message transmission technologies
- Selecting a suitable network topology
We have learnt about Network Standards and Protocols
- OSI architecture overview
- TCP/IP
- Wireless networks
We have learnt about IP Networks
- IP networks
- Network services
- On-demand computing
- Factors impacting quality of network services
We have learnt about Firewalls
- Firewall types, functionalities and categories
- Common implementations of a firewall
- Firewall product types
- Limitations of firewalls
- Unified Threat Management
- Firewall lifecycle
- Baseline configuration for firewalls
We have learnt about Configuring Personal Firewalls and Understanding IDS
- Personal firewalls
- Configuration of a personal firewall in a Windows environment
- General controls in firewalls
- IDS
We have learnt about Cryptography and PKI
- Cryptography
- Need for cryptography
- Digital signatures
- Public Key Infrastructure (PKI)
- Cryptanalysis
We have learnt about Application of Cryptographic Systems
- Use of cryptographic systems
- Secure Socket Layer/Transport Layer Security
- Secure Hyper Text Transfer Protocol (HTTPS)
- IPSec, SSH, SET, S/MIME
- Generic network architecture in banks
- Risks and controls in implementing network security
- Guidelines on auditing networks
Application of Cryptographic Systems
Thank You