Application of Cryptographic Systems. Securing Networks. Chapter 3 Part 4 of 4 CA M S Mehta, FCA


Learning Objectives
Task Statements
1.3 Recognise the function of Telecommunications and Network security ... cryptography
Knowledge Statements
1.4 Knowledge of Telecommunications and Network security ... cryptography etc.
1.5 Knowledge of concepts related to Applied Cryptography

Topics Covered
- Use of Cryptographic Systems
- Secure Sockets Layer / Transport Layer Security (SSL/TLS)
- Hyper Text Transfer Protocol Secure (HTTPS)
- VPN, IPsec, SSH, SET, S/MIME
- Generic Network Architecture in Banks
- Risks and Controls in implementing Network Security
- Guidelines on Auditing Networks

Cryptographic Systems
Cryptographic systems are techniques that use one or more forms of cryptography and/or PKI to protect electronic transmissions against threats to confidentiality, integrity, authentication and non-repudiation.

The Problem
Ram and Rahim want to talk to each other, or Ram wants to log on to Rahim's website, but they are worried about security:
- How do you know you are talking to the right person? (authentication)
- How do you know nobody can listen to your conversation? (confidentiality)
- How do you know nobody can change your conversation? (integrity)
We want to build a system that protects against these security concerns.

Resolution
To address these concerns we have many applications of cryptographic systems, such as:
- Secure Sockets Layer / Transport Layer Security (SSL/TLS)
- Hyper Text Transfer Protocol Secure (HTTPS)
- IPsec
- SSH
- Secure Electronic Transaction (SET)
- Secure Multipurpose Internet Mail Extensions (S/MIME)

Secure Sockets Layer (SSL) / Transport Layer Security (TLS)
- SSL was first developed by Netscape; its successor was standardised by the IETF as TLS (Transport Layer Security). All SSL versions and TLS 1.0/1.1 are now deprecated (RFC 7568, RFC 8996); TLS 1.2 and TLS 1.3 (RFC 8446) are the versions in use.
- A cryptographic protocol that secures traffic over a connection-oriented transport (TCP); any application that uses TCP can be adapted to run over a TLS connection.
- The cipher suite is negotiated: the two sides agree on the key-exchange method, symmetric cipher and message-digest (MAC) algorithm from the lists each supports, so the strength of a connection depends on which suites are enabled on both ends.
- Earlier versions defined optional data compression, but it is disabled in practice and was removed in TLS 1.3: compressing secret data together with attacker-chosen data leaks the secret (the CRIME attack).

TLS/SSL
- TLS and SSL are an integral part of every Web browser.
- The website is authenticated to the browser user by its server certificate.
- Optionally the client is authenticated to the server (client certificates).
- Public-key techniques are used to establish a shared secret, from which the symmetric session keys are derived.
- An encrypted TLS connection is then established.

How does TLS/SSL work? (The classic RSA key-transport handshake of SSL and TLS up to 1.2, as drawn in the slides.)
1. The browser initiates a secure session (ClientHello) with the Web server.
2. The server responds with its server certificate, which carries the server's public key.
3. The browser checks the server certificate: it must chain to a CA the browser trusts, be within its validity period and name the host being visited. If any check fails the browser warns the user and no session is set up.
4. The browser generates a random symmetric session key and encrypts it with the server's public key.
5. The encrypted symmetric key is sent to the server.
6. The server decrypts it with its private key; now both sides hold the same symmetric key and nobody else can have it.
7. A secure session is established: all further traffic is encrypted and integrity-protected with the symmetric key.
Note on current practice: TLS 1.3 (and TLS 1.2 with (EC)DHE cipher suites) no longer sends the session key encrypted under the server's public key. Both sides contribute to an ephemeral Diffie-Hellman exchange and the certificate is used only to sign the handshake, so a later compromise of the server's private key does not expose recorded sessions (forward secrecy). Steps 1 to 3 and 7 are unchanged.
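The handshake described above, run end to end with the Go standard library, as an added example that is not code from the original deck. It assumes a throwaway self-signed certificate for "localhost" in place of one issued by a public CA, and a TCP listener on the loopback interface. Run once with the client trusting that certificate (steps 1 to 7 succeed) and once with an empty trust store (step 3 fails and the client refuses to continue), which is what a browser does for a certificate that does not chain to a trusted CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeServerCert builds a throwaway self-signed certificate for "localhost".
// Assumption: a real server presents a certificate issued by a CA the browser
// already trusts; here the self-signed certificate is both the server
// certificate sent in step 2 and the trust anchor checked against in step 3.
func makeServerCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "localhost"},
		DNSNames:              []string{"localhost"}, // the name the client checks
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true, // self-signed: it is its own root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, roots, nil
}

// Handshake runs one client/server TLS handshake over loopback and returns the
// client's view of the negotiated session. With trustServer false the client
// gets an empty root store: step 3 fails, the client sends a bad_certificate
// alert, and no session keys are ever agreed.
func Handshake(trustServer bool) (tls.ConnectionState, error) {
	cert, roots, err := makeServerCert()
	if err != nil {
		return tls.ConnectionState{}, err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS12, // refuse deprecated protocol versions
	})
	if err != nil {
		return tls.ConnectionState{}, err
	}
	defer ln.Close()

	// Server side (steps 2 and 6): accept one connection and drive its half
	// of the handshake.
	srvErr := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err != nil {
			srvErr <- err
			return
		}
		defer c.Close()
		srvErr <- c.(*tls.Conn).Handshake()
	}()

	clientRoots := x509.NewCertPool() // empty: trusts no CA at all
	if trustServer {
		clientRoots = roots
	}
	// Client side (steps 1, 3, 4, 5): ClientHello, certificate check, key
	// exchange, Finished. ServerName must match a SAN in the certificate.
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		RootCAs:    clientRoots,
		ServerName: "localhost",
		MinVersion: tls.VersionTLS12,
	})
	if err != nil {
		<-srvErr // the server sees the client's alert and fails as well
		return tls.ConnectionState{}, err
	}
	defer conn.Close()
	if err := <-srvErr; err != nil {
		return tls.ConnectionState{}, err
	}
	return conn.ConnectionState(), nil
}

func main() {
	for _, trust := range []bool{true, false} {
		st, err := Handshake(trust)
		if err != nil {
			fmt.Printf("client trusts CA=%v: handshake failed: %v\n", trust, err)
			continue
		}
		fmt.Printf("client trusts CA=%v: version 0x%04x, cipher %s, server CN=%s\n",
			trust, st.Version, tls.CipherSuiteName(st.CipherSuite),
			st.PeerCertificates[0].Subject.CommonName)
	}
}
```

With a current Go toolchain the trusted run negotiates TLS 1.3, so the symmetric key comes out of an ephemeral ECDHE exchange rather than being sent encrypted under the server's public key; the certificate check in step 3 is the same either way, and it is the step that decides whether the session is with the right server.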

TLS/SSL - where used
- Secure online credit card transactions.
- Secure system logins and any sensitive information exchanged online, e.g. an Internet banking session.
- Secure cloud-based computing platforms.
- Secure connection between e-mail client and e-mail server.
- Secure transfer of files over HTTPS and FTPS.
- Secure intranet traffic such as internal networks, file sharing, extranets and database connections.

Hyper Text Transfer Protocol Secure (HTTPS)
- For secure browsing: data sent and received over the Web is encrypted so that monetary and other sensitive transactions are protected, e.g. the Income Tax site or online banking.
- HTTPS is HTTP carried over an SSL/TLS connection: the TLS handshake runs first and every HTTP request and response then travels inside the encrypted session.
- Typically on port 443 (regular HTTP on port 80).
- The browser checks that the server certificate is issued by a trusted CA, is within its validity period and names the host in the URL; only then does it show the connection as secure. HTTPS protects the data in transit, not the trustworthiness of the site itself.

Virtual Private Networks (VPNs)
- A VPN establishes a secured tunnel for communications across an untrusted network.
- A VPN can link two networks or two individual systems: clients, servers, routers, firewalls and switches.
- The intermediate networks may be private networks or the Internet.
- A VPN provides confidentiality and integrity over insecure or untrusted intermediate networks. It does not protect either endpoint: a compromised client carries its malware through the tunnel into the protected network.

Internet Protocol Security (IPsec)
- IPsec provides encryption and authentication at the IP (network) layer, so it protects any application's data across an IP network; applications need not be designed for IPsec.
- IPsec is a framework of protocols that both sides agree upon: AH for authentication, ESP for confidentiality and integrity, and IKE for negotiating keys and parameters.
- Used in VPNs, IPsec is implemented at end routers/firewalls (gateways) or on the hosts themselves.
Goals:
- Authentication: verify the source of IP packets.
- Integrity and/or confidentiality of packet data (data integrity / data encryption).

IPsec
IPsec provides security in three situations: host-to-host, host-to-gateway and gateway-to-gateway.
IPsec operates in two modes:
- Transport mode (end-to-end protection between hosts): the payload is encrypted and authenticated but the original IP header is not encrypted, so the real source and destination addresses stay visible on the wire.
- Tunnel mode (site-to-site VPN between gateways): the entire original IP packet is encrypted and a new outer IP header, carrying only the gateway addresses, is added for transmission through the tunnel.
In either mode use ESP with integrity protection (or ESP together with AH); encryption-only ESP leaves packets open to undetected modification.
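The two modes side by side, as an added example in Go that is not code from the original deck. The addresses are constructed (RFC 5737 documentation ranges), the ESP format is simplified (SPI, sequence number and an AES-GCM nonce in front of the protected payload, with no padding or next-header trailer), and an all-zero key stands in for one negotiated by IKE. OnTheWire reports what a passive observer on the provider network can read from the outer header, and TunnelDecap shows the receiving gateway detecting a modified packet.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"net"
)

// Constructed sample addresses: private hosts behind two IPsec gateways.
var (
	hostA = net.IPv4(10, 0, 0, 5).To4()     // workstation inside site A
	hostB = net.IPv4(10, 0, 1, 9).To4()     // server inside site B
	gwA   = net.IPv4(203, 0, 113, 1).To4()  // site A's IPsec gateway (public)
	gwB   = net.IPv4(198, 51, 100, 2).To4() // site B's IPsec gateway (public)
)

const (
	protoUDP byte = 17
	protoESP byte = 50
	espHdr        = 8 // SPI (4) + sequence number (4)
)

// ipv4Header builds a minimal 20-byte IPv4 header (no options, checksum left zero).
func ipv4Header(src, dst net.IP, proto byte, payloadLen int) []byte {
	h := make([]byte, 20)
	h[0] = 0x45 // version 4, header length 5 words
	binary.BigEndian.PutUint16(h[2:], uint16(20+payloadLen))
	h[8] = 64 // TTL
	h[9] = proto
	copy(h[12:16], src.To4())
	copy(h[16:20], dst.To4())
	return h
}

// espSeal produces a simplified ESP packet: SPI | seq | nonce | AES-GCM(payload).
// SPI and sequence number are authenticated as associated data, as in real ESP.
func espSeal(key []byte, spi, seq uint32, payload []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	hdr := make([]byte, espHdr)
	binary.BigEndian.PutUint32(hdr[0:], spi)
	binary.BigEndian.PutUint32(hdr[4:], seq)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := append(hdr, nonce...)
	return gcm.Seal(out, nonce, payload, hdr), nil
}

// espOpen reverses espSeal and fails on any change to header or payload.
func espOpen(key, esp []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(esp) < espHdr+gcm.NonceSize() {
		return nil, errors.New("ESP packet too short")
	}
	hdr, nonce := esp[:espHdr], esp[espHdr:espHdr+gcm.NonceSize()]
	return gcm.Open(nil, nonce, esp[espHdr+gcm.NonceSize():], hdr)
}

// TransportMode protects only the payload: the original IP header, with the
// real end-host addresses, is sent in the clear.
func TransportMode(key []byte, seq uint32, ipPacket []byte) ([]byte, error) {
	ihl := int(ipPacket[0]&0x0f) * 4
	esp, err := espSeal(key, 0x1001, seq, ipPacket[ihl:])
	if err != nil {
		return nil, err
	}
	return append(ipv4Header(ipPacket[12:16], ipPacket[16:20], protoESP, len(esp)), esp...), nil
}

// TunnelMode protects the whole original packet and adds a new outer header
// that carries only the two gateway addresses.
func TunnelMode(key []byte, seq uint32, ipPacket []byte, outerSrc, outerDst net.IP) ([]byte, error) {
	esp, err := espSeal(key, 0x2002, seq, ipPacket)
	if err != nil {
		return nil, err
	}
	return append(ipv4Header(outerSrc, outerDst, protoESP, len(esp)), esp...), nil
}

// TunnelDecap is what the receiving gateway does: strip the outer header,
// authenticate and decrypt, and hand back the inner packet for forwarding.
func TunnelDecap(key, pkt []byte) ([]byte, error) {
	if len(pkt) < 20 {
		return nil, errors.New("packet too short")
	}
	return espOpen(key, pkt[20:])
}

// OnTheWire reports what a passive observer learns from the outer header.
func OnTheWire(pkt []byte) (src, dst string, proto byte) {
	return net.IP(pkt[12:16]).String(), net.IP(pkt[16:20]).String(), pkt[9]
}

func main() {
	key := make([]byte, 16) // AES-128; real keys come from IKE, never zeros
	inner := append(ipv4Header(hostA, hostB, protoUDP, 5), []byte("hello")...)
	t, _ := TransportMode(key, 1, inner)
	u, _ := TunnelMode(key, 1, inner, gwA, gwB)
	s, d, p := OnTheWire(t)
	fmt.Printf("transport mode on the wire: %s -> %s, proto %d\n", s, d, p)
	s, d, p = OnTheWire(u)
	fmt.Printf("tunnel mode on the wire:    %s -> %s, proto %d\n", s, d, p)
	u[len(u)-1] ^= 1 // one bit flipped in transit
	_, err := TunnelDecap(key, u)
	fmt.Println("tampered tunnel packet rejected:", err)
}
```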

Secure Shell (SSH)
- SSH is a protocol for secure remote login and command execution over an insecure network, with end-to-end encryption between client and server. It also carries file transfer (SCP/SFTP) and port forwarding.
- It replaces Telnet, rlogin and rsh, but it is a protocol in its own right (RFC 4251 to 4254), not Telnet layered on SSL.
- SSH is mostly used to administer Unix-like systems (OpenSSH now ships with Windows as well) and encrypts the commands and their output in transit.
- It works in client/server mode. The server proves its identity with a host key: the client compares the key's fingerprint with the one recorded in known_hosts (accepted on the first connection, "trust on first use"), or validates an OpenSSH host certificate where a CA has been deployed. The client authenticates with a password or, preferably, a public key. X.509 certificates are not part of standard SSH.
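The host-key check that makes SSH resistant to a man in the middle, as an added example in Go that is not code from the original deck. It constructs an ssh-ed25519 key from a fixed seed to stand in for the host key of a hypothetical gateway bank-gw.example, builds the corresponding known_hosts line, computes the SHA256 fingerprint the way OpenSSH prints it on first contact, and then accepts the genuine key and refuses a different one.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// sshString encodes a byte string in SSH wire format: uint32 length, then bytes.
func sshString(b []byte) []byte {
	out := make([]byte, 4+len(b))
	binary.BigEndian.PutUint32(out, uint32(len(b)))
	copy(out[4:], b)
	return out
}

// Ed25519HostKeyBlob encodes a public key as it appears in known_hosts and in
// the server's host key file: string "ssh-ed25519" followed by string key.
func Ed25519HostKeyBlob(pub ed25519.PublicKey) []byte {
	return append(sshString([]byte("ssh-ed25519")), sshString(pub)...)
}

// Fingerprint returns the SHA256 fingerprint OpenSSH shows on first contact:
// "SHA256:" + unpadded base64 of SHA-256 over the whole key blob.
func Fingerprint(blob []byte) string {
	sum := sha256.Sum256(blob)
	return "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:])
}

// ParseKnownHostsLine handles one plain (unhashed) known_hosts line of the form
// "host keytype base64blob [comment]" and returns host, key type and fingerprint.
func ParseKnownHostsLine(line string) (host, keyType, fp string, err error) {
	f := strings.Fields(line)
	if len(f) < 3 {
		return "", "", "", errors.New("malformed known_hosts line")
	}
	blob, err := base64.StdEncoding.DecodeString(f[2])
	if err != nil {
		return "", "", "", err
	}
	// The first SSH string inside the blob must repeat the declared key type.
	if len(blob) < 4 {
		return "", "", "", errors.New("key blob too short")
	}
	n := int(binary.BigEndian.Uint32(blob))
	if n < 0 || n > len(blob)-4 || string(blob[4:4+n]) != f[1] {
		return "", "", "", errors.New("key type does not match blob")
	}
	return f[0], f[1], Fingerprint(blob), nil
}

// VerifyHostKey is the check an SSH client performs on every later connection:
// the key the server presents now must match the one recorded for that host.
// A mismatch is the "REMOTE HOST IDENTIFICATION HAS CHANGED" warning and may
// mean someone is interposed between client and server.
func VerifyHostKey(knownHostsLine, host string, presentedBlob []byte) error {
	h, _, known, err := ParseKnownHostsLine(knownHostsLine)
	if err != nil {
		return err
	}
	if h != host {
		return fmt.Errorf("no known_hosts entry for %q", host)
	}
	if got := Fingerprint(presentedBlob); got != known {
		return fmt.Errorf("host key mismatch for %s: known %s, presented %s", host, known, got)
	}
	return nil
}

func main() {
	// Constructed example: a deterministic key from a fixed 32-byte seed stands
	// in for the real host key of a hypothetical bank gateway.
	seed := []byte("example-host-key-seed-not-secret")
	serverPub := ed25519.NewKeyFromSeed(seed).Public().(ed25519.PublicKey)
	blob := Ed25519HostKeyBlob(serverPub)
	line := "bank-gw.example ssh-ed25519 " + base64.StdEncoding.EncodeToString(blob)
	fmt.Println("known_hosts line:", line)
	fmt.Println("fingerprint to compare on first login:", Fingerprint(blob))
	fmt.Println("genuine server:", VerifyHostKey(line, "bank-gw.example", blob))
	// An interposed host presents a different key and must be refused.
	otherPub, _, _ := ed25519.GenerateKey(nil)
	fmt.Println("impostor:", VerifyHostKey(line, "bank-gw.example", Ed25519HostKeyBlob(otherPub)))
}
```

The fingerprint printed by the program is what an administrator should compare, out of band, with the value obtained on the server itself (for example from ssh-keygen -lf on the host key) before answering "yes" to the first-connection prompt; accepting it blindly turns trust on first use into trust of whoever answered first.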

Secure Electronic Transactions (SET)
- SET uses a combination of RSA public-key cryptography, DES symmetric (secret-key) cryptography, X.509v3 digital certificates and a dual signature to secure card payments.
- SET provides a secure communications channel among all the parties involved in a transaction: the customer (cardholder), the seller (merchant), the customer's credit provider (issuer) and the seller's bank (acquirer), through a payment gateway.
- Trust is provided by X.509v3 certificates issued to every party by a certificate authority.
- The dual signature binds the Order Information (OI) and the Payment Information (PI) without revealing either to the party that does not need it: the customer signs H(H(PI) || H(OI)). The merchant receives OI together with H(PI), the bank receives PI together with H(OI), and each can verify the same signature. It proves that:
  - the merchant has received the OI,
  - the bank has received the PI,
  - the customer linked this OI to this PI and can later prove that the PI was not attached to a different purchase.
- SET was never widely deployed; card payments on the Web today rely on TLS and schemes such as 3-D Secure, but the dual signature remains the standard example of binding two messages for two different audiences.

[Figure: SET transaction flow. The cardholder sends the merchant the OI with H(PI) and the dual signature, encrypted for the merchant (Key M), together with the PI and H(OI) encrypted for the payment gateway (Key P); the merchant forwards the encrypted PI to the payment gateway over the Internet; the payment gateway settles with the acquirer and the issuer over the payment network; the certificate authority issues certificates to all parties.]
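The dual signature worked through in Go, as an added example that is not code from the original deck or from the SET specification. It keeps SET's construction, DS = Sign(H(H(PI) || H(OI))), but substitutes Ed25519 signatures and SHA-256 digests from the Go standard library for the RSA and SHA-1 that SET used; the order and payment messages are constructed sample data. The merchant verifies with OI and H(PI) only, the bank with PI and H(OI) only, and a changed order or a payment attached to a different order fails.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Constructed sample messages (not real card data).
var (
	orderInfo   = []byte("order=1234;item=ledger-book;qty=2;amount=INR900")
	paymentInfo = []byte("card=4111XXXXXXXX1111;exp=12/29;amount=INR900")
)

// digest is the message digest (MD) used throughout: SHA-256 here, SHA-1 in SET.
func digest(b []byte) []byte {
	s := sha256.Sum256(b)
	return s[:]
}

// DualSig is what the cardholder produces: one signature over both digests,
// plus the inner digests so that each party can complete the verification
// without seeing the other party's data.
type DualSig struct {
	Sig  []byte
	PIMD []byte // H(PI): goes to the merchant instead of the PI itself
	OIMD []byte // H(OI): goes to the bank instead of the OI itself
}

// Sign computes DS = Sign_customer( H( H(PI) || H(OI) ) ).
func Sign(priv ed25519.PrivateKey, oi, pi []byte) DualSig {
	pimd, oimd := digest(pi), digest(oi)
	pomd := digest(append(append([]byte{}, pimd...), oimd...))
	return DualSig{Sig: ed25519.Sign(priv, pomd), PIMD: pimd, OIMD: oimd}
}

// MerchantVerify: the merchant holds OI and H(PI) but never the card details.
func MerchantVerify(pub ed25519.PublicKey, oi, pimd, sig []byte) bool {
	pomd := digest(append(append([]byte{}, pimd...), digest(oi)...))
	return ed25519.Verify(pub, pomd, sig)
}

// BankVerify: the bank holds PI and H(OI) but never learns what was bought.
func BankVerify(pub ed25519.PublicKey, pi, oimd, sig []byte) bool {
	pomd := digest(append(append([]byte{}, digest(pi)...), oimd...))
	return ed25519.Verify(pub, pomd, sig)
}

// Linked lets the customer, who holds both OI and PI, prove later that this
// PI was attached to this OI and to no other purchase: only this pair
// reproduces the digest that was signed.
func Linked(pub ed25519.PublicKey, oi, pi, sig []byte) bool {
	return MerchantVerify(pub, oi, digest(pi), sig)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(nil) // the cardholder's key pair
	if err != nil {
		panic(err)
	}
	ds := Sign(priv, orderInfo, paymentInfo)
	fmt.Println("merchant verifies with OI + H(PI):", MerchantVerify(pub, orderInfo, ds.PIMD, ds.Sig))
	fmt.Println("bank verifies with PI + H(OI):    ", BankVerify(pub, paymentInfo, ds.OIMD, ds.Sig))
	// A merchant who alters the order (here the amount) breaks the signature.
	altered := []byte("order=1234;item=ledger-book;qty=2;amount=INR9000")
	fmt.Println("merchant verifies altered OI:     ", MerchantVerify(pub, altered, ds.PIMD, ds.Sig))
	// The same PI attached to a different order is not covered by this signature.
	fmt.Println("PI linked to a different OI:      ", Linked(pub, altered, paymentInfo, ds.Sig))
}
```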

Secure Multipurpose Internet Mail Extensions (S/MIME)
- A secure method of sending e-mail and attachments, based on X.509 certificates; RSA is the usual public-key algorithm, with ECDSA/ECDH also supported in current versions.
- S/MIME provides the following cryptographic security services:
  - Authentication, message integrity and non-repudiation of origin, by digital signing.
  - Privacy and data security, by encryption.
- In Outlook: Message > Options > Other Options > Properties > Security Settings.

Generic Enterprise-wide Network Architecture in a Bank
Any organisation-wide technology deployment strategy depends on the following factors:
- Business services: front-end services supported by back-end processes.
- Risk management requirements: adequate protection from operational and systemic risk, credit risk, and liquidity and market risk.
- Governance: compliance requirements, financial control, and audit reporting.
Applications that are not part of the Core Banking Solution are integrated with it.

Layers of network architecture in a Bank
- WAN network topology
- Security
- Interface to service delivery channels and the Internet

WAN Network Topology
There are two broad approaches to the WAN topology:
- Centralised aggregation of network traffic: all branch network connections converge directly at the Data Centre (DC) / Disaster Recovery Centre (DRC).
- Decentralised aggregation of network traffic: branch connections converge at regional aggregation points, which in turn converge at the DC and the DRC.

WAN Network Topology (contd.)
- A decentralised environment is harder to maintain, so most banks prefer the centralised approach.
- Networks now carry data, voice and video.
- The backbone is usually MPLS (Multiprotocol Label Switching), which provides high availability, economies of scale, and the flexibility to implement QoS (Quality of Service) for managing different types of traffic.
- MPLS keeps customers' traffic apart but does not encrypt it; confidentiality across a provider backbone still requires IPsec or TLS on top.

WAN Network Topology (contd.)
- The service provider provides the backbone, usually optical fibre with redundant routes: central conduits designed to carry network traffic at high speed and to maximise the reliability and performance of large-scale, long-distance data communications.
- The last mile: primary leased lines, backed up by a secondary link, connect each branch to the nearby POP (Point of Presence) of the service provider.

WAN Network Topology (contd.)
- The DC and the DRC are located in different seismic zones.
- The bank may also have a near-site DC, to minimise (or bring to almost zero) the data loss when data at the primary site becomes unavailable because of a disaster.
- The need for a near-site DC is determined by:
  - the RPO (Recovery Point Objective): up to what point in time can the data be recovered, i.e. how much data loss is tolerable?
  - the RTO (Recovery Time Objective): what is the maximum allowable or maximum tolerable outage?

WAN Network Topology (contd.)
- The near-site DC is connected to the DC over redundant point-to-point links from two or more different service providers, for zero data loss.
- The DC and the DRC are connected to the WAN cloud (MPLS) through primary and secondary links, using routers in high-availability mode.

WAN Network Topology (contd.)
- The DC and the DRC are connected through redundant replication links.
- When the production site fails, the near-site data centre holds all transactions up to the moment of failure.
- The near-site data centre is linked to both the DC and the DRC through redundant links.
- In the event of a DC failure the backup site brings its database up to date by establishing a session with the near-site data centre and downloading the changes that took place.

[Figure: WAN topology. The data centre (server farms, firewall, routers) connects to the network over a primary leased line and a primary wireless line, each with an ISDN backup router; an optical fibre link runs to the near site, and a replication line to the DR site.]

Security
- Private and public domain servers are hosted in the DC, the DRC and the near-site DC in different demilitarised zones (DMZs).
- DMZs are created through sets of firewalls and VLANs.
- All data is encrypted.

Security (contd.)
- Layers of security are implemented over all secured assets through firewalls, intrusion detection and prevention systems, database activity monitoring tools, anti-virus solutions, end-point security tools, access control systems, etc.
- Application servers that must be reachable from the Internet are placed in the DMZ between the Internet and the internal enterprise network.
- For Internet access, at least two links from different Internet Service Providers are commissioned at the DC.

Interface to service delivery channels and the Internet
Bank WANs are connected to INFINET (Indian Financial Network), the communication backbone for the National Payments System. Bank WANs are also interfaced with:
- NPCI, the ATM switch and SWIFT
- Credit and debit card agencies
- Utility service networks, e.g. telephone companies
- Government tax departments and regulatory offices

[Figure: a generic pictorial depiction of banking services over the WAN. The MPLS WAN connects branches and controlling offices, POS terminals, the banking applications (CRM, security, CBS, e-mail), service providers (insurance, payment transfers, online banking, stock market) and the Internet and third parties (chat, Internet, call centre, ATM, smartphone).]

Risks and Controls - Enterprise Networks
Risks through enterprise networks can take the form of loss of privacy, confidentiality, integrity or availability, and breaches of statutory or regulatory compliance.
Controls are needed to ensure:
- Access control
- Integrity
- Privacy
- Keeping assets available

Securing Enterprise Networks (asset: controls)
- Internet connections: firewalls, authentication, authorisation, physical security, defining and hardening every egress and ingress point, VPNs, SSL/TLS.
- Perimeter firewall: proper configuration.
- Public servers: firewalls, DMZs, OS with updated patches, only required services enabled on front-end servers.
- Remote access: VPN, authentication, encryption, one-time passwords.
- Network devices: access control to devices through authentication, using secure management protocols.
- Server farms: authentication, IDS, patching known OS vulnerabilities, firewalls.
- User services: security policy, personal firewalls, anti-virus software.
- Wireless networks: firewalls, encrypted protocols, VPN.

Auditing Enterprise Networks
Review network security and infrastructure:
- Assess the network design analysis and the network diagram to verify that networks are secured.
- Verify that access to networks is in accordance with the organisation's network policy.
- Verify that proper segregation of networks is in place.

Auditing Enterprise Networks (contd.)
Review firewall, IDS and related controls:
- Are the network firewalls properly configured?
- Are proper routing controls implemented for the networks?
- Are intrusion detection systems in place for monitoring internal network traffic?


Overview of this eLearning course

We have learnt about IS Infrastructure:
- Overview of components of IS infrastructure
- Components of computers and peripheral devices
- Data representation in computers
- Hardware asset management
- Auditing

We have learnt about Systems Software:
- Operating systems
- Access control in Windows
- Other types of system software
- Software asset management
- Digital rights management

We have learnt about DBMS:
- DBMS models
- Database languages / SQL
- Roles and duties of the DBA
- Database controls
- User creation and access rights in a DBMS
- Auditing a DBMS

We have learnt about Hardware/Software Deployment Strategies:
- Different deployment strategies: centralised / distributed IT
- Components of a data centre in a centralised CBS environment
- Configuration management
- Hardening of systems
- Auditing IS infrastructure

We have learnt about Network Basics:
- Basics of communication
- Transmission modes
- Network categories: LAN, WAN, MAN
- Network classifications: client/server or peer to peer
- LAN topologies and network components
- WAN message transmission technologies
- Selecting a suitable network topology

We have learnt about Network Standards and Protocols:
- OSI architecture overview
- TCP/IP
- Wireless networks

We have learnt about IP Networks:
- IP networks
- Network services
- On-demand computing
- Factors impacting quality of network services

We have learnt about Firewalls:
- Firewall types, functionalities and categories
- Common implementations of a firewall
- Firewall product types
- Limitations of firewalls
- Unified Threat Management
- Firewall lifecycle
- Baseline configuration for firewalls

We have learnt about Configuring Personal Firewalls and Understanding IDS:
- Personal firewalls
- Configuration of a personal firewall in a Windows environment
- General controls in firewalls
- IDS

We have learnt about Cryptography and PKI:
- Need for cryptography
- Digital signatures
- Public Key Infrastructure (PKI)
- Cryptanalysis

We have learnt about Application of Cryptographic Systems:
- Use of cryptographic systems
- Secure Sockets Layer / Transport Layer Security
- Hyper Text Transfer Protocol Secure (HTTPS)
- IPsec, SSH, SET, S/MIME
- Generic network architecture in banks
- Risks and controls in implementing network security
- Guidelines on auditing networks

Application of Cryptographic Systems: Thank You