Prof. Shervin Shirmohammadi SITE, University of Ottawa. Security Architecture. Lecture 13: Prof. Shervin Shirmohammadi CEG

Similar documents
IPSec. Slides by Vitaly Shmatikov UT Austin. slide 1

Network Security and Cryptography. December Sample Exam Marking Scheme

Chapter 8. Network Security. Cryptography. Need for Security. An Introduction to Cryptography 10/7/2010

06/02/ Local & Metropolitan Area Networks. 0. Overview. Terminology ACOE322. Lecture 8 Network Security

Chapter 8. Network Security. Need for Security. An Introduction to Cryptography. Transposition Ciphers One-Time Pads

L13. Reviews. Rocky K. C. Chang, April 10, 2015

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005

Introduction and Overview. Why CSCI 454/554?

Firewalls, Tunnels, and Network Intrusion Detection

Int ernet w orking. Internet Security. Literature: Forouzan: TCP/IP Protocol Suite : Ch 28

CSC 4900 Computer Networks: Security Protocols (2)

EEC-682/782 Computer Networks I

IPSec. Overview. Overview. Levente Buttyán

Lecture 1 Applied Cryptography (Part 1)

Cryptography and Network Security

CSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L

SonicWALL Addendum. A Supplement to the SonicWALL Internet Security Appliance User's Guide

Distributed Systems. Lecture 14: Security. Distributed Systems 1

Distributed Systems. Lecture 14: Security. 5 March,

Network Encryption 3 4/20/17

Sample excerpt. Virtual Private Networks. Contents

HP Instant Support Enterprise Edition (ISEE) Security overview

KALASALINGAM UNIVERSITY

Lecture 9a: Secure Sockets Layer (SSL) March, 2004

(2½ hours) Total Marks: 75

COSC4377. Chapter 8 roadmap

Computer Networking. What is network security? Chapter 7: Network security. Symmetric key cryptography. The language of cryptography

Acronyms. International Organization for Standardization International Telecommunication Union ITU Telecommunication Standardization Sector

Glenda Whitbeck Global Computing Security Architect Spirit AeroSystems

Cryptography and Network Security

Cryptographic Concepts

14. Internet Security (J. Kurose)

Fundamentals of Network Security v1.1 Scope and Sequence

Overview. SSL Cryptography Overview CHAPTER 1

Chapter 8 Network Security

Junos Security. Chapter 8: IPsec VPNs Juniper Networks, Inc. All rights reserved. Worldwide Education Services

Security issues: Encryption algorithms. Threats Methods of attack. Secret-key Public-key Hybrid protocols. CS550: Distributed OS.

Configuring Security for VPNs with IPsec

Protocol Architecture (2) Suguru Yamaguchi Nara Institute of Science and Technology Department of Information Science

Network Security Chapter 8

Cryptography and Network Security Chapter 16. Fourth Edition by William Stallings

The Internet community has developed application-specific security mechanisms in a number of application areas, including electronic mail (S/MIME,

ACADEMIA LOCAL CISCO UCV-MARACAY CONTENIDO DE CURSO CURRICULUM CCNA. SEGURIDAD SEGURIDAD EN REDES. NIVEL II. VERSION 2.0

Service Managed Gateway TM. Configuring IPSec VPN

VPN Overview. VPN Types

The IPsec protocols. Overview

Computer Security 3e. Dieter Gollmann. Security.di.unimi.it/sicurezza1415/ Chapter 16: 1

Most Common Security Threats (cont.)

Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls

Firepower Threat Defense Site-to-site VPNs

Network Security and Cryptography. 2 September Marking Scheme

CompTIA Security+ E2C (2011 Edition) Exam.

Internet and Intranet Protocols and Applications

Securing Networks with Cisco Routers and Switches

IP Security. Have a range of application specific security mechanisms

Network Security. Chapter 8. MYcsvtu Notes.

PROTECTING CONVERSATIONS

Chapter 5: Network Layer Security

The Security Problem

LAN to LAN IPsec Tunnel Between a Cisco VPN 3000 Concentrator and Router with AES Configuration Example

Index. Numerics 3DES (triple data encryption standard), 21

Cryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013

Cryptography and secure channel. May 17, Networks and Security. Thibault Debatty. Outline. Cryptography. Public-key encryption

VPNs and VPN Technologies

iii PPTP... 7 L2TP/IPsec... 7 Pre-shared keys (L2TP/IPsec)... 8 X.509 certificates (L2TP/IPsec)... 8 IPsec Architecture... 11

CS 425 / ECE 428 Distributed Systems Fall 2017

Computer Networks 1 (Mạng Máy Tính 1) Lectured by: Dr. Phạm Trần Vũ

CSCE 715: Network Systems Security

Second Semester Examination Higher National Diploma in Information Technology First Year

Remote Connectivity for SAP Solutions over the Internet Technical Specification

ISACA CISA. ISACA CISA ( Certified Information Systems Auditor ) Download Full Version :

e-commerce Study Guide Test 2. Security Chapter 10

Protocols, Technologies and Standards Secure network protocols for the OSI stack P2.1 WLAN Security WPA, WPA2, IEEE i, IEEE 802.1X P2.

9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers

Principles of Information Security, Fourth Edition. Chapter 8 Cryptography

Internet security and privacy

Table of Contents 1 IKE 1-1

Chapter 32 Security in the Internet: IPSec, SSL/TLS, PGP,

Jaringan Komputer (IF8505) Pengamanan jaringan komputer. Cryptography

Set Up a Remote Access Tunnel (Client to Gateway) for VPN Clients on RV016, RV042, RV042G and RV082 VPN Routers

Virtual Private Networks.

IPsec NAT Transparency

UNIT - IV Cryptographic Hash Function 31.1

IBM i Version 7.2. Security Virtual Private Networking IBM

Application Note. Providing Secure Remote Access to Industrial Control Systems Using McAfee Firewall Enterprise (Sidewinder )

Network Security - ISA 656 IPsec IPsec Key Management (IKE)

Secure Communications on VoIP Networks

Lecture 13 Page 1. Lecture 13 Page 3

The following chart provides the breakdown of exam as to the weight of each section of the exam.

CTS2134 Introduction to Networking. Module 08: Network Security

CSC 6575: Internet Security Fall 2017

Data Communication Prof.A.Pal Dept of Computer Science & Engineering Indian Institute of Technology, Kharagpur Lecture - 40 Secured Communication - II

Numerics I N D E X. 3DES (Triple Data Encryption Standard), 48

Module 13 Network Security. Version 1 ECE, IIT Kharagpur

L2TP over IPsec. About L2TP over IPsec/IKEv1 VPN

David Wetherall, with some slides from Radia Perlman s security lectures.

Configuration of an IPSec VPN Server on RV130 and RV130W

Security for VPNs with IPsec Configuration Guide, Cisco IOS XE Release 3S

Cryptography and Network Security. Sixth Edition by William Stallings

Transcription:

Lecture 13: Security Architecture Prof. Shervin Shirmohammadi SITE, University of Ottawa Prof. Shervin Shirmohammadi CEG 4185 13-1

Network Assets and Security Threats Assets: Hardware (PC, workstation, etc) Servers Network devices (routers, hubs, ) Software (OS, programs, ) Services (applications, networking services) Data (stores, in-transit, databases, ) Threats: Unauthorized access to assets. Unauthorized disclosure of information Denial of service Theft (data, hardware, software ) Corruption of data, viruses, worms Physical damage Prof. Shervin Shirmohammadi CEG 4185 13-2

Security Network Security: Protection of network and its services from unauthorized access, modification, destruction, or disclosure. Necessary for the network performing its critical functions correctly. Requirements: Confidentiality: data should be accessible to authorized parties only. Integrity: data can only be modified by authorized parties. Authenticity: receiver should be able to verify the identity of sender. Typically cryptography is used for fulfilling these requirements. Prof. Shervin Shirmohammadi CEG 4185 13-3

Cryptography The encryption model for a symmetric-key cipher. Prof. Shervin Shirmohammadi CEG 4185 13-4

Passive Attacks Eavesdropping on transmissions to obtain information Release of message contents Outsider learns content of transmission Traffic analysis By monitoring frequency and length of messages, even encrypted, nature of communication may be guessed Difficult to detect Can be prevented Prof. Shervin Shirmohammadi CEG 4185 13-5

Active Attacks Masquerade Pretending to be a different entity Replay Modification of messages Denial of Service More easy to detect Detection may lead to deterrent Hard to prevent Prof. Shervin Shirmohammadi CEG 4185 13-6

Substitution Ciphers Two types of Ciphers: substitution; transposition Substitution: Replace each symbol with another symbol A substitution cipher: a b c d e f g h i j k l m n o p q r s t u v w x y z q w e r t y u i o p a s d f g h j k l z x c v b n m attack QZZQEA Broken using statistical properties of the language. English: e, t, o, a, n, i; th, in, er, re, an; the, ing, and, ion Prof. Shervin Shirmohammadi CEG 4185 13-7

Transposition Ciphers A transposition cipher: Prof. Shervin Shirmohammadi CEG 4185 13-8

Symmetric-Key Algorithms Uses a shared secret key between the sender and the receiver. DES The Data Encryption Standard AES The Advanced Encryption Standard Each technique comes with a number of different Cipher Modes for specific situations. Prof. Shervin Shirmohammadi CEG 4185 13-9

Data Encryption Standard 1977 standard of NSA. Uses 56- bit keys. Takes in 64-bit plaintext segments. (a) General outline (b) details of one iteration Prof. Shervin Shirmohammadi CEG 4185 13-10

DES problems 56-bit key too short; these days it can be broken by a submillion dollar machine in under 1 day. NSA (National Security Agency) suspected of incorporating secret design to easily break DES for itself. Age of universe 20 billion years = 2 10 10 years Prof. Shervin Shirmohammadi CEG 4185 13-11

Electronic Code Book Mode Cipher Modes add more security for specific situations. The plaintext of a file encrypted as 16 DES blocks: Con: one can switch parts of ciphertext undetectably. Prof. Shervin Shirmohammadi CEG 4185 13-12

Cipher Block Chaining Mode Cipher block chaining. (a) Encryption. (b) Decryption. Con: need to wait for complete C 0 (typically 64-bit) before decryption can occur Prof. Shervin Shirmohammadi CEG 4185 13-13

Cipher Feedback Mode (a) Encryption. (b) Decryption. Con: 1 bit error will lead to an 8-byte transmission error Prof. Shervin Shirmohammadi CEG 4185 13-14

Stream Cipher Mode & Counter Mode Stream Cipher Mode: (a) Encryption. (b) Decryption. Counter Mode: allows for Random Access - the ability to decrypt a specific part of the message. Prof. Shervin Shirmohammadi CEG 4185 13-15

Public-Key Algorithms Also known as asymmetric algorithm. Uses a pair of keys, one public and one private. The idea is to give away your public key! Encrypt your messages using the public key and you can decrypt it using the private key, and vice versa! Public-key algorithm can be used for both authentication and confidentiality; although differently for each. Main disadvantage: slow processing. Prof. Shervin Shirmohammadi CEG 4185 13-16

Digital Signatures Similar to a signature on a document, a digital signature validates the authenticity of its signee: It was indeed the signee (and not someone else) who singed this document It was indeed this document (and not some other document), that the signee signed. Upon receiving such digital signature, one can prove, in a court of law, that the document is indeed signed by the person indicated by his/her signature. Typically uses Message Digests Prof. Shervin Shirmohammadi CEG 4185 13-17

Message Digests Creates a unique, fixed-sized, one-way digest using the 1 2 3 message. MD5: takes 512 bit blocks and gives a 128-bit digest Essentially a hash converter. Digital signatures using message digests and public-key encryption: Prof. Shervin Shirmohammadi CEG 4185 13-18

SHA-1 SHA: Secure Hash Algorithm Takes 512 bit blocks and gives a 160-bit digest Use of SHA-1 and RSA for signing non-secret messages. Prof. Shervin Shirmohammadi CEG 4185 13-19

PK Management: Certificates Who to get the certificate from? Certificate Authority (CA) A possible certificate and its signed hash Issued by a CA Prof. Shervin Shirmohammadi CEG 4185 13-20

PK Management: X.509 What format to use for the certificate: One possible one: ITU X.509 The basic fields of an X.509 certificate: Prof. Shervin Shirmohammadi CEG 4185 13-21

PK Management: Public-Key Infrastructures Obviously we can t have one server for the CA for the whole planet Scalability problems Solution: use multiple servers, but make sure there is a hierarchical infrastructure to maintain integrity and reliability. A hierarchical PKI. Regional Authority Prof. Shervin Shirmohammadi CEG 4185 13-22

Security Administration Similar to requirements and flow analysis, it is important to find out what security threats affect the network, and how we can protect against them. Consists of two components: Threat analysis In consultation with users, administrators, an operators, assets and risks are recorded and analysed. Policies and procedures Rules of system usage (what to do, and what not to do) Prof. Shervin Shirmohammadi CEG 4185 13-23

Threat Analysis Effect/ Prob. Unauthorized Access Unauthorized Disclosure Denial of Service User Devices B/A B/C B/B Servers B/B B/B B/B Network Elements C/B C/C B/B Software A/B A/B B/B Services B/C B/C B/B Data A/B A/B D/D Theft A/D B/D B/B A/B C/C A/B Corruption A/C B/C C/C A/B D/D A/B Viruses B/B B/B B/B B/B B/C D/D Physical Damage A/D B/C C/C D/D D/D D/D Effect: A=Destructive B=Disabling C=Disruptive D=No Impact Probability: A=Certain B=Unlikely C=Likely D=Impossible Prof. Shervin Shirmohammadi CEG 4185 13-24

Policies and Procedures Formal statements on rules for system, network, and information access and use. Understand possible security breaches, and implement policies to deal with these breaches Common security philosophies: Deny specifics/permit all else (open network philosophy) Permit specifics/deny all else (closed network philosophy) Policies should include: Privacy statement (monitoring, logging, access) Accountability statement (auditing, responsibility) Authentication statement (password policies, remote access) Reporting violations (procedures, contact info) Prof. Shervin Shirmohammadi CEG 4185 13-25

Security Mechanisms 1. Physical Security and Awareness Protection of devices from physical access Security Awareness in order to educate persons 2. Protocol and Application Security Packet filters SNMPv3 IPSec 3. Encryption / Decryption 4. Network Perimeter Firewalls and NAT 5. Remote Access security Not all mechanisms are appropriate/needed for all environments Degree of protection it provides Expertise required for installation and configuration Cost of purchasing, implementing and operating it Amounts of administration and maintenance required Prof. Shervin Shirmohammadi CEG 4185 13-26

Physical Security and Awareness Physical security Protected access (e.g. to server rooms etc.) Backup power source and power conditioning Off-site storage and retrieval Alarm systems (fire, also illegal entry) Awareness Educating users and their involvement in all aspects of security Training, knowledge of breaches Bulletins and newsletters Prof. Shervin Shirmohammadi CEG 4185 13-27

Protocol and Application Security Most common mechanisms in this category: IPsec Secures anything that goes in the IP datagram All layers above and including IP will benefit from this Disadvantage? SNMPv3 NOT SNMPv1 or SNMPv2 (they have no security) Only secures network management Packet filtering Port or IP blocking. Prof. Shervin Shirmohammadi CEG 4185 13-28

IPsec A protocol used to enhance IP with security. Establishes a simplex connection, known as Security Association (SA). Unlike normal IP, that is connectionless. It s a simplex connection, so we d need two SAs for a full-duplex secure connection. Provides Authentication Header (AH), and Encapsulating Security Payload (ESP). AH is used for authentication, ESP is used for : authentication and confidentiality. Used in transport mode (host-to-host), or tunnel mode (gateway-to-gateway). Prof. Shervin Shirmohammadi CEG 4185 13-29

IPsec AH The IPsec authentication header in transport mode for IPv4. HMAC: Hashed Message Authentication Code Packet, and some IP header fields, are hashed together with a private key to form a digital signature. How to let the receiver know that this packet is an IPsec packet? Set the protocol field in the IP header to be IPsec (value 51) Prof. Shervin Shirmohammadi CEG 4185 13-30

IPsec ESP Used for both authentication and confidentiality. ESP header has fields similar to the AH header, plus some more for encryption purposes. HMAC is a trailer (rather than a header) due to easier hardware implementation (like Ethernet s CRC). (a) ESP in transport mode. (b) ESP in tunnel mode. (Host to host) (gateway to gateway) Prof. Shervin Shirmohammadi CEG 4185 13-31

SNMPv3 Security at the message level Authentication Privacy of message via secure communication Flexible access control Who can access? What can be accessed? What MIB views? SNMP Engine (identified by snmpengineid) Dispatcher Message Processing Subsystem Security Subsystem Access Control Subsystem Prof. Shervin Shirmohammadi CEG 4185 13-32

Packet Filtering Prof. Shervin Shirmohammadi CEG 4185 13-33

Encryption / Decryption Provides protection of the information from being used by an attacker. Other security mechanisms concentrate on protection against unauthorized access and destruction of resources. Most of these mechanisms work on either symmetric key or asymmetric key encryption. Cons Degrades network performance 15-85% Hardware solution speed things up Administration and maintenance is required Expensive Prof. Shervin Shirmohammadi CEG 4185 13-34

192.168.0.1 192.168.0.2 Network Perimeter Protects the external interfaces of your network: the components in your network that act as connectors to the external networks. Network Address Translation (NAT) is the most commonly used technique to achieve this security NAT was originally developed to solve IP address exhaustion problem by introducing private networks: 10.0.0.0 10.255.255.255 (class A) 172.16.0.0 172.31.255.255 (class B) 192.168.0.0 192.168.255.255 (class C) S-port=8777 S-IP=192.168.0.2 S-port=63211 S-IP=137.122.20.1 Router NAT Internet 137.122.20.1 D-port=8777 D-IP=192.168.02 D-port=63211D-IP=137.122.20.1 192.168.0.10 NAT port = 63210 port=5113 S-IP=192.168.0.10 NAT port = 63211 port=8777 S-IP=192.168.0.2 NAT port = 63212 port=6522 S-IP=192.168.0.1 Prof. Shervin Shirmohammadi CEG 4185 13-35

Firewall Firewalls are combinations of one or more security mechanisms, placed at strategic locations within a network. E.g. port filtering, plus NAT Can be standalone devices, or part of other equipment (routers, gateways, etc.) May require knowledge of users requirements (telnet, ftp, etc.) Network performance degradation up to 30% Can complicate LAN/MAN/WAN troubleshooting Prof. Shervin Shirmohammadi CEG 4185 13-36

Remote Access Security Remote access is a common operation where users need access to internal resources via dial-in, point-to-point sessions, and VPNs. Commonly known as AAAA Authentication, Authorization, Accountability, and Allocation Considerations Server types and locations (DMZs) Interactions with DNS, address pools, other services. PPP/PPPoE Network Network Internet User Computer dial Network Access Server (NAS) RADIUS Server User Computer PPP RADIUS Prof. Shervin Shirmohammadi CEG 4185 13-37

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback