
Overview of Network Security

ISA 656 Mohamed Sharif

6/13/2011 ms

Contact Information

Mohamed Sharif, PhD.
E-mail: msherif@gmu.edu
Home: 571.333.8555


Course Administration
Class Meetings: Tuesday 07:20-10:00 PM in Engineering Building RM 1203
Instructor Office Hours: by appointment
Examinations: all examinations are in class, individual (no collaboration), closed book, neighbor, and notes.


Course Description
This course is an in-depth introduction to the theory and practice of network security. It assumes basic knowledge of cryptography and its applications in modern network protocols. The course studies firewall architectures and virtual private networks and provides deep coverage of widely used network security protocols such as SSL, TLS, SSH, Kerberos, IPSec, IKE, and LDAP. It covers countermeasures to distributed denial of service attacks, security of routing protocols and the Domain Name System, e-mail security and spam countermeasures, wireless security, multicast security, and trust negotiation. Prerequisites: ISA 562 and CS 555 or permission of instructor.

Course Material
Course Text : Network Security, Private Communication in a Public World 2nd Edition by C. Kaufman, R. Perlman and M. Speciner.


Grading Policy
Weights: 5-6 quizzes for a total of 30%, two midterm exams 30% each, final exam 40%. No make-up exams will be given.
Incompletes: no incompletes will be given, except in extreme cases.
Honor Code Violations: all violators will be reported under all circumstances, and a violation results in a course grade of F, in addition to any other penalties imposed by the university and/or the ISE department. Two students submitting a common or significantly similar copy of homework is an honor code violation.


Course Schedule


Network Security Overview
Internet Protocol Vulnerability Review
Hackers and Malicious Software
Intrusion Detection
Cryptography Overview
Authentication and Access Control
Internet Firewall
Network Layer Security (IPSec)
Router Security
Wireless Security
Transport Layer Security (SSL, SET)
Application Layer Security (Email, SSH, FTP, VOIP and DNS)

Security Facts
Two fundamental security facts:
All complex software programs have flaws/bugs.
It is extraordinarily difficult to build hardware/software that is not vulnerable to attack.


Security Objectives
Confidentiality: only the sender and the intended receiver should understand the message contents; the sender encrypts the message, the receiver decrypts it.
Message integrity: sender and receiver want to ensure the message is not altered (in transit, or afterwards) without detection.
Access and availability: services must be accessible and available to authorized users.
Authentication: sender and receiver want to confirm each other's identity.
Non-repudiation (Accountability): assurance that any transaction that takes place can subsequently be proved to have taken place; both the sender and the receiver agree that the exchange took place.

What do we need to protect

Data
Resources
Reputation

Threats
Unauthorized Disclosure
exposure, interception, inference, intrusion

Deception
masquerade, falsification, repudiation

Disruption
incapacitation, corruption, obstruction

Misconduct
misappropriation, misuse


Who are the Attackers?
Elite hackers: characterized by technical expertise and dogged persistence, not just a bag of tools
Virus writers and releasers
Script kiddies: limited but numerous
Criminals: growing rapidly
Employees, consultants, and contractors
Cyberterrorism and cyberwar

Types of Attacks
Classify as passive or active.
Passive attacks are eavesdropping:
Release of message contents
Traffic analysis
Passive attacks are hard to detect, so aim to prevent them.

Active attacks modify/fake data:
Masquerade
Replay
Modification
Denial of service
Active attacks are hard to prevent, so aim to detect them.

Goals of Security
Prevention
Prevent attackers from violating security policy

Detection
Detect attackers' violations of the security policy

Recovery
Stop the attack, assess and repair the damage
Continue to function correctly even if the attack succeeds

Policies and Mechanisms
Policy says what is, and is not, allowed.
This defines security for the site/system/etc.

A mechanism is a method or tool that enforces a policy.

Operational Issues
Cost-Benefit Analysis
Is it cheaper to prevent or to recover?

Risk Analysis
Should we protect something? How much should we protect this thing?

Laws and Customs
Are the desired security measures illegal? Will people do them?

Threat Analysis
The steps (1-7) are the columns; each row is one threat.

| Threat (1) | Cost if attack succeeds (2) | Probability of occurrence (3) | Threat severity (4) | Countermeasure cost (5) | Value of protection (6) | Apply countermeasure? (7) | Priority |
|---|---|---|---|---|---|---|---|
| A | $500,000 | 80% | $400,000 | $100,000 | $300,000 | Yes | 1 |
| B | $10,000 | 20% | $2,000 | $3,000 | ($1,000) | No | NA |
| C | $100,000 | 5% | $5,000 | $2,000 | $3,000 | Yes | 2 |
| D | $10,000 | 70% | $7,000 | $20,000 | ($13,000) | No | NA |

Threat severity is the cost if the attack succeeds multiplied by the probability of occurrence; value of protection is the threat severity minus the countermeasure cost; a countermeasure is applied only when that value is positive, and applied countermeasures are prioritized by value of protection.
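The threat-analysis procedure above, carried through in code as an added example (this is not code from the course slides). The row figures are the slide's own; the `Threat` class, the function names and the rule that ties break by the slide's row order are assumptions made here.

```python
# Added example, not from the ISA 656 slides: the seven-step threat analysis
# from the slide table as a small calculator. Probability is given in percent,
# as on the slide, so the arithmetic stays exact for whole-dollar figures.
from dataclasses import dataclass


@dataclass
class Threat:
    name: str                    # step 1: the threat
    cost_if_success: float       # step 2: cost if the attack succeeds ($)
    probability_pct: float       # step 3: probability of occurrence (%)
    countermeasure_cost: float   # step 5: cost of the countermeasure ($)

    @property
    def severity(self) -> float:
        # step 4: expected loss = cost if success x probability
        return self.cost_if_success * self.probability_pct / 100

    @property
    def value_of_protection(self) -> float:
        # step 6: expected loss avoided minus what the countermeasure costs
        return self.severity - self.countermeasure_cost

    @property
    def apply(self) -> bool:
        # step 7: apply only when the protection is worth more than it costs
        return self.value_of_protection > 0


def analyse(threats):
    """Return (name, severity, value_of_protection, apply, priority) per threat,
    in the input order. Priority ranks the countermeasures worth applying by
    value of protection (1 = highest); threats not worth protecting get None,
    which is the slide's 'NA'. Equal values keep input order (assumption)."""
    ranked = sorted((t for t in threats if t.apply),
                    key=lambda t: t.value_of_protection, reverse=True)
    priority = {t.name: rank for rank, t in enumerate(ranked, start=1)}
    return [(t.name, t.severity, t.value_of_protection, t.apply,
             priority.get(t.name)) for t in threats]


# The four rows of the slide's table.
SLIDE_THREATS = [
    Threat("A", 500_000, 80, 100_000),
    Threat("B", 10_000, 20, 3_000),
    Threat("C", 100_000, 5, 2_000),
    Threat("D", 10_000, 70, 20_000),
]

if __name__ == "__main__":
    for name, sev, value, apply, prio in analyse(SLIDE_THREATS):
        print(f"{name}: severity ${sev:,.0f}  value ${value:,.0f}  "
              f"apply={'Yes' if apply else 'No'}  priority={prio or 'NA'}")
```

Running the block reproduces the slide's table: A and C are protected (priority 1 and 2), B and D are not because the countermeasure costs more than the expected loss it avoids.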

Human Issues
Organizational Problems
Power and responsibility
Financial benefits

People problems
Outsiders and insiders
Social engineering

Security Mechanisms
Cryptographic techniques
Data integrity
Authentication
Access control
Internet firewalls
Intrusion detection
Network, transport and application layer security

Cryptographic Techniques
Secret Key Algorithm
Public Key Algorithm
Secure Hash Function
Digital Signature

Secret Key Algorithm
[Figure: secret key algorithm. Bob encrypts the clear text with the shared secret key to produce cipher text; Alice decrypts the cipher text with the same secret key to recover the clear text.]

Public Key Algorithm
[Figure: public key algorithm. The sender encrypts the clear text with Alice's public key to produce cipher text; Alice decrypts the cipher text with her private key to recover the clear text.]

Digital Signature
[Figure: digital signature. Alice encrypts the clear text with her private key to produce the cipher text; Bob decrypts and authenticates it with Alice's public key to recover the clear text.]

Secure Hash Function
[Figure: secure hash function. Alice computes a message digest over the original clear text with a keyed hash function and sends the clear text together with the original message digest across the non-secure network; Bob recomputes the message digest over the received clear text with the same key and compares it with the original message digest.]
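The keyed-digest flow in the figure, as an added example that is not code from the course slides. It uses Python's standard `hmac` and `hashlib` modules (HMAC-SHA256 is the concrete keyed hash chosen here; the slide names no algorithm); the key, the message and the `transmit` simulation of the non-secure network are constructed for the example.

```python
# Added example, not from the ISA 656 slides: message integrity with a keyed
# message digest. Sender and receiver share a key; anyone on the non-secure
# network can alter the clear text, but cannot produce a matching digest for
# the altered text without the key.
import hashlib
import hmac


def make_digest(key: bytes, clear_text: bytes) -> bytes:
    """Sender side: message digest over the clear text under the shared key."""
    return hmac.new(key, clear_text, hashlib.sha256).digest()


def verify(key: bytes, received_text: bytes, received_digest: bytes) -> bool:
    """Receiver side: recompute the digest from the received clear text and
    compare it with the digest that arrived with it. compare_digest runs in
    constant time, so the comparison does not leak how many bytes matched."""
    computed = make_digest(key, received_text)
    return hmac.compare_digest(computed, received_digest)


def transmit(key: bytes, clear_text: bytes, tamper=None) -> bool:
    """Simulate one exchange across the non-secure network. `tamper`, if given,
    is a function that alters the clear text in flight (constructed for the
    demo). Returns True when the receiver accepts the message as unaltered."""
    original_digest = make_digest(key, clear_text)
    on_the_wire = tamper(clear_text) if tamper else clear_text
    return verify(key, on_the_wire, original_digest)


# Constructed demo values; a real key comes from a key exchange or secrets.token_bytes().
SHARED_KEY = b"constructed-demo-key-do-not-reuse"
MESSAGE = b"transfer 100 to account 42"

if __name__ == "__main__":
    print("unaltered accepted:", transmit(SHARED_KEY, MESSAGE))
    print("altered accepted:  ", transmit(SHARED_KEY, MESSAGE,
                                          tamper=lambda m: m.replace(b"100", b"900")))
```

The unaltered message verifies; the altered one is rejected because the receiver's recomputed digest no longer matches. An unkeyed hash alone would not give this guarantee: whoever can change the clear text in transit can recompute a plain SHA-256 over the new text, which is why the figure shows the key entering the hash function on both sides.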


Authentication
Authentication procedure
Two-Party Authentication
One-Way Authentication
Two-Way Authentication

Third-Party Authentication
KDC
X.509

Single Sign ON
User can access several network resources by logging on once to a security system.

Access Control
The prevention of unauthorized use of a resource, including the prevention of use of a resource in an unauthorized manner.
A central element of computer security.
Assume we have users and groups that:
authenticate to the system
are assigned access rights to certain resources on the system

Access Control Policies
Discretionary Access Control (DAC)
The owner of the object is responsible for setting the access rights.

Mandatory Access Control (MAC)
The system defines the access rights based on how the subject and the object are classified.

Role-Based Access Control (RBAC)
Based on the roles that users have within the system and on rules stating what accesses are allowed to users in given roles.
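The three policy models above as decision functions, an added example that is not code from the course slides. The owner-managed ACL for DAC, the four-level classification lattice with no-read-up/no-write-down rules for MAC, and the role and permission tables for RBAC are all constructed here to show where each model's decision comes from.

```python
# Added example, not from the ISA 656 slides: who decides access under
# DAC, MAC and RBAC. All subjects, objects, labels and roles are constructed.
from dataclasses import dataclass, field


# --- DAC: the object's owner sets its access rights (an access control list) ---
@dataclass
class DacObject:
    owner: str
    acl: dict = field(default_factory=dict)   # user -> set of rights

    def grant(self, by: str, user: str, right: str) -> None:
        """Only the owner may change the ACL; that is what makes it discretionary."""
        if by != self.owner:
            raise PermissionError(f"{by} is not the owner of this object")
        self.acl.setdefault(user, set()).add(right)


def dac_allows(obj: DacObject, user: str, right: str) -> bool:
    return user == obj.owner or right in obj.acl.get(user, set())


# --- MAC: the system decides from classifications, owners have no say ---
# Hypothetical ordered labels; the rules are the classic no-read-up and
# no-write-down properties for confidentiality.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top-secret": 3}


def mac_allows(subject_clearance: str, object_label: str, right: str) -> bool:
    s, o = LEVELS[subject_clearance], LEVELS[object_label]
    if right == "read":
        return s >= o        # no read up: clearance must dominate the label
    if right == "write":
        return s <= o        # no write down: cannot copy data to a lower label
    return False


# --- RBAC: permissions attach to roles, users are assigned roles ---
ROLE_PERMISSIONS = {
    "auditor": {("audit-log", "read")},
    "admin":   {("audit-log", "read"), ("audit-log", "write"),
                ("firewall", "configure")},
}
USER_ROLES = {"alice": {"auditor"}, "bob": {"admin"}}


def rbac_allows(user: str, obj: str, right: str) -> bool:
    return any((obj, right) in ROLE_PERMISSIONS.get(role, set())
               for role in USER_ROLES.get(user, set()))


if __name__ == "__main__":
    report = DacObject(owner="alice")
    report.grant("alice", "bob", "read")
    print("DAC  bob read report:", dac_allows(report, "bob", "read"))
    print("MAC  secret reads top-secret:", mac_allows("secret", "top-secret", "read"))
    print("RBAC alice configures firewall:", rbac_allows("alice", "firewall", "configure"))
```

Under DAC a compromised owner account can hand out any right it likes; under MAC the label rules hold regardless of what any user wants; under RBAC adding or removing a role changes a user's access without touching individual objects. Each `*_allows` function is the single place a system would call before granting the operation.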

Internet Firewall
A firewall controls the traffic flow between networks. A firewall uses the following techniques:
Packet filters/inspection
Stateful inspection
Application proxy
Socks servers
Screened subnet architecture
Secure tunnel

Screened Subnet Architecture
The DMZ (perimeter network) is set up between the secure and non-secure networks.
It is accessible from both networks and contains machines that act as gateways for specific applications.

Screened Subnet Architecture
[Figure: screened subnet architecture. The non-secure network and the secure network are each separated from the screened subnet, the demilitarized zone (DMZ), by packet filtering; the DMZ hosts the application gateways: a Socks server and FTP, HTTP and Telnet proxy servers.]

Intrusion Detection System
[Figure: intrusion detection system. 1. An attacker on the Internet sends a suspicious packet toward a hardened server on the corporate network. 2. The suspicious packet is passed through. 3. The intrusion detection system logs the packet to a log file. 4. The IDS alarms the network administrator.]

Intrusion Detection System

Assume intruder behavior differs from that of legitimate users.
Expect overlap, as shown.
Observe deviations from past history.
Problems of:
False positives
False negatives
A compromise must be made between the two.

Audit Records
A fundamental tool for intrusion detection. Two variants:
Native audit records: provided by the O/S
Always available but may not be optimal

Detection-specific audit records: IDS-specific
Additional overhead, but specific to the IDS task
Often log individual elementary actions
e.g. may contain fields for: subject, action, object, exception-condition, resource-usage, time-stamp
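Detection-specific audit records with the fields listed above, fed to a detector that observes deviations from each subject's past history, as an added example that is not code from the course slides. The record layout, the constructed history and observation window, the failed-action rate as the behavioral measure, and the `threshold` and `min_events` knobs are all assumptions made here; the knobs are where the false-positive/false-negative compromise on the previous slide is set.

```python
# Added example, not from the ISA 656 slides: a history-based anomaly
# detector over constructed detection-specific audit records.
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AuditRecord:
    subject: str              # who performed the action
    action: str               # what was attempted (read, login, ...)
    obj: str                  # on what
    exception_condition: str  # "" when the action succeeded, else the error
    resource_usage: int       # constructed cost unit
    timestamp: int            # constructed monotonic clock


def _rec(subject, action, obj, exc="", usage=1, ts=0):
    return AuditRecord(subject, action, obj, exc, usage, ts)


def failure_rate(records):
    """Fraction of each subject's actions that raised an exception condition."""
    totals = defaultdict(lambda: [0, 0])          # subject -> [all, failed]
    for r in records:
        totals[r.subject][0] += 1
        if r.exception_condition:
            totals[r.subject][1] += 1
    return {s: failed / total for s, (total, failed) in totals.items()}


def detect(history, window, threshold=0.5, min_events=3):
    """Flag subjects whose failure rate in `window` exceeds their historical
    rate by more than `threshold`. Subjects with fewer than `min_events`
    records in the window are skipped to suppress noise. Lowering either knob
    catches more intrusions and raises more false alarms; raising them does the
    opposite. Returns {subject: deviation} for the subjects flagged."""
    baseline = failure_rate(history)
    current = failure_rate(window)
    counts = Counter(r.subject for r in window)
    alerts = {}
    for subject, rate in current.items():
        if counts[subject] < min_events:
            continue
        deviation = rate - baseline.get(subject, 0.0)   # unknown subject: no history
        if deviation > threshold:
            alerts[subject] = round(deviation, 2)
    return alerts


# Constructed past history: alice usually reads reports and once hit a
# permission error; bob logs into the gateway without trouble.
HISTORY = (
    [_rec("alice", "read", "/srv/reports", ts=t) for t in range(9)]
    + [_rec("alice", "read", "/srv/payroll", exc="EACCES", ts=9)]
    + [_rec("bob", "login", "gateway", ts=t) for t in range(10, 20)]
)

# Constructed observation window: alice now fails on every access she tries,
# bob mistypes a password once, and an unknown subject fails twice.
WINDOW = (
    [_rec("alice", "read", f"/srv/secret{i}", exc="EACCES", ts=100 + i) for i in range(4)]
    + [_rec("bob", "login", "gateway", ts=110 + i) for i in range(3)]
    + [_rec("bob", "login", "gateway", exc="BADPASS", ts=113)]
    + [_rec("mallory", "login", "gateway", exc="BADPASS", ts=120 + i) for i in range(2)]
)

if __name__ == "__main__":
    print("default knobs:      ", detect(HISTORY, WINDOW))
    print("looser threshold:   ", detect(HISTORY, WINDOW, threshold=0.2))
    print("fewer events needed:", detect(HISTORY, WINDOW, min_events=1))
```

With the default knobs only alice is flagged. Dropping the threshold to 0.2 also flags bob's single mistyped password (a false positive); keeping the threshold but lowering `min_events` flags the unknown subject that the default setting missed (a false negative at the default). The two knobs are the compromise the slides describe, made explicit.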

Secure Tunnel
A secure channel between the secure network and an external trusted server through a non-secure network (e.g., the Internet).
Encrypts the data between the firewall and the external trusted host.
Also authenticates the session partners and the messages.

Secure Tunnel (cont.)
[Figure: secure tunnel (VPN) topology. Remote access users, a business partner and a branch office reach the corporate intranet across the Internet through VPN tunnels; each site has a router, workstations and servers.]

Security Trends

Computer Security Losses

Security Technologies Used

References
Computer Security: Principles and Practice, by W. Stallings and L. Brown.
Corporate Computer and Network Security, by R. Panko.
Network Security Essentials, 3rd Edition, by W. Stallings.
Cryptography and Network Security, 4th Edition, by W. Stallings.
Computer Security: Art and Science, by Matt Bishop.
Security in Computing, 4th Edition, by C. Pfleeger and S. Pfleeger.
Network Security: Private Communication in a Public World, 2nd Edition, by C. Kaufman, R. Perlman and M. Speciner.
Data Communications and Networking, 4th Edition, by B. Forouzan.
Computer Networking, 3rd Edition, by J. Kurose and K. Ross.
Applied Cryptography, 2nd Edition, by B. Schneier.
Handbook of Applied Cryptography, by A. Menezes, P. van Oorschot and S. Vanstone.
Designing Network Security, by M. Kaeo, Cisco Press.