6/13/2011 ms
Contact Information
Course Administration
Class Meetings: Tuesday 7:20-10:00 PM in Engineering Building RM 1203
Instructor Office Hours: by appointment
Examinations: All examinations are in class, individual (no collaboration), closed book, neighbor and notes.
Course Description
This course is an in-depth introduction to the theory and practice of network security. It assumes basic knowledge of cryptography and its applications in modern network protocols. The course studies firewall architectures and virtual private networks and provides deep coverage of widely used network security protocols such as SSL, TLS, SSH, Kerberos, IPSec, IKE, and LDAP. It covers countermeasures to distributed denial of service attacks, security of routing protocols and the Domain Name System, e-mail security and spam countermeasures, wireless security, multicast security, and trust negotiation. Prerequisites: ISA 562 and CS 555 or permission of instructor.
Course Material
Course Text: Network Security, Private Communication in a Public World, 2nd Edition, by C. Kaufman, R. Perlman and M. Speciner.
Grading Policy
Weights: 5-6 quizzes for a total of 30%, two midterm exams 30% each, final exam 40%. No exam make-up will be given.
Incompletes: No Incompletes will be given, except in extreme cases.
Honor Code Violations: All violators will be reported under all circumstances, and a violation results in a course grade of F, in addition to any other penalties imposed by the university and/or the ISE department. Two students submitting a common or significantly similar copy of homework is an honor code violation.
Course Schedule
Network Security Overview
Internet Protocol Vulnerability Review
Hackers and Malicious Software
Intrusion Detection
Cryptography Overview
Authentication and Access Control
Internet Firewall
Network Layer Security (IPSec)
Router Security
Wireless Security
Transport Layer Security (SSL, SET)
Application Layer Security (Email, SSH, FTP, VOIP and DNS)
Security Facts
Two fundamental security facts:
All complex software programs have flaws/bugs.
It is extraordinarily difficult to build hardware/software that is not vulnerable to attack.
Security Objectives
Confidentiality: only the sender and the intended receiver should understand message contents; the sender encrypts the message, the receiver decrypts it.
Message integrity: sender and receiver want to ensure the message is not altered (in transit, or afterwards) without detection.
Access and availability: services must be accessible and available to authorized users.
Authentication: sender and receiver want to confirm each other's identity.
Non-repudiation (Accountability): assurance that any transaction that takes place can subsequently be proved to have taken place; both the sender and the receiver agree that the exchange took place.
Threats
Unauthorized Disclosure
exposure, interception, inference, intrusion
Deception
masquerade, falsification, repudiation
Disruption
incapacitation, corruption, obstruction
Misconduct
misappropriation, misuse
Virus writers and releasers
Script kiddies: limited but numerous
Criminals are growing rapidly
Employees, Consultants, and Contractors
Cyberterrorism and Cyberwar
Types of Attacks
Classify as passive or active.
Passive attacks are eavesdropping:
Release of message contents
Traffic analysis
Passive attacks are hard to detect, so the aim is to prevent them.
Goals of Security
Prevention
Prevent attackers from violating security policy
Detection
Detect attackers' violations of security policy
Recovery
Stop the attack, assess and repair the damage
Continue to function correctly even if the attack succeeds
Operational Issues
Cost-Benefit Analysis
Is it cheaper to prevent or to recover?
Risk Analysis
Should we protect something? How much should we protect this thing?
Threat Analysis
Step    1                        2                          3                4                    5                    6                      7
Threat  Cost if attack succeeds  Probability of occurrence  Threat severity  Countermeasure cost  Value of protection  Apply countermeasure?  Priority
A       $500,000                 80%                        $400,000         $100,000             $300,000             Yes                    1
B       $10,000                  20%                        $2,000           $3,000               ($1,000)             No                     NA
C       $100,000                 5%                         $5,000           $2,000               $3,000               Yes                    2
D       $10,000                  70%                        $7,000           $20,000              ($13,000)            No                     NA
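The seven-step threat analysis above, carried through in code as an added example (not part of the original slides): threat severity is the cost if the attack succeeds times its probability, value of protection is that expected loss minus the countermeasure cost, a countermeasure is applied only when the value is positive, and applied countermeasures are ranked by value. The four threats are the slide's own rows; the dataclass and function names are my own.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Threat:
    name: str
    cost_if_success: int      # step 1: dollars lost if the attack succeeds
    probability_pct: int      # step 2: chance of occurrence per period, in percent
    countermeasure_cost: int  # step 4: dollars to deploy the countermeasure


def threat_severity(t: Threat) -> int:
    """Step 3: expected loss = cost if attack succeeds x probability (whole dollars, rounded down)."""
    return t.cost_if_success * t.probability_pct // 100


def value_of_protection(t: Threat) -> int:
    """Step 5: expected loss avoided minus the countermeasure's cost; negative means it is not worth it."""
    return threat_severity(t) - t.countermeasure_cost


def apply_countermeasure(t: Threat) -> bool:
    """Step 6: deploy only when the countermeasure saves more than it costs."""
    return value_of_protection(t) > 0


def prioritize(threats: list) -> dict:
    """Step 7: rank the countermeasures worth applying by value of protection, highest first; None = not applied."""
    worth_it = sorted((t for t in threats if apply_countermeasure(t)),
                      key=value_of_protection, reverse=True)
    ranks = {t.name: i + 1 for i, t in enumerate(worth_it)}
    return {t.name: ranks.get(t.name) for t in threats}


def money(amount: int) -> str:
    """Accounting style as on the slide: negative amounts in parentheses."""
    return f"(${-amount:,})" if amount < 0 else f"${amount:,}"


def analysis_table(threats: list) -> list:
    """One row per threat: name, severity, value of protection, decision, priority ('NA' if not applied)."""
    pr = prioritize(threats)
    return [(t.name, money(threat_severity(t)), money(value_of_protection(t)),
             "Yes" if apply_countermeasure(t) else "No", pr[t.name] or "NA") for t in threats]


# The four threats from the slide's table (values taken from the page).
SLIDE_THREATS = [
    Threat("A", 500_000, 80, 100_000),
    Threat("B", 10_000, 20, 3_000),
    Threat("C", 100_000, 5, 2_000),
    Threat("D", 10_000, 70, 20_000),
]

if __name__ == "__main__":
    for row in analysis_table(SLIDE_THREATS):
        print(*row, sep="\t")
```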
Human Issues
Organizational Problems
Power and responsibility
Financial benefits
People problems
Outsiders and insiders
Social engineering
Security Mechanisms
Cryptographic techniques
Data Integrity
Authentication
Access Control
Internet Firewalls
Intrusion detection
Network, Transport and application layer security
Cryptographic Techniques
Secret Key Algorithm
Public Key Algorithm
Secure Hash Function
Digital Signature
[Figure: Secret Key encryption]
[Figure: Public Key encryption: Alice's Public Key, Alice's Private Key, Clear Text, Encrypt, Decrypt]
Digital Signature
[Figure: Digital Signature: Clear Text, Hash Function, Non-Secure Network, Compare?, Alice]
Authentication
Authentication procedure
Two-Party Authentication
One-Way Authentication
Two-Way Authentication
Single Sign-On
A user can access several network resources by logging on once to a security system.
Access Control
The prevention of unauthorized use of a resource, including the prevention of use of a resource in an unauthorized manner.
A central element of computer security.
Assume we have users and groups:
they authenticate to the system
they are assigned access rights to certain resources on the system
Role-based access control (RBAC): based on the roles that users have within the system and on rules stating what accesses are allowed to users in given roles.
Internet Firewall
A firewall controls traffic flow between networks. A firewall uses the following techniques:
Packet Filters/Inspection
Stateful Inspection
Application Proxy
Socks servers
[Figure: firewall architectures: Packet Filtering, Screened Subnet]
Audit Records
A fundamental tool for intrusion detection. Two variants:
Native audit records - provided by the O/S
Always available but may not be optimal
Detection-specific audit records - IDS specific
Additional overhead but specific to the IDS task; often log individual elementary actions
e.g. may contain fields for: subject, action, object, exception-condition, resource-usage, time-stamp
Secure Tunnel
A secure channel between the secure network and an external trusted server through a non-secure network (e.g., the Internet).
Encrypts the data between the firewall and the external trusted host.
Also verifies the identity of the session partners and the authenticity of the messages.
[Figure: VPN: Branch Office workstations and servers connected across the Internet by router-to-router VPN]
Security Trends
References
Computer Security: Principles and Practice, by W. Stallings and L. Brown.
Corporate Computer and Network Security, by R. Panko.
Network Security Essentials, 3rd Edition, by W. Stallings.
Cryptography and Network Security, 4th Edition, by W. Stallings.
Computer Security: Art and Science, by Matt Bishop.
Security in Computing, 4th Edition, by C. Pfleeger and S. Pfleeger.
Network Security, Private Communication in a Public World, 2nd Edition, by C. Kaufman, R. Perlman and M. Speciner.
Data Communications and Networking, 4th Edition, by B. Forouzan.
Computer Networking, 3rd Edition, by J. Kurose and K. Ross.
Applied Cryptography, 2nd Edition, by B. Schneier.
Handbook of Applied Cryptography, by A. Menezes, P. van Oorschot and S. Vanstone.
Designing Network Security, by M. Kaeo, Cisco Press.