1 / 20

Network/Information Security

Network/Information Security. “The terms network security and information security refer in a broad sense to confidence that information and services available on a network cannot be accessed by unauthorized users.” (Comer 1995) Need to protect

gizi
Télécharger la présentation

Network/Information Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Network/Information Security • “The terms network security and information security refer in a broad sense to confidence that information and services available on a network cannot be accessed by unauthorized users.” (Comer 1995) • Need to protect • Physical resources (disks, computers, cables, bridges, routers, etc.) • Abstract resources (information)

  2. Security Requirements • Data integrity - protecting information from unauthorized change. • Data availability - guaranteeing that outsiders cannot prevent legitimate data access. • Confidentiality/Privacy - preventing unauthorized listening.

  3. Security Requirements (contd..) • Authentication - ensuring that a message indeed originated from its apparent source. • Non-repudiation - ensuring that a party to a transaction cannot subsequently deny that this transaction took place.

  4. Internet Security Mechanisms • Authentication Mechanisms: IP source authentication, Public key encryption • Privacy Mechanism: Encryption • Access Control Mechanisms: Internet firewall • Authentication and privacy mechanisms can be added to application programs. Access control requires basic changes to Internet infrastructure.

  5. IP Source Authentication • Server maintains a list of valid IP source addresses. • Weak because it can be broken easily. • An imposter can gain control of an intermediate router and impersonate an authorized client. • An imposter can also impersonate a server.

  6. Public Key Encryption System • Each end-entity has a cryptographic key pair • a private key that is kept secret at that end-entity, and • a public key which is distributed. • Keys, which are large integers, are used to encode and decode messages. • A message encoded using one key can be decoded using the other.

  7. Public Key Encryption System (contd.) • Message encrypted by a public key can only be decrypted by the holder of the corresponding private key. • Private key can be used to generate a digital signature and anyone knowing the public key can authenticate it. • Guessing or calculating the secret private key is an extremely difficult task.

  8. Public Key Encryption System (contd.) • Public key encryption scheme can also handle the problem of privacy. • Sender uses the receiver’s public key to encode the message. Receiver uses it’s private key to decode the message. • Messages can be encoded twice to authenticate the sender and to enforce privacy. First with the sender’s private key and then with the receiver’s public key.

  9. Certificates and Certification Authorities • To ensure authenticity, public keys are generally distributed in the form of certificates. • A certificate contains • a public key value • identity of the holder of the corresponding private key • digital signature of the certification authority (CA)

  10. Certificates and Certification Authorities (contd.) • A CA is a trusted party whose public key is known, e.g., VeriSign, Inc. • The recipient uses the public key of the CA, to decrypt the sender's public key in the certificate. • The most vulnerable part of this method is the CA’s private key, which is used to digitally sign the certificate.

  11. Messages exchanged in a typical SSL handshake CLIENT SERVER ClientHello A list of cipher suites supported ServerHello Server selects a cipher suite, usually RSA Certificate Server sends its certificate ClientKeyExchange A random challenge, encrypted with the server’s public key HTTP communication begins over the secure channel Source: Abbott, S. 1999. The Debate for Secure E-Commerce. Performance Computing, February 1999, p.p.. 37-42. SSL Handshake

  12. Secure Sockets Layer (SSL) • The leading security protocol on the internet. Developed by Netscape. • At the start of an SSL session, the browser sends its public key to the server. • Server uses the browser’s public key to encrypt a secret key and sends it to the browser. • During the session, the server and browser exchange data via secret key encryption.

  13. SSL (contd.) • SSL has merged with other protocols and authentication methods to create a new protocol known as Transport Layer Security (TLS). • Typically only server authentication is done. Authentication of browser’s (user’s) identity requires certificates to be issued to users.

  14. Internet Firewalls • Firewall protects an organization’s internal networks, routers, computers, and data against unauthorized access. • Security perimeter involves installing a firewall at each external connection. • For effective control all firewalls must use exactly the same access restrictions.

  15. Internet Firewall Implementation • A firewall must handle datagrams at the same speed as the connection to the outside world. • To operate at network speeds, routers include a high-speed filtering mechanism. • Filters form the basic building blocks of a firewall.

  16. Packet Filters • Provides a basic level of network security at the IP level. • Filtering is based on any combination of source IP address, destination IP address, protocol, source protocol port number, and destination protocol port number. • Packet filters do not maintain context or understand the application they are dealing with.

  17. Packet Filters • Specifying the datagrams that should be filtered is not very effective. • Instead we specify which datagrams to admit. • Security concerns • IP spoofing (mimicing IP addresses of trusted machines) • IP tunneling (one datagram is temporarily encapsulated in another)

  18. Packet Filters • “If an organization’s firewall restricts incoming datagrams except for ports that correspond to services the organization makes available externally, an arbitrary application inside the organization cannot become a client of a server outside the organization.” (Comer, 1995)

  19. Proxy Firewalls • Most secure form of firewall • All incoming traffic is tunneled to the appropriate proxy gateway for mail, HTTP, FTP, etc. • Proxies then direct the information to the internal network. • Proxies are applications that make decisions based on context, authorization, & authentication rules instead of IP addresses.

  20. Proxy Firewalls (contd.) • Proxy firewall operates at the highest level of the protocol stack. • Proxies are relays between the Internet and the organization’s private network. • Proxy’s firewall address is the only one available to the outside world. • Some firewalls combine router and proxy techniques to provide more security.

More Related