1 / 10

Internet security threats

Internet security threats. Mapping: before attacking: gather information – find out what services are implemented on network Use ping to determine what hosts have addresses on network

orlando-lynch
Télécharger la présentation

Internet security threats

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Internet security threats Mapping: • before attacking: gather information – find out what services are implemented on network • Use ping to determine what hosts have addresses on network • Port-scanning: try to establish TCP connection (e.g. socket programming) to each port in sequence (see what happens) • nmap (http://www.insecure.org/nmap/) mapper: “network exploration and security auditing” Mapping:countermeasures • record traffic entering network • look for suspicious activity (IP addresses, ports being scanned sequentially)

  2. C A src:B dest:A payload B Internet security threats Packet sniffing: • broadcast media • promiscuous network interface card reads all packets passing by • can read all unencrypted data (e.g. passwords) • e.g.: C sniffs B’s packets Packet sniffing: countermeasures • all hosts in organization run software that checks periodically if host interface in promiscuous mode. • encrypt all data.

  3. C A src:B dest:A payload B Internet security threats IP Spoofing: • can generate “raw” IP packets directly from application, putting any value into IP source address field • receiver can’t tell if source is spoofed • e.g.: C pretends to be B IP Spoofing: ingress filtering • routers should not forward outgoing packets with invalid source addresses (= ingress filtering), e.g. datagram source address not in router’s network. • great, but ingress filtering can not be mandated for all networks

  4. C A SYN SYN SYN SYN SYN SYN SYN B Denial of service (DOS): • flood of maliciously generated packets “swamp” receiver (e.g. TCP SYN-attack, incomplete IP datagram) • Distributed DOS (DDOS): multiple coordinated sources swamp receiver: e.g., C and remote host TCP SYN-attack A Denial of service (DOS): countermeasures • Difficult to filter bad from good packets because of IP spoofing • filter out flooded packets (e.g., TCP SYN) before reaching host: throw out good with bad • traceback to source of floods (most likely an innocent, compromised machine), current research

  5. Why security and many layers? Security in many layers (upper layer services may take advantage of lower level security) 1. Secure email (application layer) 2. Secure sockets (transport layer) 3. IPsec (network layer) 4. Security in 802.11 (link layer) • Lower layers cannot offer user-level security, • A commerce site need to authenticate customers • Easier to deploy services, including security, at the higher layers • Security is not broadly deployed at the network layer • E.g. IP spoofing • IPsec (with source authentication, hence no IP spoofing) is many years away • Performance?

  6. . . KS( ) KS( ) + + + - KB(KS ) KB(KS ) KB KB + - KS KS(m ) KS(m ) m m KS Internet KS . . + - KB( ) KB( ) Secure e-mail • Alice wants to send confidential e-mail, m, to Bob. • Alice: • generates random symmetric private session key, KS. • encrypts message with KS (for efficiency) • also encrypts KS with Bob’s public key. • sends both KS(m) and KB(KS) to Bob. • Bob: • uses his private key to decrypt and recover KS • uses KS to decrypt KS(m) to recover m

  7. + - KA KA + - . . + - KA( ) KA( ) . . - - KA(H(m)) KA(H(m)) H(m ) m H( ) H( ) compare Internet m H(m ) m Secure e-mail (continued) • Alice wants to provide sender authentication and message integrity. • Alice digitally signs message. • sends both message (in the clear) and digital signature.

  8. . KS( ) + + - KB(KS ) KA KB + + KS m . - KA( ) . - KA(H(m)) H( ) m Internet KS . + KB( ) Secure e-mail (continued) • Alice wants to provide secrecy, sender authentication, message integrity. Alice uses three keys: her private key, Bob’s public key, newly created symmetric session key

  9. Internet e-mail encryption scheme, de-facto standard. uses symmetric key cryptography, public key cryptography, hash function, and digital signature as described on previous slides provides secrecy, sender authentication, integrity. inventor, Phil Zimmerman, was target of 3-year federal investigation. ---BEGIN PGP SIGNED MESSAGE--- Hash: SHA1 Bob:My husband is out of town tonight. Passionately yours, Alice ---BEGIN PGP SIGNATURE--- Version: PGP 5.0 Charset: noconv yhHJRHhGJGhgg/12EpJ+lo8gE4vB3mqJhFEvZP9t6n7G6m5Gw2 ---END PGP SIGNATURE--- Pretty good privacy (PGP) A PGP signed message:

  10. Network Security (summary) Basic techniques…... • cryptography (symmetric and public) • authentication • message integrity • key distribution …. used in many different security scenarios • secure email • secure transport (SSL) • IP sec • 802.11

More Related