1 / 52

UNIT -5

UNIT -5. Password Management Firewall Design Principles. Password Management. Password Protection. User ID and password: User authorized to gain access to the system Privileges accorded to the user Discretionary access control . Password Protection.

papina
Télécharger la présentation

UNIT -5

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. UNIT -5 Password Management Firewall Design Principles.

  2. Password Management NETWORK SECURITY By: Homera Durani

  3. Password Protection User ID and password: • User authorized to gain access to the system • Privileges accorded to the user • Discretionary access control NETWORK SECURITY By: Homera Durani

  4. Password Protection • Unix system (user ID, cipher text password, plain text salt) • password 8 printable characters - 56-bit value (7-bit ASCII) • encryption routine (crypt(3)) based on DES • modified DES algorithm with 12-bit salt value (related to time of password assignment) • 25 encryptions with 64-bit block of zeros input • 64-bit - 11 character sequence NETWORK SECURITY By: Homera Durani

  5. Loading A New Password NETWORK SECURITY By: Homera Durani

  6. Password Protection Purposes of salt: • Prevents duplicate passwords from being visible • Effectively increases password length without the user needing to remember additional 2 characters (possible passwords increased by 4096) • Prevent use of hardware DES implementation for a brute-force guessing attack NETWORK SECURITY By: Homera Durani

  7. Observed Password LengthsIn a Purdue Study NETWORK SECURITY By: Homera Durani

  8. Passwords Cracked From A Sample Set easy pickin’s NETWORK SECURITY By: Homera Durani

  9. Access Control One Method: Deny access to password file • Systems susceptible to unanticipated break-ins • An accidentin protection may render the password file readable compromising all accounts • Users have accounts in other protection domains using the same passwords NETWORK SECURITY By: Homera Durani

  10. Access Control • Answer:Force users to select passwords that are difficult to guess • Goal:Eliminate guessable passwords while allowing the user to select a password that is memorable NETWORK SECURITY By: Homera Durani

  11. Password Selection Strategies(Basic Techniques) • User education • Users may ignore the guidelines • Computer-generated passwords • Poor acceptance by users • Difficult to remember passwords NETWORK SECURITY By: Homera Durani

  12. Password Selection Strategies • Reactive password checking • System runs its own password cracker • Resource intensive • Existing passwords remain vulnerable until reactive checker finds them • Proactive password checking • Password selection is guided by the system • Strike a balance between user accessibility and strength • May provide guidance to password crackers (what not to try) • Dictionary of bad passwords (space and time problem) NETWORK SECURITY By: Homera Durani

  13. Proactive Password Checker There are two techniques currently in use: • Markov Model – search for guessable password • Bloom Filter – search in password dictionary NETWORK SECURITY By: Homera Durani

  14. Markov Model Probability that b follows a M = {states, alphabet, prob, order} NETWORK SECURITY By: Homera Durani

  15. Markov Model • “Is this a bad password?”…same as… • “Was this password generated by this Markov model?” • Passwords that are likely to be generated by the model are rejected • Good results for a second-order model NETWORK SECURITY By: Homera Durani

  16. Bloom Filter A probabilistic algorithm to quickly test membership in a large set using multiple hash functions into a single array of bits Developed in 1970 but not used for about 25 years Used to find words in a dictionary also used for web caching Small probability of false positives which can be reduced for different values of k, # hash funcs NETWORK SECURITY By: Homera Durani

  17. Bloom Filter Bit Vector: v • A vector v of N bits • k independent hash functions. Range 0 to N-1 • For each element x, compute hash functions H1(x), H2(x)…Hk(x) • Set corresponding bits to 1 • Note: A bit in the resulting vector may be set to 1 multiple times Element: x 1 H1(x)=P1 1 H2(x)=P2 N bits 1 H3(x)=P3 H4(x)=P4 1 NETWORK SECURITY By: Homera Durani

  18. Bloom Filter • To query for existence of an entry x, compute H1(x), H2(x)…Hk(x) and check if the bits at the corresponding locations are 1 • If not, x is definitely not a member • Otherwise there may be a false positive (passwords not in the dictionary but that produce a match in the hash table). The probability of a false positive can be reduced by choosing k and N NETWORK SECURITY By: Homera Durani

  19. Performance of Bloom Filter NETWORK SECURITY By: Homera Durani Dictionary of 1 million words with 0.01 probability of rejecting a password We need a hash table of 9.6 X 106 bits

  20. Firewall NETWORK SECURITY By: Homera Durani

  21. Outline • Firewall Design Principles • Firewall Characteristics • Types of Firewalls • Firewall Configurations NETWORK SECURITY By: Homera Durani

  22. Firewalls • Effective means of protection a local system or network of systems from network-based security threats while affording access to the outside world via WAN`s or the Internet NETWORK SECURITY By: Homera Durani

  23. Firewall DesignPrinciples • Information systems undergo a steady evolution (from small LAN`s to Internet connectivity) • Strong security features for all workstations and servers not established NETWORK SECURITY By: Homera Durani

  24. Firewall DesignPrinciples • The firewall is inserted between the premises network and the Internet • Aims: • Establish a controlled link • Protect the premises network from Internet-based attacks • Provide a single choke point NETWORK SECURITY By: Homera Durani

  25. Firewall Characteristics • Design goals: • All traffic from inside to outside must pass through the firewall (physically blocking all access to the local network except via the firewall) • Only authorized traffic (defined by the local security police) will be allowed to pass NETWORK SECURITY By: Homera Durani

  26. Firewall Characteristics • Design goals: • The firewall itself is immune to penetration (use of trusted system with a secure operating system) NETWORK SECURITY By: Homera Durani

  27. Firewall Characteristics • Four general techniques: • Service control • Determines the types of Internet services that can be accessed, inbound or outbound • Direction control • Determines the direction in which particular service requests are allowed to flow NETWORK SECURITY By: Homera Durani

  28. Firewall Characteristics • User control • Controls access to a service according to which user is attempting to access it • Behavior control • Controls how particular services are used (e.g. filter e-mail) NETWORK SECURITY By: Homera Durani

  29. Types of Firewalls • Three common types of Firewalls: • Packet-filtering routers • Application-level gateways • Circuit-level gateways • (Bastion host) NETWORK SECURITY By: Homera Durani

  30. Types of Firewalls • Packet-filtering Router NETWORK SECURITY By: Homera Durani

  31. Types of Firewalls • Packet-filtering Router • Applies a set of rules to each incoming IP packet and then forwards or discards the packet • Filter packets going in both directions • The packet filter is typically set up as a list of rules based on matches to fields in the IP or TCP header • Two default policies (discard or forward) NETWORK SECURITY By: Homera Durani

  32. Types of Firewalls • Advantages: • Simplicity • Transparency to users • High speed • Disadvantages: • Difficulty of setting up packet filter rules • Lack of Authentication NETWORK SECURITY By: Homera Durani

  33. Types of Firewalls • Possible attacks and appropriate countermeasures • IP address spoofing • Source routing attacks • Tiny fragment attacks NETWORK SECURITY By: Homera Durani

  34. Types of Firewalls • Application-level Gateway NETWORK SECURITY By: Homera Durani

  35. Types of Firewalls • Application-level Gateway • Also called proxy server • Acts as a relay of application-level traffic NETWORK SECURITY By: Homera Durani

  36. Types of Firewalls • Advantages: • Higher security than packet filters • Only need to scrutinize a few allowable applications • Easy to log and audit all incoming traffic • Disadvantages: • Additional processing overhead on each connection (gateway as splice point) NETWORK SECURITY By: Homera Durani

  37. Types of Firewalls • Circuit-level Gateway NETWORK SECURITY By: Homera Durani

  38. Types of Firewalls • Circuit-level Gateway • Stand-alone system or • Specialized function performed by an Application-level Gateway • Sets up two TCP connections • The gateway typically relays TCP segments from one connection to the other without examining the contents NETWORK SECURITY By: Homera Durani

  39. Types of Firewalls • Circuit-level Gateway • The security function consists of determining which connections will be allowed • Typically use is a situation in which the system administrator trusts the internal users • An example is the SOCKS package NETWORK SECURITY By: Homera Durani

  40. Types of Firewalls • Bastion Host • A system identified by the firewall administrator as a critical strong point in the network´s security • The bastion host serves as a platform for an application-level or circuit-level gateway NETWORK SECURITY By: Homera Durani

  41. Firewall Configurations • In addition to the use of simple configuration of a single system (single packet filtering router or single gateway), more complex configurations are possible • Three common configurations NETWORK SECURITY By: Homera Durani

  42. Firewall Configurations • Screened host firewall system (single-homed bastion host) NETWORK SECURITY By: Homera Durani

  43. Firewall Configurations • Screened host firewall, single-homed bastion configuration • Firewall consists of two systems: • A packet-filtering router • A bastion host NETWORK SECURITY By: Homera Durani

  44. Firewall Configurations • Configuration for the packet-filtering router: • Only packets from and to the bastion host are allowed to pass through the router • The bastion host performs authentication and proxy functions NETWORK SECURITY By: Homera Durani

  45. Firewall Configurations • Greater security than single configurations because of two reasons: • This configuration implements both packet-level and application-level filtering (allowing for flexibility in defining security policy) • An intruder must generally penetrate two separate systems NETWORK SECURITY By: Homera Durani

  46. Firewall Configurations • This configuration also affords flexibility in providing direct Internet access (public information server, e.g. Web server) NETWORK SECURITY By: Homera Durani

  47. Firewall Configurations • Screened host firewall system (dual-homed bastion host) NETWORK SECURITY By: Homera Durani

  48. Firewall Configurations • Screened host firewall, dual-homed bastion configuration • The packet-filtering router is not completely compromised • Traffic between the Internet and other hosts on the private network has to flow through the bastion host NETWORK SECURITY By: Homera Durani

  49. Firewall Configurations • Screened-subnet firewall system NETWORK SECURITY By: Homera Durani

  50. Firewall Configurations • Screened subnet firewall configuration • Most secure configuration of the three • Two packet-filtering routers are used • Creation of an isolated sub-network NETWORK SECURITY By: Homera Durani

More Related