Overview of Network Security

Contents

Slide 2

Presentation Content

What is Internet?
What do we need to protect?
Threat Motivation
Attack Types
Security Objectives
Security Mechanisms
References

Slide 3

What is Internet?

The Internet is a worldwide IP network that links a collection of different networks from various sources: governmental, educational and commercial.

Slide 4

What do we need to protect?

Data
Resources
Reputation

Slide 5

Threat Motivation

Spy
Joyride
Ignorance
Score Keeper
Revenge
Greed
Terrorist

Slide 6

Types of Attacks

Passive
Active
Denial of Service
Social Engineering

Slide 7

TCP 3-way handshake

Client -> Server: SYN(X)
Server -> Client: SYN(Y), ACK(X)   (connection half open)
Client -> Server: ACK(Y)           (connection full open)

X, Y are sequence numbers

Slide 8

TCP Session Hijack

Attacker -> Server: SYN(X), initiating TCP with 146.135.12.1 (the client) as source
Server -> Client (146.135.12.1): SYN(Y), ACK(X)   (connection half open)
Attacker -> Server: completes the TCP connection
Result: the server sees a valid TCP connection

Slide 9

Security Objectives

Identification
Authentication
Authorization
Access Control
Data Integrity
Confidentiality
Non-repudiation

Slide 10

Identification

Something which uniquely identifies a user; it is called the UserID.
Sometimes users can select their own ID, as long as it is not already given to another user.
The UserID can be one of, or a combination of, the following:
User Name
User Student Number
User SSN

Slide 11

Authentication

The process of verifying the identity of a user.
Typically based on:
Something the user knows
  Password
Something the user has
  Key, smart card, disk, or other device
Something the user is
  Fingerprint, voice, or retinal scans

Slide 12

Authentication Cont.

Authentication procedure
  Two-Party Authentication
    One-Way Authentication
    Two-Way Authentication
  Third-Party Authentication
    Kerberos
    X.509
Single Sign On
  The user can access several network resources by logging on once to a security system.

Slide 15

Authorization

The process of assigning access rights to a user.

Slide 16

Access Control

The process of enforcing access rights; it is based on the following three entities:
Subject: an entity that can access an object
Object: an entity to which access can be controlled
Access Right: defines the ways in which a subject can access an object

Slide 17

Access Control Cont.

Access Control is divided into two types:
Discretionary Access Control (DAC): the owner of the object is responsible for setting the access rights.
Mandatory Access Control (MAC): the system defines the access rights based on how the subject and object are classified.
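The subject/object/access-right model of the two slides above, as an added example (not from the original presentation): under DAC the owner hands out rights and a non-owner cannot; under MAC the system decides from the classifications alone. The classification levels, the Bell-LaPadula-style read/write rule and the users are constructed assumptions for the example.

```python
from dataclasses import dataclass, field

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2}  # MAC classification order (constructed)

@dataclass
class Obj:
    name: str
    owner: str
    level: str                                  # classification used by MAC
    acl: dict = field(default_factory=dict)     # subject -> set of rights, set under DAC

class DAC:
    """Discretionary: only the object's owner may set its access rights."""
    def grant(self, obj: Obj, by: str, subject: str, right: str) -> bool:
        if by != obj.owner:
            return False                        # a non-owner cannot hand out rights
        obj.acl.setdefault(subject, set()).add(right)
        return True

    def check(self, obj: Obj, subject: str, right: str) -> bool:
        return subject == obj.owner or right in obj.acl.get(subject, set())

class MAC:
    """Mandatory: the system decides from classifications; the owner cannot override.
    Rule used here (Bell-LaPadula style, an assumption for the example): read needs
    subject clearance >= object level, write needs subject clearance <= object level."""
    def __init__(self, clearances: dict):
        self.clearances = clearances            # subject -> clearance level

    def check(self, obj: Obj, subject: str, right: str) -> bool:
        s, o = LEVELS[self.clearances[subject]], LEVELS[obj.level]
        if right == "read":
            return s >= o                       # no read up
        if right == "write":
            return s <= o                       # no write down
        return False

def demo() -> dict:
    doc = Obj("payroll.xls", owner="alice", level="secret")
    dac, mac = DAC(), MAC({"alice": "secret", "bob": "confidential"})
    return {
        "dac_bob_grants_self": dac.grant(doc, by="bob", subject="bob", right="read"),    # False
        "dac_owner_grants_bob": dac.grant(doc, by="alice", subject="bob", right="read"), # True
        "dac_bob_read": dac.check(doc, "bob", "read"),      # True: the owner granted it
        "mac_bob_read": mac.check(doc, "bob", "read"),      # False: confidential < secret
        "mac_bob_write": mac.check(doc, "bob", "write"),    # True: writing up is permitted
        "mac_alice_read": mac.check(doc, "alice", "read"),  # True
    }
```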

Slide 18

Data Integrity
Assurance that the data that arrives is the same as when it was sent.

Slide 19

Confidentiality
Assurance that sensitive information is not visible to an eavesdropper. This is usually achieved using encryption.

Slide 20

Non-repudiation
Assurance that any transaction that takes place can subsequently be proved to have taken place. Both the sender and the receiver agree that the exchange took place.

Slide 21

Security Mechanisms

Web Security
Cryptographic techniques
Internet Firewalls

Slide 22

Web Security

Basic Authentication
Secure Socket Layer (SSL)

Slide 23

Basic Authentication

A simple user ID and password-based authentication scheme; it provides the following:
To identify which user is accessing the server
To limit users to accessing specific pages (identified as Uniform Resource Locators, URLs)

Slide 24

Secure Socket Layer (SSL)

Netscape Inc. originally created the SSL protocol, but now it is implemented in World Wide Web browsers and servers from many vendors. SSL provides the following:
Confidentiality through an encrypted connection based on symmetric keys
Authentication using public key identification and verification
Connection reliability through integrity checking
There are two parts to the SSL standard, as follows:
The SSL Handshake is a protocol for initial authentication and transfer of encryption keys.
The SSL Record protocol is a protocol for transferring encrypted data.

Slide 25

Secure Socket Layer Cont.

The client sends a "hello" message to the Web server, and the server responds with a copy of its digital certificate.
The client decrypts the server's public key using the well-known public key of the Certificate Authority, such as VeriSign.
The client generates two random numbers that will be used for symmetric key encryption, one for the receiving channel and one for the sending channel. These keys are encrypted using the server's public key and then transmitted to the server.
The client issues a challenge (some text encrypted with the send key) to the server using the send symmetric key and waits for a response from the server, which uses the receive symmetric key.
Optionally, the server authenticates the client.
Data is exchanged across the secure channel.

Slide 26

Cryptographic Techniques

Secret Key Algorithm
Public Key Algorithm
Secure Hash Function
Digital Signature
Certificate Authority

Slide 27

Secret Key Algorithm

Slide 28

Public Key Algorithm

Slide 29

Secure Hash Function

Slide 30

Digital Signature

Slide 31

Certificate Authority

Slide 32

X.509 Certificate

Is an ITU-T Recommendation.
Specifies the authentication service for X.500 directories; X.500 specifies the directory services.
Version 1 was published in 1988.
Version 2 was published in 1993.
Version 3 was proposed in 1994 and approved in 1997.
Binds the subject's (user's) name and the user's public key.

Slide 33

X.509 Certificate (Cont.)

An X.509 certificate consists of the following fields:
Version
Serial Number
Algorithm Identifier
Issuer name
Validity period
Subject name
Subject public key information
Issuer unique identifier (Version 2 & 3 only)
Subject unique identifier (Version 2 & 3 only)
Extensions (Version 3 only)
Signature

Slide 34

X.509 Certificate (Cont.)

Version 1
  Basic
Version 2
  Adds unique identifiers to prevent reuse of X.500 names
Version 3
  Adds extensions to carry additional information, some of which are:
  Distinguish different certificates
  Alternative to X.500 name
  Limit on further certification by subject
  Policy and Usage

Slide 35

X.509 Certificate Revocation List (CRL)

Is to prevent fraud and misuse.
A certificate may be revoked for one of the following reasons:
The user's private key is compromised
The user is no longer certified by this CA
The CA's private key is compromised
Version 1 was published in 1988.
Version 2 was published in 1997.

Slide 36

X.509 CRL (Cont.)
An X.509 CRL consists of the following fields:
Version
Serial Number
Revocation Date
Algorithm Identifier
Issuer name
Last update
Next update
Extensions (Version 2 only)
Signature

Slide 37

Internet Firewall

A firewall is to control traffic flow between networks.
A firewall uses the following techniques:
Packet Filters
Application Proxy
SOCKS servers
Secure Tunnel
Screened Subnet Architecture

Slide 38

Packet Filtering

Most commonly used firewall technique
Operates at the IP level
Checks each IP packet against the filter rules before passing (or not passing) it on to its destination.
Much faster than other firewall techniques
Hard to configure
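The rule check described on this slide, as an added example that is not part of the original presentation: a stateless filter walks an ordered rule list, the first matching rule decides, and a packet matching no rule is dropped. The addresses, the rule set and the misordered variant are constructed; the misordered variant shows one reason such filters are hard to configure.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None

@dataclass(frozen=True)
class Rule:
    action: str                  # "accept" or "drop"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in (None, p.proto)
                and self.dport in (None, p.dport))

def filter_packet(rules: List[Rule], p: Packet) -> str:
    """Action of the first rule matching p; a packet matching no rule is dropped."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "drop"

# Ordering is what makes filters hard to configure: the drop for the untrusted
# range must come before the general accept for the web server, or it never fires.
RULES = [
    Rule("drop", src="203.0.113.0/24"),                               # constructed untrusted range
    Rule("accept", dst="192.0.2.10/32", proto="tcp", dport=80),      # web server in the DMZ
    Rule("accept", src="192.0.2.0/24", dst="10.0.0.0/8", proto="udp", dport=53),  # DMZ -> internal DNS
]
MISORDERED = RULES[1:] + RULES[:1]  # same rules, the drop moved last

def decisions() -> dict:
    web_ok = Packet("198.51.100.7", "192.0.2.10", "tcp", 80)
    web_from_blocked = Packet("203.0.113.5", "192.0.2.10", "tcp", 80)
    return {
        "web_from_internet": filter_packet(RULES, web_ok),                           # accept
        "web_from_blocked": filter_packet(RULES, web_from_blocked),                  # drop
        "web_from_blocked_misordered": filter_packet(MISORDERED, web_from_blocked),  # accept
        "ssh_to_web": filter_packet(RULES, Packet("198.51.100.7", "192.0.2.10", "tcp", 22)),  # drop (default)
        "dns_from_dmz": filter_packet(RULES, Packet("192.0.2.10", "10.1.1.1", "udp", 53)),   # accept
    }
```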

Slide 39

Packet Filter Cont.

Slide 40

Application Proxy

Application Level Gateway
The communication steps are as follows:
User connects to the proxy server
From the proxy server, the user connects to the destination server
The proxy server can provide:
Content Screening
Logging
Authentication

Slide 41

Application (telnet) Proxy Cont.

Slide 42

SOCKS Server

Circuit-level gateways
Generally for outbound TCP traffic from the secure network
Client code must be installed on the user's machine.
The communication steps are as follows:
User starts the application using the destination server IP address
SOCKS server intercepts and authenticates the IP address and the userID
SOCKS creates a second session to the non-secure system

Slide 43

SOCKS Servers Cont.

Slide 44

Secure Tunnel Cont.

Slide 45

Secure IP Tunnel

A secure channel between the secure network and an external trusted server through a non-secure network (e.g., the Internet)
Encrypts the data between the firewall and the external trusted host
Also verifies the identities of the session partners and the authenticity of the messages

Slide 46

VPN Solutions

IP Security (IPSec)
Layer 2 Tunnel Protocol (L2TP)
Virtual Circuits
Multi Protocol Label Switching (MPLS)

Slide 47

IPSec Solution

IPSec is an Internet standard for ensuring secure private communication over IP networks; it was developed by the IPSec working group of the IETF.
IPSec implements network layer security.

Slide 48

Principle of IPSec protocols

Authentication Header (AH)
  Provides data origin authentication, data integrity and replay protection
Encapsulating Security Payload (ESP)
  Provides data confidentiality, data origin authentication, data integrity and replay protection
Internet Security Association and Key Management Protocol (ISAKMP) or Internet Key Exchange (IKE)
  Provides a method for automatically setting up security associations and managing their cryptographic keys.
Security Association (SA)
  Provides all the relevant information that communicating systems need to execute the IPSec protocols.

Slide 49

Operation Modes of IPSec
Transport Mode
The IP payload is encrypted and the IP headers are left alone.

  [IP Header][Payload]   the Payload part of the IP datagram is encrypted

Slide 50

Operation Modes of IPSec (Cont.)
Tunnel Mode
The entire original IP datagram is encrypted and becomes the payload of the new IP datagram.

  [New IP Header][IP Header][Payload]   the original IP datagram is encrypted and is the payload for the new IP header

Slide 51

IPSec Example

This example combines IPSec protocols: AH in tunnel mode protecting ESP traffic in transport mode. The example assumes that the SAs for the communicating points have already been set up.

Slide 52

Original datagram at H1:
  [IP Header H1 to H2][Payload]

After ESP in transport mode at H1 (Payload and ESP Trl. encrypted; ESP Hdr. through ESP Trl. authenticated by ESP Auth.):
  [IP Header H1 to H2][ESP Hdr.][Payload][ESP Trl.][ESP Auth.]

After AH in tunnel mode at G1 (the new header, the AH header and the whole inner datagram authenticated by AH):
  [New IP Hdr. G1 to G2][AH Hdr.][IP Header H1 to H2][ESP Hdr.][Payload][ESP Trl.][ESP Auth.]

Slide 53

Datagram on the wire between G1 and G2 (authenticated by AH; the ESP part encrypted):
  [New IP Hdr. G1 to G2][AH Hdr.][IP Header H1 to H2][ESP Hdr.][Payload][ESP Trl.][ESP Auth.]

After G2 verifies AH and removes the tunnel header (the ESP part still encrypted):
  [IP Header H1 to H2][ESP Hdr.][Payload][ESP Trl.][ESP Auth.]

After H2 verifies ESP Auth. and decrypts:
  [IP Header H1 to H2][Payload]
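The encapsulation and decapsulation steps of slides 49 to 53, as an added example that is not part of the original presentation: ESP in transport mode between H1 and H2, wrapped in AH in tunnel mode between G1 and G2, then unwrapped in the reverse order with both integrity checks enforced. Header fields are simplified labels rather than RFC-exact formats, the SA keys are constructed, and the HMAC-derived keystream XOR stands in for the ESP cipher so the example runs with the standard library alone.

```python
import hmac, hashlib

K_ESP_ENC, K_ESP_AUTH, K_AH = b"esp-enc-key", b"esp-auth-key", b"ah-key"  # constructed SA keys
ESP_HDR, ESP_TRL, AH_HDR, NEW_IP_HDR = b"ESP-HDR", b"ESP-TRL", b"AH-HDR", b"IP G1->G2"

def keystream_xor(key: bytes, iv: bytes, data: bytes) -> bytes:
    # HMAC-derived keystream XOR: a stand-in for the ESP block cipher (stdlib only)
    stream = b"".join(hmac.new(key, iv + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def esp_transport(ip_hdr: bytes, payload: bytes, iv: bytes) -> bytes:
    # Transport mode: IP header stays in the clear; payload + trailer are encrypted;
    # ESP Auth covers the ESP header through the trailer.
    enc = keystream_xor(K_ESP_ENC, iv, payload + ESP_TRL)
    auth = hmac.new(K_ESP_AUTH, ESP_HDR + iv + enc, hashlib.sha256).digest()
    return ip_hdr + ESP_HDR + iv + enc + auth

def ah_tunnel(inner: bytes) -> bytes:
    # Tunnel mode: new IP header G1 -> G2 in front; AH authenticates the new header,
    # the AH header and the whole inner (ESP-protected) datagram.
    icv = hmac.new(K_AH, NEW_IP_HDR + AH_HDR + inner, hashlib.sha256).digest()
    return NEW_IP_HDR + AH_HDR + icv + inner

def unwrap_ah(pkt: bytes) -> bytes:
    # At G2: verify the AH integrity check value, then strip the outer header
    hdr_len = len(NEW_IP_HDR) + len(AH_HDR)
    icv, inner = pkt[hdr_len:hdr_len + 32], pkt[hdr_len + 32:]
    if not hmac.compare_digest(icv, hmac.new(K_AH, pkt[:hdr_len] + inner, hashlib.sha256).digest()):
        raise ValueError("AH check failed at G2")
    return inner

def unwrap_esp(pkt: bytes, ip_hdr_len: int) -> tuple:
    # At H2: verify ESP Auth, decrypt, strip the trailer; return (IP header, payload)
    ip_hdr, iv = pkt[:ip_hdr_len], pkt[ip_hdr_len + 7:ip_hdr_len + 15]
    enc, auth = pkt[ip_hdr_len + 15:-32], pkt[-32:]
    if not hmac.compare_digest(auth, hmac.new(K_ESP_AUTH, ESP_HDR + iv + enc, hashlib.sha256).digest()):
        raise ValueError("ESP auth failed at H2")
    return ip_hdr, keystream_xor(K_ESP_ENC, iv, enc)[:-len(ESP_TRL)]

def tamper_detected(wire: bytes) -> bool:  # flip one bit of the ESP region; G2 must reject it
    bad = bytearray(wire); bad[-40] ^= 1
    try: unwrap_ah(bytes(bad)); return False
    except ValueError: return True

def roundtrip(payload: bytes = b"H1 application data") -> dict:
    ip_hdr, iv = b"IP H1->H2", bytes(8)  # fixed IV only so the example is reproducible
    wire = ah_tunnel(esp_transport(ip_hdr, payload, iv))
    hdr, data = unwrap_esp(unwrap_ah(wire), len(ip_hdr))
    return {"wire": wire, "payload_in_clear": payload in wire, "inner_hdr": hdr, "payload": data}
```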

Slide 54

Screened Subnet Architecture Cont.

Slide 55

Screened Subnet Architecture

The DMZ (perimeter network) is set up between the secure and non-secure networks.
It is accessible from both networks and contains machines that act as gateways for specific applications.
File name: Overview-of-Network-Security-.pptx