DISS 740 Presentation
Topic: Network Security
Presentation by: Pius Oleh, Dave Kumta, Mike Bryant, Maurice Okagua, Phlimore McCarty, Brook Heaton, Victor Cheng


Post on 26-May-2015


TRANSCRIPT


Network Security

Agenda (Overview)

– Cookies – Pius Oleh
– Biometrics – Dave Kumta
– Smart Cards – Mike Bryant
– Firewalls – Maurice Okagua
– Intrusion Detection – Phlimore McCarthy
– Public Key Infrastructure (PKI) – Brook Heaton
– Virtual Private Network (VPN) – Victor Cheng
– Q&A
– Team Mystery Game

Overview

What is Network Security? There is no set definition of network security, but the fundamental definition is the protection of files and directories in a network from unauthorized access.

Cookies

A cookie is a text file sent by a web server to a client browser; it enables the server to recognize a Web user on subsequent visits to the site.

Types of cookies: first-party cookies and third-party cookies.

Cookies (Cont’d)

Cookie usage: according to Peng and Cisna (2000), cookies can be used to tailor advertisements to a specific user on the web.

Persistent cookies, or cookie sessionization.

Cookies (Cont’d)

According to Jana and Chatterjee (2004), many web sites use cookies to track unique visitors. They argued that using cookies to track unique visitors is problematic because consumers can reject the cookie or delete the cookie (Jana & Chatterjee, 2004).

Privacy concern: online consumers are deleting cookies to protect their privacy. Miyazaki and Fernandez (2000) highlighted privacy as one of the major issues for online consumers.

Cookies (Cont’d)

Bennett (2001) added that online consumers might not be willing to share their personal information due to privacy concerns.

According to Sit and Fu (2001), web cookies cannot be trusted because some web sites do not encrypt them; they argued that even the cookies that are encrypted can be circumvented with little effort.

Cookies (Cont’d)

Lee and Pasternack (2005) identified two major problems facing web analytics (metrics tracking). They summed them up as technical (cookie deletion) and creative (instinct) challenges.

Cookies (Cont’d)

According to recent Jupiter Research findings, 28 percent of online users are deleting their third-party cookies from their computers (Peterson, 2005).

WebTrends Inc. (2005) conducted similar research and found that 12 percent of online users are deleting their third-party cookies.

Cookies (Cont’d)

According to Whitman, Perez, and Beise (2001), cookies raise issues of privacy, data security, and computer monitoring. Web cookies are used in covert data gathering, tracking users’ browsing habits, and profiling online consumers by marketing clickstream data to provide targeted advertisements (Whitman, Perez, & Beise, 2001).

Cookies (Cont’d)

Szewczak (2002) concurs that this invasion of privacy prompted the Electronic Privacy Information Center (EPIC) to file a complaint with the FTC regarding the online tracking practice of DoubleClick, Inc., for unlawfully tracking online users’ activity through cookies in conjunction with the Abacus Direct national database of online user profiles (Szewczak, 2002).

Reference List

Bennett, C. J. (2001). Cookies, web bugs, webcams and cue cats: Patterns of surveillance on the world wide web. Ethics and Information Technology, 3(3), 195-210.

Jana, S., & Chatterjee, S. (2004). Quantifying web-site visits using web statistics: An extended cybermetrics study. Online Information Review, 28(3), 191-199.

Lee, K., & Pasternack, D. (2005). Make the numbers work. Target Marketing, 28(8), 45-46.

Miyazaki, A. D., & Fernandez, A. (2000). Internet privacy and security: An examination of online retailer disclosures. Journal of Public Policy & Marketing, 19(1), 54-61.

Peng, W., & Cisna, J. (2000). HTTP cookies - a promising technology. Online Information Review, 24(2), 150-153.

Peterson, E. T. (2005, March 9). Measuring unique visitors: Addressing the dramatic decline in accuracy of cookie-based measurement. Retrieved October 10, 2005, from http://www.jupiterresearch.com.

Sit, E., & Fu, K. (2001). Web cookies: Not just a privacy risk. Communications of the ACM, 44(9), 120-120.

Szewczak, E. (2002). Beware of the Cookie Monster. Information Resources Management Journal, 15(1), 3-4.

WebTrends (2005). Best practices for accurate web analytics: Avoiding third-party cookie rejection and deletion. Retrieved July 6, 2005, from http://www.webtrends.com/upload/BB_1st_Party_Cookies_FINAL.pdf.

Whitman, M. E., Perez, J., & Beise, C. (2001). A study of user attitudes toward persistent cookies. The Journal of Computer Information Systems, 41(3), 1-7.

Biometrics – Dave Kumta

Biometric Authentication

– Not a network authentication mechanism per se, but biometrics can be used to authenticate network users.
– Biometrics are generally employed as part of a multifactor authentication scheme.
– Biometrics can be more “user friendly” when frequent re-authentication is required.
– Biometrics have a large “signature”, with large storage requirements.

Biometric Approaches

– Fingerprints
– Retina and iris scans
– Face recognition
– Footprints
– Voice identification
– Signature recognition
– Keystroke recognition

Biometric Challenges

– Privacy and user acceptance
– Legal precedence
– Enrollment rigor
– Reliability of electro-mechanical devices
– Intensive processing requirements
– Complex algorithms

Smart Cards – Mike Bryant

One Definition of a Smart Card

A smart card, chip card, or integrated circuit(s) card (ICC), is defined as any pocket-sized card with embedded integrated circuits. There are two broad categories of smart cards:

– Memory cards contain only non-volatile memory storage components, and perhaps some specific security logic.
– Microprocessor cards contain memory and microprocessor components.

Smart Card Literature

Chan, A. (2005). Mobile cookies management on a smart card. Communications of the ACM, 48(11), November 2005.

Bourlai, T., Messer, K., & Kittler, J. (2004). Face verification system architecture using smart cards. Proceedings of the 17th International Conference on Pattern Recognition (ICPR’04).

Wu, X., Dandash, O., & Le, P. (2006). The design and implementation of a smartphone payment system based on limited-used key generation scheme. Proceedings of the Third International Conference on Information Technology: New Generations (ITNG'06).

Uses of Smart Card Technology

– Smart card Internet cookie management
– Face verification system architecture using smart cards
– Smartphone payment system

Mobile Cookies Management on a Smart Card

Cookies are small bits of textual information a Web site might send to Web browsers to be stored within the client machine and returned unchanged in subsequent visits to the site.

The ability to store cookies on the machine enables Web servers to track state information while interacting with a browser across a session. The cookies can be kept past a session, so when users power off their machines the state information is retained and can be used again the next time they visit the site that first created it.

Many Web applications (such as banking, online shopping, and e-auctions) use cookies as a basis for identifying user preferences and identification. As the user moves to different machines to access the same site, the information previously recorded is lost.
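The cookie exchange described here and on the earlier Cookies slide (the server sends a cookie, the browser stores it and returns it unchanged on later visits; first-party versus third-party cookies), as an added Python example that is not code from the presentation or from the CookiesCard paper. The hosts, cookie names and Set-Cookie values are constructed for the demonstration. The jar also refuses to return a Secure cookie over plain HTTP, which is the browser-side check behind the "some sites do not encrypt cookies" concern cited earlier.

```python
import time
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    domain: str                      # host(s) the cookie is returned to
    secure: bool = False             # only returned over HTTPS
    http_only: bool = False          # not exposed to page scripts
    expires: Optional[float] = None  # epoch seconds; None = session cookie


def parse_set_cookie(header: str, origin_host: str) -> Cookie:
    """Parse one Set-Cookie header value received from origin_host."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name=name.strip(), value=value.strip(), domain=origin_host)
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "domain":
            cookie.domain = val.strip().lstrip(".").lower()
        elif key == "max-age":
            cookie.expires = time.time() + int(val)   # persistent cookie
        elif key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.http_only = True
    return cookie


def domain_matches(host: str, cookie_domain: str) -> bool:
    return host == cookie_domain or host.endswith("." + cookie_domain)


def is_third_party(cookie: Cookie, page_host: str) -> bool:
    """Third-party: set by a domain other than the page being visited."""
    return not domain_matches(page_host, cookie.domain)


class CookieJar:
    """The browser side: store what the server sends, return it unchanged."""

    def __init__(self) -> None:
        self.cookies: List[Cookie] = []

    def store(self, set_cookie_header: str, response_url: str) -> Cookie:
        host = urlsplit(response_url).hostname.lower()
        cookie = parse_set_cookie(set_cookie_header, host)
        # a cookie with the same name and domain replaces the old one
        self.cookies = [c for c in self.cookies
                        if (c.name, c.domain) != (cookie.name, cookie.domain)]
        self.cookies.append(cookie)
        return cookie

    def cookie_header(self, request_url: str, now: Optional[float] = None) -> str:
        """Build the Cookie header sent with a later request to the site."""
        now = time.time() if now is None else now
        parts = urlsplit(request_url)
        host = parts.hostname.lower()
        sent = []
        for c in self.cookies:
            if c.expires is not None and c.expires < now:
                continue                     # expired persistent cookie
            if c.secure and parts.scheme != "https":
                continue                     # never send a Secure cookie in clear
            if domain_matches(host, c.domain):
                sent.append(f"{c.name}={c.value}")
        return "; ".join(sent)
```

A session cookie (no Max-Age) lives only in the jar object; a cookie with Max-Age survives until its expiry, which is the "kept past a session" behaviour the slide describes. A cookie stored from ads.example while the user is on bank.example is the third-party case that the privacy studies cited earlier are about.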

Mobile Cookies Management on a Smart Card (Cont’d)

The author presents a novel solution to making cookies “mobile” by leveraging smart cards, with the benefit of mobility in the user’s pocket.

The “CookiesCard” framework uses a smart card as a secure, mobile storage medium for managing personalized cookies.

The “CookiesCard” proxy interacts directly with the card to provide cookies management while functioning as an intermediary between the client browser and a Web server.

Face Verification System Architecture Using Smart Cards

The authors contend that automatic personal identity verification systems based on facial images have many promising applications in the field of security.

In any face verification system the user must make an identity claim, usually by use of a token; in this case the token was stored on a smart card.

To make a claim, the user presents himself/herself to a camera and places his/her card in the card reader. The token is read off the card and the relevant biometric template retrieved. A match between the template and the acquired image is then made.

Prior to this the user would have had to go through an enrollment process where their facial biometric template was created and stored in a database.

The Design and Implementation of a Smartphone Payment System based on Limited-use Key Generation Scheme

Nostalgia: the expected use for smart phones in 2003 was approximately 11.6 million users, and in the year 2007 smart phones are likely to be used more than laptops and PDAs together, by more than 324 million users.

Smart phones allow users to access the Internet using a wireless connection, to store contacts in databases and to perform payments over the Internet.

Many mobile payment systems lack protection for sensitive information, probably due to cost constraints, design limitations or resource limitations, where strong encryption requires substantial processing, memory, and power.

The Design and Implementation of a Smartphone Payment System based on Limited-use Key Generation Scheme (Concluded)

The proposed Wireless Smart Cards Payment System (WSPS) is derived from the KSL protocol as a more secure way for wireless Internet payment.

A client using a wireless smart card can perform transactions over a wireless LAN which is connected to the Internet via a wired network.

The smart card deploys a hashing algorithm (SHA-1), using a 1024 shared key. SHA-1 is considered to be the successor to MD5, an earlier, widely-used hash function. The SHA algorithms were designed by the National Security Agency (NSA) and published as a US government standard. A hash function (or hash algorithm) is a way of creating a small digital "fingerprint" from any kind of data.

It is believed that the use of a smart card for making the Internet payment is more secure because a smart card can be charged and used without revealing client information.
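How a hash algorithm such as SHA-1 is combined with a shared key in practice, as an added Python example that is not code from the Wu, Dandash and Le paper or from the presentation: the standard construction is HMAC, which the Python standard library provides, and it gives the payment server both an integrity check and proof that the message came from a key holder. The key bytes, the 1024-bit key length and the order message are constructed assumptions for the demonstration. The algorithm is a parameter: the paper's SHA-1 is the default, and SHA-256 is exercised alongside it because SHA-1 is no longer recommended for new designs.

```python
import hashlib
import hmac


def fingerprint(data: bytes, algorithm: str = "sha1") -> str:
    """Unkeyed hash: the small digital "fingerprint" the slide describes."""
    return hashlib.new(algorithm, data).hexdigest()


def make_tag(shared_key: bytes, message: bytes, algorithm: str = "sha1") -> str:
    """Keyed hash (HMAC): only a holder of shared_key can produce the tag,
    so it proves both integrity and origin of a payment message."""
    return hmac.new(shared_key, message, algorithm).hexdigest()


def verify_tag(shared_key: bytes, message: bytes, tag: str,
               algorithm: str = "sha1") -> bool:
    expected = make_tag(shared_key, message, algorithm)
    # constant-time comparison so tag checking leaks no timing information
    return hmac.compare_digest(expected, tag)


# Constructed values for the demonstration (not from the paper): a fixed
# 1024-bit shared key between card and payment server, and a payment order.
SHARED_KEY = bytes(range(128))   # 128 bytes = 1024 bits; fixed only for reproducibility
ORDER = b"payee=merchant-42;amount=19.99;currency=USD;nonce=7f3a"


def payment_round_trip(algorithm: str = "sha1"):
    """Card tags the order; server verifies the genuine and a tampered copy.
    Returns (genuine_accepted, tampered_accepted)."""
    tag = make_tag(SHARED_KEY, ORDER, algorithm)              # card side
    genuine = verify_tag(SHARED_KEY, ORDER, tag, algorithm)   # server side
    forged_order = ORDER.replace(b"19.99", b"1999.99")        # in-flight change
    tampered = verify_tag(SHARED_KEY, forged_order, tag, algorithm)
    return genuine, tampered


if __name__ == "__main__":
    print("SHA-1 fingerprint of 'abc':", fingerprint(b"abc"))
    print("round trip (sha1):", payment_round_trip("sha1"))
    print("round trip (sha256):", payment_round_trip("sha256"))
```

A real deployment would also bind a nonce or counter into the message (as the field in ORDER hints) so a captured, correctly tagged order cannot simply be replayed; the tag alone only proves the bytes were not altered.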

Other Smart Card Implementations

The IEEE and ACM journals have many other research projects dealing with the use of smart cards.

Firewalls – Maurice Okagua

What Is a Firewall

Organizations use Internet connectivity to provide services, share information and collaborate with customers both internally and externally. Internet connectivity also exposes the organization’s network to security attacks, namely: viruses, worms, cookies, Trojans, and denial of service attacks.

A firewall is a hardware or software security tool designed to prevent outside intrusions.

The first level of defense among organizational security tools is generally the firewall. It acts as a security gate between the organization’s intranet and the Internet.

Firewalls monitor and control all data traffic that passes from the organization’s network into the computer.

A View of an Organizational Firewall

[Figure: network diagram with the firewall between the Internet and the organization; labelled elements: Unified Messaging, Synchronization, Blackberry, Voicemail, IPSec, PBX, 802.11 Enabled Devices, Exchange, Public Telephone Network, Cellular Enabled Devices, Cellular Network, Internet, Firewall]

Types of Firewalls

There are two common types of firewalls, namely packet filtering and proxy server firewalls.

» Packet filtering firewall: the software uses predefined rules to reject or accept packets (data) that pass through it.

» Proxy server firewall: the proxy server prevents outsiders from accessing information from the network. It also acts as a middleman or gateway that coordinates data between the network and the outside world.
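A minimal packet-filtering firewall of the kind just described, as an added Python example that is not code from the presentation: each rule is a predefined accept/reject decision on source, destination, protocol and port, the first matching rule wins, and traffic that matches no rule is rejected by default. The addresses (documentation and private ranges) and the ruleset are constructed for the demonstration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str                     # source IP
    dst: str                     # destination IP
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # destination port (None for icmp)


@dataclass(frozen=True)
class Rule:
    action: str                   # "accept" or "reject"
    src: str = "0.0.0.0/0"        # CIDR, default any
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None   # None = any protocol
    dport: Optional[int] = None   # None = any port

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


def filter_packet(rules: List[Rule], pkt: Packet, default: str = "reject") -> str:
    """First matching rule decides; unmatched traffic gets the default.
    Rule order therefore matters, and "reject" as default is deny-by-default."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# Constructed ruleset for a small perimeter (not real hosts): 203.0.113.10
# is the public web server, 10.0.0.0/8 the intranet, all else is "outside".
RULES = [
    Rule("accept", dst="203.0.113.10/32", proto="tcp", dport=443),  # public HTTPS
    Rule("accept", dst="203.0.113.10/32", proto="tcp", dport=80),   # public HTTP
    Rule("accept", src="10.0.0.0/8", proto="tcp"),                  # intranet outbound
    Rule("reject", dst="10.0.0.0/8"),                                # nothing inbound to intranet
]


def decide(rules: List[Rule], packets: List[Packet]) -> List[str]:
    return [filter_packet(rules, p) for p in packets]


if __name__ == "__main__":
    samples = [
        Packet("198.51.100.7", "203.0.113.10", "tcp", 443),
        Packet("198.51.100.7", "10.1.2.3", "tcp", 22),
        Packet("10.1.2.3", "198.51.100.7", "tcp", 443),
        Packet("198.51.100.7", "203.0.113.10", "udp", 53),
    ]
    for pkt, verdict in zip(samples, decide(RULES, samples)):
        print(verdict, pkt)
```

Note what a pure packet filter cannot see: it decides on header fields only, so the UDP query above is rejected simply because no rule lists it, not because its contents were inspected. Inspecting contents is the job the proxy firewall on this slide takes on.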

Common Organizational Firewall Security Policies

Service controls
– Determine the services that are externally accessible.

Behavior control
– Enforces organizational policy (e.g., not allowing employees to use Yahoo in a controlled environment).

User control
– What software can be downloaded by employees.

IP packet filtering
– Monitors service requests by examining individual packets.

Benefits of Using Firewall Protection

– Enables virtual participation.
– Enables sharing of sensitive data with meeting participants inside/outside the company.
– Video: enables visual participation in virtual meetings.
– Streamed media: enables 7x24 viewing of meetings and training via the web.

[Figure: company perimeter diagram; labelled elements: Public Internet, ILS Directory, NetMeeting client to client, Desktop Video conferencing, Streaming media or video conference, Company Perimeter, Company external web site, Streaming Media, WebEx for internal & external secure data conferencing, Company Intranet]

Intrusion Detection – Phlimore McCarthy

Principles: “Assume that the network will be attacked”

– Security Assessment
– Detection Standards
– Models of Intrusions
– Implementations
– Intrusion Responses
– Conclusion

Security Assessment

– Analysis of threats
– Analysis of vulnerabilities
– Application of countermeasures

Detection Standards

Developed by the Internet Engineering Task Force (IETF) Intrusion Detection Working Group:

– Intrusion Alert Protocol (IAP)
– Intrusion Detection Message Exchange Format (IDMEF)
– Distributed Denial of Service (DDOS)
– Remote Monitoring (RMON)

Models of Intrusions

“Sequence of states or actions as ‘good’ (no intrusion) or ‘bad’ (possible intrusion)”

– Anomaly detection
– Misuse detection
– Specification-based detection
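The three models on this slide applied to one constructed log, as an added Python example that is not code from the presentation: misuse detection matches signatures of known-bad events, anomaly detection flags a source whose failure count departs from a baseline, and specification-based detection flags anything that violates a stated policy (here: root logins only from the intranet), whether or not it looks like a known attack. The sshd lines, hosts, users and thresholds are all constructed.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Tuple

# Constructed sshd log lines (not from the presentation): normal intranet
# logins, then a password-guessing burst against root from outside that
# ends in a successful login.
SAMPLE_LOG = """\
Mar 14 10:00:01 gw sshd[1201]: Accepted password for alice from 10.0.5.20 port 50211 ssh2
Mar 14 10:00:05 gw sshd[1203]: Failed password for invalid user admin from 198.51.100.9 port 40100 ssh2
Mar 14 10:00:06 gw sshd[1204]: Failed password for root from 198.51.100.9 port 40101 ssh2
Mar 14 10:00:07 gw sshd[1205]: Failed password for root from 198.51.100.9 port 40102 ssh2
Mar 14 10:00:08 gw sshd[1206]: Failed password for root from 198.51.100.9 port 40103 ssh2
Mar 14 10:00:09 gw sshd[1207]: Accepted password for root from 198.51.100.9 port 40104 ssh2
Mar 14 10:00:30 gw sshd[1210]: Failed password for bob from 10.0.5.21 port 50300 ssh2
Mar 14 10:00:35 gw sshd[1211]: Accepted password for bob from 10.0.5.21 port 50301 ssh2
""".splitlines()

LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) password for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<src>\S+)")


def parse_events(lines: List[str]) -> List[Dict[str, str]]:
    events = []
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


# Misuse detection: signatures of known-bad activity.
MISUSE_SIGNATURES: Dict[str, Callable[[Dict[str, str]], bool]] = {
    "probe for non-existent account": lambda e: e["invalid"] is not None,
    "successful root password login": lambda e: e["result"] == "Accepted" and e["user"] == "root",
}


def misuse_detect(events, signatures=MISUSE_SIGNATURES) -> List[Tuple[str, str]]:
    return [(name, e["src"]) for e in events
            for name, pred in signatures.items() if pred(e)]


# Anomaly detection: deviation from a baseline (here, failures per source).
def anomaly_detect(events, max_failures_per_source: int = 2) -> List[str]:
    failures = Counter(e["src"] for e in events if e["result"] == "Failed")
    return sorted(src for src, n in failures.items() if n > max_failures_per_source)


# Specification-based detection: anything outside the stated policy is bad.
def specification_detect(events, root_allowed_from: str = "10.0.0.0/8") -> List[str]:
    allowed = ip_network(root_allowed_from)
    return sorted({e["src"] for e in events
                   if e["user"] == "root" and ip_address(e["src"]) not in allowed})


def analyse(lines: List[str]) -> Dict[str, list]:
    """Run all three models over one log and gather their alerts."""
    events = parse_events(lines)
    return {
        "misuse": misuse_detect(events),
        "anomaly": anomaly_detect(events),
        "specification": specification_detect(events),
    }


if __name__ == "__main__":
    for model, hits in analyse(SAMPLE_LOG).items():
        print(f"{model:14s} {hits}")
```

The same source trips all three models here, but for different reasons, which is why the slide's later point about combining sources matters: bob's single failed login from the intranet is noise to all three, while a root login from outside would be caught by the specification model even if it were the first and only attempt and therefore invisible to the anomaly threshold.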

Implementations: IDSs

Architecture
– Agent
  » Host-based information gathering
  » Network-based information gathering
  » Combining sources
– Director
– Notifier

Intrusion Responses

– Incident prevention
– Intrusion handling
  » Preparation
  » Identification
  » Containment
  » Eradication
  » Recovery
  » Follow up

Intrusion Responses: IDSs – “be proactive”

Requires countermeasures for combinations of intrusion models:

– Disconnect user sessions
– Disable user accounts for unauthorized network entry
– Protect network resources

Conclusion – “not able to detect all types of intrusions”

Further research is required to develop IDSs:

– Methodologies
– Improved network security operational policies
– WAN architecture design deployment
– Privacy issues
– Legal framework

Public Key Infrastructure (PKI) – Brook Heaton

Purpose

Conduct secure communications over the network:
– Encryption (contents can’t be viewed)
– Integrity (contents haven’t been changed)
– Authentication (you are who you say you are)
– Authorization (you are allowed to do X)

PKI Components and Terminology

– Certificate Authority
– Certificates
– Key pairs (public / private)
– Certificate Revocation Lists (CRL)
– Keystore

Standards and Organizations

– X.509 (ITU-T)
– IETF PKIX Working Group
– NIST MISPC
– Federal PKI Steering Committee
– Vendors
  » Verisign
  » Entrust
  » Etc.

Applications

– Email signing and encryption
– Web authentication, authorization, encryption
– Network access (login)

Key Challenges

– Certificate management
  » Managing revoked certificates
  » Renewing expired certificates
  » Distributing certificates
  » User errors
– Hardware / software implementation
– Performance
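The certificate-management challenges on this slide turned into concrete checks, as an added Python example that is not code from the presentation: validity period, revocation against a CRL, and what to do when the CRL itself is out of date (fail closed, since revocation status is then unknown). Signature and chain verification are not modelled here; the CA name, serial numbers and dates are constructed for the demonstration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, Optional, Set


@dataclass(frozen=True)
class Certificate:
    subject: str
    issuer: str
    serial: int
    not_before: datetime
    not_after: datetime


@dataclass(frozen=True)
class CRL:
    issuer: str
    revoked_serials: FrozenSet[int]
    this_update: datetime
    next_update: datetime   # after this the CRL is stale and must be re-fetched


def check_certificate(cert: Certificate, trusted_issuers: Set[str],
                      crl: Optional[CRL], now: datetime) -> str:
    """Return "valid" or the reason the certificate must be rejected.
    Models only the lifecycle checks the slide lists: trust in the issuer,
    validity period and revocation, failing closed when revocation status
    cannot be established."""
    if cert.issuer not in trusted_issuers:
        return "untrusted issuer"
    if now < cert.not_before:
        return "not yet valid"
    if now > cert.not_after:
        return "expired (needs renewal)"
    if crl is None or crl.issuer != cert.issuer:
        return "no CRL for issuer (fail closed)"
    if now > crl.next_update:
        return "CRL stale (fail closed)"
    if cert.serial in crl.revoked_serials:
        return "revoked"
    return "valid"


def renewal_due(cert: Certificate, now: datetime,
                window: timedelta = timedelta(days=30)) -> bool:
    """True when a certificate expires within the renewal window, so it can
    be renewed before users hit an 'expired certificate' error."""
    return cert.not_after - now <= window


# Constructed data (not from the presentation): one hypothetical root CA,
# two CRLs it issued (one fresh, one stale), and leaf certificates.
CA_NAME = "CN=Example Corp Root CA"
NOW = datetime(2015, 5, 26, tzinfo=timezone.utc)
TRUSTED_ISSUERS = {CA_NAME}
FRESH_CRL = CRL(CA_NAME, frozenset({1002}), NOW - timedelta(days=1), NOW + timedelta(days=6))
STALE_CRL = CRL(CA_NAME, frozenset({1002}), NOW - timedelta(days=30), NOW - timedelta(days=23))


def leaf(serial: int, subject: str, days_left: int, issuer: str = CA_NAME) -> Certificate:
    return Certificate(subject, issuer, serial,
                       NOW - timedelta(days=100), NOW + timedelta(days=days_left))


if __name__ == "__main__":
    for c in (leaf(1001, "CN=mail.example", 200), leaf(1002, "CN=vpn.example", 200),
              leaf(1003, "CN=web.example", -1), leaf(1004, "CN=x.example", 200, "CN=Other CA")):
        print(c.subject, "->", check_certificate(c, TRUSTED_ISSUERS, FRESH_CRL, NOW),
              "| renewal due:", renewal_due(c, NOW))
```

Two design choices carry the slide's "key challenges": a stale or missing CRL is treated as a failure rather than silently accepting the certificate, and renewal is flagged a window ahead of expiry, which is how the "renewing expired certificates" problem is kept from reaching users.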

Virtual Private Network (VPN) – Victor Cheng

Virtual Private Network (IP-based)

– Prevents eavesdropping and tampering in a public network.
– Data in the TCP/IP network stack is encapsulated into a secure network packet.
– Typical IP-based VPNs: PPTP, SSL, IPsec.

Point to Point Tunneling Protocol (PPTP)
– Implemented by Microsoft since Win95.
– Can be password or certificate based. Weak passwords lead to security problems.
– Often barred by firewalls.

IP Security (IPsec)
– Standard in IPv6, optional in IPv4.
– Provides security at the network layer.
– Internet Key Exchange (IKE) protocol.
– Tunnel mode: supports portal-to-portal.
– Transport mode: supports end-to-end.

Secure Socket Layer (SSL)
– Above the TCP transport protocol; commonly used (https).
– OpenVPN: encrypts the entire TCP/IP network stack.
– SSL VPN: secure web access.
– Supports all common cryptographic algorithms:
  » Asymmetric ciphers: RSA, Diffie-Hellman
  » Symmetric ciphers: DES, Triple DES, AES
  » Hash functions: MD5, SHA-1
– Public key for authentication and key exchange, symmetric key for encryption of data.

Research Issues

– IPSec/VPN security policy: correctness, conflict detection, and resolution (Zhi Fu et al., 2001)
– Management structure for ISPs (Braun et al., 2004)
– Implementation at gigabit level (Friend, 2004)

Q&A

Team Mystery Game