TRANSCRIPT
2/24/2000 Will Lennon1
Internet Security
Based on Learning Tree Course #468:
Internet and Intranet Security: A Comprehensive Introduction
February 20, 2001 Will Lennon2
Security Model: Objectives vs. Threats
Normal Flow: Information Source -> Information Destination
Each security objective is paired with the threat that defeats it:
• Authenticity vs. Masquerade
• Integrity vs. Modification
• Privacy vs. Interception
• Availability vs. Interruption
Authenticity vs. Masquerade
• Personal Authenticity (logins): deny access to unauthorized users
• Interior Authenticity (DHCP, IPSec): deny access to unauthorized hosts
• Exterior Authenticity (firewalls): deny outside access to internal services
Authenticity vs. Masquerade
3 ways to establish personal identity:
• Something you know (passwords)
• Something you have (keys)
• Something you are (biometrics)
Personal Authenticity vs. Masquerade
Password attacks:
• Guessing (spouse, pets, child)
• Cracking passwords (dictionary attacks)
• Snooping passwords (network analyzers)
• Social Engineering (deception)
• Trojan Horses
Personal Authentication methods
• One-time lists
• Repeated hashing (S/Key, OPIE)
• Electronic tokens
• Challenge-Response schemes (CHAP)
Interior Authentication: IPSec
• Generic security mechanism at the IP layer (a mandatory part of IPv6, also available for IPv4)
• A security association (SA) is created between the two parties
• Provides privacy (encryption) services as well as authentication
• Included in most modern O.S.s
Exterior Authentication: Firewalls
Packet Filters
• Stateless Packet Filters
• Stateful Packet Filters
Proxies
• Application Proxy
• Circuit-Level Gateways
Sanity Check
A Router joins Network 1 (147.117.xx.xx) and Network 2 (192.168.88.xx). Before any other rule, it checks that a packet's source address is consistent with the interface it arrived on:
• From: 192.168.88.11  To: 192.168.88.33, arriving from the Network 1 side -> Insane: blocked (a Network 2 address cannot legitimately come from outside Network 2; the source is forged)
• From: 147.117.32.65  To: 192.168.88.33, arriving from the Network 1 side -> Sane: pass
Stateless Packet Filters
The Router between Network 1 (147.117.xx.xx) and Network 2 (192.168.88.xx) applies per-service rules to each packet on its own:
• Telnet (port 23): Block
• SMTP (port 25): Pass
Stateless Packet Filter Refinements: TCP
• Block incoming TCP packets without the ACK flag set, to block connections initiated by external hosts (only the opening SYN of a connection lacks ACK; every later segment carries it)
• Doesn't work for UDP (no handshake, no flags to inspect)
TCP Handshake: Client -> Server: SYN; Server -> Client: SYN + ACK; Client -> Server: ACK
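The three filtering ideas above (the sanity check on source addresses, the per-port Telnet/SMTP rules, and the TCP ACK refinement with its UDP blind spot) in one stateless filter, as an added example written for this transcript rather than code from the course. The packet dicts, the `net1`/`net2` interface names and the choice that ports without an explicit rule fall back to the ACK test are assumptions of the example:

```python
"""Stateless packet filter for the slides' router between Network 1
(147.117.xx.xx, the outside) and Network 2 (192.168.88.xx, the inside).
Added example, not part of the course material; packets are plain dicts
constructed below, no real traffic is read."""
from ipaddress import ip_address, ip_network

NET1 = ip_network("147.117.0.0/16")   # outside ("147.117.xx.xx")
NET2 = ip_network("192.168.88.0/24")  # inside  ("192.168.88.xx")

# Per-service rules for packets entering Network 2 from Network 1.
# Ports without an explicit rule fall back to the TCP ACK refinement below.
PORT_RULES = {23: "block", 25: "pass"}   # Telnet blocked, SMTP allowed


def sanity_check(pkt):
    """Anti-spoofing: the source address must be consistent with the
    interface the packet arrived on. An inside address cannot legitimately
    arrive on the outside interface, and vice versa."""
    src = ip_address(pkt["src"])
    if pkt["iface"] == "net1" and src in NET2:
        return False
    if pkt["iface"] == "net2" and src in NET1:
        return False
    return True


def filter_packet(pkt):
    """Decide 'pass'/'block' for a single packet with no memory of earlier
    packets. Returns (verdict, reason)."""
    if not sanity_check(pkt):
        return "block", "insane: source address does not belong on the arrival interface"
    if pkt["iface"] == "net2":
        return "pass", "outbound traffic is not filtered in this example"

    rule = PORT_RULES.get(pkt["dport"])
    if rule is not None:
        return rule, f"explicit rule for port {pkt['dport']}"

    if pkt["proto"] == "tcp":
        # Refinement: every TCP segment except the opening SYN carries ACK.
        # Passing only ACK-bearing segments admits replies to connections that
        # inside hosts opened, while refusing connections opened from outside.
        if "ACK" in pkt["flags"]:
            return "pass", "TCP segment with ACK: part of an inside-initiated connection"
        return "block", "TCP SYN without ACK: connection initiated from outside"

    # UDP has no handshake and no flags, so the ACK refinement cannot be
    # applied; without an explicit rule the packet is dropped.
    return "block", f"{pkt['proto']} without an explicit port rule (no ACK refinement possible)"


def make_packet(iface, src, dst, proto, dport, flags=()):
    """Build the packet dicts used above (constructed, not captured)."""
    return {"iface": iface, "src": src, "dst": dst, "proto": proto,
            "dport": dport, "flags": set(flags)}


SAMPLE_PACKETS = [
    # Sanity check slide: inside source address arriving from the outside ...
    make_packet("net1", "192.168.88.11", "192.168.88.33", "tcp", 25, {"SYN"}),
    # ... and a genuine outside source
    make_packet("net1", "147.117.32.65", "192.168.88.33", "tcp", 25, {"SYN"}),
    # Stateless filter slide: Telnet blocked (SMTP passed above)
    make_packet("net1", "147.117.32.65", "192.168.88.33", "tcp", 23, {"SYN"}),
    # TCP refinement slide: reply traffic vs. externally initiated connection
    make_packet("net1", "147.117.32.65", "192.168.88.33", "tcp", 80, {"ACK"}),
    make_packet("net1", "147.117.32.65", "192.168.88.33", "tcp", 80, {"SYN"}),
    # UDP: nothing to key on but the port
    make_packet("net1", "147.117.32.65", "192.168.88.33", "udp", 53),
]


def run_filter(packets=SAMPLE_PACKETS):
    """Return the verdicts for a list of packets, in order."""
    return [filter_packet(p)[0] for p in packets]


if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        verdict, why = filter_packet(p)
        flags = ",".join(sorted(p["flags"])) or "-"
        print(f"{p['iface']:>4} {p['src']:>15} -> {p['dst']}:{p['dport']} "
              f"{p['proto']} {flags:8} {verdict:5} ({why})")
```

Note what the filter cannot see: a forged segment from outside with both SYN and ACK set passes the ACK test, and an inbound UDP datagram passes or fails on its port alone. Those gaps are exactly why the next slides move on to stateful filters and proxies.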
Problems with Stateless Packet Filtering
• IP Fragmentation (only the first fragment carries the TCP/UDP header, so later fragments cannot be matched on port numbers)
• Protocols with variable port numbers (e.g. the FTP data connection)
• Non-standard use of standard ports (the port number says nothing about what is actually being carried)
Circuit-Level Gateway
1: Inside Host connects to a TCP port on the Gateway
2: Gateway connects to the Outside Host
3: Gateway passes messages transparently between the two connections
The Outside Host sees only the Gateway's address; there is never a direct connection between Inside Host and Outside Host.
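A minimal circuit-level gateway implementing the three steps above, added here as an example and not taken from the course. It is a plain TCP relay that never looks inside the byte stream. To be runnable offline, the "Outside Host" is a small echo server on 127.0.0.1 started by the same script; the port numbers are chosen by the OS and nothing about the addresses is from the slides.

```python
"""Minimal circuit-level gateway (TCP relay) for the slide's three steps.
Added example, not course code. Everything runs on 127.0.0.1 so it can be
exercised offline: one thread plays the Outside Host, another the Gateway."""
import socket
import threading


def _pump(src, dst):
    """Copy bytes src -> dst until src closes, then close dst's send side so
    the peer sees end-of-stream. The gateway never interprets the bytes."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class CircuitGateway:
    """Step 1: the inside host connects to our listening port.
    Step 2: we open our own TCP connection to the outside host.
    Step 3: we relay bytes in both directions without looking at them."""

    def __init__(self, outside_addr):
        self.outside_addr = outside_addr
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.bind(("127.0.0.1", 0))   # port 0: OS picks a free port
        self.listener.listen(5)
        self.port = self.listener.getsockname()[1]
        self.connections = 0   # inside hosts served so far

    def serve_one(self):
        inside, _ = self.listener.accept()                      # step 1
        outside = socket.create_connection(self.outside_addr)   # step 2
        self.connections += 1
        back = threading.Thread(target=_pump, args=(outside, inside), daemon=True)
        back.start()                                            # step 3, outside -> inside
        _pump(inside, outside)                                  # step 3, inside -> outside
        back.join()
        inside.close()
        outside.close()


def start_echo_server():
    """Stand-in for the Outside Host: echoes one connection, then exits."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        with conn:
            while True:
                data = conn.recv(4096)
                if not data:
                    break
                conn.sendall(data)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()


def demo(message=b"hello through the gateway"):
    """Inside Host -> Gateway -> Outside Host (echo) -> back. Returns the reply,
    which equals the message if the relay is transparent in both directions."""
    outside_addr = start_echo_server()
    gw = CircuitGateway(outside_addr)
    threading.Thread(target=gw.serve_one, daemon=True).start()
    with socket.create_connection(("127.0.0.1", gw.port)) as inside:
        inside.sendall(message)
        inside.shutdown(socket.SHUT_WR)   # done sending; now wait for the echo
        chunks = []
        while True:
            data = inside.recv(4096)
            if not data:
                break
            chunks.append(data)
    gw.listener.close()
    return b"".join(chunks)
```

Because the gateway only relays bytes, it can enforce who may connect where (it accepts on the inside and dials the outside itself) but not what is said on the circuit; content inspection is the job of an application proxy.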
Screened Subnet Topology (figure)
The Internet (WWW) connects through a Screening Router (Packet Filter) to the DMZ, which hosts the FTP Server, WWW Server, DWOS and a Proxy; the Internal Network sits behind the DMZ.
Chapman Architecture (figure)
Like the screened subnet above, but with two routers: an exterior Screening Router (Packet Filter) between the Internet (WWW) and the DMZ, and an interior Screening Router between the DMZ and the Internal Network. The DMZ holds the FTP Server, WWW Server, DWOS and a Bastion Host, the single hardened machine through which traffic between the two networks is allowed to pass.
Privacy vs. Interception
3 ways to maintain information privacy:
• Hide the existence -> steganography
• Hide the content -> access control
• Hide the meaning -> encryption
Cryptography / Encryption
Hello -> Encryptor (Key A) -> a#k3Wj -> Decryptor (Key B) -> Hello
Two types of cryptographic algorithms exist:
1) Secret Key (aka Symmetric): Key A == Key B. Examples: DES, 3DES, Blowfish, RC5, IDEA, Skipjack
2) Public Key (aka Asymmetric): Key A != Key B. Examples: RSA, DSA (DSA is a signature algorithm only; it does not encrypt)
Hash Functions (keyless, one-way): MD5, SHA
Public Key Encryption Example
Alice: "I want to send you a secret message."
Ahab: "Encrypt it with my public key: s6sd2KlUq."
Alice: "Here's the message: iqm3k2lsjesk"
Ahab: "Got it."
(Caveat: Ahab's public key travels over the same channel with nothing to vouch for it. Unless Alice can check it out of band or through a certificate, someone in the middle could substitute his own key, read the message, and re-encrypt it for Ahab.)
Virtual Private Networks (VPNs)
• A VPN is an encrypted tunnel through which all data passes between two endpoints
• Endpoints are usually firewalls
• Encryption technology varies; it is often negotiated using IPSec
Net 1 <-- VPN tunnel across the Internet --> Net 2
Integrity vs. Modification
Use a Hash Function to assure integrity: Message -> Hash Function -> Hash Sum
A Hash Sum or message digest is:
• data dependent (any change to the message changes the sum)
• irreversible (the message cannot be recovered from the sum)
• collision free (two different messages should never produce the same sum)
Cryptography for Personal Messages
Integrity and authenticity (digital signature):
  Message -> MD5 Hash -> Hash Sum -> Encrypt with Sender's Private Key -> Digital Signature
Privacy:
  Message -> Encrypt with Receiver's Public Key -> Encrypted Private Message
The receiver decrypts the message with his own private key, decrypts the signature with the sender's public key, and compares the result with a hash he computes himself; any mismatch means the message was modified or did not come from the sender.
(MD5 is no longer collision resistant; a current deployment would use SHA-2 here.)
Availability vs. Interruption
Bombs:
• Files that have undesirable behavior
Viruses:
• Designed to propagate themselves
• Limited to a particular OS or application
• Must be attached to another piece of software
Worms:
• Similar to viruses but are stand-alone software
Availability vs. Interruption
• Electro-Magnetic Pulse (EMP); HERF gun: High Energy Radiated Frequency
• Data Flood: -->traceOn("")
• Broadcast Storms: "Smurf Attack"
• Bombardment Attacks: SYN flood
• Duplicate IP Address problem
SYN Flood
TCP Handshake: Client -> Server: SYN; Server -> Client: SYN + ACK; Client -> Server: ACK
Server records a half-open connection, sends the SYN + ACK response, and waits for the client to acknowledge.
Client repeatedly sends SYN messages, usually with forged source addresses, and never sends the ACK message. The server's table of half-open connections quickly fills, and legitimate connection attempts are refused.
(Modern stacks counter this with SYN cookies, which let the server avoid storing state until the ACK arrives.)
Smurf Attack
Start: the Attack Station sends a Ping (ICMP echo request) To: 255.255.255.255 (a broadcast address) From: 1.2.3.4 (the forged address of the Victim), via one or more Relays.
Every Zombie host on the relay networks answers with a Ping Response To: 1.2.3.4 From: w.x.y.z.
The Victim at 1.2.3.4 is flooded with replies, one from every host that answered the broadcast.
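Detection logic for the two floods above (SYN flood and Smurf), run over constructed flow records, as an added example written for this transcript and not part of the course. It tracks half-open TCP connections per listener and flags both signs of a Smurf: an echo request aimed at a broadcast address (its source is the intended victim) and many distinct hosts answering one address. The record format, the rule that a destination ending in .255 is a broadcast, and the alert thresholds are assumptions of the example:

```python
"""Detection logic for the two floods on the slides, run over constructed
flow records. Added example, not course material: the record format, the
'.255 means broadcast' shortcut and the thresholds are assumptions."""
from collections import defaultdict

HALF_OPEN_LIMIT = 5      # assumption: half-open connections per listener before alerting
REPLY_SOURCES_LIMIT = 5  # assumption: distinct hosts answering one address before alerting


def is_broadcast(addr):
    """Assumes /24 subnets: x.y.z.255, or the limited broadcast address."""
    return addr == "255.255.255.255" or addr.endswith(".255")


def detect_syn_flood(records):
    """Track client-side TCP packets only. A bare SYN adds a half-open entry
    for (listener, client); a later ACK from the same client clears it.
    Listeners left with many half-open entries are returned as {"dst:port": count}."""
    half_open = defaultdict(set)
    for r in records:
        if r["proto"] != "tcp":
            continue
        listener = (r["dst"], r["dport"])
        client = (r["src"], r["sport"])
        flags = set(r["flags"].split(","))
        if flags == {"SYN"}:
            half_open[listener].add(client)
        elif "ACK" in flags:
            half_open[listener].discard(client)   # handshake completed
    return {f"{dst}:{dport}": len(clients)
            for (dst, dport), clients in half_open.items()
            if len(clients) >= HALF_OPEN_LIMIT}


def detect_smurf(records):
    """Two signals: an echo request aimed at a broadcast address (its source
    address is the victim), and many distinct hosts sending echo replies to
    one address (the amplified flood as the victim's network sees it)."""
    findings = []
    reply_sources = defaultdict(set)
    for r in records:
        if r["proto"] != "icmp":
            continue
        if r["type"] == "echo-request" and is_broadcast(r["dst"]):
            findings.append(("broadcast-ping", r["src"], r["dst"]))
        elif r["type"] == "echo-reply":
            reply_sources[r["dst"]].add(r["src"])
    for dst, sources in reply_sources.items():
        if len(sources) >= REPLY_SOURCES_LIMIT:
            findings.append(("reply-flood", dst, len(sources)))
    return findings


def tcp(src, sport, dst, dport, flags):
    return {"proto": "tcp", "src": src, "sport": sport, "dst": dst, "dport": dport, "flags": flags}


def icmp(src, dst, kind):
    return {"proto": "icmp", "src": src, "dst": dst, "type": kind}


# Constructed sample traffic (not a capture).
SAMPLE = [
    # A legitimate SMTP client completes its handshake ...
    tcp("147.117.32.65", 40001, "192.168.88.33", 25, "SYN"),
    tcp("147.117.32.65", 40001, "192.168.88.33", 25, "ACK"),
    # ... while six forged sources send SYNs to the same listener and never ACK
    *[tcp(f"10.99.{i}.7", 1024 + i, "192.168.88.33", 25, "SYN") for i in range(6)],
    # One ordinary web connection on another listener
    tcp("147.117.32.66", 40002, "192.168.88.33", 80, "SYN"),
    tcp("147.117.32.66", 40002, "192.168.88.33", 80, "ACK"),
    # Smurf: ping to a directed broadcast with the victim's address as source,
    # then every host on that subnet replies to the victim
    icmp("1.2.3.4", "10.9.8.255", "echo-request"),
    *[icmp(f"10.9.8.{i}", "1.2.3.4", "echo-reply") for i in range(1, 6)],
]


def analyse(records=SAMPLE):
    """Run both detectors and return their findings together."""
    return {"syn_flood": detect_syn_flood(records), "smurf": detect_smurf(records)}


if __name__ == "__main__":
    for name, result in analyse().items():
        print(name, result)
```

On the sample traffic the SMTP listener is reported with six half-open connections while the web listener, whose client finished its handshake, is not; the forged sources in the SYN flood are exactly why the sanity check on the earlier router slide matters, since a router that drops packets whose source cannot belong to the arrival interface removes a large share of this traffic before it reaches the server.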