Network Security 網路安全

Lecture 01, February 22, 2006

洪國寶

Outline

• Course information
• Motivation
• Introduction to security
• Basic network concepts
• Network security models
• Outline of the course

Course information (1/6)

• Instructor: Professor Gwoboa Horng
• Basic assumption
  It is assumed that students in this course have a basic understanding of complexity theory. Some knowledge of modular arithmetic will be helpful but not required.
• Course web page: http://ailab.cs.nchu.edu.tw/course/NetworkSecurity/94b/main.htm

Course information (2/6)

• Textbook
  – Cryptography and Network Security, 4/E by William Stallings, Prentice Hall, 2006
  – Cryptography and Network Security: Principles and Practices, 3/E by W. Stallings, Prentice Hall, 2003. (開發圖書公司)
  – Textbook web page: http://williamstallings.com/Crypto/Crypto4e.html

Course information (3/6)

• Reference books
  – 近代密碼學及其應用 (Modern Cryptography and Its Applications), 賴溪松、韓亮、張真誠, 松崗
  – 旗標出版社

Course information (4/6)

• The objective of this course is to examine both the principles and practice of cryptography and computer network security.
• Our focus is on Internet Security, which consists of measures to deter, prevent, detect, and correct security violations that involve the transmission of information.
• The course material is of use to computer and communication engineers who are interested in embedding security into an information system.

Course information (5/6)

• This class is
  – Not a lab or programming course
  – Not a math course, either

Course information (6/6)

• Grading (Tentative)
  – Homework 15%
    (You may collaborate when solving the homework; however, when writing up the solutions you must do so on your own. No typed or printed assignments.)
  – Project 20% (Presentation and/or paper required)
  – Midterm exam 25% (Open textbook and notes)
  – Final exam 30% (Open textbook and notes)
  – Class participation 10%

Outline

• Course information
• Motivation
• Introduction to security
• Basic network concepts
• Network security models
• Outline of the course

Motivation (1/10)

• Some real examples

Motivation (2/10) to (9/10)

(image-only slides; only their headings survive in the extracted text)

Motivation (10/10)

• Hacker intrusion• Password compromise (access control)• Spam/hoax (data integrity)• Program security• Virus • Denial of service

Outline

• Course information
• Motivation
• Introduction to security
• Basic network concepts
• Network security models
• Outline of the course

Background

• Information Security requirements have changed in recent times
• traditionally provided by physical and administrative mechanisms
• computer use requires automated tools to protect files and other stored information
• use of networks and communications links requires measures to protect data during transmission

Definitions

• Computer Security - generic name for the collection of tools designed to protect data and to thwart hackers
• Network Security - measures to protect data during their transmission
• Internet Security - measures to protect data during their transmission over a collection of interconnected networks

Security Trends

(figure slide; no extractable text)

Security Goals

• The goal of security is to institute controls that preserve
  – secrecy: assets are accessible only by authorized parties;
  – integrity: assets can be modified only by authorized parties;
  – availability: assets are available to authorized parties.

Security Goals

(figure: the three goals drawn as a triangle)
Integrity
Confidentiality
Availability

Services, Mechanisms, Attacks

• need systematic way to define requirements
• consider three aspects of information security:
  – security attack
  – security mechanism
  – security service
• consider in reverse order

Security Service

– is something that enhances the security of the data processing systems and the information transfers of an organization
– intended to counter security attacks
– make use of one or more security mechanisms to provide the service
– replicate functions normally associated with physical documents
  • eg. have signatures, dates; need protection from disclosure, tampering, or destruction; be notarized or witnessed; be recorded or licensed

Security Mechanism

• a mechanism that is designed to detect, prevent, or recover from a security attack
• no single mechanism that will support all functions required
• however one particular element underlies many of the security mechanisms in use: cryptographic techniques
• hence our focus on this area

Security Attack

• any action that compromises the security of information owned by an organization
• information security is about how to prevent attacks, or failing that, to detect attacks on information-based systems
• have a wide range of attacks
• can focus on generic types of attacks
• note: often threat & attack mean the same

OSI Security Architecture

• ITU-T X.800 Security Architecture for OSI
• defines a systematic way of defining and providing security requirements
• for us it provides a useful, if abstract, overview of concepts we will study

Security Services

• X.800 defines it as: a service provided by a protocol layer of communicating open systems, which ensures adequate security of the systems or of data transfers
• RFC 2828 defines it as: a processing or communication service provided by a system to give a specific kind of protection to system resources
• X.800 defines it in 5 major categories

Security Services (X.800)

• Authentication - assurance that the communicating entity is the one claimed
• Access Control - prevention of the unauthorized use of a resource
• Data Confidentiality - protection of data from unauthorized disclosure
• Data Integrity - assurance that data received is as sent by an authorized entity
• Non-Repudiation - protection against denial by one of the parties in a communication

Security Services (X.800)

(five further slides under this heading; no extractable text)

Security Mechanisms (X.800)

• Specific security mechanisms: May be incorporated into the appropriate protocol layer in order to provide some of the OSI security services.
  – encipherment, digital signatures, access controls, data integrity, authentication exchange, traffic padding, routing control, notarization
• Pervasive security mechanisms: Mechanisms that are not specific to any particular OSI security service or protocol layer.
  – trusted functionality, security labels, event detection, security audit trails, security recovery

Security Mechanisms (X.800): Specific security mechanisms

(three slides; no extractable text)

Security Mechanisms (X.800): Pervasive security mechanisms

(two slides; no extractable text)


Security Attacks

(figure slide; no extractable text)

Security Attacks

• Interruption: This is an attack on availability
• Interception: This is an attack on confidentiality
• Modification: This is an attack on integrity
• Fabrication: This is an attack on authenticity


Classify Security Attacks as

• passive attacks - eavesdropping on, or monitoring of, transmissions to:
  – obtain message contents, or
  – monitor traffic flows
• active attacks - modification of data stream to:
  – masquerade of one entity as some other
  – replay previous messages
  – modify messages in transit
  – denial of service
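The X.800 services listed earlier (data integrity, authentication) and three of the active-attack classes just named (modification, masquerade, replay) can be made concrete with a receiver that checks a message authentication code and a sequence number before accepting anything. The Python below is an added example written for this transcript; it is not code from the lecture or from the Stallings textbook. The shared key, the wire format (a JSON payload, a "|" separator and a hex HMAC-SHA256 tag) and the scenario messages are all constructed for illustration.

```python
import hashlib
import hmac
import json

# Shared secret between sender and receiver (constructed for this example; in
# practice it would come from a key-establishment protocol, not a literal).
SHARED_KEY = b"example-shared-key-for-lecture-01"


def build_message(key: bytes, seq: int, body: str) -> bytes:
    """Sender side: serialise (seq, body) and append an HMAC-SHA256 tag.

    The tag provides data integrity and origin authentication (only a holder
    of the key can produce it); the sequence number lets the receiver detect
    replay.  Constructed wire format: <json payload>|<hex tag>
    """
    payload = json.dumps({"seq": seq, "body": body}, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    return payload + b"|" + tag


class Receiver:
    """Receiver side: accepts only authentic, fresh messages and logs a verdict."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.last_seq = -1
        self.log: list[tuple[str, str]] = []  # (verdict, reason), an audit trail

    def accept(self, wire: bytes):
        payload, sep, tag = wire.rpartition(b"|")
        if not sep:
            self.log.append(("reject", "malformed message"))
            return None
        expected = hmac.new(self.key, payload, hashlib.sha256).hexdigest().encode()
        # Constant-time comparison so timing does not reveal how many tag bytes matched.
        if not hmac.compare_digest(expected, tag):
            # Covers both modification of a genuine message and fabrication
            # (masquerade) by a party that does not hold the key.
            self.log.append(("reject", "bad tag: modified or fabricated"))
            return None
        msg = json.loads(payload)
        if msg["seq"] <= self.last_seq:
            # Authentic but stale: a replay of an earlier message.
            self.log.append(("reject", f"replay of seq {msg['seq']}"))
            return None
        self.last_seq = msg["seq"]
        self.log.append(("accept", f"seq {msg['seq']}"))
        return msg["body"]


def run_scenario() -> list[str]:
    """Deliver one genuine, one replayed, one tampered, one fabricated and one
    further genuine message; return the receiver's verdicts in order."""
    rx = Receiver(SHARED_KEY)
    m1 = build_message(SHARED_KEY, 1, "pay 10")
    m2 = build_message(SHARED_KEY, 2, "pay 20")
    tampered = m2.replace(b"pay 20", b"pay 99")             # modification in transit
    forged = build_message(b"attacker-guess", 3, "pay 500")  # masquerade without the key
    for wire in (m1, m1, tampered, forged, m2):
        rx.accept(wire)
    return [verdict for verdict, _ in rx.log]


if __name__ == "__main__":
    for verdict in run_scenario():
        print(verdict)
```

Note what the check does not cover: an eavesdropper still reads every body, so interception (the passive attack on confidentiality) needs encipherment as well, and denial of service is untouched by any per-message check. That is the slide's point that no single mechanism supports every service.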

Passive Attacks

(figure slide; no extractable text)

Active Attacks

(figure slide; no extractable text)

Examples of security attacks

(two figure slides; no extractable text)

• Social engineering
• Impersonation

Outline

• Course information
• Motivation
• Introduction to security
• Basic network concepts
• Network security models
• Outline of the course

Advantages of computer networks

• Resource sharing
• Increased reliability
• Distributing the workload
• Expandability

Network concepts

• Terminology: node, host, link, terminal
• Media: cable, optical fiber, microwave
• Type of network: LAN, WAN, internet
• Topology: common bus, star or hub, ring
• Protocol: ISO reference model, TCP/IP

The Physical Organization of Networks

• Node: The generic name given to all devices hooked up to a network.
  – Each node must have a unique address assigned to it by the network.
  – Networks are either direct-connected or not directly linked.
    • Direct-connected network: Those whose nodes have direct connections through either physical or wireless links.
      – Point-to-point: Simplest version of direct-connected network. Connecting two computing systems.
        » Example of point to point: Home to ISP.
    • Example of a network that is not directly linked: Internet.

The Physical Organization of Networks

Linking nodes:
• The bus network -
  – A continuous coaxial cable to which all the devices are attached.
  – All nodes can detect all messages sent along the bus.
• The ring network -
  – Nodes linked together to form a circle.
  – A message sent out from one node is passed along to each node in between until the target node receives the message.

The Physical Organization of Networks

Linking nodes:
• The star network -
  – Each node is linked to a central node.
  – All messages are routed through the central node, which delivers them to the proper node.
• The tree network - (hierarchical network)
  – Looks like an upside-down tree where end nodes are linked to interior nodes that allow linking through to another end node.

The Physical Organization of Networks

Linking nodes:
• The fully connected network -
  – All nodes are connected to all other nodes.
• Internetworking -
  – Connecting together any number of direct-connected networks.
  – The largest: Internet.

The Physical Organization of Networks

• Categorizing networks according to size:
  – DAN (Desk Area Network)
  – LAN (Local Area Network)
  – MAN (Metropolitan Area Network)
  – WAN (Wide Area Network)

The Physical Organization of Networks

• DAN (Desk Area Network)
  – Making all components of a desktop computer available to other computers on the network.
    • CPU - Unused computing power can be used by other computers on the network.
    • Hard Disk - Items stored can be accessed by others or items may be placed on the hard drive from other computers.
    • Video Display - Alert messages can be sent to the computer’s display.
    • Other items - Other devices connected to the computer might be needed by others connected to the network.

The Physical Organization of Networks

• LAN (Local Area Network)
  – A collection of nodes within a small area.
  – The nodes are linked in a bus, ring, star, tree, or fully connected topology network configuration.
  – Benefits of LANs:
    • Sharing of hardware resources.
    • Sharing of software and data.
    • Consolidated wiring/cabling.
    • Simultaneous distribution of information.
    • More efficient person-to-person communication.

The Physical Organization of Networks

• MAN (Metropolitan Area Network)
  – Consists of many local area networks linked together.
  – Spans the distance of just a few miles.
• WAN (Wide Area Network)
  – Consists of a number of computer networks including LANs.
  – Connected by many types of links.

Software Architecture of Networks

• Problem:
  – Connect several different machines running different operating systems (Windows, OS/2, MacOS, UNIX, VMS...)
  – Now, try to: send email, data or files between them.
• Solution:
  – Create a standardized set of rules, or protocols, that, when followed, will allow an orderly exchange of information.
  – A collection of these programs is called a protocol suite.
    • Must be on all computers or nodes in the network.
    • In order to send data over the network, the necessary programs must be executed.

The concept of protocol layering

• The OSI seven layer model
• TCP/IP

Protocol Hierarchies

• Protocols are stacked vertically as series of ‘layers’.
• Each layer offers services to layer above through an interface, shielding implementation details.
• Layer n on one machine communicates with layer n on another machine (they are peer processes/entities) using Layer n Protocol.
• The entire hierarchy is called a protocol stack
  – e.g. the TCP/IP protocol stack

Services and Protocols

• Service = set of primitives provided by one layer to layer above.
• Service defines what layer can do (but not how it does it).
• Protocol = set of rules governing data communication between peer entities, i.e. format and meaning of frames/packets.

Layers, Protocols & Interfaces

(figure) Two machines, each drawn as a stack: Layer 1, Layer 2, ..., Layer n. Between adjacent layers on one machine sits an interface (the Layer 1/2 interface, the Layer 2/3 interface, ..., the Layer n-1/n interface, the Layer n/n+1 interface). Layer 1 on one machine talks to Layer 1 on the other under the Layer 1 protocol, Layer 2 to Layer 2 under the Layer 2 protocol, and Layer n to Layer n under the Layer n protocol; only the two Layer 1 entities are joined by the physical communications medium.

Layering Principles

(figure) On each side an (n+1) entity, the service user, sits above an (n) entity, the service provider. The two (n+1) entities exchange (n+1)-PDUs under the Layer n+1 protocol. To send one, the (n+1) entity passes it down through a Layer n Service Access Point (SAP) as an SDU; the (n) entity wraps it into an (n)-PDU and exchanges that with its peer under the Layer n protocol.

PDU - Protocol Data Unit
SDU - Service Data Unit

The OSI Reference Model

• OSI Reference Model – an internationally standardised network architecture.
• An abstract representation of an ideal network protocol stack; not used in real networks.
• OSI = Open Systems Interconnection.
• Specified in ISO 7498-1.
• Model has 7 layers.

Services in the OSI Model

• In the OSI model, each layer provides services to the layer above, and ‘consumes’ services provided by the layer below.
• Active elements in a layer are called entities.
• Entities in the same layer in different machines are called peer entities.

The OSI Model

Layer 7: Application Layer
Layer 6: Presentation Layer
Layer 5: Session Layer
Layer 4: Transport Layer
Layer 3: Network Layer
Layer 2: Data Link Layer
Layer 1: Physical Layer

Lower/Upper Layers

• Layers 1-4 often referred to as lower layers.
• Layers 5-7 are the upper layers.
• Lower layers relate more closely to the communications technology.
• Layers 1 – 3 manage the communications subnet.
  – the entire set of communications nodes required to manage comms. between a pair of machines.
• Layers 4 – 7 are true ‘end-to-end’ protocols.
• Upper layers relate to application.

Layer 7: Application Layer

• Home to wide variety of protocols for specific user needs, e.g.:
  – virtual terminal service,
  – file transfer,
  – electronic mail,
  – directory services.

Layer 6: Presentation Layer

• Concerned with representation of transmitted data.
• Deals with different data representations.
  – ASCII or EBCDIC,
  – one’s complement or two’s complement,
  – byte ordering conventions,
  – floating point conventions (IEEE or proprietary).
• Also deals with data compression.

Layer 5: Session Layer

• Allows establishment of sessions between machines, e.g. to
  – allow remote logins
  – provide file transfer service.
• Responsible for:
  – dialogue control
    • which entity sends when with half-duplex communications.
  – token management
    • E.g. control which entity can perform an operation on shared data.
  – synchronisation
    • E.g. insertion of checkpoints in large data transfers.

Layer 4: Transport Layer

• Basic function is to take data from Session Layer, split it up into smaller units, and ensure that the units arrive correctly.
• Concerned with efficient provision of service.
  – maybe multiple connections per session or multiple sessions per connection.
• The Transport Layer also determines the ‘type of service’ to provide to the Session Layer.
  – most commonly, error-free, point-to-point, with guarantee of correct ordering of data.
  – could be transport of isolated messages only (no ordering guarantees) or broadcast.

Layer 3: Network Layer

• Provides uniform addressing scheme for network addresses.
• Shields upper layers from details of lower layers.
• A key responsibility is control of routing.
• Routing can be based on:
  – static tables,
  – determined at start of session,
  – highly dynamic (varying for each packet depending on network load).
• Also responsible for congestion control and usage monitoring.

Layer 2: Data Link Layer

• Provides reliable, error-free service on top of raw Layer 1 service.
  – corrects errors at the ‘bit’ level.
• Breaks data into frames.
  – requires creation of frame boundaries using special bit sequences.
• Frames used to manage errors via acknowledgements and selective frame retransmission.
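The "special bit sequences" that mark frame boundaries are normally a flag pattern combined with bit stuffing, which guarantees the flag can never occur inside a frame's payload, whatever bytes the upper layer hands down. The Python below is an added example for this transcript, not from the lecture; it assumes the HDLC-style flag 01111110 and represents bit streams as strings of '0' and '1' characters so the stuffing is visible.

```python
FLAG = "01111110"  # HDLC-style frame delimiter (assumed convention for this example)


def bytes_to_bits(data: bytes) -> str:
    return "".join(f"{byte:08b}" for byte in data)


def bits_to_bytes(bits: str) -> bytes:
    if len(bits) % 8:
        raise ValueError("payload is not a whole number of octets")
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))


def stuff(bits: str) -> str:
    """Insert a 0 after every run of five consecutive 1s.

    After stuffing, the payload never contains six 1s in a row, so the flag
    pattern (six 1s between two 0s) cannot occur inside it.
    """
    out, ones = [], 0
    for bit in bits:
        out.append(bit)
        if bit == "1":
            ones += 1
            if ones == 5:
                out.append("0")
                ones = 0
        else:
            ones = 0
    return "".join(out)


def unstuff(bits: str) -> str:
    """Remove the 0 that follows every run of five 1s (inverse of stuff)."""
    out, ones, i = [], 0, 0
    while i < len(bits):
        bit = bits[i]
        out.append(bit)
        if bit == "1":
            ones += 1
            if ones == 5:
                i += 1  # the next bit must be the stuffed 0
                if i < len(bits) and bits[i] != "0":
                    raise ValueError("six consecutive 1s inside a frame")
                ones = 0
        else:
            ones = 0
        i += 1
    return "".join(out)


def frame(payload: bytes) -> str:
    """Layer 2 sender: flag + stuffed payload bits + flag."""
    return FLAG + stuff(bytes_to_bits(payload)) + FLAG


def deframe(stream: str) -> list:
    """Layer 2 receiver: split the bit stream on the flag and unstuff each frame."""
    frames = []
    for chunk in stream.split(FLAG):
        if chunk:  # empty chunks come from back-to-back flags
            frames.append(bits_to_bytes(unstuff(chunk)))
    return frames


if __name__ == "__main__":
    # Constructed payload: contains the flag byte 0x7E and a run of eight 1s.
    payload = b"\xff\x7e\x00"
    print(stuff(bytes_to_bits(payload)))
    print(deframe(frame(payload) + frame(b"hello")))
```

Splitting on the flag is safe because any occurrence of six consecutive 1s on the line can only be a flag; the receiver therefore recovers frame boundaries without trusting anything inside the payload, which is the property a link layer needs before it can even begin checking frames for errors.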

Layer 1: Physical Layer

• Concerned with bit transmission over physical channel.
• Issues include:
  – definition of 0/1,
  – whether channel simplex/duplex,
  – connector design.
• Mechanical, electrical, procedural matters.

Internet Protocols vs OSI

(figure: the two stacks side by side)

OSI                  Internet
7  Application       Application
6  Presentation      Application
5  Session           Application
4  Transport         TCP
3  Network           IP
2  Data Link         Network Interface
1  Physical          Hardware


84

Internet Protocols

• The Architecture of the Internet
– Four-layer architecture:
  Application: FTP, HTTP, NV, TFTP
  Transport: TCP, UDP
  Internet: IP
  Network interface: Network #1, Network #2, ..., Network N


85

TCP/IP Protocol Layering

Host A and Host B run the same four-layer stack over the Physical Network; each layer exchanges its own unit of data with the peer layer on the other host:

  Host A                     unit exchanged     Host B
  Application Layer          Message            Application Layer
  Transport Layer            Packet             Transport Layer
  Internet Layer             Datagram           Internet Layer
  Network Interface Layer    Frame              Network Interface Layer
                       Physical Network


86

Protocol Layering and Routing

Host A's HTTP Message goes down through its Transport Layer (TCP Packet), Internet Layer (IP Datagram) and Network Interface, which puts it into an Ethernet Frame on the first Physical Network. The Router has only the Internet Layer and Network Interface: it takes the IP Datagram out of the incoming Ethernet Frame, forwards it at the Internet Layer, and places it in a new Ethernet Frame on the second Physical Network. Host B reverses the steps up to its Application Layer.

  Host A              Router                Host B
  Application Layer                         Application Layer   (HTTP Message)
  Transport Layer                           Transport Layer     (TCP Packet)
  Internet Layer      Internet Layer        Internet Layer      (IP Datagram)
  Network Interface   Network Interface     Network Interface   (Ethernet Frame)
      Physical Network      Physical Network
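The two layering slides above (encapsulation on the hosts, and the Router that works only up to the Internet Layer) plus the static routing table from the Network Layer slide, carried out in Python with the real header layouts. This is an added example, not the course's code: the MAC addresses, IP addresses, routing table and the HTTP request are constructed values, and the TCP checksum is left at zero so the block stays focused on the IP layer.

```python
"""TCP/IP encapsulation and one router hop, with the real Ethernet II, IPv4
and TCP header layouts packed by struct. Added example, not from the slides:
MAC addresses, IP addresses and the routing table are constructed values."""
import ipaddress
import struct

ETH_P_IP = 0x0800      # EtherType for IPv4
PROTO_TCP = 6


def ip_checksum(data: bytes) -> int:
    """IPv4 header checksum: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_packet(sport: int, dport: int, message: bytes) -> bytes:
    """Transport layer: 20-byte TCP header in front of the application message.
    TCP checksum stays 0 here; a real stack computes it over a pseudo-header."""
    header = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    return header + message


def build_ip_datagram(src: str, dst: str, payload: bytes, ttl: int = 64) -> bytes:
    """Internet layer: 20-byte IPv4 header (no options) with a valid checksum."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000,
                         ttl, PROTO_TCP, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return header[:10] + struct.pack("!H", ip_checksum(header)) + header[12:] + payload


def build_frame(src_mac: bytes, dst_mac: bytes, datagram: bytes) -> bytes:
    """Network interface layer: Ethernet II header (dst MAC, src MAC, EtherType)."""
    return dst_mac + src_mac + struct.pack("!H", ETH_P_IP) + datagram


def parse_frame(frame: bytes):
    """Strip the Ethernet header; returns (dst_mac, src_mac, ethertype, payload)."""
    return frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0], frame[14:]


def parse_ip(datagram: bytes) -> dict:
    """Decode the IPv4 header; checksum_ok is True only when the header is intact."""
    ihl = (datagram[0] & 0x0F) * 4
    f = struct.unpack("!BBHHHBBH4s4s", datagram[:20])
    return {"ttl": f[5], "proto": f[6],
            "src": str(ipaddress.IPv4Address(f[8])), "dst": str(ipaddress.IPv4Address(f[9])),
            "checksum_ok": ip_checksum(datagram[:ihl]) == 0,
            "payload": datagram[ihl:]}


# Static routing table (constructed): the longest matching prefix wins.
ROUTES = [("10.0.0.0/24", "eth0"), ("10.0.1.0/24", "eth1"), ("0.0.0.0/0", "eth2")]


def lookup_route(dst: str) -> str:
    addr = ipaddress.IPv4Address(dst)
    best = None
    for prefix, iface in ROUTES:
        net = ipaddress.IPv4Network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1]


def route(frame: bytes, router_mac: bytes, next_hop_mac: bytes):
    """What the Router box does: open the frame, work at the Internet layer
    only (validate, look up, decrement TTL, re-checksum), then re-frame.
    Returns (outgoing interface, new frame) or None when the datagram is dropped."""
    _, _, ethertype, datagram = parse_frame(frame)
    if ethertype != ETH_P_IP:
        return None
    info = parse_ip(datagram)
    if not info["checksum_ok"] or info["ttl"] <= 1:
        return None                    # corrupt header, or TTL expired
    header = bytearray(datagram[:20])  # options-free header, as built above
    header[8] -= 1                     # TTL is byte 8
    header[10:12] = b"\x00\x00"        # zero the checksum field before recomputing
    header[10:12] = struct.pack("!H", ip_checksum(bytes(header)))
    return lookup_route(info["dst"]), build_frame(router_mac, next_hop_mac,
                                                  bytes(header) + datagram[20:])
```

Note which fields the router touches: the Ethernet addresses are rewritten on every hop and the TTL and header checksum change, while everything from the IP addresses inward (the TCP packet and the HTTP message) passes through untouched, which is exactly the division of labour the diagram draws.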


87

Outline

• Course information
• Motivation
• Introduction to security
• Basic network concepts
• Network security models
• Outline of the course


88

Model for Network Communication Security


89

Model for Network Communication Security

• using this model requires us to:
– design a suitable algorithm for the security transformation
– generate the secret information (keys) used by the algorithm
– develop methods to distribute and share the secret information
– specify a protocol enabling the principals to use the transformation and secret information for a security service
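The four requirements just listed, made concrete in Python using only the standard library. This is an added example, not code from the lecture or textbook: the "security transformation" chosen here is an HMAC-SHA256 tag (a message authentication service, one of several services the model can provide), the trusted third party is a plain class that generates and hands out keys, and the principal names and messages are constructed.

```python
"""The communication security model in code: a trusted third party generates
and distributes the secret, the security transformation is an HMAC-SHA256 tag
over a sequence number and the message, and the protocol lets the receiver
reject anything that was modified or replayed in transit.
Added example using only the standard library; names and messages are constructed."""
import hashlib
import hmac
import secrets

TAG_LEN = 32   # bytes of HMAC-SHA256 output
SEQ_LEN = 8


class TrustedThirdParty:
    """Generates one fresh key per pair of principals and gives it to both
    (the 'generate' and 'distribute' steps of the model)."""

    def __init__(self):
        self._keys = {}

    def key_for(self, a: str, b: str) -> bytes:
        pair = tuple(sorted((a, b)))
        if pair not in self._keys:
            self._keys[pair] = secrets.token_bytes(32)
        return self._keys[pair]


def protect(key: bytes, seq: int, message: bytes) -> bytes:
    """Sender side of the security transformation: seq || message || tag."""
    header = seq.to_bytes(SEQ_LEN, "big")
    tag = hmac.new(key, header + message, hashlib.sha256).digest()
    return header + message + tag


class Receiver:
    """Receiver side of the protocol: verify the tag in constant time and
    require strictly increasing sequence numbers so a captured message
    cannot be replayed."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1

    def accept(self, wire: bytes):
        if len(wire) < SEQ_LEN + TAG_LEN:
            return None
        header, message, tag = wire[:SEQ_LEN], wire[SEQ_LEN:-TAG_LEN], wire[-TAG_LEN:]
        expected = hmac.new(self.key, header + message, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None                   # modified in transit, or wrong key
        seq = int.from_bytes(header, "big")
        if seq <= self.last_seq:
            return None                   # replayed or out of order
        self.last_seq = seq
        return message


def demo():
    """Genuine message accepted; a modified copy and a replay both rejected."""
    ttp = TrustedThirdParty()
    alice_key = ttp.key_for("alice", "bob")
    bob = Receiver(ttp.key_for("bob", "alice"))
    genuine = protect(alice_key, 1, b"pay carol 10")
    forged = genuine[:SEQ_LEN] + b"pay mallory" + genuine[-TAG_LEN:]
    return bob.accept(genuine), bob.accept(forged), bob.accept(genuine)
```

The tag covers the sequence number as well as the message, so the opponent cannot move a valid tag onto a different message or reuse an old message once the receiver has advanced; the key itself never crosses the channel, which is why the distribution step needs the trusted third party.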


90

Model for Network Access Security


91

Model for Network Access Security

• using this model requires us to:
– select appropriate gatekeeper functions to identify users
– implement security controls to ensure only authorised users access designated information or resources
• trusted computer systems can be used to implement this model
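The two requirements of the access model, a gatekeeper function that identifies users and a control that lets only authorised users reach a resource, in Python with the standard library. This is an added example, not code from the lecture: the password-based gatekeeper (salted PBKDF2-HMAC-SHA256) and the per-user permission table are one possible choice, and the user names, passwords and resources are constructed.

```python
"""The access security model in code: a gatekeeper that identifies users and
an access-control step that admits only authorised users to a resource.
Added example; users, passwords and the permission table are constructed."""
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 100_000
_DUMMY_SALT = bytes(16)


class Gatekeeper:
    def __init__(self):
        self._creds = {}   # user -> (salt, derived key); the password itself is never stored
        self._acl = {}     # user -> set of (resource, action)

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def enroll(self, user: str, password: str, permissions):
        salt = secrets.token_bytes(16)
        self._creds[user] = (salt, self._derive(password, salt))
        self._acl[user] = set(permissions)

    def authenticate(self, user: str, password: str) -> bool:
        """Gatekeeper function: identify the user. An unknown user still pays
        the derivation cost so response time does not reveal valid usernames."""
        rec = self._creds.get(user)
        if rec is None:
            self._derive(password, _DUMMY_SALT)
            return False
        salt, stored = rec
        return hmac.compare_digest(self._derive(password, salt), stored)

    def authorize(self, user: str, resource: str, action: str) -> bool:
        """Security control: deny by default, allow only listed permissions."""
        return (resource, action) in self._acl.get(user, set())


def access(gk: Gatekeeper, user: str, password: str, resource: str, action: str) -> str:
    """The model's two checks in order: who are you, then what may you do."""
    if not gk.authenticate(user, password):
        return "denied: authentication failed"
    if not gk.authorize(user, resource, action):
        return "denied: not authorised for this resource"
    return "granted"
```

Keeping identification and authorisation as two separate checks matters: a user who proves who they are still gets nothing unless the permission table says so, and the table is consulted for every request rather than once at login.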


92

Outline

• Course information
• Motivation
• Introduction to security
• Basic network concepts
• Network security models
• Outline of the course


93

Outline of the course

• Introduction (Chapter 1)
• Conventional encryption: classical techniques, modern techniques, algorithms, confidentiality using conventional encryption (Chapters 2—7)
• Public-key encryption and hash functions: public-key cryptography, number theory, message authentication and hash functions, hash and MAC algorithms, digital signatures and authentication protocols (Chapters 8—13)


94

Outline of the course (Cont.)

• Network security practice: authentication applications, electronic mail security, IP security, Web security, anonymous communications (Chapters 14—17)

• Wireless network security
• System security: intruders, viruses, and worms, firewalls (Chapters 18—20)


95

Summary

• have considered:
– computer, network, internet security def’s
– security services, mechanisms, attacks
– X.800 standard
– basic network concepts
– models for network (access) security