Network Security (網路安全)
Lecture 01, February 22, 2006
洪國寶 (Gwoboa Horng)
Outline
• Course information
• Motivation
• Introduction to security
• Basic network concepts
• Network security models
• Outline of the course
Course information (1/6)
• Instructor: Professor Gwoboa Horng
• Basic assumption: It is assumed that students in this course have a basic understanding of complexity theory. Some knowledge of modular arithmetic will be helpful but not required.
• Course web page: http://ailab.cs.nchu.edu.tw/course/NetworkSecurity/94b/main.htm
Course information (2/6)
• Textbook
– Cryptography and Network Security, 4/E by William Stallings, Prentice Hall, 2006
– Cryptography and Network Security: Principles and Practices, 3/E by W. Stallings, Prentice Hall, 2003. (開發圖書公司)
– Textbook web page: http://williamstallings.com/Crypto/Crypto4e.html
Course information (3/6)
• Reference books
– 近代密碼學及其應用 (Modern Cryptography and Its Applications), by 賴溪松、韓亮、張真誠, 松崗
– 旗標出版社
Course information (4/6)
• The objective of this course is to examine both the principles and practice of cryptography and computer network security.
• Our focus is on Internet Security which consists of measures to deter, prevent, detect, and correct security violations that involve the transmission of information.
• The course material is of use to computer and communication engineers who are interested in embedding security into an information system.
Course information (5/6)
• This class is
– Not a lab or programming course
– Not a math course, either
Course information (6/6)
• Grading (tentative)
– Homework 15% (You may collaborate when solving the homework; however, when writing up the solutions you must do so on your own. No typed or printed assignments.)
– Project 20% (presentation and/or paper required)
– Midterm exam 25% (open textbook and notes)
– Final exam 30% (open textbook and notes)
– Class participation 10%
Motivation (1/10)
• Some real examples
Motivation (2/10) to (9/10): slides showing the real examples (images only)
Motivation (10/10)
• Hacker intrusion• Password compromise (access control)• Spam/hoax (data integrity)• Program security• Virus • Denial of service
Background
• Information security requirements have changed in recent times
• Traditionally provided by physical and administrative mechanisms
• Computer use requires automated tools to protect files and other stored information
• Use of networks and communications links requires measures to protect data during transmission
Definitions
• Computer Security - generic name for the collection of tools designed to protect data and to thwart hackers
• Network Security - measures to protect data during their transmission
• Internet Security - measures to protect data during their transmission over a collection of interconnected networks
Security Trends (figure only)

Security Goals
• The goal of security is to institute controls that preserve
– secrecy: assets are accessible only by authorized parties;
– integrity: assets can be modified only by authorized parties;
– availability: assets are available to authorized parties.

Security Goals (figure: Confidentiality, Integrity, Availability)
Services, Mechanisms, Attacks
• need systematic way to define requirements
• consider three aspects of information security:
– security attack
– security mechanism
– security service
• consider in reverse order
Security Service
– is something that enhances the security of the data processing systems and the information transfers of an organization
– intended to counter security attacks
– make use of one or more security mechanisms to provide the service
– replicate functions normally associated with physical documents
• e.g. have signatures, dates; need protection from disclosure, tampering, or destruction; be notarized or witnessed; be recorded or licensed
Security Mechanism
• a mechanism that is designed to detect, prevent, or recover from a security attack
• no single mechanism that will support all functions required
• however one particular element underlies many of the security mechanisms in use: cryptographic techniques
• hence our focus on this area
Security Attack
• any action that compromises the security of information owned by an organization
• information security is about how to prevent attacks, or failing that, to detect attacks on information-based systems
• have a wide range of attacks
• can focus on generic types of attacks
• note: often threat & attack mean the same
OSI Security Architecture
• ITU-T X.800 Security Architecture for OSI
• defines a systematic way of defining and providing security requirements
• for us it provides a useful, if abstract, overview of concepts we will study
Security Services
• X.800 defines it as: a service provided by a protocol layer of communicating open systems, which ensures adequate security of the systems or of data transfers
• RFC 2828 defines it as: a processing or communication service provided by a system to give a specific kind of protection to system resources
• X.800 defines it in 5 major categories
Security Services (X.800)
• Authentication - assurance that the communicating entity is the one claimed
• Access Control - prevention of the unauthorized use of a resource
• Data Confidentiality - protection of data from unauthorized disclosure
• Data Integrity - assurance that data received is as sent by an authorized entity
• Non-Repudiation - protection against denial by one of the parties in a communication
Security Services (X.800): tables detailing the five categories (figures only)
Security Mechanisms (X.800)
• Specific security mechanisms: May be incorporated into the appropriate protocol layer in order to provide some of the OSI security services.
– encipherment, digital signatures, access controls, data integrity, authentication exchange, traffic padding, routing control, notarization
• Pervasive security mechanisms: Mechanisms that are not specific to any particular OSI security service or protocol layer.
– trusted functionality, security labels, event detection, security audit trails, security recovery
Security Mechanisms (X.800): tables detailing the specific and pervasive mechanisms (figures only)

Security Attacks (figure only)

Security Attacks
• Interruption: This is an attack on availability
• Interception: This is an attack on confidentiality
• Modification: This is an attack on integrity
• Fabrication: This is an attack on authenticity
Classify Security Attacks as
• passive attacks - eavesdropping on, or monitoring of, transmissions to:
– obtain message contents, or
– monitor traffic flows
• active attacks - modification of data stream to:
– masquerade of one entity as some other
– replay previous messages
– modify messages in transit
– denial of service
Passive Attacks (figure only)

Active Attacks (figure only)

Examples of security attacks (figures)
• Social engineering
• Impersonation
Advantages of computer networks
• Resource sharing
• Increased reliability
• Distributing the workload
• Expandability
Network concepts
• Terminology: node, host, link, terminal
• Media: cable, optical fiber, microwave
• Type of network: LAN, WAN, internet
• Topology: common bus, star or hub, ring
• Protocol: ISO reference model, TCP/IP
The Physical Organization of Networks
• Node: The generic name given to all devices hooked up to a network.
– Each node must have a unique address assigned to it by the network.
– Networks are either direct-connected or not directly linked.
• Direct-connected network: Those whose nodes have direct connections through either physical or wireless links.
– Point-to-point: Simplest version of direct-connected network. Connecting two computing systems.
» Example of point to point: Home to ISP.
• Example of a network that is not directly linked: Internet.
The Physical Organization of Networks
Linking nodes:
• The bus network
– A continuous coaxial cable to which all the devices are attached.
– All nodes can detect all messages sent along the bus.
• The ring network
– Nodes linked together to form a circle.
– A message sent out from one node is passed along to each node in between until the target node receives the message.
The Physical Organization of Networks
Linking nodes:
• The star network
– Each node is linked to a central node.
– All messages are routed through the central node, which delivers them to the proper node.
• The tree network (hierarchical network)
– Looks like an upside-down tree where end nodes are linked to interior nodes that allow linking through to another end node.
The Physical Organization of Networks
Linking nodes:
• The fully connected network
– All nodes are connected to all other nodes.
• Internetworking
– Connecting together any number of direct-connected networks.
– The largest: Internet.
The Physical Organization of Networks
• Categorizing networks according to size:
– DAN (Desk Area Network)
– LAN (Local Area Network)
– MAN (Metropolitan Area Network)
– WAN (Wide Area Network)
The Physical Organization of Networks
• DAN (Desk Area Network)
– Making all components of a desktop computer available to other computers on the network.
• CPU - Unused computing power can be used by other computers on the network.
• Hard Disk - Items stored can be accessed by others, or items may be placed on the hard drive from other computers.
• Video Display - Alert messages can be sent to the computer’s display.
• Other items - Other devices connected to the computer might be needed by others connected to the network.
The Physical Organization of Networks
• LAN (Local Area Network)
– A collection of nodes within a small area.
– The nodes are linked in a bus, ring, star, tree, or fully connected topology network configuration.
– Benefits of LANs:
• Sharing of hardware resources.
• Sharing of software and data.
• Consolidated wiring/cabling.
• Simultaneous distribution of information.
• More efficient person-to-person communication.
The Physical Organization of Networks
• MAN (Metropolitan Area Network)
– Consists of many local area networks linked together.
– Spans the distance of just a few miles.
• WAN (Wide Area Network)
– Consists of a number of computer networks including LANs.
– Connected by many types of links.
Software Architecture of Networks
• Problem:
– Connect several different machines running different operating systems (Windows, OS/2, MacOS, UNIX, VMS...)
– Now, try to: send email, data or files between them.
• Solution:
– Create a standardized set of rules, or protocols, that, when followed, will allow an orderly exchange of information.
– A collection of these programs is called a protocol suite.
• Must be on all computers or nodes in the network.
• In order to send data over the network, the necessary programs must be executed.
The concept of protocol layering
• The OSI seven layer model
• TCP/IP
Protocol Hierarchies
• Protocols are stacked vertically as a series of ‘layers’.
• Each layer offers services to the layer above through an interface, shielding implementation details.
• Layer n on one machine communicates with layer n on another machine (they are peer processes/entities) using the Layer n Protocol.
• The entire hierarchy is called a protocol stack
– e.g. the TCP/IP protocol stack
Services and Protocols
• Service = set of primitives provided by one layer to layer above.
• Service defines what layer can do (but not how it does it).
• Protocol = set of rules governing data communication between peer entities, i.e. format and meaning of frames/packets.
Layers, Protocols & Interfaces (figure): two machines, each with Layer 1, Layer 2, ... Layer n stacked over the physical communications medium; within a machine, adjacent layers meet at the Layer 1/2, Layer 2/3, ... Layer n-1/n and Layer n/n+1 interfaces; between machines, peer layers communicate using the Layer 1 protocol, Layer 2 protocol, ... Layer n protocol.
Layering Principles (figure): the (n+1) entity is the service user and the (n) entity is the service provider; the (n+1) PDU, exchanged by the Layer n+1 protocol, is passed through the Layer n Service Access Point (SAP) as an SDU and carried inside the n PDU by the Layer n protocol.
PDU - Protocol Data Unit
SDU - Service Data Unit
The OSI Reference Model
• OSI Reference Model - an internationally standardised network architecture.
• An abstract representation of an ideal network protocol stack; not used in real networks.
• OSI = Open Systems Interconnection.
• Specified in ISO 7498-1.
• Model has 7 layers.
Services in the OSI Model
• In the OSI model, each layer provides services to the layer above, and ‘consumes’ services provided by the layer below.
• Active elements in a layer are called entities.
• Entities in the same layer in different machines are called peer entities.
The OSI Model
Layer 7 - Application Layer
Layer 6 - Presentation Layer
Layer 5 - Session Layer
Layer 4 - Transport Layer
Layer 3 - Network Layer
Layer 2 - Data Link Layer
Layer 1 - Physical Layer
Lower/Upper Layers
• Layers 1-4 often referred to as lower layers.
• Layers 5-7 are the upper layers.
• Lower layers relate more closely to the communications technology.
• Layers 1 – 3 manage the communications subnet.
– the entire set of communications nodes required to manage comms. between a pair of machines.
• Layers 4 – 7 are true ‘end-to-end’ protocols.
• Upper layers relate to application.
Layer 7: Application Layer
• Home to a wide variety of protocols for specific user needs, e.g.:
– virtual terminal service,
– file transfer,
– electronic mail,
– directory services.
Layer 6: Presentation Layer
• Concerned with representation of transmitted data.
• Deals with different data representations.
– ASCII or EBCDIC,
– one’s complement or two’s complement,
– byte ordering conventions,
– floating point conventions (IEEE or proprietary).
• Also deals with data compression.
Layer 5: Session Layer
• Allows establishment of sessions between machines, e.g. to
– allow remote logins
– provide file transfer service.
• Responsible for:
– dialogue control
• which entity sends when with half-duplex communications.
– token management
• E.g. control which entity can perform an operation on shared data.
– synchronisation
• E.g. insertion of checkpoints in large data transfers.
Layer 4: Transport Layer
• Basic function is to take data from the Session Layer, split it up into smaller units, and ensure that the units arrive correctly.
• Concerned with efficient provision of service.
– maybe multiple connections per session or multiple sessions per connection.
• The Transport Layer also determines the ‘type of service’ to provide to the Session Layer.
– most commonly, error-free, point-to-point, with guarantee of correct ordering of data.
– could be transport of isolated messages only (no ordering guarantees) or broadcast.
Layer 3: Network Layer
• Provides uniform addressing scheme for network addresses.
• Shields upper layers from details of lower layers.
• A key responsibility is control of routing.
• Routing can be based on:
– static tables,
– determined at start of session,
– highly dynamic (varying for each packet depending on network load).
• Also responsible for congestion control and usage monitoring.
Layer 2: Data Link Layer
• Provides reliable, error-free service on top of raw Layer 1 service.
– corrects errors at the ‘bit’ level.
• Breaks data into frames.
– requires creation of frame boundaries using special bit sequences.
• Frames used to manage errors via acknowledgements and selective frame retransmission.
Layer 1: Physical Layer
• Concerned with bit transmission over physical channel.
• Issues include:
– definition of 0/1,
– whether channel simplex/duplex,
– connector design.
• Mechanical, electrical, procedural matters.
Internet Protocols vs OSI (figure)
OSI layers 7, 6, 5 (Application, Presentation, Session): Internet Application layer
OSI layer 4 (Transport): TCP
OSI layer 3 (Network): IP
OSI layer 2 (Data Link): Network Interface
OSI layer 1 (Physical): Hardware
Internet Protocols
• The Architecture of the Internet
– Four-layer architecture (figure): FTP, HTTP, NV and TFTP at the top; TCP and UDP below them; IP below those; and Network #1, Network #2, ... Network N at the bottom.
TCP/IP Protocol Layering (figure): Host A and Host B each have an Application Layer, Transport Layer, Internet Layer and Network Interface Layer over the Physical Network; the units exchanged between peer layers are the Message (application), Packet (transport), Datagram (internet) and Frame (network interface).
Protocol Layering and Routing (figure): Host A and Host B exchange an HTTP Message between their Application Layers and a TCP Packet between their Transport Layers; the Router between them has only Internet and Network Interface layers, and forwards the IP Datagram from one Physical Network to the other, each hop carried in its own Ethernet Frame.
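As an added example (not from the slides or from Stallings), here is a small Python model of the layering and routing shown in the two figures above: each layer prepends its own header to the SDU handed down by the layer above, the peer layer on the other host strips that header again, and the router in the middle re-frames the IP datagram without ever looking at the TCP packet or the HTTP message inside it. The header layouts, addresses, MAC values and the drop rule in route() are constructed for illustration and are not the real TCP, IP or Ethernet formats.

```python
import socket
import struct

# Constructed stand-in header layouts, one per layer (struct formats, network byte order).
# They are deliberately tiny; real TCP/IP/Ethernet headers carry far more fields.
TCP_FMT = "!HHI"      # source port, destination port, sequence number
IP_FMT = "!4s4sB"     # source address, destination address, protocol number
ETH_FMT = "!6s6sH"    # source MAC, destination MAC, ethertype

PROTO_TCP = 6          # IP protocol number for TCP
ETHERTYPE_IPV4 = 0x0800


def encapsulate(message: bytes, sport: int, dport: int, seq: int,
                src_ip: str, dst_ip: str, src_mac: bytes, dst_mac: bytes) -> bytes:
    """Sending host: walk an application-layer message down the stack."""
    # Transport layer: header + message (its SDU) = TCP packet.
    tcp_packet = struct.pack(TCP_FMT, sport, dport, seq) + message
    # Internet layer: header + TCP packet (its SDU) = IP datagram.
    ip_datagram = struct.pack(IP_FMT, socket.inet_aton(src_ip),
                              socket.inet_aton(dst_ip), PROTO_TCP) + tcp_packet
    # Network interface layer: header + IP datagram (its SDU) = Ethernet frame.
    return struct.pack(ETH_FMT, src_mac, dst_mac, ETHERTYPE_IPV4) + ip_datagram


def _split(fmt: str, pdu: bytes):
    """Strip one layer's header; return (header fields, SDU for the layer above)."""
    n = struct.calcsize(fmt)
    return struct.unpack(fmt, pdu[:n]), pdu[n:]


def decapsulate(frame: bytes) -> dict:
    """Receiving host: walk a frame back up the stack, one header per layer."""
    (src_mac, dst_mac, ethertype), ip_datagram = _split(ETH_FMT, frame)
    (src_ip, dst_ip, proto), tcp_packet = _split(IP_FMT, ip_datagram)
    (sport, dport, seq), message = _split(TCP_FMT, tcp_packet)
    return {
        "src_mac": src_mac, "dst_mac": dst_mac, "ethertype": ethertype,
        "src_ip": socket.inet_ntoa(src_ip), "dst_ip": socket.inet_ntoa(dst_ip),
        "proto": proto, "sport": sport, "dport": dport, "seq": seq,
        "message": message,
    }


def route(frame: bytes, router_mac: bytes, next_hop_mac: bytes) -> bytes:
    """Router: read the IP header, re-frame the datagram; never parse above layer 3.

    The only decision here (dropping an all-zero destination) is a constructed
    placeholder for a real forwarding-table lookup.
    """
    _, ip_datagram = _split(ETH_FMT, frame)              # remove the old frame header
    (_, dst_ip, _), _ = _split(IP_FMT, ip_datagram)      # peek at the IP header only
    if dst_ip == socket.inet_aton("0.0.0.0"):
        raise ValueError("unroutable destination")
    # The IP datagram (and everything inside it) is forwarded byte-for-byte unchanged.
    return struct.pack(ETH_FMT, router_mac, next_hop_mac, ETHERTYPE_IPV4) + ip_datagram


def demo() -> dict:
    """Constructed HTTP request sent from Host A, through a router, to Host B."""
    host_a = b"\x02\x00\x00\x00\x00\x0a"   # constructed MAC addresses
    router = b"\x02\x00\x00\x00\x00\x0b"
    host_b = b"\x02\x00\x00\x00\x00\x0c"
    request = b"GET / HTTP/1.0\r\n\r\n"
    frame_on_net1 = encapsulate(request, 40000, 80, 1, "10.0.1.2", "10.0.2.2", host_a, router)
    frame_on_net2 = route(frame_on_net1, router, host_b)
    return decapsulate(frame_on_net2)


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

Running demo() shows the receiving host recovering the original HTTP message, ports and IP addresses, while the Ethernet header it sees belongs to the second physical network (router to Host B), exactly as in the routing figure.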
Model for Network Communication Security (figure)

Model for Network Communication Security
• using this model requires us to:
– design a suitable algorithm for the security transformation
– generate the secret information (keys) used by the algorithm
– develop methods to distribute and share the secret information
– specify a protocol enabling the principals to use the transformation and secret information for a security service
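As an added example, not from the slides: a minimal Python instance of the four requirements listed above, which also shows how three of the active attacks from the Security Attacks slides (modification, fabrication, replay) are caught by the receiver. The "security transformation" is an HMAC-SHA256 tag, the "secret information" is a shared key, and the "protocol" is a per-message sequence number that the receiver checks. The key, message texts and the tampered, forged and replayed inputs are constructed for the demonstration. Note what this does not provide: confidentiality. An interceptor can still read every message, so the interception attack needs the encryption techniques of the later chapters.

```python
import hashlib
import hmac
import os
import struct

TAG_LEN = 32                      # SHA-256 digest length
SEQ_FMT = "!Q"                    # 64-bit big-endian sequence number
SEQ_LEN = struct.calcsize(SEQ_FMT)


class Sender:
    """Principal applying the security transformation before transmission."""

    def __init__(self, key: bytes):
        self.key = key
        self.seq = 0

    def protect(self, message: bytes) -> bytes:
        """Emit seq || message || HMAC(key, seq || message)."""
        self.seq += 1
        body = struct.pack(SEQ_FMT, self.seq) + message
        tag = hmac.new(self.key, body, hashlib.sha256).digest()
        return body + tag


class Receiver:
    """Principal checking authenticity, integrity and freshness on receipt."""

    def __init__(self, key: bytes):
        self.key = key
        self.highest_seq = 0

    def accept(self, wire: bytes) -> tuple:
        """Return (message, None) if genuine and fresh, otherwise (None, reason)."""
        if len(wire) < SEQ_LEN + TAG_LEN:
            return None, "malformed"
        body, tag = wire[:-TAG_LEN], wire[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # Constant-time comparison; any mismatch means modification or fabrication.
        if not hmac.compare_digest(expected, tag):
            return None, "integrity/authenticity failure"
        seq = struct.unpack(SEQ_FMT, body[:SEQ_LEN])[0]
        if seq <= self.highest_seq:           # already seen: a replay
            return None, "replay"
        self.highest_seq = seq
        return body[SEQ_LEN:], None


def demo() -> dict:
    """One genuine transfer followed by the three active attacks, all constructed."""
    key = os.urandom(32)                      # shared by the two principals only
    alice, bob = Sender(key), Receiver(key)
    results = {}

    genuine = alice.protect(b"transfer 100 to account 42")
    results["genuine"] = bob.accept(genuine)

    # Modification: flip one bit of the amount while the message is in transit.
    tampered = bytearray(genuine)
    tampered[SEQ_LEN + 9] ^= 0x01
    results["modified"] = bob.accept(bytes(tampered))

    # Fabrication: an outsider without the key builds a message and guesses a tag.
    forged_body = struct.pack(SEQ_FMT, 2) + b"transfer 900 to account 99"
    results["fabricated"] = bob.accept(forged_body + os.urandom(TAG_LEN))

    # Replay: resend the genuine message; its tag is valid but its number is stale.
    results["replayed"] = bob.accept(genuine)

    # The next genuine message from the real sender is still accepted.
    results["next"] = bob.accept(alice.protect(b"ok"))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The receiver checks the tag before the sequence number, so a forged message is rejected without touching the replay state, and a legitimate message that arrives late (out of order) would also be dropped; a window of acceptable sequence numbers is the usual refinement when reordering is possible.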
Model for Network Access Security (figure)

Model for Network Access Security
• using this model requires us to:
– select appropriate gatekeeper functions to identify users
– implement security controls to ensure only authorised users access designated information or resources
• trusted computer systems can be used to implement this model
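As an added example, not from the slides: a minimal Python gatekeeper for the model above. The gatekeeper function that identifies users is a salted PBKDF2 password check, the security controls are a default-deny access list per resource, and every decision is written to an audit trail (one of the X.800 pervasive mechanisms). The user names, passwords, resource name and PBKDF2 round count are constructed for illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000   # constructed value; a deployment would tune this upward


def _derive(password: str, salt: bytes) -> bytes:
    """Salted, iterated password hash so stored credentials are not the passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class Gatekeeper:
    def __init__(self):
        self._creds = {}   # user -> (salt, derived key); no plaintext password is kept
        self._acl = {}     # resource -> {user: set of permitted operations}
        self.audit = []    # (user, resource, op, outcome): the security audit trail

    def enroll(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._creds[user] = (salt, _derive(password, salt))

    def grant(self, user: str, resource: str, op: str) -> None:
        self._acl.setdefault(resource, {}).setdefault(user, set()).add(op)

    def _identify(self, user: str, password: str) -> bool:
        """Gatekeeper function: does the caller prove to be the enrolled user?"""
        # Unknown users still go through the derivation, so response time does
        # not reveal which names are enrolled; a dummy salt/key is used for them.
        salt, stored = self._creds.get(user, (b"\x00" * 16, b"\x00" * 32))
        derived = _derive(password, salt)
        return user in self._creds and hmac.compare_digest(derived, stored)

    def request(self, user: str, password: str, resource: str, op: str) -> str:
        """Return "allowed", "unidentified" or "denied", and record the decision."""
        if not self._identify(user, password):
            outcome = "unidentified"
        elif op in self._acl.get(resource, {}).get(user, set()):
            outcome = "allowed"
        else:
            outcome = "denied"      # default deny: no rule means no access
        self.audit.append((user, resource, op, outcome))
        return outcome


def demo() -> dict:
    """Constructed users, resource and requests exercising each outcome."""
    gk = Gatekeeper()
    gk.enroll("alice", "correct horse battery staple")
    gk.enroll("bob", "hunter2")
    gk.grant("alice", "payroll.db", "read")
    gk.grant("alice", "payroll.db", "write")
    gk.grant("bob", "payroll.db", "read")
    return {
        "alice_write": gk.request("alice", "correct horse battery staple", "payroll.db", "write"),
        "bob_write": gk.request("bob", "hunter2", "payroll.db", "write"),
        "bob_bad_pw": gk.request("bob", "hunter3", "payroll.db", "read"),
        "mallory": gk.request("mallory", "anything", "payroll.db", "read"),
        "audit_entries": len(gk.audit),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Two points of the model are visible in the code: identification and authorisation are separate steps (bob is identified correctly yet denied write access), and the audit trail records refused requests as well as granted ones, which is what makes later intrusion detection possible.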
Outline of the course
• Introduction (Chapter 1)
• Conventional encryption: classical techniques, modern techniques, algorithms, confidentiality using conventional encryption (Chapters 2—7)
• Public-key encryption and hash functions: public-key cryptography, number theory, message authentication and hash functions, hash and MAC algorithms, digital signatures and authentication protocols (Chapters 8—13)
Outline of the course (Cont.)
• Network security practice: authentication applications, electronic mail security, IP security, Web security, anonymous communications (Chapters 14—17)
• Wireless network security
• System security: intruders, viruses, and worms, firewalls (Chapters 18—20)
Summary
• have considered:
– computer, network, internet security definitions
– security services, mechanisms, attacks
– X.800 standard
– basic network concepts
– models for network (access) security