Security Lecture 2

Network Security
Philadelphia University
Ahmad Al-Ghoul 2010-2011

Module 2
Security Methodology

Modified by: Ahmad Al Ghoul
Philadelphia University
Faculty Of Administrative & Financial Sciences
Business Networking & System Management Department
Room Number 32406
E-mail Address: [email protected]

Some standards bodies

– IETF (the Internet Engineering Task Force)
– AES (the Advanced Encryption Standard)
– ETSI (the European Telecommunications Standards Institute)
– IEEE (the Institute of Electrical and Electronics Engineers)
– ISO (international standard organization)

The 10 Major Headings

– Security Policy
– Security Organisation
– Asset Classification and Control
– Personnel Security
– Physical and Environmental Security
– Operational Management
– Access Control
– Systems Development and Maintenance
– Business Continuity Management
– Compliance

International Standards

International Standards in Information Security are developed by Security Techniques Committee ISO/IEC JTC 1 SC 27

Three Areas
– WG 1 - Security Management
– WG 2 - Security Algorithms/Techniques
– WG 3 - Security Assessment/Evaluation

Participating Members

SAI (Australia), IBN (Belgium), ABNT (Brazil), SCC (Canada), CSBTS/CESI (China), CSNI (Czech Rep), DS (Denmark), SFS (Finland), AFNOR (France), DIN (Germany), MSZT (Hungary), BIS (India), UNINFO (Italy), JISC (Japan)

KATS (Korea, Rep of), DSM (Malaysia), NEN (Netherlands), NTS/IT (Norway), PKN (Poland), GOST R (Russian Fed), SABS (South Africa), AENOR (Spain), SIS (Sweden), SNV (Switzerland), BSI (UK), DSTU (Ukraine), ANSI (USA)

WG 1 Security Management

Two key standards:
– Guidelines for Information Security Management (GMITS) (TR 13335)
– Code of Practice for Information Security Management (IS 17799)

Other standards:
– Guidelines on the use and management of trusted third parties (TR 14516)
– Guidelines for implementation, operation and management of Intrusion Detection Systems (WD 18043)
– Guidelines for security incident management (WD 18044)

WG 2 Security Techniques

There are International Standards for:
– Encryption (WD 18033)
– Modes of Operation (IS 8372)
– Message Authentication Codes (IS 9797)
– Entity Authentication (IS 9798)
– Non-repudiation Techniques (IS 13888)
– Digital Signatures (IS 9796, IS 14888)
– Hash Functions (IS 10118)
– Key Management (IS 11770)
– Elliptic Curve Cryptography (WD 15946)
– Time Stamping Services (WD 18014)

WG 3 Security Evaluation

Third Party Evaluation
– Criteria for an independent body to form an impartial and repeatable assessment of the presence, correctness and effectiveness of security functionality

“Common Criteria” (CC) (IS 15408)

Common Criteria

Produced by a consortium of Government bodies in North America / European Union
– Mainly National Security Agencies

Influenced by International Standardisation committee
– Adopted as International Standard 15408

Adopted and recognised by other major Governments
– All EU, Australia, Japan, Russia

Security Architecture
– For end-to-end communications

Security Architecture for End-to-End Communications

Authentication is the process of confirming a user's identity.

Authentication is one of the basic building blocks of computer security. It is achieved through the execution of an authentication protocol between two or more parties. One such protocol, the Secure Socket Layer (SSL) protocol

Authorization determines what services and access a user is authorized for.

Authentication

3 types of authentication:
– Something you know - Password, PIN, mother’s maiden name, passcode
– Something you have - ATM card, smart card, token, key, ID Badge, driver license, passport
– Something you are - Fingerprint, voice scan, DNA

Authentication is a process in which a system identifies a user. Access control determines what is permitted after authentication. Authentication is often closely tied to the concept of accounts, which are, generically, a set of information tied to a unique identifier. This information usually comprises the data needed to let someone use system resources. For example, it provides the location of the user's personal files or the user's real name.

Models: Access Control

• What is access control?
– Limiting who is allowed to do what

• What is an access control model?
– Specifying who is allowed to do what

What is access control?

Access control is the heart of security

Definitions:
– The ability to allow only authorized users, programs or processes access to a system or resource
– The granting or denying, according to a particular security model, of certain permissions to access a resource
– An entire set of procedures performed by hardware, software and administrators, to monitor access, identify users requesting access, record access attempts, and grant or deny access based on pre-established rules.

How can AC be implemented?
– Hardware
– Software
  • Application
  • Protocol (Kerberos, IPSec)
– Physical
– Logical (policies)

What does AC hope to protect?

– Data - Unauthorized viewing, modification or copying
– System - Unauthorized use, modification or denial of service

It should be noted that nearly every network operating system (NT, Unix, Vines, NetWare) is based on a secure physical infrastructure

Access control lists (ACL)

A file used by the access control system to determine who may access what programs and files, in what method and at what time

Different operating systems have different ACL terms

Types of access:
– Read/Write/Create/Execute/Modify/Delete/Rename
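An added example, not part of the original slides: a minimal ACL check that answers the four questions above (who, what, in what method, at what time) with default deny, and records every access attempt. The subjects, the file path and the time windows are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import time

ACCESS_TYPES = {"read", "write", "create", "execute", "modify", "delete", "rename"}

@dataclass(frozen=True)
class AclEntry:
    subject: str        # who
    resource: str       # what (exact path match in this sketch)
    access: frozenset   # in what method
    start: time         # at what time: window start (inclusive)
    end: time           # window end (exclusive)

def in_window(entry, now):
    """True if `now` is inside the entry's window, including windows that wrap past midnight."""
    if entry.start <= entry.end:
        return entry.start <= now < entry.end
    return now >= entry.start or now < entry.end

def check_access(acl, audit, subject, resource, access, now):
    """Default deny: allow only if one entry matches who, what, how and when."""
    if access not in ACCESS_TYPES:
        raise ValueError(f"unknown access type: {access}")
    allowed = any(
        e.subject == subject and e.resource == resource
        and access in e.access and in_window(e, now)
        for e in acl
    )
    # Record the attempt whether it was granted or not.
    audit.append((now.isoformat(), subject, resource, access, "ALLOW" if allowed else "DENY"))
    return allowed

# Constructed sample ACL and requests (hypothetical names and path).
DB = "/srv/payroll.db"
SAMPLE_ACL = [
    AclEntry("alice", DB, frozenset({"read", "modify"}), time(8, 0), time(18, 0)),
    AclEntry("backup", DB, frozenset({"read"}), time(22, 0), time(4, 0)),
]
REQUESTS = [
    ("alice", "read", time(9, 30)),     # listed subject, method and hour
    ("alice", "delete", time(9, 30)),   # method not granted
    ("alice", "read", time(23, 0)),     # outside alice's window
    ("backup", "read", time(1, 15)),    # inside a window that wraps midnight
    ("mallory", "read", time(9, 30)),   # subject not listed at all
]

def demo():
    audit = []
    results = [check_access(SAMPLE_ACL, audit, s, DB, a, t) for s, a, t in REQUESTS]
    return results, audit
```
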

Defending Against Threats

When talking about information security, vulnerability is a weakness in your information system (network, systems, processes, and so on) that has the greatest potential of being compromised. There might be a single vulnerability, but typically there are a number of them. For instance, if you have five servers that have the latest security updates for the operating system and applications running, but have a sixth system that is not current, the sixth system would be considered a vulnerability. Although this would be a vulnerability, it would most likely not be the only one. To defend against threats, you must identify the threats to your C-I-A triad, determine what your vulnerabilities are, and minimize them.

Building a Defense

When building a defense, you should use a layered approach that includes securing the network infrastructure, the communications protocols, servers, applications that run on the server, and the file system, and you should require some form of user authentication.

When you configure a strong, layered defense, an intruder has to break through several layers to reach his or her objective. For instance, to compromise a file on a server that is part of your internal network, a hacker would have to breach your network security, break the server's security, break an application's security, and break the local file system's security. The hacker has a better chance of breaking one defense than of breaking four layers of defense.

Methods of Defense

Having controls does no good unless they are used properly. The following are some factors that affect the effectiveness of controls.

Effectiveness of Controls
– Awareness of Problem
– Likelihood of Use: the suitable and effective use
– Overlapping Controls: combinations of controls could be provided to one exposure.
– Periodic Review: few controls are permanently effective. When we find a way to secure assets, the opposition doubles its efforts in an effort to defeat the security mechanism. Thus, judging the effectiveness of a control is an ongoing task.

– Principle of Effectiveness: Controls must be used to be effective. They must be efficient, easy to use, and appropriate.

Methods of Defense

Controls

In this section we will study some security control tools that attempt to prevent exploitation of the vulnerabilities of a computing system.

Encryption

Software Controls
– internal program controls (data base): parts of the program that enforce security restrictions, such as access limitations in a data base management program.
– operating system controls: limitations enforced by the system to protect each user from all other users.
– development controls: quality standards under which a program is designed, coded, tested, and maintained.

Methods of Defense

Hardware Controls
– use the devices which have been invented to assist in computer security (e.g. smart card)

Hardware security modules (HSM) perform cryptographic operations, protected by hardware (PCI boards, SCSI boxes, smart cards, etc.)

These operations include:
– Random number generation
– Key generation (asymmetric and symmetric)
– Private key hiding (security) from attack (no unencrypted private keys in software or memory)
  • Private keys used for signing and decryption
  • Private keys used in PKI for storing Root Keys

Methods of Defense

Policies
– operation policy: some of the simplest controls, such as changing the password frequently, can be achieved at essentially no cost but with tremendous effect.
– legal and ethical control: the law is slow to evolve, and the technology involving computers has emerged suddenly. Although legal protection is necessary and desirable.
– The area of computer ethics is unclear. It is not that computer people are unethical, but rather that society in general and the computing community in particular have not adopted formal standards of ethical behavior. Some organizations are attempting to devise codes of ethics for computer professionals.

Physical Controls
– Some of the easiest, most effective, and least expensive controls are physical controls: locks on doors, guards at entry points, backups, etc.

Basic Encryption and Decryption

Encryption and Decryption
– encryption: a process of encoding a message so that its meaning is not obvious
– decryption: the reverse process

encode (encipher) vs. decode (decipher)
– encoding: the process of translating entire words or phrases to other words or phrases
– enciphering: translating letters or symbols individually
– encryption: the group term that covers both encoding and enciphering

What is Encryption?

[Figure: the message "This is confidential." and the CJIN Network]

Plaintext vs. Ciphertext

– P (plaintext): the original form of a message
– C (ciphertext): the encrypted form

Basic operations
– plaintext to ciphertext: encryption: C = E(P)
– ciphertext to plaintext: decryption: P = D(C)
– requirement: P = D(E(P))

Encryption Strategy

– Provide confidentiality of communications
– Ensure integrity of information
– Enhance Authentication
– Provide for non-repudiation of sender or receiver

Encryption with key

– encryption key: KE

– decryption key: KD

– C = E(KE, P)

– P = D(KD, E(KE, P))

Encryption with key

– Symmetric Cryptosystem: KE = KD
– Asymmetric Cryptosystem: KE ≠ KD

Secret Key Encryption

[Figure: "This is a secret message" sent over a line labelled "Not a secure line"]

1. Bob types message to Jane and encrypts the message with secret key and sends it.
3. Somehow he lets her know what his secret key is.

1. Jane receives Bob's secret message and is later told by Bob the secret key to unlock the message
2. She decrypts and reads the message

Public Key Encryption

[Figure: Bob sends "Jane, This is a secret message - Bob" to Jane over a line labelled "Not a secure line"; labels: Jane’s public key, Jane’s private key]

1. Bob writes the message and encrypts it using Jane’s public key which is known to everyone
2. Bob sends the message over the internet to Jane

1. Jane receives the message and decodes it with her private key, which only she knows.
2. The secrecy of the private key is crucial
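An added example, not part of the original slides: it checks the requirement P = D(KD, E(KE, P)) for both exchanges above, a symmetric toy stream cipher (KE = KD, the secret key case) and textbook RSA (KE ≠ KD, Jane's public and private key). The key values, the tiny primes and both cipher constructions are assumptions chosen so the key relations are easy to see; they are not the slides' algorithms and are far too weak for real data.

```python
import hashlib

P = b"This is a secret message"   # plaintext, as in the figures

def keystream(key: bytes, n: int) -> bytes:
    """Toy keystream: SHA-256 over key || counter, truncated to n bytes."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:n]

def sym_E(k: bytes, p: bytes) -> bytes:
    """C = E(K, P): XOR the plaintext with a key-derived keystream."""
    return bytes(a ^ b for a, b in zip(p, keystream(k, len(p))))

sym_D = sym_E   # XOR is its own inverse, so the same key decrypts: KE = KD

def rsa_keypair(p: int = 61, q: int = 53, e: int = 17):
    """Textbook RSA from tiny constructed primes; returns (KE, KD), KE != KD."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))   # modular inverse (Python 3.8+)
    return (e, n), (d, n)

def asym_E(ke, p: bytes) -> list:
    """C = E(KE, P), one byte at a time, no padding: shows the key relation only."""
    e, n = ke
    return [pow(m, e, n) for m in p]

def asym_D(kd, c: list) -> list:
    """P = D(KD, C); returns the recovered byte values."""
    d, n = kd
    return [pow(x, d, n) for x in c]

def check_requirements() -> dict:
    k, other = b"bob-and-jane-shared-key", b"some-other-key"
    ke, kd = rsa_keypair()           # Jane's public key KE, private key KD
    c_sym, c_asym = sym_E(k, P), asym_E(ke, P)
    return {
        "symmetric P = D(K, E(K, P))": sym_D(k, c_sym) == P,
        "symmetric, wrong key fails": sym_D(other, c_sym) != P,
        "asymmetric P = D(KD, E(KE, P))": asym_D(kd, c_asym) == list(P),
        "asymmetric, KE cannot decrypt": asym_D(ke, c_asym) != list(P),
        "KE != KD": ke != kd,
    }

if __name__ == "__main__":
    for name, ok in check_requirements().items():
        print(f"{name}: {ok}")
```
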

Uses of Encryption

– Digital Certificates use Public Key
– Web Access with SSL
– Virtual Private Networks (VPNs)
– Desktop Encryption

Digital signature

Digital signature is a sort of protocol that provides authenticity and identification of the user.

It is similar to the signature of a person on a paper or check

It is used for many purposes in the network security provision

Physical security

Network security should begin by first emphasizing the necessity for physical security. Most organizations limit physical access to hosts and servers, but they must also take into consideration networking devices, such as routers, switches, and the like, and even such simple elements as cabling and wiring.