* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Download Security - CS Course Webpages
Survey
Document related concepts
Proxy server wikipedia , lookup
Cyberwarfare wikipedia , lookup
Information security wikipedia , lookup
Cyber-security regulation wikipedia , lookup
Denial-of-service attack wikipedia , lookup
Network tap wikipedia , lookup
Unix security wikipedia , lookup
Mobile security wikipedia , lookup
Wireless security wikipedia , lookup
Computer and network surveillance wikipedia , lookup
Deep packet inspection wikipedia , lookup
Security-focused operating system wikipedia , lookup
Computer security wikipedia , lookup
Cracking of wireless networks wikipedia , lookup
Transcript
Defining Network Security Security is prevention of unwanted information transfer • What are the components? – – – – ...Physical Security …Operational Security …Human Factors …Protocols 1 Areas for Protection • • • • Privacy Data Integrity Authentication/Access Control Denial of Service 2 Regulations and Standards • Computer Crime Laws • Encryption • Government as “Big Brother” 3 Security Threat, Value and Cost Tradeoffs • Identify the Threats • Set a Value on Information • Add up the Costs (to secure) Cost < Value * Threat 4 Threats • • • • • Hackers/Crackers (“Joyriders”) Criminals (Thieves) Rogue Programs (Viruses, Worms) Internal Personnel System Failures 5 Network Threats • • • • • IP Address spoofing attacks TCP SYN Flood attacks Random port scanning of internal systems Snooping of network traffic SMTP Buffer overrun attacks 6 Network Threats (cont.) • SMTP backdoor command attacks • Information leakage attacks via finger, echo, ping, and traceroute commands • Attacks via download of Java and ActiveX scripts • TCP Session Hijacking • TCP Sequence Number Prediction Attacks 7 Threat, Value and Cost Tradeoffs • • • • • Operations Security Host Security Firewalls Cryptography: Encryption/Authentication Monitoring/Audit Trails 8 Host Security • • • • Security versus Performance & Functionality Unix, Windows NT, MVS, etc PCs “Security Through Obscurity” L 9 Host Security (cont) • Programs • Configuration • Regression Testing 10 Network Security • Traffic Control • Not a replacement for Host-based mechanisms • Firewalls and Monitoring, Encryption • Choke Points & Performance 11 Access Control • Host-based: – – – – Passwords, etc. Directory Rights Access Control Lists Superusers L • Network-based: – – – – Address Based Filters Encryption Path Selection 12 Network Security and Privacy • Protecting data from being read by unauthorized persons. • Preventing unauthorized persons from inserting and deleting messages. • Verifying the sender of each message. • Allowing electronic signatures on documents. 13 FIREWALLS • • • • • Prevent against attacks Access Control Authentication Logging Notifications 14 Types of Firewalls • Packet Filters Application – Network Layer • Stateful Packet Filters – Network Level • Circuit-Level Gateways – Session Level • Application Gateways – Application Level 15 Presentation Session Transport Network Data Link Physical Packet Level • Sometimes part of router • TAMU “Drawbridge” Drawbridge Campus 16 ROTW Router Circuit Level • Dedicated Host • Socket Interfaces Local FW ROTW 17 Application Level • Needs a dedicated host • Special Software most everywhere Firewall telnet ROTW 18 Firewall Installation Issues FTP INTERNET DNS Web Router 19 Mail Firewall Installation Issues • • • • • • DNS Problems Web Server FTP Server Mail Server Mobile Users Performance 20 Address Transparency • Need to make some addresses visible to external hosts. • Firewall lets external hosts connect as if firewall was not there. • Firewall still performs authentication 21 Gateway Internet 10.0.0.0 128.194.103.0 Network Address Translation Firewall 22 Network Address Translation Host B: External Host Gateway Host Host A: Internal Host gw control ftpd ftp proxy ftp TCP IP TCP Data Link IP Hardware Data Link TCP IP Data Link Hardware Hardware A GW Datagram A B Datagram 23 IP Packet Handling • • • • • Disables IP Packet Forwarding Cannot function as a insecure router eg. ping packets will not be passed Fail Safe rather than Fail Open Only access is through proxies 24 DNS Proxy Security INTERNET External DNS Server DNSd Eagle Gateway eagle.xyz.com finance.xyz.com sales.xyz.com marketing.xyz.com 25 Virtual Private Tunnels Encapsulate Hello Authenticate Hello Encrypt Hello INTERNET !@@%* !@@%* !@@%* Creates a “ Virtual Private Network “ 26 Hello Decapsulate Hello Authenticate Hello Decrypt VPN Secure Tunnels • Two types of Tunnels supported – SwIPe and IPsec tunnels • Encryption – DES, triple DES and RC2 • Secret key used for used for authenticatio and encryption • Trusted hosts are allowed to use the tunnel on both ends 27 Designing DMZ’s DMZ INTERNET Web FTP Company Intranet Mail 28 Screening Router Firewall Design Project San Jose File Server INTERNET Mail Server Wide Area Router Dallas Internet Router Raptor Eagle Raptor Remote Hawk Console 29 Monitoring • Many tools exist for capturing network traffic. • Other tools can analyze captured traffic for “bad” things. • Few tools are real-time. 30 Summary • Security must be comprehensive to be effective. • Remember threat, value, cost when implementing a system. • Security is achievable, but never 100%. • Make your system fault tolerant. 31