Download Security in Computing - Pravin Shetty > Resume

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
page
27
page
28
page
29
page
30
page
31
page
32
page
33
page
34
page
35
page
36
page
37
page
38
page
39
page
40
page
41
page
42
page
43
page
44
page
45
page
46
page
47
page
48
page
49
page
50
page
51
Document related concepts

Net bias wikipedia , lookup

Extensible Authentication Protocol wikipedia , lookup

Wake-on-LAN wikipedia , lookup

CAN bus wikipedia , lookup

Network tap wikipedia , lookup

Computer network wikipedia , lookup

Distributed firewall wikipedia , lookup

Airborne Networking wikipedia , lookup

Zero-configuration networking wikipedia , lookup

Hacker wikipedia , lookup

IEEE 1355 wikipedia , lookup

Deep packet inspection wikipedia , lookup

Wireless security wikipedia , lookup

Piggybacking (Internet access) wikipedia , lookup

Computer security wikipedia , lookup

Cracking of wireless networks wikipedia , lookup

Routing in delay-tolerant networking wikipedia , lookup

UniPro protocol stack wikipedia , lookup

Internet protocol suite wikipedia , lookup

Recursive InterNetwork Architecture (RINA) wikipedia , lookup

Transcript 
SECURITY LECTURE By PRAVIN SHETTY
Reduce the baud rate!!
2
In the last lecture



3
Taxonomy of security attacks
Aims or services of security
A Model of internetwork security
Security in Computing
In Today’s lecture





5
Computer Security - what we mean?
Security goals and vulnerabilities
Methods of defence
Plan of attack
Carrying to (inter)network security.
Computer Security

6
Computer security deals with the
prevention and detection of unauthorised
actions by users of a computer system.
The security dilemma


security deals with the ready availability of
valuable assets by authorised agents, and
the denial of that access to all others.
Security-unaware users have specific
security requirements but (usually) no
security expertise.
But
7
The security dilemma



8
The costs of additional resources to
implement security mechanisms can be
quantified.
Security mechanisms interfere with users,
and can lead to loss of productivity.
Managing security also costs.
Principles of Security

Principle of easiest penetration
 an intruder will use any means of penetration

Principles of timeliness
 items only need to be protected until they lose
their value

Principles of effectiveness
 controls must work, and they should be
efficient, easy to use, and appropriate.
9
Risk Analysis

10
Risk analysis evaluates the cost of
implementing security measures as
opposed to losing the data and
information.
Vulnerabilities

The three broad computing system
resources are
hardware
 interruption (denial of service), interception
(theft)
software
 interruption (deletion), interception,
modification
data
 interruption (loss), interception,
modification and fabrication
11
Method of defence

By controls
What should be the focus of the controls?
 For example: should protection
mechanisms focus on data or operations
on that data or on the users who use the
data?
Since there are layers of technology, where
controls should apply?
 Applications, services, operating systems,
kernel, hardware.
12
Controls




13
Can be applied at hardware, software,
physical or polices.
Simple mechanisms or lots of features?
Should defining and enforcing security
mechanism be a centralised function?
How to prevent access to the layer below
the security mechanism?
Effectiveness of Conrols

Merely having controls does no good
unless they are used properly. The factors
that affect the effectiveness are
Awareness of protection
Likelihood of users
Overlapping controls
Periodic review
14
Different forms of control


15
Authentication
Access control
Authentication

Means establishing proof (assurance) of
identify.
Proving that the object or the subject is what it
claims to be: (is the user the person they say
they are?; is this message actually what was
sent by the originator?)

Usually involves one or a combination of
something you are, something you know,
and something you have.
 (user name, password, possibly some
hardware authentication device you can have).
16
Access Control



17
Relates to who (or what) may have access
to some object.
The object might be tangible, like a tape
drive or it can be abstract like a directory
in a file system, or a network service on a
remote system (like print or mail server).
Concern with respect to security is how
the object can be accessed; can be used
locally or remotely; can it read, written or
executed? If so by whom or what, and in
what circumstances?
Access Control


18
Access control problem is essentially one
of authorization, rights, and privileges.
There is some standard way to access
computing resources (like username and
password) while there is NO standard
access control scheme for the internet
(internetwork).
Security services






19
Authentication
Access control
Integrity
Confidentiality
Nonrepudiation
Availability
Integrity


20
refers to the current condition of some
data as compared to their pure and
original state.
An example in internetworking: a message
or file that traverses the network at risk of
having data added, removed, or modified
along the way.
Integirty

Consider the following message:
From: [email protected]
To: [email protected],
[email protected]
Subject: hackers
temple.csse has been hacked by intruders. I am
working to resolve this problem. Please check your
systems for possible intrusion.
As a by-product of this email message,
the attacker of temple.csse has also
compromised an email server at this
site (How?).
21
Integrity


22
By monitoring the outbound mail queue,
the attacker intercepts this message and
rather than deleting it, he takes the
following three tacks.
Consider the ramifications of these
messages that actually received by the
root user of the remote sites:
Tack -1

From: [email protected]
To: [email protected],
Subject: hackers
temple.csse has been hacked by intruders. I am
working to resolve this problem. Please check your
systems for possible intrusion.
P.S. One of my co-worker will call you very soon to
discuss the details with you, and to offer
assistance.


23
The attacker can gain the access to the root
(privileged) account of beast.csse.
In addition temple.csse detects and closes the
former point of access, the attacker can erase all
his/her old footprints!!
Tack-2

From: [email protected]
To: [email protected]
Subject: hackers
temple.csse has been hacked by intruders.

24
Here the intruder has left the notice of
temple.csse’s intrusion intact, but removed the
advice to check the other systems – to give time
to cover the tracks as well another venue to
intrude!!
Tack -3

From: [email protected]
To: [email protected],
Subject: hackers
beast.csse has been hacked by intruders. I am working
to resolve this problem. Please check your systems
for possible intrusion.

25
The implication of this action is …
Confidentiality


26
You might not really care if a few postal
employees read a postcard or two, but would you
care if every piece of mail you received were
paraded in plain view past each person that lives
between post office and your home?
On internetworking, email, data transfer via FTP
and www requests may be handled by intervening
networks and devices and anyone with access to
them, authorized or not, can read the
data/messages.
Layered Protocol Models
Sender
Identify
Recipient
Identity
Message
Data
27
Message
Length
A layered protocol stack
Layer N
Layer N-1
Layer 2
Layer 1
28
Protocol enveloping




29
Each layer in a protocol stack uses a unique and
well-defined message format for communicating
with its peer layers on other systems.
As message gets passed down from one layer to
the next, it is enveloped inside of another
message. A new envelop is added at each step.
After transmission across the network, the
protocol layers on the receiving system strip off
their respective envelopes (among other tasks).
The original message is passed to the highest
layer.
Protocol enveloping
30
Layered Architecture for Networks


31
OSI Reference Model
Internet’s TCP/IP Model
OSI Reference Model


OSI reference model is an abstract model,
one that defines services and protocols
that deliver the services.
It does not specify the following:
 programming language bindings
 operating system bindings
Application interface issues
 user interface issues
32
OSI Reference Model
Application
related
services
Application
Presentation
Session
Transport
Network
Data Link
Physical
33
Network
related
services
Internet TCP/IP Model
Application
Transport
(TCP, UDP)
Network (IP)
Data Link
Physical
34
Network Layer - IP

The primary protocol in use at the network layer
is the internet protocol (IP)
4-bit
4-bit
8 bit
Version header length type of service
16 bit
3 bit
Identification
flags
8-bit
8-bit
time to live
protocol
16-bit
Total Length
13 –bit
fragment offset
16-bit
header checksum
32-bit Source address
32-bit Destination address
Options(if any) and padding
Data (variable length)
35
Aside - IP



36
Internet Control Message Protocol (ICMP)
influences and somewhat controls the behavior
of the IP layer, while actually using IP services to
perform its tasks.
ICMP monitors and communicates network
control information between network participants.
The IP layer also is impacted by special routing
protocols like Routing Information Protocol (RIP),
Internet Group Management Protocol (IGMP),
Open Shortest Path First (OSPF) and Border
Gateway Protocol (BGP).
Transport layer – TCP & UDP


37
Transmission control protocol –
connection oriented, full-duplex service
User datagram protocol – lightweight
connectionless service.
TCP segment
16-bit
Source port number
16-bit
Destination port number
32-bit Sequence number
32 bit acknowledgement number
4-bit
Header len
6-bit
6-bit
Reserved Flags
16-bit
TCP Checksum
16-bit
Window Size
16-bit
Urgent pointer
Options(if any) and padding
Data (variable length)
38
UDP datagram
16- bit
Source Port Number
16-bit
Length
16-bit
Destination Port Number
16-bit
Checksum
Date (variable length, if any)
39
Application Layer


40
This layer’s protocol is defined by the
application.
An application engages network services
from the TCP or UDO transport layers
through one of several APIs, such as
Berkeley Sockets on BSD and Transport
Layer Interface (TLI) on System V.
Protocol enveloping in the TCP/IP
41
TCP/IP protocol suite
Application
FTP, SMTP, HTTP, etc
TCP
UDP
ICMP
IP
Data Link
Ethernet, Token Ring, FDDI, etc
Physical
42
Security in layered IP


Security at the IP layer is related to the
layer’s function of end-to-end datagram
delivery.
The security weakness are:
Network snooping
Message replay
Message alteration
Message delay and denial
Authentication issues
Routing attacks
43
Network Snooping




44
Attacker observes network traffic without
disturbing the transmission (passive) –
commonly known as snooping or sniffing.
Commonly snooped are user passwords.
Sniffing software works by placing a
system’s network interface into
promiscuous mode.
Systems like Unix require superuser or
system-level privileges to access the
network promiscuously.
Message Relay

Relaying the message to another host
and it accepts as if it is trusted.
Example: transfer of password files in a
networked unix systems.
45
Message alteration


46
Message means the payload of the IP
datagram, the router performs routine
modifications to the IP datagram header,
and sometimes fragments a datagram into
several smaller ones (when the length
exceeds a limit allowed by the underlying
data link layer).
No need to suspect message alteration,
but techniques such as check sum are not
sufficient.
Message Delay and Denial

By gaining authorised control of a router
or routing host, then modifying executable
code or routing and screening rules used
by the code.
 need to apply proper authentication and
access mechanisms to the routing systems.

By overwhelming a routing device, or one
of the communication end systems, with
an inordinate amount of network traffic.
 easy to detect but difficult to prevent!
47
Authentication issues



Authentication at the IP layer is concerned
with the identify of computer systems.
IP address are software configurable and
the mere possession (or fraudulent use) of
one enables communication with other
systems.
Two such techniques to do this are
 address masquerading
 address spoofing
48
Address Masquerading
49
Address Spoofing


Also known as TCP sequence number
attack.
First need to understand how the threeway TCP handshake protocol works.
 hanshake means- an assertion that indicates
one party’s readiness to send or receive data.
When two systems share a hardware
connection, two-way handshake is enough.
Since TCP rides on IP – an unreliable,
connectionless protocol – a three-way
handshake is required.
50
Handshake in TCP
SYN+ISN A
SYN+ISN B+ ACK(ISNA)
Machine A
Machine B
ACK(ISNB)
Application
51
SYN – synchronize request
ISN - Initial sequence number
ACK – acknowledgement for the ISN
Data
Related documents
Computer Science or Software Engineering?
Computer Science or Software Engineering?
TCP/IP Configuration
TCP/IP Configuration
CSSE 413 – Artificial Intelligence Course Survey - Rose
CSSE 413 – Artificial Intelligence Course Survey - Rose
CLIENT SERVER ARCHITECTURE
CLIENT SERVER ARCHITECTURE
How the Internet Works
How the Internet Works
0304bPreM1Grading - Rose
0304bPreM1Grading - Rose
Networking - Institute of Mathematics and Informatics
Networking - Institute of Mathematics and Informatics
Proposed Differentiated Services on the Internet
Proposed Differentiated Services on the Internet
Syllabus - V-SECT
Syllabus - V-SECT
CSSE 232 – Computer Architecture I Rose
CSSE 232 – Computer Architecture I Rose
Midterm Review - UTK-EECS
Midterm Review - UTK-EECS
K-Optimal Rule Discovery
K-Optimal Rule Discovery