Security in Networks—Their design, development, usage…
Barbara Endicott-Popovsky
CSSE592/491
In collaboration with: Deborah Frincke, Ph.D., Director, Center for Secure and Dependable Systems, University of Idaho

Text Book
• Both broad survey and focused
• Chapters 1-2 lay groundwork
• Chapters 3–7: Software
• Chapter 7
  – Contrast to standalone environments
  – Threats
  – Controls
  – Tools: Firewalls, Intrusion detection, Secure e-mail
• Chapter 9: Privacy, ethics, the law
• Chapter 10: Cryptography – the how

In this section of the course we will look at…
Networks—their design, development, usage
• The Basics
• Threats
• Controls
• Tools
  • Firewalls
  • Intrusion Detection
  • Secure e-mail
Source: Pfleeger & Pfleeger

Agenda
I. The Basics
II. Threats
III. Controls
IV. Tools

I. The Basics

Terms
• Topology
• Media
• Analog/digital
• Protocols
• LAN/WAN
• Internet
• Distributed System
• APIs

ISO/OSI Model
Layer   Name           Activity
7       Application    User-level data
6       Presentation   Standardized data appearance
5       Session        Logical connection among parts
4       Transport      Flow control
3       Network        Routing
2       Data Link      Reliable data delivery
1       Physical       Actual communication across physical medium

TCP/IP vs. OSI
(OSI layers as on the previous slide)
TCP/IP Layer   Action                          Responsibilities
Application    Prepare messages                User interaction, addressing
Transport      Convert messages to packets     Sequencing, reliability, error correction
Internet       Convert messages to datagrams   Flow control, routing
Physical       Transmit datagrams as bits      Data communication

Issues
• ISO/OSI: Slows things down
• TCP/IP: More efficient; Open
• NOTE: Study this part of the Chapter
• Results: TCP/IP used over Internet; Introduces security issues

II. Threats
• Vulnerabilities
• Attackers
• Threats
  • Precursors
  • In transit
  • Protocol flaws
  • Impersonation
  • Spoofing
  • Message Confidentiality / Integrity threats
  • Web Site Defacement
  • Denial of Service (DOS)
  • Distributed Denial of Service (DDOS)
  • Active or Mobile Code Threats
  • Complex Attacks

Vulnerabilities
• Anonymity
• Many points of attack—targets and origins
• Sharing
• Complexity of system
• Unknown perimeter
• Unknown path

Attackers
• Kiddie scripters
• Industrial spies
• Information warfare
• Cyber terrorists
• “Hacktivists”
• Wardrivers, etc.
• Profile—see Mitnick

Threat Spectrum
Source: Deb Frincke

From CSI/FBI Report 2002
• 90% detected computer security breaches
• 80% acknowledged financial losses
• 44% (223) were willing / able to quantify losses: $455M
• Most serious losses: theft of proprietary information and fraud
  • 26 respondents: $170M
  • 25 respondents: $115M
• 74% cited Internet connection as a frequent point of attack
• 33% cited internal systems as a frequent point of attack
• 34% reported intrusions to law enforcement (up from 16% in 1996)
Source: Deb Frincke

More from CSI/FBI 2002
• 40% detected external penetration
• 40% detected DOS attacks
• 78% detected employee abuse of Internet
• 85% detected computer viruses
• 38% suffered unauthorized access on Web sites; 21% didn’t know
• 12% reported theft of information
• 6% reported financial fraud (up from 3% in 2000)
Source: Deb Frincke

Threats: Precursors
• Port Scan
• Social Engineering
• Reconnaissance
• OS Fingerprinting
• Bulletin Boards / Chats
• Available Documentation
Source: Pfleeger & Pfleeger

Threats: In Transit
• Packet Sniffing
• Eavesdropping
• Wiretapping
  • Microwaves
  • Satellites
  • Fiber
  • Wireless

Threats: Protocol Flaws
• Public protocols
• Flaws public
• Human errors

Threats: Impersonation
• Guessing
• Stealing
• Wiretapping
• Eavesdropping
• Avoid authentication
• Nonexistent authentication
• Known authentication
• Trusted authentication
• Delegation
• MSN Passport

Threats: Spoofing
• Masquerade
• Session hijacking
• Man-in-the-Middle attack

Threats: Message Confidentiality/Integrity
• Misdelivery
• Exposure
• Traffic flow analysis
• Falsification of messages
• Noise

Threats: Web Site Defacement
• Buffer overflows
• Dot-Dot and address problems
• Server-Side include

Threats: Denial of Service (DOS)
• Transmission failure
• Connection flooding
  • Echo-chargen
  • Ping of death
  • Smurf attack
  • SYN flood
• Traffic redirection
• DNS attack (BIND)

Threats: Distributed Denial of Service (DDOS)
• Trojan horses planted
• Zombies attack

Threats: Active/Mobile Code (Code Pushed to the Client)
• Cookies
  • Per-session
  • Persistent
• Scripts
• Active code
  • Hostile applet
• Auto Exec by type

Threats: Complex Attacks
• Script Kiddies
• Building Blocks

III. Controls

Design
• Architecture
  • Segmentation
  • Redundancy
  • Single points of failure
• Encryption
  • Link encryption
  • End-to-end encryption
  • VPNs
  • PKI and Certificates
  • SSH and SSL encryption
  • IPSec
  • Signed code
  • Encrypted e-mail

Controls (cont’d.)
• Content Integrity
  • Error correcting codes
  • Cryptographic Checksum
• Strong Authentication
  • One-time password
  • Challenge-Response systems
  • Digital distributed authentication
  • Kerberos
• Access controls
  • ACLs on routers
  • Firewalls
• Alarms and Alerts
• Honeypots
• Traffic Flow Security
  • Onion routing

IV. Tools
• Firewalls
• Intrusion Detection Systems
• Secure e-Mail

Firewalls
• Packet filtering gateway
• Stateful inspection firewall
• Application proxy gateway
• Guard
• Personal firewalls

Intrusion Detection Systems
• Signature-based IDS
• Heuristic IDS
• Stealth mode

IDS Characteristics
• Goals
  • Detect all attacks
  • Little performance impact
• Alarm response
  • Monitor and collect data
  • Protect
  • Call administrator
• Limitations
  • Avoidance strategies
  • Sensitivity
  • Only as good as the process/people

Secure e-Mail
• Designs
  • Confidentiality—encryption
  • Message integrity checks
• Examples
  • PGP
  • S/MIME
Source: Pfleeger & Pfleeger
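The Firewalls slide lists a packet filtering gateway and a stateful inspection firewall side by side without showing what separates them. The example below, added here and not part of the lecture slides or the Pfleeger & Pfleeger text, models both over the same constructed stream of five TCP headers: a stateless filter that judges each packet on its own header (allow outbound; allow inbound when the source port is 80 or 443 and ACK is set), and a stateful firewall that records the connections the LAN opened and admits inbound packets only when they match one of them. The packet format, the 10.0.0.0/24 LAN prefix, the documentation-range outside addresses and the rule set are all assumptions chosen for the illustration.

```python
from dataclasses import dataclass

# Constructed for the example: the protected LAN lives in 10.0.0.0/24,
# outside hosts use RFC 5737 documentation addresses.
INTERNAL_PREFIX = "10.0.0."


@dataclass(frozen=True)
class Packet:
    """Minimal TCP header: addresses, ports and flag letters
    (S = SYN, A = ACK, R = RST)."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: str


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


def packet_filter(pkt: Packet) -> str:
    """Stateless packet-filtering gateway (hypothetical rule set).

    Allow anything outbound; allow inbound only when the packet looks
    like a reply from a web server (source port 80/443 with ACK set).
    Every packet is judged on its own header: the filter keeps no
    memory of which connections the LAN actually opened."""
    outbound = is_internal(pkt.src) and not is_internal(pkt.dst)
    inbound = not is_internal(pkt.src) and is_internal(pkt.dst)
    if outbound:
        return "ALLOW"
    if inbound and pkt.sport in (80, 443) and "A" in pkt.flags:
        return "ALLOW"
    return "DROP"


class StatefulFirewall:
    """Stateful inspection: remember connections the LAN opened and admit
    inbound packets only when they belong to one of them."""

    def __init__(self) -> None:
        # 4-tuples (internal ip, internal port, external ip, external port)
        self.connections: set = set()

    def inspect(self, pkt: Packet) -> str:
        outbound = is_internal(pkt.src) and not is_internal(pkt.dst)
        inbound = not is_internal(pkt.src) and is_internal(pkt.dst)
        if outbound:
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.flags == "S":            # LAN host opening a connection
                self.connections.add(key)
                return "ALLOW"
            if key in self.connections:
                if "R" in pkt.flags:        # reset tears the entry down
                    self.connections.discard(key)
                return "ALLOW"
            return "DROP"
        if inbound:
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)  # reversed tuple
            if key in self.connections:
                if "R" in pkt.flags:
                    self.connections.discard(key)
                return "ALLOW"
        return "DROP"


# Constructed sample traffic, in arrival order.
TRAFFIC = [
    # A LAN host opens an HTTPS connection and the server answers.
    Packet("10.0.0.5", 40000, "203.0.113.10", 443, "S"),
    Packet("203.0.113.10", 443, "10.0.0.5", 40000, "SA"),
    Packet("10.0.0.5", 40000, "203.0.113.10", 443, "A"),
    # An outside host sends an ACK-only packet from port 443 towards an
    # internal SSH port; no LAN host ever opened this connection.
    Packet("198.51.100.7", 443, "10.0.0.9", 22, "A"),
    # An unsolicited inbound SYN.
    Packet("198.51.100.7", 51000, "10.0.0.9", 22, "S"),
]


def run(filter_fn) -> list:
    """Verdict for each packet in TRAFFIC, in order."""
    return [filter_fn(p) for p in TRAFFIC]


def compare() -> dict:
    """Verdicts of both firewall styles over the same traffic."""
    return {
        "stateless": run(packet_filter),
        "stateful": run(StatefulFirewall().inspect),
    }


if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(name, verdicts)
```

The fourth packet is the one that matters: the stateless filter admits it because its header matches the "reply from a web server" pattern, while the stateful firewall drops it because no LAN host has an entry for that 4-tuple. Production filters express the same idea with connection tracking (for instance iptables' conntrack ESTABLISHED,RELATED match) rather than a Python set, and also expire entries on timeout, which this toy omits.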