Download ppt - K.f.u.p.m ocw
Chapter 12: Network Security
Modified by: Masud-Ul-Hasan and Ahmad Al-Yamani

Slide 2: Objectives
- Understand the many processes involved in the development of a comprehensive security policy and security architecture.
- Understand the importance of a well-developed and implemented security policy, and the associated people processes, to effective security technology implementation.
- Understand the concepts, protocols, etc. related to virus protection, firewalls, authentication, and encryption.

Slide 3: Business Impact
- What is the impact on a business when network security is violated by online thieves?
- According to federal law enforcement estimates, more than $10 billion worth of data is stolen annually in the US alone.
- In a single incident, 60,000 credit and calling card numbers were stolen.
- 50% of computer crimes are committed by a company's current or former employees.

Slide 4: Security Policy Development Life Cycle (SPDLC)
A method for the development of a comprehensive network security policy is known as the SPDLC. Its stages form a cycle:
1. Identify business-related security issues
2. Analyze security risks, threats, and vulnerabilities
3. Design the security architecture and the associated processes
4. Implement security technology and processes
5. Audit the impact of security technology and processes
6. Evaluate the effectiveness of current architectures and policies, then return to step 1

Slide 5: Identification of Business-related Security Issues
This is a security requirement assessment:
- What do we have to lose?
- What do we have worth stealing?
- Where are the security holes in our business processes?
- How much can we afford to lose?
- How much can we afford to spend on network security?

Slide 6: Analysis of Risks, Threats, Vulnerabilities
- Information asset evaluation: what is worth protecting?
- Network architecture documentation: what is the current state of the network?
- How many unauthorized modems are dialing in?
- Identify all assets, threats and vulnerabilities.
- Determine risks and create protective measures.

Slide 7: Architecture and Process Design
- Logical design of the security architecture and associated processes.
- What must be the required functionality of the implemented technology?
- What business processes, implemented and monitored by people, must match this security architecture?

Slide 8: Security Technology and Process Implementation
- Choose security technology based on the logical design requirements.
- Implement all security technology with complementary people processes.
- Increase overall awareness of network security and implement training.
- Design an ongoing education process for all employees, including senior management.

Slide 9: Audit Impact of Security Technology and Processes
- Ensure that the implemented policy and technology are meeting the initial goals.
- Institute a method to identify exceptions to security policy standards and deal with these exceptions swiftly.

Slide 10: Evaluate Effectiveness of Current Architecture and Processes
- Based on the results of ongoing audits, evaluate the effectiveness of the current policy and architecture in meeting the high-level goals.
- Adjust policy and architecture as required and renew the cycle.

Slide 11: Security Requirements Assessment (SRA)
- A proper SRA implies that appropriate security processes and technology have been applied for any given user's or group's access to or from any potential corporate information resource.

Slide 12: Scope Definition and Feasibility Studies
- Before proceeding blindly with a security policy development project, it is important to properly define the scope, or limitations, of the project.
- The feasibility study provides an opportunity to gain vital information on the difficulty of the security policy development process, as well as the assets (human and financial) required to maintain such a process.
- One of the key issues is deciding on the balance between security and productivity.

Slide 13: Security vs. Productivity Balance: Lack of Security
(figure: productivity plotted against security)
- High risk, low cost, open access.
- No productivity loss occurs from access restrictions.
- However, a lack of security may ultimately have a negative impact on productivity: open access may lead to data loss or data integrity problems, which may lead to productivity loss.

Slide 14: Security vs. Productivity Balance: Over-Restrictive Security
(figure: productivity plotted against security)
- High cost, low risk, restrictive access; security needs take priority over user access.
- Over-restrictive security causes a productivity decline.
- Over-restrictive security may also lead to noncompliance with security processes, which may lead to loss of security.

Slide 15: Security vs. Productivity Balance: Optimal Balance of Security and Productivity
(figure: productivity plotted against security, with the balance point marked)
- Maximize security while minimizing the negative impact on productivity; balanced risk and costs.
- The restrictiveness of the security policy is balanced by people's acceptance of those policies.

Slide 16: Network Security Policy

Slide 17: Security vs. Productivity Balance
How to define the balance between security and productivity?
- Identify assets
- Identify threats
- Identify vulnerabilities
- Consider the risks
- Identify risk domains
- Take protective measures

Slide 18: Data/Information Classification
- Unclassified/Public: information having no restrictions as to storage, transmission, or distribution.
- Sensitive: information whose release could not cause damage to the corporation but could cause potential embarrassment or measurable harm to individuals, e.g. salaries and benefits of employees.
- Confidential: information whose release could cause measurable damage to the corporation, e.g. corporate strategic plans, contracts.

Slide 19: Data/Information Classification
- Secret: information whose release could cause serious damage to a corporation, e.g. trade secrets, engineering diagrams, etc.
- Top secret: information whose release could cause severe or permanent damage. Release of such information could literally put a company out of business. Secret formulas for key products would be considered top secret.

Slide 20: Assets
- Corporate property of some value that requires varying degrees of protection.
- Assets that need network security are:
  - Corporate data (highest priority)
  - Network hardware
  - Software
  - Media to transport data

Slide 21: Threats
- Processes or people that pose a potential danger to identified assets. Threats can be intentional or unintentional, natural or man-made.
- Network-related threats include: hackers, fires, floods, power failures, equipment failures, dishonest employees, incompetent employees.

Slide 22: Vulnerabilities
- The manner or path by which threats are able to attack assets.
- Can be thought of as the weak links in the overall security architecture, and should be identified for every potential threat/asset combination.
- Vulnerabilities that have been identified can be blocked.
- After identifying vulnerabilities, the questions are:
  - How should a network analyst proceed in developing defenses to these vulnerabilities?
  - Which vulnerabilities should be dealt with first?
  - How can a network analyst determine an objective means to prioritize vulnerabilities?
Slide 23: Risks
- The probability of a particular threat successfully attacking a particular asset in a given amount of time via a particular vulnerability.
- By considering the risk, network analysts are able to quantify the relative importance of threats and vulnerabilities.

Slide 24: Assets, Risks, Protection
(figure, from Goldman & Rawles, ADC3e: asset, threat, vulnerability, risk, and protective measures)
- Multiple protective measures may need to be established between given threat/asset combinations.

Slide 25: Protective Measures
- There might exist multiple vulnerabilities (paths) between a given asset and a given threat, so multiple protective measures may need to be established between given threat/asset combinations.
- Major categories of potential protective measures:
  - Virus protection
  - Firewalls
  - Authentication
  - Encryption
  - Intrusion detection

Slide 26: Threats and Protective Measures
(table; the threat-name column was lost in extraction, so apart from "camouflage" and "spying/listening in" only the descriptions survive)
- Camouflage.
- Spying/listening in.
- An attacker is able to read, insert and modify messages between two parties.
- A common technique spammers use is to configure the From line in an e-mail message to hide the sender's identity.
- Modification of data through unauthorized means (e.g., while entering the data).
- Trying every word in the dictionary as a possible password.
- A form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed by someone who intercepts the data and retransmits it, possibly as part of a masquerade attack.
- A computer program masquerading as a game or any "cute" program; however, when it runs it does something else, like erasing the hard drive or blocking the screen with a graphic that will not go away.
- A generic class of attacks where a host, a segment, or an entire network is brought down and becomes unusable by legitimate users.
Slide 27: Threats and Protective Measures
- Once policies have been developed, it is up to everyone to support those policies in their own way.
- Having been included in the policy development process, users should also be expected to actively support the implemented acceptable use policies.

Slide 28: Executive's Responsibilities
Slide 29: Management's Responsibilities
Slide 30: Acceptable Use Policy Development
Slide 31: User's Responsibilities
(slides 28 to 31 carry only their titles in this transcript)

Slide 32: Virus Protection
- Virus protection is often the first area of network security addressed by individuals or corporations.
- A comprehensive virus protection plan must combine policy, people, processes, and technology to be effective.
- Too often, virus protection is thought to be a technology-based quick fix.

Slide 33: Virus Protection
- The most common microcomputer security violation.
- 90% of the organizations surveyed with 500 or more PCs experience at least one virus incident per month.
- Complete recovery from a virus infection costs an average of $8,300 and takes a period of 22 working days.
- In January 1998, there were over 16,000 known viruses, with as many as 200 new viruses appearing per month.

Slide 34: Virus Categories
- Virus symptoms, methods of infection, and outbreak mechanisms can vary widely, but all viruses share a few common behaviors.
- Most viruses work by infecting other legitimate programs and causing them to become destructive or to disrupt the system.
- Most viruses use some type of replication method to spread and infect other programs, systems, or networks.
- Most viruses need some sort of trigger or activation mechanism to set them off.
- Viruses may remain dormant and undetected for long periods.

Slide 35: Virus Categories
- Some viruses have a delayed action, which is sometimes called a bomb. E.g., a virus might display a message on a specific day or wait until it has infected a certain number of hosts.
- Two main types:
  - Time bombs: a time bomb goes off on a particular date or at a particular time.
  - Logic bombs: a logic bomb goes off when the user of a computer takes an action that triggers the bomb, e.g., running a file.

Slide 36: Virus Categories
- File infectors: attack the executable, or program, files.
- System/boot infectors: change the MBR (Master Boot Record), the area containing all the statements needed to load the operating system.
- Multipartite viruses: also called multi-part, attack both the boot sector and the executable, or program, files at the same time.
- Hostile applets: Java applets that consume resources in rude or malicious ways, so that all of the CPU or memory resources of the computer are consumed.
- E-mail viruses: e-mail attachments with spam.
- Cluster/file system viruses: change the system's FAT (File Allocation Table), an index of the names and addresses of files.

Slide 37: Antivirus Strategies (AS)
- An effective AS must include policy, procedures and technology.
- AS policies and procedures:
  - Identify virus infection vulnerabilities and design protective measures.
  - Install virus scanning software at all points of attack.
  - All diskettes must be scanned at a stand-alone scanning PC before being loaded onto network-attached clients or servers.
  - All consultants and third-party contractors should be prohibited from attaching their notebook computers to the corporate network without scanning.

Slide 38: AS Policies and Procedures
- All vendors must run demos on their own equipment.
- Shareware/downloaded software should be prohibited, or controlled and scanned.
- All diagnostic and reference diskettes must be scanned before use.
- Write-protect all diskettes with .exe and .com files.
- Create a master boot record that disables writes to the hard drive when booting from a diskette, etc.

Slide 39: AS Antivirus Technology
- Viruses can attack:
  - Locally or remotely attached client platforms
  - Server platforms
  - The entrance to the corporate network via the Internet
- At each entrance point, viruses must be detected and removed.

Slide 40: AS Antivirus Technology
- Virus scanning is the primary method for successful detection and removal.
- The software most often works off a library of known viruses.
- Purchase antivirus software which updates virus signatures at least twice per month.
- Typically, vendors update virus signature files every 4 hours, with hourly updates expected in the near future.

Slide 41: AS Antivirus Technology
- Emulation technology attempts to detect as-yet-unknown viruses by running programs within a software emulation program known as a virtual PC.
- The executing program can be examined in a safe environment for any unusual behavior or other tell-tale symptoms of resident viruses.
- Proactive rather than reactive.
- Advantage: identification of potentially unknown viruses based on their behavior rather than by relying on identifiable signatures of known viruses.

Slide 42: AS Antivirus Technology
- Such programs are also capable of trapping encrypted or polymorphic viruses, which are capable of constantly changing their identities or signatures.
- Some of these programs are also self-learning: their knowledge of virus-like activity increases with experience.

Slide 43: AS Antivirus Technology
- CRC checkers or hashing checkers create and save a unique cyclical redundancy check character or hash number for each file to be monitored.
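As an added example (not from the slides), here is the reference-value scheme just described, in Python: it records a SHA-256 digest (or a CRC-32, the slides' "cyclical redundancy check character") for every file under a directory, then recomputes and reports changed, new and missing files. The function names and the sample files are this example's own.

```python
import hashlib
import os
import tempfile
import zlib

# Added example, not the slides' own code: a minimal "hashing checker". It stores a
# reference value per monitored file and later reports which files changed, appeared
# or disappeared. All helper names are hypothetical.


def fingerprint(path, algo="sha256"):
    """Reference value for one file: a hex digest from hashlib, or a CRC-32 when
    algo == "crc32" (the slides' cyclical redundancy check character)."""
    with open(path, "rb") as f:
        data = f.read()
    if algo == "crc32":
        return "%08x" % (zlib.crc32(data) & 0xFFFFFFFF)
    return hashlib.new(algo, data).hexdigest()


def build_baseline(root, algo="sha256"):
    """Walk root and record a reference value for every file: relative path -> value.
    In practice the baseline must be kept where the monitored programs cannot write
    it (read-only media or another host), or an infector could refresh it too."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = fingerprint(full, algo)
    return baseline


def check(root, baseline, algo="sha256"):
    """Recompute every file and compare with the saved baseline.
    Returns {"changed": [...], "new": [...], "missing": [...]} with sorted paths."""
    current = build_baseline(root, algo)
    return {
        "changed": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "new": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }


def demo(algo="sha256"):
    """Constructed scenario: baseline three files, then alter one executable in
    place, drop a new file beside it and delete a third, and run the check."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("app.exe", b"MZ original program"),
                           ("config.ini", b"[settings]\nlevel=1\n"),
                           ("readme.txt", b"hello")):
            with open(os.path.join(root, name), "wb") as f:
                f.write(body)
        baseline = build_baseline(root, algo)
        # Simulated infection: bytes appended to an existing executable.
        with open(os.path.join(root, "app.exe"), "ab") as f:
            f.write(b" appended code")
        with open(os.path.join(root, "dropper.exe"), "wb") as f:
            f.write(b"MZ unexpected new file")
        os.remove(os.path.join(root, "readme.txt"))
        return check(root, baseline, algo)


if __name__ == "__main__":
    print(demo())
    print(demo("crc32"))
```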
- Each time the file is saved, the new CRC is checked against the reference CRC.
- If the CRCs are different, the file has changed.
- A program evaluates the changes to determine the likelihood that they were caused by a viral infection.
- Disadvantage: only able to detect viruses after infection, which may already be too late.
- Decoys: files that are allowed to be infected in order to detect and report on virus activity.

Slide 44: AS Antivirus Technology
- Active content monitors identify viruses and malicious content, such as Java applets or ActiveX controls, that may be introduced via Internet connectivity.
- They are able to examine transmissions from the Internet in real time and identify known malicious content based on the contents of reference definition libraries.

Slide 45: Points of Attack
(figure: client PC, router, hub, Internet, remote access users and server, with the vulnerabilities and protective measures for each point of attack)
- Point of attack: Client PC
  - Vulnerabilities: infected diskettes; groupware conferences with infected documents.
  - Protective measures: strict diskette scanning policy; autoscan at system start-up.
- Point of attack: Internet access
  - Vulnerabilities: downloaded viruses; downloaded hostile agents.
  - Protective measures: firewalls; user education about the dangers of downloading.
- Point of attack: Remote access users
  - Vulnerabilities: frequent uploading/downloading of data and use of diskettes increase risk; linking to customer sites increases risk.
  - Protective measures: strict diskette scanning policy; strict policy about connecting to corporate networks after linking to other sites.
- Point of attack: Server
  - Vulnerabilities: infected documents stored by attached clients; infected documents replicated from other groupware servers.
  - Protective measures: autoscan run at least once a day; consider active monitoring (virus checking before allowing programs to be loaded onto the server); rigorous backup in case of a major outbreak; audit logs to track down sources.

Slide 46: Firewalls
- When a company links to the Internet, a two-way access point, out of as well as into that company's confidential information, is created.
- To prevent unauthorized access from the Internet to the company's confidential data, a firewall is deployed.
- The firewall runs on a dedicated server that is connected to, but outside of, the corporate network.
- All network packets are filtered/examined for authorized access.
- The firewall provides a layer of isolation between the inside network and the outside network.

Slide 47: Firewalls
- Does it provide full protection? No! Not if dial-up modem access remains uncontrolled or unmonitored.
- Incorrectly implemented firewalls may introduce new loopholes.

Slide 48: Firewall Architectures
- There are no standards for firewall functionality, architectures, or interoperability. As a result, the user must be especially aware of how firewalls work in order to evaluate a potential firewall technology purchase.
- Three architectures (and internal firewalls):
  - Packet filtering
  - Application gateways
  - Circuit-level gateways
  - Internal firewalls

Slide 49: Packet Filtering
- Every packet of data on the Internet is uniquely identified by its source and destination addresses, i.e., the addresses in the header.
- A filter is a program that examines the source and destination addresses of all incoming packets to the firewall server.
- Filter tables are lists of addresses whose data packets and embedded messages are either allowed or prohibited from proceeding through the firewall server and into the corporate network.
- Filtering is based on user-defined rules.
- Also called a port-level filter or network-level filter.

Slide 50: Packet Filtering
- Routers are also capable of filtering packets, which means an existing piece of technology can be used for dual purposes.
- Dedicated packet-filtering firewalls are usually easier to configure and require less in-depth knowledge of the protocols to be filtered or examined.
- But maintaining filter tables and access rules on multiple routers is not a simple task.
- Packet filtering has limitations in terms of the level of security it provides.
- IP spoofing is used by hackers to breach packet filters: since packet filters make all filtering decisions based on IP source and destination addresses, if a hacker can make a packet appear to come from an authorized or trusted IP address, then it can pass through the firewall.

Slide 51: Packet Filtering
(figure only)

Slide 52: Application Level Filters (ALFs)
- Also known as application gateways, assured pipelines, or proxies.
- Go beyond port-level filters in their attempts to prevent unauthorized access.
- Port-level filters determine the legality of the party asking for information; ALFs ensure the validity of what they are asking for in addition to who is making the request.
- Apply security mechanisms to specific applications, such as FTP and Telnet servers.
- This is very effective, but can impose a performance degradation.

Slide 53: Circuit Level Filters
- Apply security mechanisms when a TCP or UDP connection is established.
- Once the connection has been made, packets can flow between the hosts without further checking.
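Added example, not from the slides: a small stateless packet filter in Python that applies a user-defined filter table of the kind the packet filtering slides above describe (first matching rule wins, default deny) and exhibits the IP spoofing limitation they note. A packet forging an internal source address is permitted by the address-only table, while an interface-aware ingress check, which is an addition to what the slides describe, rejects it. The rule layout, addresses and packet names are constructed for this example.

```python
import ipaddress

# Added example, not the slides' own code: a toy "port-level" packet filter.
# Rule layout, address ranges and sample packets are constructed.

ANY = ipaddress.ip_network("0.0.0.0/0")
INTERNAL = ipaddress.ip_network("10.0.0.0/8")               # constructed corporate range
TRUSTED_PARTNER = ipaddress.ip_network("203.0.113.10/32")   # constructed trusted host

# Each rule: (action, source network, destination network, protocol, destination port).
# "any" matches every protocol or port. The first matching rule decides.
FILTER_TABLE = [
    ("permit", TRUSTED_PARTNER, INTERNAL, "tcp", 22),   # partner host may SSH in
    ("permit", ANY, INTERNAL, "tcp", 80),              # anyone may reach the web server
    ("permit", INTERNAL, ANY, "any", "any"),           # internal hosts may go anywhere
    ("deny", ANY, ANY, "any", "any"),                  # everything else is dropped
]


def matches(rule, pkt):
    """True when the packet's header fields fall inside the rule's patterns."""
    _, src, dst, proto, dport = rule
    return (ipaddress.ip_address(pkt["src"]) in src
            and ipaddress.ip_address(pkt["dst"]) in dst
            and proto in ("any", pkt["proto"])
            and dport in ("any", pkt["dport"]))


def filter_packet(pkt, table=FILTER_TABLE):
    """Decide from addresses, protocol and port alone: the slides' packet filter."""
    for rule in table:
        if matches(rule, pkt):
            return rule[0]
    return "deny"   # no rule matched: default deny


def filter_with_antispoof(pkt, table=FILTER_TABLE):
    """Same table plus an ingress sanity check the slides do not describe: a packet
    arriving on the external interface can never legitimately carry an internal
    source address, whatever the table would otherwise allow for that source."""
    if pkt["iface"] == "external" and ipaddress.ip_address(pkt["src"]) in INTERNAL:
        return "deny"
    return filter_packet(pkt, table)


# Constructed sample packets as the firewall would see them.
PACKETS = {
    "partner_ssh":    {"iface": "external", "src": "203.0.113.10", "dst": "10.1.2.3",
                       "proto": "tcp", "dport": 22},
    "stranger_ssh":   {"iface": "external", "src": "198.51.100.7", "dst": "10.1.2.3",
                       "proto": "tcp", "dport": 22},
    "public_web":     {"iface": "external", "src": "198.51.100.7", "dst": "10.1.2.3",
                       "proto": "tcp", "dport": 80},
    "outbound_https": {"iface": "internal", "src": "10.1.2.3", "dst": "198.51.100.7",
                       "proto": "tcp", "dport": 443},
    # Forged source: claims to be an internal host but arrives from the Internet.
    "spoofed_internal": {"iface": "external", "src": "10.9.9.9", "dst": "10.1.2.3",
                         "proto": "tcp", "dport": 23},
}


def decisions(decide=filter_packet):
    """Run every sample packet through the given decision function."""
    return {name: decide(pkt) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for name, pkt in PACKETS.items():
        print(f"{name:18s} address-only={filter_packet(pkt):6s} "
              f"with-ingress-check={filter_with_antispoof(pkt)}")
```

The spoofed packet is accepted by rule 3 because the table trusts the source address, which is exactly the weakness the slide describes; the ingress check only helps against forged internal addresses, so a forged trusted external address still needs the application-level or authentication controls covered later.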
- SOCKS creates a proxy data channel to the application server on behalf of the application client.
- SOCKS can control traffic by disabling or enabling communication according to TCP port numbers.
- SOCKS4 allows outgoing firewall applications.
- SOCKS5 supports both incoming and outgoing firewall applications, as well as authentication.

Slide 54: Application Gateway
(figure only)

Slide 55: Dual-Homed Gateway
- Both an application gateway and a packet-filtering router are used in a dual-homed gateway for increased security.
- The application gateway is physically connected to the private, secure network, and the packet-filtering router is connected to the non-secure network or the Internet.
- Between the application gateway and the packet-filtering router is an area known as the screened subnet.
- Also attached to this screened subnet are information servers, WWW servers, or other servers that the company may wish to make available to outside users.
- However, all outside traffic still goes through the application gateway first, and then to the information servers.

Slide 56: Dual-Homed Gateway
(figure only)

Slide 57: Trusted Gateway
- In this architecture, certain applications are identified as trusted and are able to bypass the application gateway entirely, establishing connections directly rather than being executed by proxy.
- In this way, outside users can access information servers and WWW servers without tying up the proxy applications on the application gateway.

Slide 58: Trusted Gateway
(figure only)

Slide 59: Internal Firewalls
- Internal firewalls: the need.
- 60% of network attacks are made by internal users.
- Dissatisfied employees, former employees, etc. are responsible for various incidents of network hacking.
- 30% of Internet sites that reported breaches had firewalls in place.
- Internal firewalls are a new category of software to handle internal attacks.
- Packet filtering works primarily at the network layer.
- Circuit filtering works at the transport layer.
- Application filtering works at the application layer.

Slide 60: DMZ
- There are times when an organization wants remote users to have access to items on its network, e.g., a web site, an online business, or an FTP download and upload area.
- In cases like this, it is better to create a DMZ (Demilitarized Zone). It is really just an area that is outside the firewall.
- Think of the DMZ as the front yard of your house. It belongs to you and you may put some things there, but you would put anything valuable inside the house, where it can be properly secured.

Slide 61: Firewall Behind DMZ
(figure only)

Slide 62: Firewall In Front of DMZ
(figure only)

Slide 63: Firewall: Multi-tiered
(figure only)

Slide 64: Proxy Server
- The word "proxy" means "one who is authorized to act on behalf of another".
- A proxy server is a special type of firewall which acts on behalf of many individual users in screening network traffic into, and out of, a company's network.
- Typically, an Internet proxy server is used to gather all user requests, forward them out to the Internet, receive the responses, and in turn forward them to the originating requester.
- To the individual user, the proxy server is invisible; that is, all Internet requests and returned responses appear to be directly with the Internet server addressed via the specified URL.
- To the external world, a proxy server appears as a single network user submitting requests, and advertises only one network address on behalf of many local users.

Slide 65: Proxy Server
- A proxy server provides two distinct firewall services.
- First, it limits the Internet services which users of a company's network may access. E.g., a company's security policy may dictate that corporate network users are allowed e-mail and web access, while prohibiting file transfer capabilities.
- Second, the proxy server limits a company's network appearance to the outside world by masking internal address schemes, thereby minimizing hacker access to a company's internal resources.
- Proxy servers can also make Internet access more efficient. If a page is accessed on a web site, it is cached (stored) on the proxy server. This means that the next time that page is accessed, it normally doesn't have to load again from the web site; instead, it loads instantaneously from the proxy server.

Slide 66: Authentication and Access Control
- The overall purpose of authentication is to ensure that users attempting to gain access to networks are really who they claim to be.
- Password protection was the traditional means of authentication. Password protection is no longer sufficient; more is needed.
- A wide variety of authentication technology (AT) has been developed to ensure that users really are who they say they are.
- Products fall into three main categories.

Slide 67: Authentication and Access Control
The three categories are:
1. What you know: AT that delivers single sign-on (SSO) access to multiple network-attached servers and resources via passwords. Examples: PassGo SSO from Axent Technologies; Global Sign On from IBM.
2. What you have: AT that uses one-time or one-session passwords to authenticate the user. This AT requires the user to possess some type of smart card or other token authentication device to generate these single-use passwords.
3. What you are: AT that validates users based on some physical characteristic such as fingerprints, hand geometry, retinal scans, etc.
Slide 68: 1. Single Sign-On (SSO)
- Single sign-on (SSO), also sometimes known as secure single sign-on (SSSO), allows users to log into the enterprise network and be authenticated from their client PC location.
- It is not necessary for users to remember a variety of different user IDs and passwords for the numerous different enterprise servers from which they may request services.
- Since this is the single entry point onto the enterprise network for users, log auditing software can be used to keep non-repudiable records of all activities and transactions.

Slide 69: Single Point of Registration (SPR)
- Single point of registration (SPR) allows a network security manager to enter a new user (or delete a terminated user) from a single centralized location.
- He can assign all associated rights, privileges, and access control to enterprise resources from this single point, rather than having to enter the new user's information on multiple resources distributed throughout the enterprise.

Slide 70: Secure HTTP (S-HTTP)
- Secure HTTP is a secure version of HTTP that requires both client and server S-HTTP versions to be installed for secure end-to-end encrypted transmission.
- Based on public key encryption, providing security at the document or application level, since it works with the actual HTTP applications to secure documents and messages.
- Uses digital signature encryption to assure that the document possesses both authenticity and message integrity.
- SSL is designed to establish a secure connection between two computers; S-HTTP is designed to send individual messages securely.

Slide 71: Secure Sockets Layer (SSL)
- Described as wrapping an encrypted envelope around HTTP transmissions.
- Whereas S-HTTP can only be used to encrypt web documents, SSL can be wrapped around other Internet service transmissions, such as FTP and Telnet, as well as HTTP.
- SSL is a connection-level encryption method providing security to the network link itself.
- Used for transmitting private documents via the Internet.
- SSL uses a cryptographic system that uses two keys to encrypt data: a public key known to everyone and a private or secret key known only to the recipient of the message.
- Many web sites use it to obtain confidential user information, such as credit card numbers.

Slide 72: Single Access Control View
- A single access control view allows the user's access from their client workstation to display only those resources that the user actually has access to.
- Any differences between server platforms should be shielded from the user. The user should not need to memorize different commands or control interfaces for the variety of enterprise servers that a user may need to access.

Slide 73: 2. Token Authentication (TAu): Smart Cards
- This technology provides one-time-use session passwords that are authenticated by associated server software.
- TAu may take multiple forms:
  - Hardware-based smart cards, about the size of a credit card, with a numeric keypad.
  - In-line TAu devices that connect to the serial port of a computer for dial-in authentication through a modem.
  - Software tokens that are installed on the client PC and authenticate with the server portion of the token authentication product transparently to the end user.
- A PIN is required to activate the authentication process.

Slide 74: Challenge and Response
The terminal challenges the smart card:
1. The terminal generates a random number.
2. The smart card encrypts it with its key and sends it back to the terminal.
3. The terminal decrypts it with its own key. If the number is the same as the one generated by the terminal's random number generator, it authenticates the smart card.

Slide 75: Challenge and Response (contd.)
The smart card challenges the terminal:
1. The smart card generates a random number.
2. The terminal encrypts it with its key and sends it back to the smart card.
3. The smart card decrypts it with its own key. If the number is the same as the one generated by the smart card's random number generator, it authenticates the terminal.

Slide 76: 3. Biometric Authentication (BA)
- BA can authenticate users based on fingerprints, palm prints, retinal patterns, hand geometry, facial geometry, voice recognition, or other physical characteristics.
- Not yet perfect or foolproof.
- False rejects: the BA device's comparison algorithm is configured to be very sensitive.
- False accepts: the BA device's comparison algorithm is not detailed enough.

Slide 77: Authorization
- Can be seen as a subset of authentication.
- Authorization ensures that only properly authorized users are able to access particular network resources or corporate information resources.
- The authorization security software can be either:
  - Server-based, also known as brokered authorization.
  - Workstation-based, also known as trusted node.

Slide 78: Encryption
- Encryption involves changing data into an impossible-to-read form before transmission. If the transmitted data are somehow intercepted, they cannot be interpreted.
- The changed, meaningless data is known as ciphertext.
- Encryption must be accompanied by decryption, or changing the unreadable text back into its original form.

Slide 79: RADIUS (Remote Authentication Dial-In User Service)
- RADIUS allows network managers to centrally manage remote access users, access methods, and logon restrictions.
- A client/server protocol that enables remote access servers to communicate with a central server to authenticate dial-in users and authorize their access to the requested system or service.
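Added example, not from the slides: both directions of the challenge and response exchange described above (terminal challenges card, then card challenges terminal) in Python with a shared secret key. In place of the slides' "encrypt the random number, decrypt and compare" step it uses HMAC-SHA256 over the random number, which the challenger recomputes with its own copy of the key; the sequence of messages is otherwise the same. It also shows why the random number must be fresh each time: a captured response is rejected when presented against a later challenge. All class and function names are this example's own.

```python
import hashlib
import hmac
import secrets

# Added example, not the slides' own code. A keyed MAC over the challenge stands in
# for the slides' encrypt/decrypt of the random number; both parties hold the key.


class Party:
    """Either the terminal or the smart card; each can challenge and respond."""

    def __init__(self, name, key):
        self.name = name
        self.key = key
        self.pending = None   # the random number we issued and are waiting on

    def challenge(self):
        """Step 1: generate a fresh random number and remember it."""
        self.pending = secrets.token_bytes(16)
        return self.pending

    def respond(self, nonce):
        """Step 2: prove possession of the key by keying the challenger's number."""
        return hmac.new(self.key, nonce, hashlib.sha256).digest()

    def verify(self, response):
        """Step 3: recompute with our own key and compare in constant time. The stored
        challenge is cleared so the same response can never be accepted twice."""
        if self.pending is None:
            return False
        expected = hmac.new(self.key, self.pending, hashlib.sha256).digest()
        self.pending = None
        return hmac.compare_digest(expected, response)


def one_way(challenger, responder):
    """One run of the three steps: challenger -> responder -> challenger."""
    nonce = challenger.challenge()
    return challenger.verify(responder.respond(nonce))


def mutual_auth(terminal, card):
    """Slide 74 followed by slide 75: each side authenticates the other."""
    return one_way(terminal, card) and one_way(card, terminal)


def demo():
    """Constructed scenario: a card with the right key, a card with another key, and
    a response captured from one run and replayed against a later challenge."""
    shared = secrets.token_bytes(32)
    terminal = Party("terminal", shared)
    good_card = Party("card", shared)
    wrong_card = Party("card-with-other-key", secrets.token_bytes(32))

    nonce = terminal.challenge()
    captured = good_card.respond(nonce)
    terminal.verify(captured)          # the genuine run completes ...
    terminal.challenge()               # ... a new challenge is issued later ...
    replayed = terminal.verify(captured)   # ... and the old response no longer matches

    return {
        "good": mutual_auth(terminal, good_card),
        "wrong_key": mutual_auth(terminal, wrong_card),
        "replay": replayed,
    }


if __name__ == "__main__":
    print(demo())
```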
An AAA protocol (Authentication, Authorization and Accounting).
The RADIUS protocol improves network security by providing a mechanism for authenticating remote users connecting to the network. It does this by carrying authentication, authorization and configuration information between a Network Access Server (NAS) and a RADIUS server.
A NAS, also known as a Remote Access Server (RAS), is a device that provides an access point to a network for remote users connecting through remote access protocols such as telnet, ftp or PPP.

RADIUS Architecture
[Figure: RADIUS architecture diagram.]

Logical System View
[Figure: logical system view – Workstation and Modem, PSTN, ISP POP (NAS/RAS and Router), Internet, Customer Information Provider (Remote Server); PPP and IP shown as the protocol layers.]

VPN (Virtual Private Network)
A VPN is a private network that uses a public network (usually the Internet) to connect remote sites or users together.
Instead of using a dedicated connection such as a leased line, a VPN uses "virtual" connections routed through the Internet.
Tunneling is the transmission of data intended for use only within a private, usually corporate, network through a public network in such a way that the routing nodes in the public network are unaware that the transmission is part of a private network.
[Figure: a tunnel through a public network of routing nodes A–I.]

Tunneling Protocols and VPN
To provide VPN capabilities using the Internet as an enterprise network backbone, specialized tunneling protocols were developed that could establish private, secure channels between connected systems:
Point-to-Point Tunneling Protocol
Layer 2 Forwarding protocol
Layer 2 Tunneling Protocol

Tunneling Protocols and VPNs
A VPN creates an encrypted tunnel across a public network and passes the data destined for the remote location across the tunnel.
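The NAS-to-RADIUS-server exchange described on the RADIUS slides above, as an added example that is not part of the slides or of any RADIUS product. It follows the RFC 2865 packet layout (code, identifier, length, 16-byte authenticator, type-length-value attributes) and the RFC's MD5-based User-Password hiding, and shows the one check a defender cares most about: the NAS verifies the Response Authenticator, so an Access-Accept forged by someone who does not hold the shared secret is not trusted. The shared secret, user table and credentials are constructed demo values.

```python
"""RADIUS Access-Request / Access-Accept between a NAS and a RADIUS server.

Added example, not from the slides or any RADIUS product: RFC 2865 packet
layout, User-Password hiding, and Response Authenticator verification.
The shared secret, user table and credentials are constructed demo values.
"""
import hashlib
import hmac
import os
import struct
from typing import Dict, List, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def _encode_attrs(attrs: List[Tuple[int, bytes]]) -> bytes:
    # Each attribute is Type(1) Length(1, header included) Value.
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def _decode_attrs(data: bytes) -> Dict[int, bytes]:
    out, i = {}, 0
    while i + 2 <= len(data):
        t, ln = data[i], data[i + 1]
        if ln < 2 or i + ln > len(data):
            raise ValueError("malformed attribute")
        out[t], i = data[i + 2:i + ln], i + ln
    return out


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks; XOR each block with MD5(secret + previous block)."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth  # the first mask is keyed by the Request Authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], mask))
        out += prev
    return out


def unhide_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_packet(code: int, ident: int, auth: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs


def response_authenticator(code: int, ident: int, req_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()


def nas_access_request(user: bytes, password: bytes, secret: bytes, ident: int) -> Tuple[bytes, bytes]:
    req_auth = os.urandom(16)  # Request Authenticator: fresh random value for every request
    attrs = _encode_attrs([(ATTR_USER_NAME, user),
                           (ATTR_USER_PASSWORD, hide_password(password, secret, req_auth))])
    return build_packet(ACCESS_REQUEST, ident, req_auth, attrs), req_auth


def server_handle(packet: bytes, secret: bytes, users: Dict[bytes, bytes]) -> bytes:
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    req_auth, attrs = packet[4:20], _decode_attrs(packet[20:])
    pw = unhide_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, req_auth)
    stored = users.get(attrs.get(ATTR_USER_NAME, b""))  # demo table; real servers store hashes
    code = ACCESS_ACCEPT if stored is not None and hmac.compare_digest(stored, pw) else ACCESS_REJECT
    return build_packet(code, ident, response_authenticator(code, ident, req_auth, b"", secret), b"")


def nas_check_response(resp: bytes, req_auth: bytes, ident: int, secret: bytes) -> bool:
    """Trust the verdict only if the Response Authenticator was computed with the shared secret."""
    code, rid, length = struct.unpack("!BBH", resp[:4])
    if rid != ident or length != len(resp):
        return False
    expected = response_authenticator(code, rid, req_auth, resp[20:], secret)
    return hmac.compare_digest(expected, resp[4:20]) and code == ACCESS_ACCEPT


def demo() -> Tuple[bool, bool]:
    secret, users = b"demo-shared-secret", {b"alice": b"correct horse"}  # constructed values
    req, ra = nas_access_request(b"alice", b"correct horse", secret, ident=7)
    genuine = nas_check_response(server_handle(req, secret, users), ra, 7, secret)
    # An Access-Accept built with the wrong secret fails the authenticator check.
    forged = build_packet(ACCESS_ACCEPT, 7, response_authenticator(ACCESS_ACCEPT, 7, ra, b"", b"wrong"), b"")
    return genuine, nas_check_response(forged, ra, 7, secret)
```

Everything in this exchange rests on the NAS-server shared secret and on MD5, so the secret needs to be long and per-NAS, and the UDP path between NAS and server should itself be protected (RADIUS over TLS or IPsec) rather than relying on the password hiding alone.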
The remote workstation gets a local IP address and appears to all computers on the local network as if it were local.

Kerberos
A well-known combined authentication/authorization system developed at MIT and marketed commercially by many vendors.
The name Kerberos comes from Greek mythology; it is the three-headed dog that guarded the entrance to the underworld.
Kerberos is designed to enable two parties to exchange private information across an open network.
It works by assigning a unique key, called a ticket, to each user that logs on to the network. The ticket is then embedded in messages to identify the sender of the message.

Kerberos Architecture consists of three key components:
Kerberos client software
Kerberos authentication server software
Kerberos application server software
To ensure that only authorized users are able to access a particular application, Kerberos must be able to communicate directly with that application.
The source code of the application must be modified to make it compatible with Kerberos. If the source code is not available, software vendors may sell Kerberized versions of their software.
Kerberos is not able to offer authorization protection to applications with which it cannot communicate.

Kerberos
Users are first authenticated by the Kerberos authentication server, which consults its database and issues a ticket for the valid user to communicate with the ticket granting software (TGS). This ticket is known as a ticket-granting ticket.
Using this ticket, the user sends an encrypted request to the ticket granting software (TGS) requesting a ticket for access to a particular application server.
If the TGS determines that the request is valid, a ticket is issued that will allow the user to access the requested server. This ticket is known as a service-granting ticket.
The user presents this ticket to the application server, which evaluates the ticket's validity. If the application determines that the ticket is valid, a client/server session is established.

Kerberos Architecture
[Figure: Kerberos architecture diagram.]

Security Design Strategies
Make sure that router operating system software has been patched.
Identify those information assets that are most critical to the corporation, and protect those servers first.
Implement physical security constraints to hinder physical access to critical resources such as servers.
Monitor system activity logs carefully.

Security Design Strategies
Develop a simple, effective, and enforceable security policy and monitor its implementation.
Consider installing a proxy server or application-layer firewall.
Block incoming DNS queries and requests for zone transfers.
Don't publish the corporation's complete DNS map on DNS servers that are outside the firewall.
Disable all non-essential TCP ports and services.

Security Design Strategies
Install only software and hardware that you really need on the network.
Allow only essential traffic into and out of the corporate network and eliminate all other types by blocking them with routers or firewalls.
Investigate the business case for outsourcing Web-hosting services so that the corporate Web server is not physically on the same network as the rest of the corporate information assets.
Use routers to filter traffic by IP address.

Government Impact
Government agencies play a major role in the area of network security. The two primary functions of these various government agencies are:
Standards-making organizations that set standards for the design, implementation, and certification of security technology and systems.
Regulatory agencies that control the export of security technology to a company's international locations.
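The ticket flow on the three Kerberos slides above (the authentication server issues a ticket-granting ticket, the TGS issues a service-granting ticket, and the application server validates it before a session is established), worked through as an added example. This is not code from the slides and not MIT Kerberos; real Kerberos uses standardised encryption types, whereas `seal()`/`open_()` here is a stdlib-only toy authenticated cipher (SHA-256 keystream plus HMAC tag) so the example runs offline. The ticket lifetime, clock skew, principal names, string-to-key function and JSON message layout are assumptions for the demo.

```python
"""Kerberos ticket flow: AS exchange, TGS exchange, application-server exchange.

Added example, not from the slides and not MIT Kerberos code. seal()/open_() is a
stdlib-only toy authenticated cipher standing in for Kerberos's real encryption
types; lifetimes, names, string-to-key and message layout are demo assumptions.
"""
import hashlib
import hmac
import json
import os
import time
from typing import Dict, Tuple

LIFETIME, SKEW = 300.0, 60.0  # assumed ticket lifetime and allowed clock skew (seconds)

def _keys(key: bytes) -> Tuple[bytes, bytes]:  # separate encryption and MAC keys
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()

def _xor_stream(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    ks = b"".join(hashlib.sha256(enc_key + nonce + i.to_bytes(4, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _keys(key)
    nonce = os.urandom(12)
    ct = _xor_stream(enc_key, nonce, plaintext)
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def open_(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _keys(key)
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered message")  # unreadable without the right key
    return _xor_stream(enc_key, nonce, ct)

def _enc(key: bytes, obj: dict) -> bytes:
    return seal(key, json.dumps(obj).encode())

def _dec(key: bytes, blob: bytes) -> dict:
    return json.loads(open_(key, blob))

def check_ticket(ticket: dict, authenticator: bytes, session_key: bytes) -> None:
    """Shared by TGS and application server: ticket unexpired, and the authenticator
    (encrypted under the ticket's session key) names the same client and is fresh."""
    if ticket["exp"] < time.time():
        raise PermissionError("ticket expired")
    auth = _dec(session_key, authenticator)  # only the real client holds session_key
    if auth["client"] != ticket["client"] or abs(time.time() - auth["ts"]) > SKEW:
        raise PermissionError("authenticator does not match ticket")

class KDC:
    """Authentication server (AS) and ticket granting server (TGS) in one process."""
    def __init__(self, principals: Dict[str, bytes]) -> None:
        self.keys = dict(principals)          # long-term keys of users and services
        self.keys["krbtgt"] = os.urandom(32)  # TGS key: TGTs are opaque to everyone else

    def as_exchange(self, user: str) -> Tuple[bytes, bytes]:
        """Issue a ticket-granting ticket; only the user's key can open the reply part."""
        sk, exp = os.urandom(32), time.time() + LIFETIME
        tgt = _enc(self.keys["krbtgt"], {"client": user, "key": sk.hex(), "exp": exp})
        return _enc(self.keys[user], {"key": sk.hex(), "exp": exp}), tgt

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str) -> Tuple[bytes, bytes]:
        """Validate TGT + authenticator, then issue a service-granting ticket."""
        t = _dec(self.keys["krbtgt"], tgt)
        tgs_key = bytes.fromhex(t["key"])
        check_ticket(t, authenticator, tgs_key)
        sk, exp = os.urandom(32), min(t["exp"], time.time() + LIFETIME)
        ticket = _enc(self.keys[service], {"client": t["client"], "key": sk.hex(), "exp": exp})
        return _enc(tgs_key, {"key": sk.hex(), "service": service}), ticket

class Client:
    def __init__(self, name: str, password: str) -> None:
        self.name, self.key = name, hashlib.sha256(password.encode()).digest()  # toy string-to-key

    def authenticator(self, key: bytes) -> bytes:
        return _enc(key, {"client": self.name, "ts": time.time()})

    def login(self, kdc: KDC) -> None:
        enc_part, self.tgt = kdc.as_exchange(self.name)
        self.tgs_key = bytes.fromhex(_dec(self.key, enc_part)["key"])  # wrong password: open_ fails

    def get_service_ticket(self, kdc: KDC, service: str) -> Tuple[bytes, bytes]:
        enc_part, ticket = kdc.tgs_exchange(self.tgt, self.authenticator(self.tgs_key), service)
        return bytes.fromhex(_dec(self.tgs_key, enc_part)["key"]), ticket

class AppServer:
    def __init__(self, name: str, key: bytes) -> None:
        self.name, self.key = name, key  # the service's long-term key, shared only with the KDC

    def accept(self, ticket: bytes, authenticator: bytes) -> str:
        t = _dec(self.key, ticket)
        check_ticket(t, authenticator, bytes.fromhex(t["key"]))
        return t["client"]  # client/server session established for this principal

def demo() -> str:
    alice, svc_key = Client("alice", "hunter2"), os.urandom(32)         # constructed principals
    kdc = KDC({"alice": alice.key, "fileserver": svc_key})
    alice.login(kdc)                                                    # AS exchange -> TGT
    session_key, ticket = alice.get_service_ticket(kdc, "fileserver")   # TGS exchange -> service ticket
    return AppServer("fileserver", svc_key).accept(ticket, alice.authenticator(session_key))
```

The point the slides make about Kerberized applications shows up in `AppServer.accept`: the application server can only admit the client because it shares a key with the KDC and can open the ticket and check the authenticator itself, which is why software that cannot speak this exchange gets no protection from Kerberos. A stolen ticket on its own is useless to the thief, who cannot produce a fresh authenticator without the session key inside it.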