Network Security
LESSON 28

Outline:
Network Security

Computer Security:

• Computer security involves more than just protocols and software. If properly implemented, it should include:
  • Physical security (locks).
  • Security and company-wide policies/b>.
  • Special or dedicated hardware.
  • Well configured software and protocols.
• ? What is Computer Security ?
  • It is keeping anyone from doing things you normally would not want them to do to, with, on , or from your computers and equipment.
• ? What resources are we trying to protect ?
• ? Against whom must the computer systems be defended ?
• ? How much security is enough, and how much can you afford ?

Picking a Security Policy:

• "A security policy is a set of decisions that, collectively, determines an organization’s posture toward security."
• A policy:
  • Determines the limits of acceptable behavior.
  • Determines what response to violations should be.
  • Must reflect the area over which the company’s resources extend.
• Policies considering computers reachable by networks are difficult to define.
• Security in an internetwork is difficult because it involves:
  • Understanding when and how participating users, computers, services and networks can trust one another.
  • Understanding the technical details of network hardware and protocols.
• "Humans are usually the most susceptible point in any security scheme."
• "A worker who is malicious, careless, or is unaware of an organization's information policy can compromise even the best security policy."

Protecting Resources:

• Security implies safety, including:
  • Assurance of data integrity.
  • Freedom from unauthorized access of computational resources.
  • Freedom from snooping or wiretapping.
  • Freedom from disruption of service.
  No network is absolutely secure!
• Physical network security - extends to the cables, bridges, and routers that comprise its infrastructure.
• Protecting an abstract resource (information) is usually difficult, because information is elusive.
• Data integrity and data availability are important to maintain since data should not be changed or blocked by outsiders.

Mechanisms for Internet Security:
Authentication

• Internet security can be divided into three areas:
  • Authorization, authentication, and integrity.
  • Privacy.
  • Availability.
• To validate authorization, a server must know the identity of a client.
• IP source authentication is weak because it can be broken easily (IP spoofing).
• Clients must also authenticate the identity of servers to ensure security.
• To handle both, a trusted service is required. One form of trusted service uses a public-private key encryption scheme.
• Each participant is assigned two keys (public, private) that are used to encode and decode messages.
• Each key is a large integer (40+ digits).

Mechanisms for Internet Security:
Pretty Good Privacy (PGP)

• Pretty Good Privacy (PGP) is a popular public-private key encryption program out of MIT.
• A participant publishes a public key in a public database, and keeps the private key local and secure.
• When sending a message, it is encoded with the private key and decrypted using the public.

Mechanisms for Internet Security:
Privacy

• Encryption can also handle the problem of privacy.
• A sender can guarantee that only the intended receiver can read a message by using the receiver's public key to encrypt the message.
• The correct receiver only can then decrypt and read the message (the sender cannot even decrypt it).
• Public-private key encryption schemes can also be used to authenticate messages.
• By using a digital signature, it allows the receiver to verify that the sender is solely the one who encrypted the message.
• A message is encrypted with sender's private key then again with receiver's public key.
• The receiver decrypts the message with its private key, then with the sender's public key.

Firewalls and Internet Access:

• Internet access control requires changes to basic components of the internet infrastructure, including a careful combination of restriction on:
  • Network topology.
  • Intermediate information staging.
  • Packet filters.
• Internet Firewalls, which partition an internet into two regions (inside and outside), handles the prevention of unwanted external access.

Multiple External Connections:

• Multiple external connections pose a special security problem for organizations
• They must form a security perimeter by installing a firewall at each external connection, and must coordinate all firewalls to use exactly the same access restrictions.
• Failure to restrict access identically on all firewalls can leave the organization vulnerable (weakest link).

Firewall Implementation:

• Theoretically, firewalls block all communications between internal and external computers.
• Realistically, the operation and restriction depends on the network technology, capacity of the links, traffic load, and the organization's policies.
• No single solution works for all companies.
• Since each passing datagram must be examined passing in and out, firewalls must handle datagrams at the same speed of the connection(s).

Packet-Level Filters:

• Packet filters augment normal traffic routing and allow a manager to specify how the router should dispose of each datagram.
• The filtering mechanisms keep no history or record of interaction of disposed datagrams.
• When setting up datagram filters, a manager can choose a combination of source/destination IP addresses, protocol, and source/destination protocol ports.
• "A firewall that uses datagram filtering should restrict access to all IP sources, IP destinations, protocols, and protocol ports except those computers, networks, and services the organization explicitly decides to make externally available."
• Packet filters allowing managers to specify which packets to admit, instead of blocking, can make restrictions easier to specify and implement.

Restricted Access for Clients:

• "If an organization's firewall restricts incoming datagrams except for ports that correspond to services the organization makes available externally, an arbitrary application inside an organization cannot become a client of a server outside the organization."
• Modified applications are required to overcome this restriction.

Restricted Access for Clients:
Proxy Agents

• The second major piece of firewall architecture restricts foreign access to internal resources, while still allowing users to access outside resources.
• Proxy agents and proxitized applications are used to enable client/server applications to interact through a firewall.
• A proxy server (commonly referred to as a bastion host) acts a secure third party in all client/server interactions through a firewall.
  

• Firewalls have two conceptual barriers:
  • Outer barrier which blocks all incoming traffic except datagrams destined for:
    • Publicly available services on the bastion host. Clients on the bastion host.
  • Inner barrier which blocks all incoming traffic except datagrams that:
    • Originate on the bastion host.
• Manually enabled bypasses are seldom used.

Firewall Architecture:

• "Although a bastion host is essential for communication through a firewall, the security of the firewall depends on the safety of the bastion host."
• "An intruder who exploits a security flaw in the bastion host operating system can gain access to hosts inside the firewall."
• Two routers are used to implement each barrier (R1 = inner, R2 = outer).

Firewall Architecture:
Stub Network

• A stub network (short stubby wire connecting only 3 devices) is the network:
  • On which the bastion host resides.
  • Which connects the two wall routers.
• The stub network isolates the organization’s internal network from incoming data traffic (protects against the disruption of service).

Firewall Architecture:
Alternative Implementation:

• Stub networks only work when connecting a single site, when accommodating multiple external connections, an alternative is needed.
• Since most sites mistrust each other, a separate router is used per connection to prevent unwanted packet flow between external sites.
• Using multiple routers also allows for faster processing and reduces the needed external connection bandwidth.

Firewall Architecture:
Monitoring and Logging

• By monitoring and logging transactions, a manager can:
  • Determine if attempts have been made to bypass security.
  • Check if firewall break-ins have been tried.
  • Discover any operational problems.
• Monitoring can be active (manager is notified immediately) or passive (information is logged).

Security Issues:
Terminology

• Encryption (enciphering):
  • Conversion of plaintext or data into unintelligible form by means of a reversible translation that is based on a translation table or algorithm.
• Decryption (deciphering):
  • Translation of encrypted text (ciphertext) into original text (plaintext)
• Authentication:
  • A process used to verify the integrity of transmitted data, especially a message.
• Cryptography:
  • The branch of cryptology dealing with the design of algorithms for encryption/decryption, intended to ensure the secrecy and/or authentication of messages.
• Plaintext:
  • The input to an encryption function or output of a decryption function.
• Ciphertext:
  • The output of an encryption algorithm; the encrypted form of a message or data.
• Digital Signatures:
  • An authentication mechanism which enables the creator of a message to attach code that acts as a signature. It guarantees the source and integrity of the message.
• File Permissions:
  • Set within operating systems to give or restrict access on files to the world, group members, or owner.
  • In UNIX, file permissions are set using: chmod NNN filename ,where NNN are integers 1..7 determining Owner:Group:World access permissions.
• Public/Private-Key Encryption:
  • A form of cryptosystem in which encryption and decryption are performed using two different keys.
• Public Key:
  • One of two keys used in a symmetric encryption scheme, where it is made available publicly for use in combination with a private key.
• Private Key:
  • One of two keys used in a symmetric encryption scheme, where it is privately used only by its creator.

Security Issues:
Communications Protocols

• Security is provided and required at several protocol layers.
• Application layer:
  • SSL (Secure Sockets Layer) is used to protect data sent to and from WWW clients and servers using public/private key protection.
    • S/MIME (Secure MIME types) also allow secure WWW and e- mail interactions among applications.
  • Network layer:
    • IPv6 has attempted to introduce secure network connections and transmissions using:
      • Datagram header and data encryption.
      • Digital signatures
      • Authentication header fields.
• Because processing speed is an issue, security at the network layer is limited.

Security Issues:
World Wide Web related

• CGI (Common Gateway Interface) script execution:
  • Root access is needed at times to perform specific database transactions and lookups.
  • Password restriction is possible, but no session is setup therefore security is in the hands of the web client.
  • World permissions are used for ALL web transactions and CGI script executions.
• Electronic Commerce:
  • SSL (Secure Sockets Layer) is used to allow transmission of credit card numbers and other private information between HTTP clients and servers. Protection resides above HTTP.
  • SHTTP (Secure HTTP) handles the insecurities found in the original HTTP by automating encryption and decryption of SHTTP clientserver interactions.

Security Issues:
Protection and Holes

• IP spoofing is where a third party steals packets, changes them, and then retransmits those packets appearing as the original source.
• Backdoors are often found within operating systems to access restricted features and functions.
• Passwords are used with login IDs to restrict unauthorized access.
• Satan is a program which tests an operating system’s security holes and weaknesses.
• Trapdoors are similar to backdoors where access is granted through secret undocumented entry points.
• Trojan Horse is a useful computer program which also contains additional (hidden) functions that exploit legitimate authorizations and cause havoc.
• A virus is code embedded with a program that copies and attaches itself to other programs, performing some unwanted function.

Security Issues:
Break-ins and Problems

• Security algorithms and schemes that have been broken include:
  • Secure Sockets Layer 1.0 was broken by several people, proving Netscape Corporation’s electronic commerce was faulty. SSL 2.0 fixed these problems.
  • Clipper Chip using the SKIPJACK algorithm was proposed by the US government as a legal standard, however it was broken just in time!
• Physical security problems and solutions:
  • Fiber optics cables can be tappedM by bending the fiber to read the reflected light pulses.
  • Copper and other cables can also be tapped.
  • To prevent tapping, the government sometimes puts cyanide (poison) inside of the casing used to house the cable!

Various Security Topics:
Algorithms and Schemes

• Encryption Algorithms and Schemes:
  • Rivest-Shamir-Adleman (RSA)
  • Data Encryption Scheme (DES)
  • Message Digest Algorithm (MD5)
  • Secure Hash Algorithm (SHA)
  • International Data Encryption Algorithm (IDEA)
  • SKIPJACK (Clipper)

Various Security Topics:
Authentication and E-Mail Security

• Authentication and Key Exchange:
  • Kerberos
  • X.509 Directory Authentication Service
  • Diffie-Hellman Key Exchange
  • Digital Signature Standard (DSS)
• Electronic Mail Security:
  • Pretty Good Privacy (PGP)
  • Privacy Enhanced Mail (PEM)

Last Modification: (Sunday, August 25, 1996)

All work was written, produced, and is copyrighted by Daniel Z. Tabor Jr.
Page created by Daniel Z. Tabor Jr. Copyright ©1996 Illusion Industries Inc.