Ch06 Network Security


11/17/2024

Networks
(Chapter 6)

FROM SECURITY IN COMPUTING, FIFTH EDITION, BY CHARLES P. PFLEEGER, ET AL. (ISBN: 9780134085043). COPYRIGHT 2015 BY
PEARSON EDUCATION, INC. ALL RIGHTS RESERVED.

Objectives

• Networking basics
• Network threats and vulnerabilities
• Wireless security: WiFi vulnerabilities
• Denial-of-service attacks
• Network encryption concepts and tools
• Types of firewalls and what they do
• Intrusion detection and prevention systems
• Security information and event management tools

Network Basics

What is a computer network?
• A group of two or more devices (computers, phones, printers) connected together to communicate and share resources.

Key components:
• Nodes: devices such as computers, routers, or printers.
• Transmission media (links): the wired or wireless connections between devices.
• Protocols: rules that govern communication (e.g., HTTP, TCP/IP).

Network transmission media:
• Wire
  • Cable: carries electricity
  • Optical fiber: carries light
• Wireless
  • WiFi: uses radio waves to send signals omnidirectionally through the air
  • Microwave: a line-of-sight technology that broadcasts signals between fixed points
  • Satellite communication: signals travel from earth to the satellite and back to earth again

The OSI Model

Network communications are described through a conceptual model called the Open System Interconnection (OSI) model. The same seven layers exist on both the sender and the receiver:

7 – Application
6 – Presentation
5 – Session
4 – Transport
3 – Network
2 – Data Link
1 – Physical

The OSI model is most useful conceptually; it describes similar processes on both the sender and receiver.

Packet
◦ Smallest individually addressable data unit transmitted

Communication Media Vulnerability

Figure: points of exposure along the path from sender to receiver.
• Sender's LAN: wiretap
• LAN: rogue receiver (sniffer, wiretap), imposter
• WAN: wired interception
• Satellite and microwave links: interception
• Receiver's LAN: wiretap

All network communications are potentially exposed to interception; thus, sensitive signals must be protected.

Threats to Network Communications

• Interception, or unauthorized viewing
• Modification, or unauthorized change
• Fabrication, or unauthorized creation
• Interruption, or preventing authorized access
• Port scanning

1. Interception

• Security perimeter
  ◦ A virtual line that encircles a protected set of computing resources
• Interception occurs when an unauthorized actor crosses the security perimeter through
  ◦ Eavesdropping
  ◦ Wiretapping

Encryption is the most common and useful control for addressing interception threats.

Interception (cont.)

Why is a network vulnerable to interception? The following network characteristics make it so:

• Anonymity: an attacker can attempt many attacks, anonymously, from thousands of miles away.
• Many points of attack: large networks mean many points of potential entry.
• Sharing: networked systems open up potential access to more users than do single computers.
• System complexity: networks of different complex systems, disparate OSs, vulnerabilities, and purposes are more complex than a single host.
• Unknown perimeter: networks change all the time, so it is hard to tell which systems belong and are behaving, and impossible to tell which systems bridge networks.
• Unknown path: there may be many paths, including untrustworthy ones, from one host to another.

Figure: unknown perimeter and unknown path issues, showing Networks A through E and Hosts A1, B3, C, and D; a message from Host A1 to Host B3 may traverse networks and hosts that neither end knows about.

2. Modification, 3. Fabrication

Data corruption
◦ May occur during data entry, at rest, in use, in transit, and on retrieval
◦ May be intentional or unintentional, malicious or nonmalicious, directed or random
◦ Sources of corruption include: typing error, malicious program, noise or accident, hardware failure, software flaw, transmission problem, hacker activity, human mistake
◦ Sequencing
  ◦ Permuting the order of data, such as packets arriving out of sequence
◦ Substitution
  ◦ Replacement of one piece of a data stream with another
◦ Insertion
  ◦ A form of substitution in which data values are inserted into a stream
◦ Replay
  ◦ Legitimate data are intercepted and reused

Data Corruption: Simple Replay Attack

Replay vs. wiretapping vs. man-in-the-middle

Replay attack
• Legitimate data are intercepted and reused without modification. In the figure, the client encrypts its password and sends ID plus encrypted password to the server; the attacker intercepts that message and later resends the same ID and encrypted password. Encryption alone does not stop this: the server cannot tell the copy from the original, so the captured credential still works.

Wiretapping attack
• The content of the data is obtained but not reused

Man-in-the-middle attack
• The content is modified to deceive both ends into believing they are communicating directly
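The replay described above, and the standard countermeasure, as an added example that is not part of the book or the slides: a naive server that checks a static "encrypted" credential (so a captured copy logs in again) next to a challenge-response server that issues a fresh single-use nonce per attempt and expects an HMAC over it. The shared key, the token construction and the nonce handling are assumptions for the demo.

```python
import hashlib
import hmac
import os

# Constructed pre-shared secret for the demo; a real deployment would hold a
# password verifier or a key derived from the password.
SHARED_KEY = b"constructed-demo-secret"


def naive_client_token(key):
    """What the figure's client sends: a fixed 'encrypted' credential.

    It is deterministic, so every login transmits exactly the same bytes.
    """
    return hashlib.sha256(b"login-token|" + key).digest()


class NaiveServer:
    """Verifies the static token; it cannot tell a replay from the real client."""

    def __init__(self, key):
        self.expected = naive_client_token(key)

    def login(self, token):
        return hmac.compare_digest(token, self.expected)


def client_response(key, nonce):
    """Client's proof of the key for one specific challenge."""
    return hmac.new(key, b"auth-response|" + nonce, hashlib.sha256).digest()


class ChallengeServer:
    """Challenge-response: each login attempt gets a fresh single-use nonce.

    A captured response is bound to a nonce that is consumed on first use,
    so replaying the captured (nonce, response) pair fails.
    """

    def __init__(self, key):
        self.key = key
        self.outstanding = set()

    def challenge(self):
        nonce = os.urandom(16)
        self.outstanding.add(nonce)
        return nonce

    def login(self, nonce, response):
        if nonce not in self.outstanding:
            return False                      # unknown or already used nonce
        self.outstanding.discard(nonce)       # single use
        expected = client_response(self.key, nonce)
        return hmac.compare_digest(expected, response)


def demo():
    """Returns (naive_replay_succeeds, challenge_first_login, challenge_replay)."""
    naive = NaiveServer(SHARED_KEY)
    captured = naive_client_token(SHARED_KEY)   # attacker sniffs one login
    naive_replay = naive.login(captured)        # True: the replay is accepted

    srv = ChallengeServer(SHARED_KEY)
    nonce = srv.challenge()
    response = client_response(SHARED_KEY, nonce)
    captured_pair = (nonce, response)           # attacker sniffs this exchange
    first = srv.login(nonce, response)          # True: legitimate login
    replay = srv.login(*captured_pair)          # False: nonce already consumed
    return naive_replay, first, replay


if __name__ == "__main__":
    print("naive replay accepted, real login, replayed login:", demo())
```

The nonce must be unpredictable and never reused; a server that accepts any nonce it did not issue, or issues counters that an attacker can anticipate, loses the protection. A timestamp window is a common alternative when the client cannot do a round trip first.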

4. Interruption: Loss of Service

o Redundancy and fault tolerance are important characteristics for robustness
o Denial of service is not binary! Service capacity can be reduced
o Issues include:
  • Routing: Internet routing protocols are complicated, and one misconfiguration can poison the data of many routers
  • Excessive demand: network capacity is finite and can be exhausted; an attacker can generate enough demand to overwhelm a critical part of a network
  • Component failure: component failures tend to be sporadic and unpredictable, and will cause loss of service if not planned for

5. Port Scanning

Port scanning doesn't fit cleanly into the category of threats
A port scanner is a program that reports which ports respond to queries
Example
◦ Nmap
◦ Probes a range of ports, testing to see what services respond
Why may port scanning constitute a threat? It tells an attacker
1. which ports or services are up and running
2. what OS is installed
3. what applications and versions are present

Example: information from Nmap (screenshot not reproduced)
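A minimal TCP connect scanner with banner grabbing, as an added example that is not from the book or from Nmap: it starts a throw-away listener on 127.0.0.1 (a constructed target that answers with a fake SSH banner), probes a range of ports concurrently, and reports which ports accept a connection and what they say first. The banner text and the port range are assumptions; the point is to show the two pieces of information a scan yields, which ports are open and which service and version answer there.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

# Constructed target banner so the scan has something to find offline.
FAKE_BANNER = b"SSH-2.0-demo-target\r\n"


def start_listener(host="127.0.0.1"):
    """Start a local TCP service on an OS-assigned port; returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(16)
    port = srv.getsockname()[1]

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # listener closed
                return
            with conn:
                conn.sendall(FAKE_BANNER)

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, port


def probe(host, port, timeout=0.5):
    """TCP connect probe. Returns (port, is_open, banner_bytes).

    A completed connect() means something is listening; reading a few bytes
    afterwards is banner grabbing, which is what leaks service and version.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError:                      # refused, filtered, or unreachable
            return port, False, b""
        try:
            banner = s.recv(128)
        except OSError:                      # open but silent service
            banner = b""
        return port, True, banner


def scan(host, ports, workers=32):
    """Probe every port in `ports` concurrently; returns {open_port: banner}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: probe(host, p), ports))
    return {port: banner for port, is_open, banner in results if is_open}


if __name__ == "__main__":
    listener, target_port = start_listener()
    found = scan("127.0.0.1", range(target_port - 5, target_port + 6))
    for port, banner in sorted(found.items()):
        print(f"{port}/tcp open  {banner.strip().decode(errors='replace')}")
    listener.close()
```

A connect scan completes the handshake and therefore shows up in the target's service logs; Nmap's default SYN scan stops after the SYN/ACK and needs raw sockets. Either way, the scan traffic is visible to a stateful firewall or IDS watching one source touch many ports in quick succession.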

Wireless Network Security: Vulnerabilities in Wireless Networks

Vulnerabilities in Wireless Networks

Wires are easy to protect because:
• they can be secured physically
• they are harder to intercept without detection

An attacker can:
• join the wireless network and participate in data exchanges
• merely observe the traffic as a bystander

The following threats exist in WiFi networks:
• Disclosure. Every message is a broadcast; unencrypted messages can be read by anyone who is listening and within range (confidentiality)
• Session forgery. When a WiFi access point receives two streams of communication claiming to be the same computer, the stronger signal is accepted (integrity)
• Destruction. WiFi creates new availability problems, such as session hijacking, forced disassociation, and jamming (availability)
• Interception. Unauthorized WiFi access (confidentiality, integrity, and availability)

Vulnerabilities in Wireless Networks (cont.)

WiFi protocol weaknesses enable other forms of threat, such as:
• Picking up the beacon
  • Hidden SSIDs can easily be discovered by monitoring client requests for SSIDs in the absence of SSID beacons from the access point
• SSID in all frames
  • Like picking up the beacon: once a client connects to an access point, the SSID is carried in all communication frames and can be sniffed that way
• Association issues
  • WiFi clients have preferred networks which they know and trust and connect to automatically
  • Attackers can spoof trusted SSIDs and trick devices into connecting to rogue access points

Failed Countermeasure: WEP


Wired equivalent privacy (WEP)
◦ Designed at the same time as the original 802.11 WiFi standards as the
mechanism for securing those communications
Weaknesses in WEP were first identified in 2001, four years after
release
More weaknesses were discovered over the course of years
◦ Any WEP-encrypted communication could be cracked in a matter of
minutes


How WEP Works


1) Client and access point (AP) have a pre-shared key
2) AP sends a random number to the client, which the client
then encrypts using the key and returns to the AP
3) The AP decrypts the number using the key and checks
that it’s the same number to authenticate the client
4) Once the client is authenticated, the AP and client
communicate using messages encrypted with the key


WEP Weaknesses

1. Weak encryption key
   WEP allows either 64- or 128-bit keys, but 24 of those bits are the IV, leaving only a 40- or 104-bit secret. Keys were alphanumeric or hex phrases that users typed in and were therefore vulnerable to dictionary attacks.
2. Static key
   Since the key was just a value the user typed in at the client and the AP, and since users rarely changed those keys, one key would be used for many months of communications.
3. Weak encryption process
   A 40-bit key can be brute forced easily. Flaws discovered in the way WEP uses the RC4 encryption algorithm made the 104-bit keys easy to crack as well.

WEP Weaknesses (cont.)

4. Weak encryption algorithm
   WEP used RC4 in a strange way, which resulted in a flaw that allowed attackers to decrypt large portions of any WEP communication.
5. IV collisions
   There were only 16 million (2^24) possible values of the IV, which, in practice, is not that many to cycle through for cracking. They were not randomly selected.
6. Faulty integrity check
   WEP messages included a checksum (CRC) to identify transmission errors but did not use one that could address malicious modification.
7. No authentication
   Any client that knows the AP's SSID and MAC address is assumed to be legitimate.
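Weaknesses 4 and 5 above come down to one property of a stream cipher: two packets encrypted under the same per-packet key share the same keystream. The following added example (not from the book, and not a WEP implementation, only WEP's framing of RC4: per-packet key = IV || root key with the IV sent in the clear) shows that knowing one packet's plaintext recovers any other packet sent under the same IV, and simulates how quickly a randomly chosen 24-bit IV repeats. The root key, IV and packet contents are constructed test data.

```python
import random


def rc4_keystream(key, length):
    """Plain RC4 (KSA + PRGA). Returns `length` keystream bytes for `key`."""
    s = list(range(256))
    j = 0
    for i in range(256):                               # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                            # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a, b):
    """XOR up to the shorter length."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(root_key, iv, plaintext):
    """WEP-style framing: per-packet RC4 key = IV || root key, IV sent in clear.

    root_key is the 40- or 104-bit secret; iv is the 24-bit (3-byte) IV.
    Returns (iv, ciphertext) as the frame would carry them.
    """
    assert len(iv) == 3
    keystream = rc4_keystream(iv + root_key, len(plaintext))
    return iv, xor_bytes(plaintext, keystream)


def recover_with_known_plaintext(ct_known, pt_known, ct_target):
    """Two packets under the same IV share one keystream:
    ct_known xor pt_known = keystream, and ct_target xor keystream = pt_target.
    No key recovery is needed.
    """
    keystream = xor_bytes(ct_known, pt_known)
    return xor_bytes(ct_target, keystream)


def packets_until_iv_repeat(seed=0, iv_bits=24):
    """Simulate an AP drawing random IVs; count packets until the first repeat.

    By the birthday bound a repeat is expected after roughly 2**(iv_bits/2),
    about 4096 packets, far sooner than the 16 million IV space suggests.
    """
    rng = random.Random(seed)
    seen = set()
    count = 0
    while True:
        count += 1
        iv = rng.getrandbits(iv_bits)
        if iv in seen:
            return count
        seen.add(iv)


if __name__ == "__main__":
    root = bytes.fromhex("0102030405")             # constructed 40-bit key
    iv = b"\x00\x00\x01"
    _, c1 = wep_encrypt(root, iv, b"GET /index.html HTTP/1.1")
    _, c2 = wep_encrypt(root, iv, b"Authorization: Basic dXNl")
    print(recover_with_known_plaintext(c1, b"GET /index.html HTTP/1.1", c2))
    print("first IV repeat after", packets_until_iv_repeat(seed=1), "packets")
```

Real attacks went further (FMS and PTW recover the root key itself from the IV-dependent first keystream bytes), but keystream reuse alone is enough to read traffic, and it is why WPA's per-packet key mixing and larger IV space matter.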

WPA (WiFi Protected Access)

WPA fixes many shortcomings of WEP by using stronger encryption; longer, changing keys; and secure integrity checks.

WPA was designed in 2003 as a replacement for WEP and was quickly followed in 2004 by WPA2, which remained the standard for well over a decade (WPA3 was published in 2018, but WPA2 is still widely deployed).

Non-static encryption key
• New keys are generated for confidentiality and integrity of each session (hierarchy of keys)
• The encryption key is automatically changed on each packet
• The keys that are most important are used in very few places and indirect ways, protecting them from disclosure

Authentication
• WPA allows authentication by password, token, or certificate

WPA (cont.)

Strong encryption
• WPA adds support for AES, a much more reliably strong encryption algorithm
Integrity protection
• WPA includes a 64-bit cryptographic integrity check
Session initiation
• WPA sessions begin with authentication and a four-way handshake that results in separate keys for encryption and integrity on both ends
Attacks against WPA
• Man-in-the-middle
• Incomplete authentication
• Exhaustive key search
• These attacks are either of very limited effectiveness or require weak passwords

Attacks on Networks

Denial of Service (DoS)

DoS attacks are attempts to defeat a system's availability.
The source of a DoS attack is typically difficult or impossible to determine with certainty.

How is service denied?
• Volumetric attacks: increasing demand beyond what the system can handle, so that some data will not move properly through the network
• Application-based attacks: exhausting the application that services a particular network
• Disabled communications: cutting the communications link between two points
• Hardware or software failure: related to the fault tolerance of machinery or programs

DoS Attack Example: Ping Flood

A ping flood is limited by the smallest bandwidth on the attack route.
• If the attacker is on a 10 Mbps connection and the path to the victim is 100 Mbps or more, then the attacker alone cannot flood the victim. Figure (b), victim has greater bandwidth: the victim answers every ping with a reply and is not saturated.
• If the attacker is on a 100 Mbps connection and the victim is on a 10 Mbps connection, the attack succeeds: the ping packets saturate the victim's bandwidth. Figure (a), attacker has greater bandwidth.

The slide also names the related ping of death, a malformed, oversized ping packet that crashed the victim's IP stack rather than exhausting its bandwidth.

DoS Attack Example: Smurf Attack

Smurf attack
◦ A variation of a ping attack with two extra twists
  ◦ Spoofing the source address in the ping packet so that it appears to come from the victim
  ◦ Sending the request to the network in broadcast mode

Figure: the attacker sends a broadcast ECHO request to the network with the victim's return address; all network hosts reply to the victim; the victim is saturated with ECHO replies from the entire network.

DoS Attack Example: Echo-Chargen

• Works between two hosts (Victim A and Victim B)
• Uses the echo (port 7) and chargen (port 19) UDP services, not ICMP: the attacker sends a spoofed chargen packet so that Victim A's character-generator output is addressed to Victim B's echo port, which sends it straight back
• Acts like a game of tennis: "chargen packet with echo bit on", "echoing what you just sent me", "chargen another packet", "echoing that again", indefinitely, until one host is taken offline or the services are disabled

DoS Attack Example: SYN Flood

• Uses the TCP protocol suite: the attacker sends a stream of SYN (connection-request) segments, usually with spoofed source addresses, and never completes the three-way handshake
• Each half-open connection occupies a slot in the victim's connection table until it times out; once the table is full, legitimate connection requests are refused

DoS Attack Example: Teardrop Attack

• Misuses a feature intended to improve network communication (IP fragmentation and reassembly)
• The attacker sends packets that cannot possibly be reassembled (conflicting reassembly instructions)
• In extreme cases, this can cause the entire OS to lock up

Figure: packet fragments with overlapping reassembly instructions against a reassembly buffer (offsets 0, 10, 20, ..., 100, ...):
  Fragment 1: start = 10, len = 50
  Fragment 2: start = 20, len = 60
  Fragment 3: start = 40, len = 30
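The slide's three fragments, run through both a reassembler that reasons the way the vulnerable stacks did and one that validates offsets before touching the buffer, as an added example that is not from the book. `naive_copy_lengths` reproduces the arithmetic that went wrong (a copy length computed from overlapping offsets turning negative); `check_fragments` and `safe_reassemble` are the hardened form an IDS or a modern IP stack applies. The fragment offsets come from the figure; the payload bytes are constructed.

```python
def naive_copy_lengths(fragments):
    """Reproduce the reasoning of the vulnerable reassembler.

    Old IP stacks trusted fragment offsets: when a fragment overlapped the
    data already received, they trimmed it to start at the previous
    fragment's end and computed the bytes to copy as new_end - previous_end.
    A fragment that ends inside the previous one makes that negative; cast
    to an unsigned size it became a huge copy, which is what crashed the
    kernel. fragments: [(offset, length)] in arrival order.
    """
    lengths = []
    prev_end = None
    for offset, length in fragments:
        end = offset + length
        if prev_end is not None and offset < prev_end:
            lengths.append(end - prev_end)      # may be negative: the bug
        else:
            lengths.append(length)
        prev_end = end
    return lengths


def check_fragments(fragments, max_len=65535):
    """Validate (offset, length) pairs: in range and non-overlapping.

    Returns (ok, reason). Rejecting overlap before accepting a fragment into
    the reassembly buffer is the fix.
    """
    covered = []
    for offset, length in sorted(fragments):
        if offset < 0 or length <= 0 or offset + length > max_len:
            return False, f"fragment ({offset}, {length}) out of range"
        for start, end in covered:
            if offset < end and start < offset + length:
                return False, f"fragment ({offset}, {length}) overlaps [{start}, {end})"
        covered.append((offset, offset + length))
    return True, "no overlap"


def safe_reassemble(fragments):
    """Reassemble [(offset, payload)] into bytes; rejects overlaps and gaps."""
    ok, reason = check_fragments([(off, len(data)) for off, data in fragments])
    if not ok:
        raise ValueError(reason)
    buf = bytearray()
    for offset, data in sorted(fragments, key=lambda f: f[0]):
        if offset != len(buf):
            raise ValueError(f"gap before offset {offset}")
        buf += data
    return bytes(buf)


# The slide's fragments: every one overlaps its predecessor.
TEARDROP_FRAGMENTS = [(10, 50), (20, 60), (40, 30)]


if __name__ == "__main__":
    print("naive copy lengths:", naive_copy_lengths(TEARDROP_FRAGMENTS))
    print("hardened check:", check_fragments(TEARDROP_FRAGMENTS))
    print(safe_reassemble([(20, b"b" * 30), (0, b"a" * 20)]))
```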

DoS Attack Example: DNS Spoofing

Figure: the user asks "Please convert www.microsoft.com"; the attacker answers first with 7.0.1.1; the legitimate DNS server's answer, 207.46.197.32, is received too late and ignored.

• The attacker acts as the DNS server in order to redirect the user to malicious sites
• Any server can respond to a DNS lookup request; the first responder wins

DoS Attack Example: Rerouting Routing

• Routers advertise the routes they know to the adjacent routers
• Routers rely on the accuracy of these advertising messages
• If they are not accurate, DoS can ensue

Figure: networks 10.0.0.0 (router A), 20.0.0.0 (router B), 30.0.0.0 (router C) and 90.0.0.0; router T advertises 10.0.0.0 at distance 3, 20.0.0.0 at distance 2, and 30.0.0.0 at distance 1.

DoS Attack Example: TCP Session Hijacking

• An attacker tries to synchronize with a receiver while breaking synchronization with the sender and resetting the sender's connection
• The attacker continues the TCP session while the sender thinks the connection just broke off

Figure (sender, attacker, receiver), reconstructed from the slide:
  Sender → Receiver: Data (len 5), Seq = 10
  Receiver → Sender: Ack = 15
  Sender → Receiver: Data (len 20), Seq = 15
  Receiver → Sender: Ack = 35
  Attacker → Receiver: Data (len 100), Seq = 35 (hijack)
  Receiver: Ack = 135
  Sender → Receiver: Data (len 30), Seq = 35 (now out of step with the receiver)
  Attacker → Receiver: Data (len 25), Seq = 135
  Attacker → Sender: Reset

Distributed Denial of Service (DDoS)

Figure: 1. The attacker plants a Trojan horse in zombies. 2. The zombies attack the victim simultaneously on command.

Botnets

Figure: attackers control masters; masters drive command-and-control (C&C) servers; C&C servers direct bots; the bots attack the victim.

Network Protection
• Cryptography
• Firewalls
• Intrusion Detection Systems (IDS)

Cryptography in Network Security

Link Encryption

Figure (sender, intermediate node, receiver; M = message, shown encrypted or plaintext at each of layers 7 through 1): the message is plaintext at layers 7 through 3 on the sender, encrypted at layers 2 and 1 for transmission, decrypted back to plaintext at the intermediate node (which only has layers 1 through 3), re-encrypted for the next link, and decrypted at the receiver. The intermediate node sees the plaintext.

End-to-End Encryption

Figure: the message is encrypted at the application layer (layer 7) on the sender, stays encrypted through every layer on the intermediate node, and is decrypted only at the receiver's layer 7. Intermediate nodes see only ciphertext.

Link vs. End-to-End (comparison table not reproduced)

Secure Shell (SSH)

• Originally developed for UNIX but now available on most OSs
• Provides an authenticated, encrypted path to the OS command line over the network
• Replacement for insecure utilities such as Telnet
• Protects against spoofing attacks and modification of data in communication
11/17/2024

SSL and TLS

Secure Sockets Layer (SSL) was designed in the 1990s to protect communication between a web browser and server
In a 1999 upgrade to SSL, the protocol was renamed Transport Layer Security (TLS)
While the protocol is still commonly called SSL, TLS is the modern, and much more secure, protocol (SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1 are all deprecated; TLS 1.2 and 1.3 are what should be deployed today)
TLS runs directly above TCP (conventionally placed at OSI layer 4, transport) and provides
◦ Server authentication
◦ Client authentication (optional)
◦ Encrypted communication

SSL Cipher Suites

At the start of an SSL/TLS session, the client and server negotiate the encryption algorithms to use, known as the "cipher suite"
The client sends the list of cipher suites it supports (in its ClientHello), and the server chooses one option from that list (in its ServerHello)
The cipher suite consists of
◦ A key exchange and digital signature algorithm for authentication
◦ An encryption algorithm for confidentiality
◦ A hash (MAC) algorithm for integrity

SSL Cipher Suites (Partial List)

(table not reproduced)

Cipher suite negotiation is at the center of a very common SSL configuration vulnerability: a server configured to accept weak or obsolete suites will happily negotiate them with any client that offers them, so the server's allowed list, not the client's, is what has to be restricted.
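What restricting the server's list looks like in practice, as an added example that is not from the book: a Python `ssl` server context that only offers forward-secret AEAD suites on TLS 1.2 or later, plus an audit function that lists every suite the context would accept and flags the obsolete ones. The weak-marker list and the cipher string are choices made for this example; the exact suites reported depend on the OpenSSL build behind the interpreter.

```python
import ssl

# Substrings in OpenSSL suite names that no server should negotiate today:
# RC4, NULL (no encryption), export-grade, (3)DES, MD5, anonymous DH/ECDH.
WEAK_MARKERS = ("RC4", "NULL", "EXPORT", "DES", "MD5", "AECDH", "ADH")


def hardened_server_context():
    """Server context offering only ECDHE key exchange with AES-GCM or
    ChaCha20-Poly1305, on TLS 1.2 or newer (TLS 1.3 suites are implied)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # OpenSSL cipher-list syntax; the '!' entries are explicit exclusions as
    # belt and braces in case the positive list is ever widened.
    ctx.set_ciphers(
        "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!DES:!3DES:!EXPORT"
    )
    return ctx


def enabled_cipher_names(ctx):
    """Suite names the context would accept, as OpenSSL reports them."""
    return [c["name"] for c in ctx.get_ciphers()]


def weak_ciphers(ctx):
    """Enabled suites whose name matches a weak marker."""
    return [n for n in enabled_cipher_names(ctx)
            if any(m in n.upper() for m in WEAK_MARKERS)]


def lacks_forward_secrecy(ctx):
    """Enabled suites with static RSA key exchange (no ECDHE/DHE).
    TLS 1.3 suites are named TLS_* and are always forward secret."""
    return [n for n in enabled_cipher_names(ctx)
            if not n.startswith("TLS_") and "ECDHE" not in n and "DHE" not in n]


def audit(ctx):
    """Summary a reviewer would want before signing off a server config."""
    return {
        "min_version": ctx.minimum_version.name,
        "enabled": len(enabled_cipher_names(ctx)),
        "weak": weak_ciphers(ctx),
        "no_pfs": lacks_forward_secrecy(ctx),
    }


if __name__ == "__main__":
    hardened = hardened_server_context()
    print("hardened:", audit(hardened))
    print("library default:", audit(ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)))
    for name in enabled_cipher_names(hardened):
        print("  ", name)
```

The same audit should be run against the real listener from the outside (for example with `openssl s_client -cipher` or a scanner), because the effective list is whatever the deployed binary and its OpenSSL agree on, not what the configuration file says.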

SSL Session Established (figure not reproduced)

SSL Certificate (figure not reproduced)

Chain of Certificates (figure not reproduced)

Onion Routing
Onion routing prevents an eavesdropper from learning
source, destination, or content of data in transit in a network
This is particularly helpful for evading authorities, such as
when users in oppressive countries want to communicate
freely with the outside world
Uses asymmetric cryptography, as well as layers of
intermediate hosts, so that
◦ The intermediate host that sends the message to the ultimate
destination cannot determine the original sender, and
◦ The host that received the message from the original sender
cannot determine the ultimate destination


Virtual Private Networks (VPN)

A VPN is an encrypted tunnel that provides confidentiality and integrity for communication between two sites over public networks
The VPN is terminated by firewalls at both ends

Figure: Office A (hosts A1 to A4 behind Firewall A) and Office B (hosts B1 to B4 behind Firewall B) are connected over public networks; the link between Firewall A and Firewall B is encrypted, and Firewall A also connects to other sites.

VPN (cont.)

Figure: a teleworker connects through an encrypted tunnel to the office firewall (Firewall A, hosts A1 to A4).

Firewalls


Firewalls
A device that filters all traffic between a protected or “inside” network and less trustworthy or
“outside” network
Most firewalls run as dedicated devices
◦ Easier to design correctly and inspect for bugs
◦ Easier to optimize for performance
Firewalls implement security policies, or set of rules that determine what traffic can or cannot
pass through
A firewall is an example of a reference monitor, which means it should have three
characteristics:
◦ Always invoked (cannot be circumvented)
◦ Tamperproof
◦ Small and simple enough for rigorous analysis


Firewall Security Policy (example rule table not reproduced)

Types of Firewalls
1. Packet filtering gateways or screening routers
2. Stateful inspection firewalls
3. Application-level gateways, also known as proxies
4. Circuit-level gateways
5. Guards
6. Personal or host-based firewalls


Packet-Filtering Gateways

Control access based on:
• Packet address
• Specific transport protocol type or port (e.g., HTTP traffic on TCP port 80)
They maintain no state from one packet to the next

Figure: a screening router in front of the 100.50.25.x network. Packets arriving from outside with source address 100.50.25.x (the inside network's own range, so they must be spoofed) are dropped while packets from other source addresses pass; separately, HTTP is allowed through while Telnet is blocked.

Stateful Inspection Firewall

It maintains state information from one packet to the next

Figure: a sequence of packets from 10.1.3.1 to successive ports (10.1.3.1:1, 10.1.3.1:2, 10.1.3.1:3, 10.1.3.1:4) reaches the firewall; having recorded that pattern, the firewall can judge further traffic from 10.1.3.1:x in light of the history, something a stateless filter cannot do.
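The two designs side by side, as an added example that is not from the book: a stateless packet filter that judges each inbound packet against a first-match rule list with a default deny (the spoofed-inside-address rule and the HTTP-allowed, Telnet-blocked rules of the packet-filtering figure), and a stateful firewall that additionally records flows opened from inside so that their return traffic is admitted without a standing inbound rule. The inside prefix 10.1.3.x, the rule set and the packet values are assumptions for the demo.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False      # TCP connection request (SYN without ACK)


INSIDE = "10.1.3."         # assumed internal prefix; the slides' 10.1.3.1 lives here

# Screening-router rules for inbound packets: first match wins, default deny.
# Fields: action, src prefix, dst host, proto, dport (None means any).
INBOUND_RULES = [
    ("deny",  INSIDE, None, None, None),       # inside address arriving from outside: spoofed
    ("allow", None, "10.1.3.1", "tcp", 80),    # public web server
    ("deny",  None, None, "tcp", 23),          # no Telnet from anywhere
]


def _matches(rule, pkt):
    _, src, dst, proto, dport = rule
    return ((src is None or pkt.src.startswith(src))
            and (dst is None or pkt.dst == dst)
            and (proto is None or pkt.proto == proto)
            and (dport is None or pkt.dport == dport))


def stateless_filter(pkt, rules=INBOUND_RULES):
    """Packet-filtering gateway: judge each packet in isolation."""
    for rule in rules:
        if _matches(rule, pkt):
            return rule[0]
    return "deny"


class StatefulFirewall:
    """Stateful inspection: remember flows initiated from inside so that their
    reply traffic is admitted, and send everything else through the rules."""

    def __init__(self, rules=INBOUND_RULES):
        self.rules = rules
        self.flows = set()   # (inside host, inside port, outside host, outside port, proto)

    def outbound(self, pkt):
        if not pkt.src.startswith(INSIDE):
            return "deny"                      # inside interface must carry inside sources
        self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
        return "allow"

    def inbound(self, pkt):
        reply_of = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if reply_of in self.flows and not pkt.syn:
            return "allow"                     # belongs to an established flow
        return stateless_filter(pkt, self.rules)


def scenario():
    """Decisions for a handful of constructed packets; keys name the case."""
    fw = StatefulFirewall()
    web_req = Packet("198.51.100.7", 40000, "10.1.3.1", 80, syn=True)
    telnet = Packet("198.51.100.7", 40001, "10.1.3.1", 23, syn=True)
    spoofed = Packet("10.1.3.9", 40002, "10.1.3.1", 80, syn=True)
    outgoing = Packet("10.1.3.25", 51000, "203.0.113.5", 443, syn=True)
    reply = Packet("203.0.113.5", 443, "10.1.3.25", 51000)
    unsolicited = Packet("198.51.100.7", 443, "10.1.3.25", 51000, syn=True)
    fw.outbound(outgoing)
    return {
        "web_stateless": stateless_filter(web_req),
        "web_stateful": fw.inbound(web_req),
        "telnet": fw.inbound(telnet),
        "spoofed": fw.inbound(spoofed),
        "reply_stateless": stateless_filter(reply),   # no rule: denied
        "reply_stateful": fw.inbound(reply),          # known flow: allowed
        "unsolicited": fw.inbound(unsolicited),
    }


if __name__ == "__main__":
    for case, decision in scenario().items():
        print(f"{case:16} {decision}")
```

The stateless filter has to choose between blocking replies to inside-initiated connections and opening every high port to the world; the flow table resolves that. Real implementations also age entries out and track TCP state transitions so that a stray ACK cannot keep a dead flow alive.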

Application Proxy

It simulates the behavior of an application at OSI layer 7
• The real application receives only requests to act properly
Application proxies can serve several purposes:
• Filtering potentially dangerous application-layer requests
• Logging requests/accesses
• Caching results to save bandwidth
The most common form is a web proxy

Figure: commands are filtered on the way in and results returned on the way out; the proxy keeps a log and a file cache.

Circuit-Level Gateway

A firewall that allows one network to be an extension of another
It operates at OSI layer 5, the session layer
It functions as a virtual gateway between two networks
One use is to implement a VPN

Figure: traffic from the 100.1.1.x network bound for 200.1.1.x is sent through the circuit gateway and encrypted; all other traffic goes to the main firewall.

Guard
A sophisticated firewall that, like an application proxy, can interpret data at the protocol level
and respond
The distinction between a guard and an application proxy can be fuzzy; the more protection
features an application proxy implements, the more it becomes like a guard
Guards may implement any programmable set of rules; for example:
◦ Limit the number of email messages a user can receive
◦ Limit users’ web bandwidth
◦ Filter documents containing the word “Secret”
◦ Pass downloaded files through a virus scanner


Personal Firewalls
• Restrict traffic by source IP and destination port
• Restrict which applications can use the network

Comparison of Firewall Types (table not reproduced)

Demilitarized Zone (DMZ)

A form of network architecture in which a network enclave is dedicated to services that should be somewhat accessible from the outside

Figure: an outer firewall in front of the DMZ (web page server, email server, FTP server) and an inner firewall between the DMZ and the internal network (database).

What Firewalls Can and Cannot Do

• Firewalls can protect an environment only if they control the entire perimeter
• Firewalls do not protect data outside the perimeter
• Firewalls are the most visible part of an installation to the outside, so they are an attractive target for attack
• Firewalls must be correctly configured, and the configuration must be updated as the environment changes
• Firewall reports must be reviewed periodically for evidence of attempted or successful intrusion
• Firewalls exercise only minor control over the content admitted to the inside; inaccurate or malicious code must be controlled by means inside the perimeter

Network Address Translation (NAT)

Conceals the true address of the internal host and prevents the internal host from being reached directly
◦ The source firewall converts the source address in the packet into the firewall's own address

Figure: the internal user host 192.168.1.35 sends a packet (Src: 192.168.1.35:80) toward the external destination host 65.216.161.24; the firewall (173.203.129.90) rewrites it to Src: 173.203.129.90:80 and forwards it. The firewall's table of translations performed records Source 192.168.1.35:80, Dest 65.216.161.24:80, so that the reply can be mapped back to the internal host.

Data Loss Prevention (DLP)

DLP is a set of technologies that can detect and possibly prevent attempts to send sensitive data where it is not allowed to go
Can be implemented as
◦ An endpoint agent installed with rootkit-like OS hooks
◦ A guard

DLP looks for indicators:
◦ Keywords
◦ Traffic patterns
◦ Encoding/encryption

DLP is best for preventing accidental incidents, as malicious users will often find ways to circumvent it

Intrusion Detection Systems (IDS)

Figure: the raw event source (E) produces raw or low-level event data; the analysis component (A) turns them into high-level interpreted events, which are kept in storage (S); the countermeasures component (C) produces reactions to events.

An IDS can:
• Monitor user and system activity
• Audit system configurations for vulnerabilities and misconfigurations
• Assess integrity of critical system and data files
• Recognize known attack patterns in system activity
• Identify abnormal activity through statistical analysis
• Manage audit trails and highlight policy violations
• Install and operate traps to record information about intruders

Types of IDS

Detection method
• Signature-based
• Heuristic
Location
• Front end
• Internal
Scope
• Host-based IDS (HIDS)
• Network-based IDS (NIDS)
Capability
• Passive
• Active, also known as intrusion prevention system (IPS)
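The two detection methods above, signature-based and heuristic (statistical), run over the same constructed log, as an added example that is not from the book or from any IDS product. The log format, the three signatures and the baseline of per-host failed-login counts are all assumptions made for the demo; the point is the difference in what each method can see: the signatures catch the traversal and injection probes because those strings are known, while the statistical rule catches the password-guessing source only because its failure count stands out from the baseline, without any pattern for it.

```python
import re
import statistics
from collections import Counter

# Constructed sample log (not from any real system).
SAMPLE_LOG = """\
2024-11-17T10:00:01 src=10.1.3.22 dst=10.1.3.1 dport=22 msg="Failed password for alice"
2024-11-17T10:00:04 src=10.1.3.22 dst=10.1.3.1 dport=22 msg="Accepted password for alice"
2024-11-17T10:00:09 src=10.1.3.23 dst=10.1.3.1 dport=22 msg="Failed password for bob"
2024-11-17T10:01:00 src=198.51.100.7 dst=10.1.3.1 dport=80 msg="GET /cgi-bin/../../../../etc/passwd HTTP/1.0"
2024-11-17T10:01:02 src=198.51.100.7 dst=10.1.3.1 dport=80 msg="GET /item?id=1 UNION SELECT user,pass FROM users HTTP/1.0"
2024-11-17T10:02:00 src=198.51.100.7 dst=10.1.3.1 dport=22 msg="Failed password for root"
2024-11-17T10:02:01 src=198.51.100.7 dst=10.1.3.1 dport=22 msg="Failed password for root"
2024-11-17T10:02:02 src=198.51.100.7 dst=10.1.3.1 dport=22 msg="Failed password for admin"
2024-11-17T10:02:03 src=198.51.100.7 dst=10.1.3.1 dport=22 msg="Failed password for admin"
2024-11-17T10:02:04 src=198.51.100.7 dst=10.1.3.1 dport=22 msg="Failed password for oracle"
2024-11-17T10:02:05 src=198.51.100.7 dst=10.1.3.1 dport=22 msg="Failed password for test"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) msg="(?P<msg>.*)"$'
)

# Signature-based detection: known attack patterns.
SIGNATURES = [
    ("web-directory-traversal", re.compile(r"\.\./")),
    ("sql-injection-probe", re.compile(r"\bUNION\s+SELECT\b", re.IGNORECASE)),
    ("ssh-root-login-attempt", re.compile(r"password for root\b")),
]

# Constructed baseline: failed-login counts per benign host over windows of
# the same length, used to derive the anomaly threshold.
BASELINE_FAILED_LOGINS = [1, 2, 1, 3, 2, 1, 2]


def parse(lines):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def signature_scan(lines):
    """Fire (signature, src, timestamp) whenever a known pattern matches."""
    alerts = []
    for ev in parse(lines):
        for name, pattern in SIGNATURES:
            if pattern.search(ev["msg"]):
                alerts.append((name, ev["src"], ev["ts"]))
    return alerts


def anomaly_scan(lines, baseline=BASELINE_FAILED_LOGINS, k=3.0):
    """Flag sources whose failed-login count exceeds the baseline mean by more
    than k standard deviations. Returns ({src: count}, threshold)."""
    threshold = statistics.mean(baseline) + k * statistics.pstdev(baseline)
    failures = Counter(ev["src"] for ev in parse(lines)
                       if "Failed password" in ev["msg"])
    return {src: n for src, n in failures.items() if n > threshold}, threshold


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for alert in signature_scan(lines):
        print("signature:", alert)
    flagged, threshold = anomaly_scan(lines)
    print(f"anomaly (threshold {threshold:.2f}):", flagged)
```

The trade-off shows in the two outputs: the signature list produces no false positives but misses the brute force entirely (nothing about "Failed password for oracle" is a known pattern), while the statistical rule catches it but would also flag a legitimate user who mistyped a password six times, and its threshold is only as good as the baseline it was trained on.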
11/17/2024

Security Information and Event Management (SIEM)

Figure: log data flows into the SIEM from IDSs; OSs and applications; cloud services; firewalls; databases; proxy servers; web servers and applications; switches; routers; and email servers, and out to the SOC analysts' dashboard.

Without a SIEM, analysts would need to log into each device individually on a constant basis and manually correlate events on one system against events on another. This is impossible on any reasonably sized system.

A SIEM is a software system that collects security-relevant data from a variety of hardware and software products to create a unified security dashboard for security operations center (SOC) personnel.
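The correlation a SIEM does across sources, as an added example that is not from the book or from any SIEM product: three constructed feeds in three formats (firewall syslog, an IDS alert as JSON, and an sshd auth log) are normalized into one event schema and then run through a single rule, "a hostile indicator from a source followed within ten minutes by a successful login from that same source is an incident". The feeds, the field names, the year assumed for the syslog timestamps and the rule's window are all assumptions for the demo.

```python
import json
import re
from datetime import datetime, timedelta

# Three constructed sources in three formats, as a SIEM would receive them.
FIREWALL_SYSLOG = """\
Nov 17 10:01:58 fw1 kernel: DROP IN=eth0 SRC=198.51.100.7 DST=10.1.3.1 PROTO=TCP DPT=3389
Nov 17 10:01:59 fw1 kernel: DROP IN=eth0 SRC=198.51.100.7 DST=10.1.3.1 PROTO=TCP DPT=445
Nov 17 10:02:00 fw1 kernel: ACCEPT IN=eth0 SRC=198.51.100.7 DST=10.1.3.1 PROTO=TCP DPT=22
"""
IDS_JSON = """\
{"timestamp": "2024-11-17T10:02:05", "src_ip": "198.51.100.7", "dest_ip": "10.1.3.1", "signature": "SSH brute force"}
"""
AUTH_LOG = """\
Nov 17 10:02:09 srv1 sshd[4121]: Failed password for root from 198.51.100.7 port 50122 ssh2
Nov 17 10:04:40 srv1 sshd[4130]: Accepted password for admin from 198.51.100.7 port 50131 ssh2
Nov 17 10:05:00 srv1 sshd[4133]: Accepted password for alice from 10.1.3.22 port 50140 ssh2
"""
YEAR = 2024   # syslog lines carry no year; assumed from the collection date

SYSLOG_RE = re.compile(r"^(\w{3} \d{1,2} \d\d:\d\d:\d\d) (\S+) (.*)$")
FW_RE = re.compile(r"(DROP|ACCEPT) .*SRC=(\S+) DST=(\S+) .*DPT=(\d+)")
AUTH_RE = re.compile(r"(Accepted|Failed) password for (\S+) from (\S+)")


def _syslog_time(stamp):
    return datetime.strptime(f"{YEAR} {stamp}", "%Y %b %d %H:%M:%S")


def normalize(firewall_text, ids_text, auth_text):
    """Map every source onto one schema: (time, source, src_ip, kind, detail)."""
    events = []
    for line in firewall_text.splitlines():
        m = SYSLOG_RE.match(line)
        f = FW_RE.search(m.group(3)) if m else None
        if m and f:
            events.append((_syslog_time(m.group(1)), "firewall", f.group(2),
                           f"fw_{f.group(1).lower()}", f"dpt={f.group(4)}"))
    for line in ids_text.splitlines():
        if line.strip():
            d = json.loads(line)
            events.append((datetime.fromisoformat(d["timestamp"]), "ids",
                           d["src_ip"], "ids_alert", d["signature"]))
    for line in auth_text.splitlines():
        m = SYSLOG_RE.match(line)
        a = AUTH_RE.search(m.group(3)) if m else None
        if m and a:
            events.append((_syslog_time(m.group(1)), "auth", a.group(3),
                           f"login_{a.group(1).lower()}", a.group(2)))
    return sorted(events)


def correlate(events, window=timedelta(minutes=10)):
    """Rule: an IDS alert or firewall drop from a source, followed within
    `window` by an accepted login from that same source, is an incident."""
    suspicious = {}    # src_ip -> time of the earliest hostile indicator
    incidents = []
    for when, source, ip, kind, detail in events:
        if kind in ("ids_alert", "fw_drop"):
            suspicious.setdefault(ip, when)
        elif kind == "login_accepted" and ip in suspicious \
                and when - suspicious[ip] <= window:
            incidents.append({"src": ip, "user": detail,
                              "first_seen": suspicious[ip], "login": when})
    return incidents


if __name__ == "__main__":
    events = normalize(FIREWALL_SYSLOG, IDS_JSON, AUTH_LOG)
    for ev in events:
        print(ev)
    print("incidents:", correlate(events))
```

None of the three sources alone says anything alarming: the firewall sees two drops and an accept, the IDS sees one alert, and sshd sees a successful login. The incident exists only in the join on source address and time, which is the work the slide says cannot be done by hand at any reasonable scale.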

Summary

• Networks are threatened by attacks aimed at interception, modification, fabrication, and interruption
• DoS attacks come in many flavors, but malicious ones are usually either volumetric in nature or exploit a bug
• WPA2 has many critical security advantages over WEP
• Network encryption can be achieved using specialized tools, some for link encryption and some for end-to-end, such as VPNs, SSH, and the SSL/TLS protocols
• A wide variety of firewall types exist, ranging from very basic IP-based functionality to complex application-layer logic, both on networks and on hosts
• There are many flavors of IDS, each of which detects different kinds of attacks in very different parts of the network