USC Upstate SIMS 415 - System_NetworkSecurity


System and Network Security Overview

Outline:
- What is network security about?
- What is it about?
- Other examples
- Cryptography
- Network/System Security Overview
- Two kinds of security
- Vulnerabilities of comp sys
- Computer security
- Failures of security mechanisms
- Network security
- Importance of network security
- OSI Reference Model
- Most mentioned network terms
- Differences from systems security
- Reactions to Information Security
- Methods of defence (1)
- Methods of defence (2)
- Introduction to Network Security
- Intro Network Security
- Classification of Security Services
- Threats
- Illegal Interception
- Traffic analysis
- Denial of Service
- Un-authorized Modification
- Fabrication and Impersonation
- Replay attacks
- Man-in-the-middle attack
- Modification of message
- How to defeat these attacks?
- Key escrow for law enforcement
- Key escrow for careless users
- Digital Pest: Virus, Worms, Trojan Horses
- More on Digital Pest
- Where do they come from?
- Virus Checker
- Best practices
- Best Practices: How to protect a machine
- Authentication and authorization
- Access Control Lists
- Discretionary and Nondiscretionary Access Controls (DAC & MAC)
- Philosophy behind these access controls
- Multi-level model of security
- Information Flow control
- Covert channels
- Covert channels (cont.)
- The Orange Book
- Orange book (cont.)

2. What is network security about?
- It is about secure communication
- What do we mean by secure communication?
- Everything is connected by the Internet
- We will often use Alice and Bob
- Alice is on a vacation and wants to send a command to her assistant, Bob, or just a computer to control the nuclear power plant. How can she do that?

3. What is it about?
- There are eavesdroppers that can listen on the communication channels
- Information needs to be forwarded through packet switches, and these switches can be reprogrammed to listen to or modify data in transit
- Is it hopeless for Alice?

4. Other examples
- Alice sends Bob some sensitive information via the Internet
- Network manager remotely changes some Access Control Lists (intercepts, impersonation)
- On-line stock trading: customer denies that she has sent the order

5. Cryptography
- Cryptography allows us to disguise data so that eavesdroppers gain no information from listening
- Cryptography also allows us to create unforgeable messages and detect if a message has been modified in transit: a digital signature is often used for this purpose (a magic number)

6. Network/System Security Overview
- Cryptography
  - Secret key cryptography
  - Modes of operation
  - Hashes and message digest
  - Public key cryptography
  - Some number theory, AES and elliptic curve cryptography
- Authentication
  - How can Alice prove that she is Alice on networks?
- Standards
  - Kerberos, PKI, IPSec, SSL
  - The underlying philosophy for these standards, that is, the intuition behind various choices, design decisions, and flaws in these standards
- Email security
- Firewalls and secure systems

7. Two kinds of security
- Computer security
- Network security

8. Vulnerabilities of comp sys
- Attacks on hardware
- Attacks on software
  - Deletion, modification (Trojan horse, trapdoor/backdoor, covert channel), infection through computer virus, theft, copying
- Attacks on data
  - Compromising secrecy & integrity
- Attacks on other resources
  - Storage media, time, key people

9. Computer security
- The goal is to protect data and resources
- How to design security mechanisms?
  - Cost/benefits
  - Threat model
  - Trust model
  - Available tools
  - Where to use security tools
- Security is not only about cryptography
- Identify the weakest point

10. Failures of security mechanisms
- Failure to understand the threat model
- Failure to understand what a mechanism protects against and what it does not
- Bad design
- Implementation fault
- Misconfiguration
- Bad interaction with other parts
- Bad user interface

11. Network security
- Security of data in transit
- Security of data at rest

12. Importance of network security
- Increasingly large deployment of networked

