System and Network Security Overview

Outline:
- System and Network Security Overview
- What is network security about?
- What is it about?
- Other examples
- Cryptography
- Network/System Security Overview
- Two kinds of security
- Vulnerabilities of computer systems
- Computer security
- Failures of security mechanisms
- Network security
- Importance of network security
- OSI Reference Model
- Most mentioned network terms
- Differences from systems security
- Reactions to Information Security
- Methods of defence (1)
- Methods of defence (2)
- Introduction to Network Security
- Intro Network Security
- Classification of Security Services
- Threats
- Illegal Interception
- Traffic analysis
- Denial of Service
- Un-authorized Modification
- Fabrication and Impersonation
- Replay attacks
- Man-in-the-middle attack
- Modification of message
- How to defeat these attacks?
- Key escrow for law enforcement
- Key escrow for careless users
- Digital Pest: Virus, Worms, Trojan Horses
- More on Digital Pest
- Where do they come from?
- Virus Checker
- Best practices
- Best Practices: How to protect a machine
- Authentication and authorization
- Access Control Lists
- Discretionary and Nondiscretionary Access Controls (DAC & MAC)
- Philosophy behind these access controls
- Multi-level model of security
- Information Flow control
- Covert channels
- Covert channels (cont.)
- The Orange Book
- Orange book (cont.)

2 What is network security about?
- It is about secure communication
- What do we mean by secure communication?
- Everything is connected by the Internet
- We will often use Alice and Bob
- Alice is on a vacation and wants to send a command to her assistant, Bob, or just to a computer, to control the nuclear power plant. How can she do that?

3 What is it about?
- There are eavesdroppers that can listen on the communication channels
- Information needs to be forwarded through packet switches, and these switches can be reprogrammed to listen to or modify data in transit
- Is it hopeless for Alice?

4 Other examples
- Alice sends Bob some sensitive information via the Internet
- Network manager remotely changes some Access Control Lists (intercepts, impersonation)
- On-line stock trading: customer denies that she has sent the order

5 Cryptography
- Cryptography allows us to disguise data so that eavesdroppers gain no information from listening
- Cryptography also allows us to create unforgeable messages and detect if a message has been modified in transit: a digital signature is often used for this purpose (a magic number)

6 Network/System Security Overview
- Cryptography
  - Secret key cryptography
  - Modes of operation
  - Hashes and message digest
  - Public key cryptography
  - Some number theory, AES and elliptic curve cryptography
- Authentication
  - How can Alice prove that she is Alice on networks?
- Standards
  - Kerberos, PKI, IPSec, SSL
  - The underlying philosophy for these standards, that is, intuition behind various choices, design decisions, and flaws in these standards
- Email security
- Firewalls and secure systems

7 Two kinds of security
- Computer security
- Network security

8 Vulnerabilities of computer systems
- Attacks on hardware
- Attacks on software
  - deletion, modification (Trojan horse, trapdoor/backdoor, covert channel), infection through computer virus, theft, copying
- Attacks on data
  - compromising secrecy & integrity
- Attacks on other resources
  - storage media, time, key people

9 Computer security
- The goal is to protect data and resources
- How to design security mechanisms?
  - Cost/benefits
  - Threat model
  - Trust model
  - Available tools
  - Where to use security tool
- Security is not only about cryptography
- Identify the weakest point

10 Failures of security mechanisms
- Failure to understand the threat model
- Failure to understand what a mechanism protects against and what it does not
- Bad design
- Implementation fault
- Misconfiguration
- Bad interaction with other parts
- Bad user interface

11 Network security
- Security of data in transit
- Security of data at rest

12 Importance of network security
- Increasingly large deployment of networked