internet security
Uploaded by aSGuest90270. Added: March 16, 2011. Category: Education. License: All Rights Reserved.

Presentation Transcript

Slide 1: Network Security: Internet
Paul Christian P. Abad, Finals

Slide 2: Presentation Content
- What is the Internet?
- What do we need to protect?
- Threat motivation
- Attack types
- Security objectives
- Security mechanisms
- References

Slide 3: What is the Internet?
The Internet is a worldwide IP network that links a collection of different networks from various sources: governmental, educational and commercial.

Slide 4: What do we need to protect?
- Data
- Resources
- Reputation

Slide 5: Threat Motivation
- Spy
- Joyride
- Ignorance
- Score keeper
- Revenge
- Greed
- Terrorist

Slide 6: Types of Attacks
- Passive
- Active
- Denial of service
- Social engineering

Slide 7: TCP 3-way handshake
- Client to server: SYN(X)
- Server to client: SYN(Y), ACK(X)
- Client to server: ACK(Y)
X and Y are the sequence numbers chosen by each side. After the first two segments the connection is half open; after the third it is fully open.

Slide 8: TCP Session Hijack
- The attacker initiates TCP with the client's address, 146.135.12.1, as the source: SYN(X) goes to the server.
- The server replies SYN(Y), ACK(X) to 146.135.12.1 and holds a half-open connection for it. The reply goes to the real client, not to the attacker.
- To complete the TCP connection the attacker has to supply ACK(Y) without having seen Y, so the attack depends on guessing the server's sequence number. If the guess is right the server sees a valid TCP connection from 146.135.12.1.

Slide 9: Security Objectives
- Identification
- Authentication
- Authorization
- Access control
- Data integrity
- Confidentiality
- Non-repudiation

Slide 10: Identification
Something which uniquely identifies a user, called a UserID. Sometimes users can select their own ID as long as it has not already been given to another user. A UserID can be one, or a combination, of the following:
- User name
- User student number
- User SSN

Slide 11: Authentication
The process of verifying the identity of a user. Typically based on:
- Something the user knows: a password
- Something the user has: a key, smart card, disk or other device
- Something the user is: a fingerprint, voice or retinal scan

Slide 12: Authentication (cont.)
Authentication procedures:
- Two-party authentication: one-way authentication, two-way authentication
- Third-party authentication: Kerberos, X.509
- Single sign-on: the user can access several network resources by logging on once to a security system

Slide 15: Authorization
The process of assigning access rights to a user.

Slide 16: Access Control
The process of enforcing access rights. It is based on the following three entities:
- Subject: an entity that can access an object
- Object: an entity to which access can be controlled
- Access right: defines the ways in which a subject can access an object

Slide 17: Access Control (cont.)
Access control is divided into two kinds:
- Discretionary Access Control (DAC): the owner of the object is responsible for setting the access rights.
- Mandatory Access Control (MAC): the system defines the access rights based on how the subject and the object are classified.

Slide 18: Data Integrity
Assurance that the data that arrives is the same as when it was sent.

Slide 19: Confidentiality
Assurance that sensitive information is not visible to an eavesdropper. This is usually achieved using encryption.

Slide 20: Non-repudiation
Assurance that any transaction that takes place can subsequently be proved to have taken place: both the sender and the receiver agree that the exchange took place.

Slide 21: Security Mechanisms
- Web security
- Cryptographic techniques
- Internet firewalls

Slide 22: Web Security
- Basic authentication
- Secure Socket Layer (SSL)

Slide 23: Basic Authentication
A simple user-ID and password based authentication scheme. It provides the following:
- Identifies which user is accessing the server
- Limits users to accessing specific pages (identified as Uniform Resource Locators, URLs)
The user ID and password are sent base64-encoded, not encrypted, with every request, so the scheme is only as secure as the transport underneath it; in practice it is combined with SSL.

Slide 24: Secure Socket Layer (SSL)
Netscape originally created the SSL protocol, but it is now implemented in web browsers and servers from many vendors. SSL provides the following:
- Confidentiality through an encrypted connection based on symmetric keys
- Authentication using public-key identification and verification
- Connection reliability through integrity checking
There are two parts to the SSL standard:
- The SSL Handshake protocol, for initial authentication and establishment of the encryption keys
- The SSL Record protocol, for transferring the encrypted data

Slide 25: Secure Socket Layer (cont.)
- The client sends a "hello" message to the web server, and the server responds with a copy of its digital certificate.
- The client verifies the certificate, and so the server's public key it contains, using the well-known public key of the Certificate Authority, such as VeriSign.
- The client generates random secret material that will be used for symmetric-key encryption, giving one key for the receiving channel and one for the sending channel. This material is encrypted using the server's public key and transmitted to the server. (In SSL's RSA key exchange the client sends a single pre-master secret and both sides derive the two channel keys from it.)
- The client issues a challenge (some text encrypted with the send key) to the server and waits for a response encrypted with the receive key; only a server holding the private key could have recovered the keys, so the response authenticates it.
- Optionally, the server authenticates the client.
- Data is exchanged across the secure channel.

Slide 26: Cryptographic Techniques
- Secret-key algorithm
- Public-key algorithm
- Secure hash function
- Digital signature
- Certificate Authority

Slide 27: Secret Key Algorithm

Slide 28: Public Key Algorithm

Slide 29: Secure Hash Function

Slide 30: Digital Signature

Slide 31: Certificate Authority

Slide 32: X.509 Certificate
- An ITU-T Recommendation. It specifies the authentication service for X.500 directories (X.500 specifies the directory services).
- Version 1 was published in 1988. Version 2 was published in 1993. Version 3 was proposed in 1994 and approved in 1997.
- Binds the subject's (user's) name to the user's public key.

Slide 33: X.509 Certificate (cont.)
An X.509 certificate consists of the following fields:
- Version
- Serial number
- Algorithm identifier
- Issuer name
- Validity period
- Subject name
- Subject public key information
- Issuer unique identifier (versions 2 and 3 only)
- Subject unique identifier (versions 2 and 3 only)
- Extensions (version 3 only)
- Signature

Slide 34: X.509 Certificate (cont.)
- Version 1: basic.
- Version 2: adds the unique identifiers to prevent reuse of X.500 names.
- Version 3: adds extensions to carry additional information, among them:
  - distinguishing different certificates (keys) of the same subject
  - alternative names to the X.500 name
  - limits on further certification by the subject
  - policy and key usage

Slide 35: X.509 Certificate Revocation List (CRL)
Its purpose is to prevent fraud and misuse. A certificate may be revoked for one of the following reasons:
- The user's private key is compromised
- The user is no longer certified by this CA
- The CA's private key is compromised
CRL version 1 was published in 1988. Version 2 was published in 1997.

Slide 36: X.509 CRL (cont.)
An X.509 CRL consists of the following fields:
- Version
- Algorithm identifier
- Issuer name
- Last update (this update)
- Next update
- The list of revoked certificates, each entry giving the certificate's serial number and its revocation date
- Extensions (version 2 only)
- Signature

Slide 37: Internet Firewall
A firewall controls the traffic flow between networks. A firewall uses the following techniques:
- Packet filters
- Application proxies
- SOCKS servers
- Secure tunnels
- Screened subnet architecture

Slide 38: Packet Filtering
- The most commonly used firewall technique
- Operates at the IP level
- Checks each IP packet against the filter rules before passing it on to its destination (or dropping it)
- Much faster than the other firewall techniques
- Hard to configure

Slide 39: Packet Filter (cont.)

Slide 40: Application Proxy
Application-level gateway. The communication steps are as follows:
- The user connects to the proxy server
- From the proxy server, the user connects to the destination server
The proxy server can provide:
- Content screening
- Logging
- Authentication

Slide 41: Application (telnet) Proxy (cont.)

Slide 42: SOCKS Server
- Circuit-level gateway
- Generally for outbound TCP traffic from the secure network
- Client code must be installed on the user's machine
The communication steps are as follows:
- The user starts the application using the destination server's IP address
- The SOCKS server intercepts the request and authenticates the IP address and the user ID
- SOCKS creates a second session to the non-secure system

Slide 43: SOCKS Servers (cont.)

Slide 44: Secure Tunnel (cont.)

Slide 45: Secure IP Tunnel
- A secure channel between the secure network and an external trusted server through a non-secure network (e.g., the Internet)
- Encrypts the data between the firewall and the external trusted host
- Also authenticates the session partners and the messages

Slide 46: VPN Solutions
- IP Security (IPsec)
- Layer 2 Tunnel Protocol (L2TP)
- Virtual circuits
- Multi Protocol Label Switching (MPLS)

Slide 47: IPsec Solution
IPsec is an Internet standard for ensuring secure private communication over IP networks; it was developed by the IPsec working group of the IETF. IPsec implements network-layer security.

Slide 48: Principal IPsec protocols
- Authentication Header (AH): provides data origin authentication, data integrity and replay protection
- Encapsulating Security Payload (ESP): provides data confidentiality, data origin authentication, data integrity and replay protection
- Internet Security Association and Key Management Protocol (ISAKMP) or Internet Key Exchange (IKE): provides a method for automatically setting up security associations and managing their cryptographic keys
- Security Association (SA): provides all the relevant information that the communicating systems need to execute the IPsec protocols

Slide 49: Operation Modes of IPsec
Transport mode: the IP payload is protected (encrypted, with ESP) and the original IP header is left alone.
  | IP Header | Payload (encrypted) |

Slide 50: Operation Modes of IPsec (cont.)
Tunnel mode: the entire original IP datagram is encrypted and becomes the payload of a new IP datagram with a new IP header.
  | New IP Header | IP Header | Payload |   (the original datagram, header included, is encrypted)

Slide 51: IPsec Example
This example combines the IPsec protocols: AH in tunnel mode, between gateways G1 and G2, protecting ESP traffic in transport mode between hosts H1 and H2. It assumes that the SAs between the communicating points have already been set up.

Slide 52: IPsec Example, outbound
Original datagram at H1:
  | IP Header (H1 to H2) | Payload |
After ESP in transport mode at H1 (Payload and ESP Trl encrypted; ESP Hdr through ESP Trl authenticated by ESP Auth):
  | IP Header (H1 to H2) | ESP Hdr | Payload | ESP Trl | ESP Auth |
After AH in tunnel mode at G1 (the whole datagram, apart from the mutable fields of the new header, authenticated by AH):
  | New IP Hdr (G1 to G2) | AH Hdr | IP Header (H1 to H2) | ESP Hdr | Payload | ESP Trl | ESP Auth |

Slide 53: IPsec Example, inbound
On the wire between G1 and G2:
  | New IP Hdr (G1 to G2) | AH Hdr | IP Header (H1 to H2) | ESP Hdr | Payload | ESP Trl | ESP Auth |
G2 verifies the AH and removes the new IP header and AH header, leaving the ESP transport-mode datagram:
  | IP Header (H1 to H2) | ESP Hdr | Payload | ESP Trl | ESP Auth |
H2 verifies ESP Auth, decrypts, and removes ESP Hdr, ESP Trl and ESP Auth, recovering the original datagram:
  | IP Header (H1 to H2) | Payload |

Slide 54: Screened Subnet Architecture (cont.)

Slide 55: Screened Subnet Architecture
- The DMZ (perimeter network) is set up between the secure and the non-secure networks
- It is accessible from both networks and contains machines that act as gateways for specific applications

Slide 56: Firewall Conclusion
A firewall is not the complete answer:
- The fox may already be inside the henhouse: host security and user education are still needed
- It cannot control back-door traffic such as dial-in access
- Management problems
- It cannot fully protect against new viruses: antivirus is needed on each host
- The machine needs to be correctly configured
- The security policy must be enforced
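The following simulation is an added example for the handshake and hijack of Slides 7 and 8; it is not part of the presentation. It models a TCP server's SYN/ACK bookkeeping and replays the slide's attack: the attacker sends a SYN with the client address 146.135.12.1 as the source, never sees the server's SYN(Y), ACK(X), and has to guess Y to complete the connection. The server address, the attacker address and the ISN increment of 64000 are assumptions for the demo; the "honest" probe connection and the requirement that the real client be silenced are the attacker's side of the story, stated in comments.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

VICTIM = "146.135.12.1"      # the client address shown on Slide 8
SERVER = "10.0.0.5"          # assumed server address
ATTACKER = "198.51.100.7"    # assumed attacker address
STEP = 64000                 # assumed per-connection increment of the predictable ISN generator


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    seq: int
    ack: Optional[int]
    flags: str               # "SYN", "SYN-ACK" or "ACK"


class SequentialISN:
    """Predictable initial sequence numbers: each new connection gets the previous Y plus STEP."""
    def __init__(self, start: int = 1000):
        self.next = start

    def __call__(self) -> int:
        y, self.next = self.next, (self.next + STEP) % 2**32
        return y


class RandomISN:
    """Unpredictable initial sequence numbers drawn from the OS random source."""
    def __call__(self) -> int:
        return secrets.randbits(32)


class TcpServer:
    def __init__(self, addr: str, isn_source):
        self.addr = addr
        self.isn = isn_source
        self.half_open = {}       # peer address -> Y we sent in SYN-ACK (half-open state)
        self.established = set()  # peers whose final ACK carried the right Y+1 (full open)

    def receive(self, seg: Segment) -> Optional[Segment]:
        """Process one segment and return the reply the server would put on the wire."""
        if seg.dst != self.addr:
            return None
        if seg.flags == "SYN":                          # step 1: SYN(X) -> reply SYN(Y), ACK(X)
            y = self.isn()
            self.half_open[seg.src] = y
            return Segment(self.addr, seg.src, y, seg.seq + 1, "SYN-ACK")
        if seg.flags == "ACK" and seg.src in self.half_open:   # step 3: ACK(Y) must carry Y+1
            if seg.ack == self.half_open[seg.src] + 1:
                del self.half_open[seg.src]
                self.established.add(seg.src)
        return None


def honest_handshake(server: TcpServer, client: str, x: int) -> int:
    """A real client receives the SYN-ACK, so it can echo Y+1. Returns the Y the server chose."""
    synack = server.receive(Segment(client, server.addr, x, None, "SYN"))
    server.receive(Segment(client, server.addr, x + 1, synack.seq + 1, "ACK"))
    return synack.seq


def blind_spoof(server: TcpServer, victim: str, attacker: str) -> bool:
    """Slide 8: SYN with the victim's source address, then an ACK carrying a guessed Y."""
    y_probe = honest_handshake(server, attacker, 5000)          # learn the server's current Y
    server.receive(Segment(victim, server.addr, 7000, None, "SYN"))   # SYN-ACK goes to the victim
    # The victim would answer an unsolicited SYN-ACK with a reset, so a real attacker has to
    # silence it first (for example by flooding it with half-open connections); assumed here.
    guess = (y_probe + STEP) % 2**32                            # works only if Y is predictable
    server.receive(Segment(victim, server.addr, 7001, guess + 1, "ACK"))
    return victim in server.established


if __name__ == "__main__":
    print("predictable ISN, spoof succeeds:", blind_spoof(TcpServer(SERVER, SequentialISN()), VICTIM, ATTACKER))
    print("random ISN, spoof succeeds:     ", blind_spoof(TcpServer(SERVER, RandomISN()), VICTIM, ATTACKER))
```

With the sequential generator the spoofed ACK lands on exactly Y+1 and the server marks 146.135.12.1 as a valid connection it never actually made; with random ISNs the same attacker leaves only a half-open entry behind, which is also why a flood of such spoofed SYNs is a denial-of-service on its own.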
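As an added example for Slides 16 and 17 (not from the presentation), here is a small reference monitor that keeps the slide's three entities apart: subjects, objects and access rights, enforced once under DAC and once under MAC. DAC lets only the owner edit an object's rights; MAC decides from the labels alone. The classification levels and the specific MAC rules (no read up, no write down, i.e. Bell-LaPadula) are assumptions, since the slide names neither.

```python
from enum import IntEnum
from typing import Dict, Set


class Level(IntEnum):            # assumed classification/clearance lattice
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


class Subject:
    def __init__(self, name: str, clearance: Level):
        self.name, self.clearance = name, clearance


class Object:
    def __init__(self, name: str, owner: Subject, classification: Level):
        self.name, self.owner, self.classification = name, owner, classification
        self.acl: Dict[str, Set[str]] = {}   # subject name -> rights granted by the owner (DAC)


def dac_grant(granter: Subject, obj: Object, grantee: Subject, right: str) -> bool:
    """DAC: only the object's owner may change its access rights."""
    if granter is not obj.owner:
        return False
    obj.acl.setdefault(grantee.name, set()).add(right)
    return True


def dac_permits(subject: Subject, obj: Object, right: str) -> bool:
    return subject is obj.owner or right in obj.acl.get(subject.name, set())


def mac_permits(subject: Subject, obj: Object, right: str) -> bool:
    """MAC: the system decides from the labels. Assumed rules (Bell-LaPadula):
    read only at or below your clearance, write only at or above it."""
    if right == "read":
        return subject.clearance >= obj.classification
    if right == "write":
        return subject.clearance <= obj.classification
    return False


def access(subject: Subject, obj: Object, right: str) -> bool:
    """Reference monitor: a request passes only if both policies permit it."""
    return dac_permits(subject, obj, right) and mac_permits(subject, obj, right)


def demo() -> Dict[str, bool]:
    alice = Subject("alice", Level.SECRET)
    bob = Subject("bob", Level.CONFIDENTIAL)
    plan = Object("plan.txt", alice, Level.SECRET)           # constructed objects
    notes = Object("notes.txt", alice, Level.UNCLASSIFIED)
    r = {}
    r["owner_reads_own_secret"] = access(alice, plan, "read")     # True
    r["bob_reads_before_grant"] = access(bob, plan, "read")      # False: no ACL entry
    r["bob_grants_himself"] = dac_grant(bob, plan, bob, "read")  # False: not the owner
    dac_grant(alice, plan, bob, "read")
    dac_grant(alice, plan, bob, "write")
    r["bob_reads_after_grant"] = access(bob, plan, "read")       # False: DAC yes, MAC no (read up)
    r["bob_writes_after_grant"] = access(bob, plan, "write")     # True: DAC yes, MAC yes (write up)
    r["owner_writes_down"] = access(alice, notes, "write")       # False: owner, but MAC forbids write down
    r["owner_reads_down"] = access(alice, notes, "read")         # True
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:28} {v}")
```

The two "after grant" lines are the point of the slide: under DAC alone the owner's grant would be the end of the matter, whereas MAC can still refuse the read because the decision is the system's, not the owner's, and the owner is bound by it as well.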
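An added example for Slides 32 to 36 (not from the presentation): the check a relying party performs with the certificate fields of Slide 33 and the CRL fields of Slide 36 once the signatures on both have been verified. Signature verification itself is left to the caller, since it needs the CA's public key and an RSA/DSA implementation that the standard library does not provide. The CA name, serial numbers and dates are constructed sample data. The check fails closed: a CRL past its next update, or issued by a different CA, does not vouch for anything.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Tuple


@dataclass(frozen=True)
class Certificate:           # the Slide 33 fields the check needs (signature assumed already verified)
    serial: int
    issuer: str
    subject: str
    not_before: datetime
    not_after: datetime


@dataclass(frozen=True)
class RevokedEntry:          # one entry of the CRL's revoked-certificate list
    serial: int
    revocation_date: datetime


@dataclass(frozen=True)
class CRL:                   # the Slide 36 fields the check needs (signature assumed already verified)
    issuer: str
    this_update: datetime    # "last update"
    next_update: datetime
    revoked: Tuple[RevokedEntry, ...]


def check_certificate(cert: Certificate, crl: CRL, now: datetime) -> Tuple[bool, str]:
    """Return (accepted, reason). Any doubt about revocation status is a rejection."""
    if not (cert.not_before <= now <= cert.not_after):
        return False, "outside validity period"
    if crl.issuer != cert.issuer:
        return False, "CRL was issued by a different CA than the certificate"
    if now < crl.this_update:
        return False, "CRL is dated in the future"
    if now > crl.next_update:
        return False, "CRL is stale (past next update); revocation status unknown"
    for entry in crl.revoked:
        if entry.serial == cert.serial:
            return False, f"revoked on {entry.revocation_date.isoformat()}"
    return True, "valid and not revoked"


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample data (names, serials and dates are made up for the demo).
CA = "CN=Example CA"
NOW = _ts("2011-03-16T10:00:00")
CERT_OK = Certificate(1001, CA, "CN=alice", _ts("2011-01-01T00:00:00"), _ts("2012-01-01T00:00:00"))
CERT_REVOKED = Certificate(1002, CA, "CN=bob", _ts("2011-01-01T00:00:00"), _ts("2012-01-01T00:00:00"))
CERT_EXPIRED = Certificate(1003, CA, "CN=carol", _ts("2009-01-01T00:00:00"), _ts("2010-01-01T00:00:00"))
CERT_OTHER_CA = Certificate(1001, "CN=Other CA", "CN=dave", _ts("2011-01-01T00:00:00"), _ts("2012-01-01T00:00:00"))

CRL_CURRENT = CRL(CA, _ts("2011-03-15T00:00:00"), _ts("2011-03-22T00:00:00"),
                  (RevokedEntry(1002, _ts("2011-02-10T12:00:00")),))
CRL_STALE = CRL(CA, _ts("2011-01-01T00:00:00"), _ts("2011-01-08T00:00:00"), ())


if __name__ == "__main__":
    for name, cert, crl in [("ok", CERT_OK, CRL_CURRENT), ("revoked", CERT_REVOKED, CRL_CURRENT),
                            ("expired", CERT_EXPIRED, CRL_CURRENT), ("other CA", CERT_OTHER_CA, CRL_CURRENT),
                            ("ok but stale CRL", CERT_OK, CRL_STALE)]:
        print(f"{name:18} -> {check_certificate(cert, crl, NOW)}")
```

Note that the serial number is only meaningful together with the issuer name: CERT_OTHER_CA carries the same serial as CERT_OK, and matching serials against a CRL from the wrong CA would give a wrong answer in either direction, which is why the issuer comparison comes before the revocation lookup.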
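An added example for Slides 37 and 38 (not from the presentation): a stateless packet filter that checks each packet against an ordered rule list, first match wins, with an explicit default deny. The inside network, the mail relay address and the rule set are assumptions for the demo. The last sample packet shows why the slide calls packet filters hard to configure: the rule that lets replies back in by looking at the TCP ACK bit also lets in an attacker's unsolicited ACK segment, because a filter that operates at the IP level has no memory of which connections were really opened from inside.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    iface: str          # "ext" = arrived from the Internet, "int" = arrived from the inside network
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    ack: bool = False   # TCP ACK flag; clear on the SYN that opens a connection


@dataclass(frozen=True)
class Rule:
    action: str                              # "allow" or "deny"
    iface: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dports: Optional[Tuple[int, int]] = None  # inclusive destination port range
    ack: Optional[bool] = None               # required ACK flag state; None = don't care
    note: str = ""

    def matches(self, p: Packet) -> bool:
        return (self.iface in ("any", p.iface)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and (self.dports is None or self.dports[0] <= p.dport <= self.dports[1])
                and (self.ack is None or self.ack == p.ack))


def filter_packet(rules: List[Rule], p: Packet) -> Tuple[str, str]:
    """First matching rule decides; a packet no rule matches is dropped (default deny)."""
    for r in rules:
        if r.matches(p):
            return r.action, r.note
    return "deny", "default deny"


INSIDE = "192.168.1.0/24"       # assumed inside network
MAIL = "192.168.1.10/32"        # assumed mail relay
RULES = [
    Rule("deny", iface="ext", src=INSIDE, note="anti-spoofing: inside address arriving from outside"),
    Rule("allow", iface="int", src=INSIDE, proto="tcp", dports=(80, 80), note="outbound http"),
    Rule("allow", iface="int", src=INSIDE, proto="tcp", dports=(443, 443), note="outbound https"),
    Rule("allow", iface="ext", dst=MAIL, proto="tcp", dports=(25, 25), note="inbound smtp to mail relay"),
    Rule("allow", iface="ext", dst=INSIDE, proto="tcp", ack=True, note="replies to connections opened from inside"),
]


def demo() -> Dict[str, Tuple[str, str]]:
    """Constructed sample packets run through RULES."""
    return {
        "outbound_https": filter_packet(RULES, Packet("int", "192.168.1.20", "203.0.113.5", "tcp", 40000, 443)),
        "https_reply": filter_packet(RULES, Packet("ext", "203.0.113.5", "192.168.1.20", "tcp", 443, 40000, ack=True)),
        "inbound_ssh_syn": filter_packet(RULES, Packet("ext", "203.0.113.9", "192.168.1.20", "tcp", 5555, 22)),
        "inbound_smtp": filter_packet(RULES, Packet("ext", "198.51.100.3", "192.168.1.10", "tcp", 5000, 25)),
        "spoofed_inside": filter_packet(RULES, Packet("ext", "192.168.1.5", "192.168.1.10", "tcp", 5000, 25)),
        # ACK scan: an unsolicited segment with ACK set slips through the "replies" rule
        "ack_scan_ssh": filter_packet(RULES, Packet("ext", "203.0.113.9", "192.168.1.20", "tcp", 5555, 22, ack=True)),
    }


if __name__ == "__main__":
    for name, (action, note) in demo().items():
        print(f"{name:16} {action:5} ({note})")
```

The anti-spoofing rule is the same filter that blocks the Slide 8 attack at the border: a packet claiming an inside source address cannot legitimately arrive on the external interface. The ACK-scan result is the limitation, and the reason stateful inspection or an application proxy is used where the reply rule is not acceptable.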
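An added example for Slides 49 to 53 (not from the presentation): the encapsulation of the slides' example built byte by byte, ESP in transport mode applied at H1, then AH in tunnel mode applied at G1, and the reverse at G2 and H2. The IPv4 headers are real 20-byte headers (checksum left zero), the ESP and AH headers follow the real field layout, and the ICVs are truncated HMAC-SHA256 tags. The cipher is a stand-in: an HMAC-derived keystream XORed over the data, so that which bytes end up encrypted is visible without a third-party library; real ESP uses AES. Host and gateway addresses, keys and the payload are constructed for the demo.

```python
import hashlib
import hmac
import struct

ESP, AH = 50, 51                      # IP protocol numbers for ESP and AH
ICV_LEN = 12                          # truncated 96-bit integrity check value
H1, H2 = "10.1.0.11", "10.2.0.22"     # assumed hosts
G1, G2 = "203.0.113.1", "203.0.113.2" # assumed gateways
ENC_KEY, ESP_AUTH_KEY, AH_AUTH_KEY = b"esp-enc-key", b"esp-auth-key", b"ah-auth-key"   # constructed keys


def ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal IPv4 datagram: 20-byte header without options, checksum left zero."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + payload


def set_proto_len(hdr: bytes, proto: int, total_len: int) -> bytes:
    return hdr[:2] + struct.pack("!H", total_len) + hdr[4:9] + bytes([proto]) + hdr[10:]


def keystream_xor(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Stand-in for the ESP cipher (NOT a real IPsec transform): XOR with an HMAC keystream.
    The ESP header (SPI + sequence number) serves as the per-packet IV."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, iv + struct.pack("!I", i // 32), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


def esp_transport_encap(pkt: bytes, spi: int, seq: int, enc_key: bytes, auth_key: bytes) -> bytes:
    """Slide 49: keep the original IP header, protect only the payload."""
    hdr, payload = pkt[:20], pkt[20:]
    esp_hdr = struct.pack("!II", spi, seq)
    pad_len = (-(len(payload) + 2)) % 4
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, hdr[9]])   # padding, pad length, next header
    ct = keystream_xor(enc_key, esp_hdr, payload + trailer)             # encrypted: Payload + ESP Trl
    icv = hmac.new(auth_key, esp_hdr + ct, hashlib.sha256).digest()[:ICV_LEN]   # authenticated: ESP Hdr..ESP Trl
    body = esp_hdr + ct + icv
    return set_proto_len(hdr, ESP, 20 + len(body)) + body


def esp_transport_decap(pkt: bytes, enc_key: bytes, auth_key: bytes) -> bytes:
    hdr, esp_hdr, ct, icv = pkt[:20], pkt[20:28], pkt[28:-ICV_LEN], pkt[-ICV_LEN:]
    expected = hmac.new(auth_key, esp_hdr + ct, hashlib.sha256).digest()[:ICV_LEN]
    if hdr[9] != ESP or not hmac.compare_digest(icv, expected):
        raise ValueError("ESP integrity check failed")
    pt = keystream_xor(enc_key, esp_hdr, ct)
    pad_len, next_hdr = pt[-2], pt[-1]
    payload = pt[:len(pt) - 2 - pad_len]
    return set_proto_len(hdr, next_hdr, 20 + len(payload)) + payload


def _immutable(hdr: bytes) -> bytes:
    """Zero the mutable header fields (TTL, checksum) before computing the AH ICV."""
    return hdr[:8] + b"\x00" + hdr[9:10] + b"\x00\x00" + hdr[12:]


def ah_tunnel_encap(pkt: bytes, spi: int, seq: int, auth_key: bytes, src: str, dst: str) -> bytes:
    """Slide 50: the whole original datagram becomes the payload of a new G1->G2 datagram."""
    ah_no_icv = struct.pack("!BBHII", 4, (12 + ICV_LEN) // 4 - 2, 0, spi, seq)   # next header 4 = IP-in-IP
    outer = set_proto_len(ipv4(src, dst, AH, b""), AH, 20 + len(ah_no_icv) + ICV_LEN + len(pkt))
    icv = hmac.new(auth_key, _immutable(outer) + ah_no_icv + bytes(ICV_LEN) + pkt,
                   hashlib.sha256).digest()[:ICV_LEN]                            # authenticated: everything
    return outer + ah_no_icv + icv + pkt


def ah_tunnel_decap(pkt: bytes, auth_key: bytes) -> bytes:
    outer, ah, icv, inner = pkt[:20], pkt[20:32], pkt[32:32 + ICV_LEN], pkt[32 + ICV_LEN:]
    expected = hmac.new(auth_key, _immutable(outer) + ah + bytes(ICV_LEN) + inner, hashlib.sha256).digest()[:ICV_LEN]
    if outer[9] != AH or not hmac.compare_digest(icv, expected):
        raise ValueError("AH integrity check failed")
    return inner


def demo():
    """Returns (original at H1, after ESP at H1, on the wire G1->G2, recovered at H2)."""
    original = ipv4(H1, H2, 6, b"GET / HTTP/1.0\r\n")                         # constructed TCP payload
    after_esp = esp_transport_encap(original, 0x100, 1, ENC_KEY, ESP_AUTH_KEY)   # H1, Slide 52 step 2
    on_wire = ah_tunnel_encap(after_esp, 0x200, 1, AH_AUTH_KEY, G1, G2)           # G1, Slide 52 step 3
    at_h2 = ah_tunnel_decap(on_wire, AH_AUTH_KEY)                                 # G2, Slide 53
    recovered = esp_transport_decap(at_h2, ENC_KEY, ESP_AUTH_KEY)                 # H2, Slide 53
    return original, after_esp, on_wire, recovered


if __name__ == "__main__":
    for label, p in zip(("original", "after ESP", "on wire", "recovered"), demo()):
        print(f"{label:10} {len(p):4} bytes  proto={p[9]:3}  {p.hex()[:48]}...")
```

Two things the byte layout makes concrete: the payload is not recoverable anywhere between G1 and G2, while the outer header is (the gateways need it to route), and AH still validates after a router decrements the TTL because that field is excluded from the ICV, whereas any change to the inner datagram, including the ESP fields, is rejected by G2 before H2 ever sees it.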