Chapter 9
Panko’s Business Data Networks and Telecommunications, 6th edition
Copyright 2006 Prentice-Hall
Security
Security Requirements
• Authenticity
• Confidentiality
• Integrity
• Non-repudiation
• Availability
Figure 9-2: Malware
• Malware
– A general name for evil software
• Viruses
– Pieces of code that attach to other programs
– When infected programs execute, the virus executes
– Infects other programs on the computer
– Spreads to other computers by e-mail attachments, IM, peer-to-peer file transfers, etc.
– Antivirus programs are needed to scan arriving files
• Also scans for other malware
Figure 9-2: Malware
• Worms
– Stand-alone programs that do not need to attach to other programs
– Can propagate like viruses through e-mail, etc.
• But this requires human gullibility, which is slow
– Vulnerability-enabled worms jump to victim hosts directly
– Can do this because hosts have vulnerabilities
– Vulnerability-enabled worms can spread with amazing speed
– Vendors develop patches for vulnerabilities, but companies often fail or are slow to apply them
Figure 9-2: Malware
• Payloads
– After propagation, viruses and worms execute their payloads (damage code)
– Payloads erase hard disks, send users to pornography sites if they mistype URLs
– Trojan horses: exploitation programs disguise themselves as system files
Figure 9-2: Malware
• Attacks on Individuals
– Social engineering—tricking the victim into doing something against his or her interests
– Spam—unsolicited commercial e-mail
– Credit card number theft is performed by carders
– Identity theft: collect enough data to impersonate the victim in large financial transactions
– Fraud: get-rich-quick schemes, medical scams
Figure 9-2: Malware
• Attacks on Individuals
– Adware pops up advertisements
– Spyware collects sensitive data and sends it to an attacker
– Phishing: sophisticated social engineering attack in which an authentic-looking e-mail or website entices the user to enter his or her username, password, or other sensitive information
Figure 9-3: Human Break-Ins (Hacking)
• Human Break-Ins
– Viruses and worms rely on one main attack method
– Humans can keep trying different approaches until they succeed
• Hacking
– Breaking into a computer
– Hacking is intentionally using a computer resource without authorization or in excess of authorization
Figure 9-3: Human Break-Ins (Hacking)
• Scanning Phase
– Send attack probes to map the network and identify possible victim hosts
– The Nmap program is popular (Figure 9-4)
Figure 9-4: Nmap (screenshot; labeled items: IP range to scan, type of scan, identified host and open ports)
Figure 9-3: Human Break-Ins (Hacking)
• The Exploit
– The actual break-in
– Noun: Exploit is the program used to make the break-in
– Verb: Attackers exploit the computer
Figure 9-3: Human Break-Ins (Hacking)
• After the Break-In
– Become invisible by deleting log files
– Create a backdoor (way to get back into the computer)
• Backdoor account—account with a known password and super user privileges
• Backdoor program—program to allow reentry; usually Trojanized
• Rootkit—stealthy backdoor that cannot be detected by the operating system
– Do damage at leisure
Figure 9-5: Distributed Denial-of-Service Flooding Attack
Diagram: the attacker (1.34.150.37) sends attack commands to handlers; handlers send attack commands to zombies; zombies send attack packets to the victim (60.168.47.47).
The attacker installs handler and zombie programs on victims. The attacker sends an attack command to handlers.
Handlers send attack commands to zombies. The zombies overwhelm the victim with attack packets.
TCP SYN flooding
Figure 9-6: Bots
Diagram: a human master sends software updates and commands to bots.
Bots are like zombies, but they can be updated by the human master to give new functionality.
Figure 9-19: Cryptographic Systems
• Cryptographic Systems
– Provide security to multi-message dialogues
• At the Beginning of Each Communication Session
– The two parties authenticate each other
Diagram: Party A and Party B exchange credentials in the initial authentication.
Figure 9-19: Cryptographic Systems
• Message-by-Message Protection
– After this initial authentication, cryptographic systems provide protection to every message
– Encrypt each message for confidentiality so that eavesdroppers cannot read it
Diagram: messages between Party A and Party B are encrypted for confidentiality.
Figure 9-19: Cryptographic Systems
• Message-by-Message Protection
– Adds an electronic signature to each message
– The electronic signature authenticates the sender
– It also provides message integrity: receiver can tell if a message has been changed in transit
Diagram: each message between Party A and Party B carries an electronic signature.
Symmetric and Public Key Encryption
Symmetric Key Encryption for Confidentiality
Diagram: Party A applies the encryption method and the symmetric key to the message "Hello" and sends the encrypted message across the network to Party B.
Encryption uses a non-secret encryption method and a secret key
Figure 9-20: Symmetric and Public Key Encryption
Symmetric Key Encryption for Confidentiality
Diagram: an interceptor on the network between Party A and Party B sees only the encrypted message.
Interceptor cannot read encrypted messages
Figure 9-20: Symmetric and Public Key Encryption
Symmetric Key Encryption for Confidentiality
Diagram: Party A encrypts "Hello" with the encryption method and the symmetric key; Party B applies the decryption method with the same symmetric key and recovers "Hello"; the interceptor on the network sees only the encrypted message.
The receiver decrypts the message using the same encryption method and the same symmetric key
Types of Symmetric Key Encryption
                          DES        3DES          AES
Key length (bits)         56         112 or 168    128, 192, or 256
Strength                  Weak       Strong        Strong to very strong
Processing requirements   Moderate   High          Modest
RAM requirements          Moderate   High          Modest
Figure 9-20: Symmetric and Public Key Encryption
Public Key Encryption for Confidentiality
Diagram: Party A encrypts with Party B's public key and Party B decrypts with Party B's private key; in the other direction, Party B encrypts with Party A's public key and Party A decrypts with Party A's private key.
Note: four keys are used to encrypt and decrypt in both directions
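Both halves of Figure 9-20 in working code, as an added example that is not part of the slides: AES-256 in GCM mode for the symmetric case (the same key at both parties; an interceptor trying a different key gets an error rather than plaintext) and RSA-OAEP for the public-key case (encrypt with Party B's public key, decrypt only with B's private key, and the reverse pair for the other direction). The cipher choices, key sizes, function names and sample messages are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// newSymmetricKey makes the one secret both parties must share (assumption: AES-256).
func newSymmetricKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

// symmetricEncrypt: a non-secret method (AES in GCM mode) plus the secret key.
// The random nonce is prepended to the output so the receiver can use it.
func symmetricEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// symmetricDecrypt needs the SAME method and the SAME key. With any other key
// (an interceptor's guess) the GCM authentication tag fails and an error is returned.
func symmetricDecrypt(key, ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(ciphertext) < n {
		return nil, errors.New("ciphertext shorter than nonce")
	}
	return gcm.Open(nil, ciphertext[:n], ciphertext[n:], nil)
}

// newPartyKeys creates one party's public key/private key pair (assumption: RSA-2048).
func newPartyKeys() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// publicKeyEncrypt: anyone holding Party B's public key can encrypt for B.
func publicKeyEncrypt(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plaintext, nil)
}

// publicKeyDecrypt: only the matching private key recovers the plaintext.
func publicKeyDecrypt(priv *rsa.PrivateKey, ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ciphertext, nil)
}

func main() {
	// Symmetric: Party A and Party B share one key; the interceptor holds a different one.
	shared, _ := newSymmetricKey()
	ct, _ := symmetricEncrypt(shared, []byte("Hello"))
	pt, _ := symmetricDecrypt(shared, ct)
	fmt.Printf("Party B decrypts with the shared key: %q\n", pt)
	guess, _ := newSymmetricKey()
	if _, err := symmetricDecrypt(guess, ct); err != nil {
		fmt.Println("Interceptor cannot read the message:", err)
	}

	// Public key: A->B uses B's pair, B->A uses A's pair, so four keys in all.
	partyA, _ := newPartyKeys()
	partyB, _ := newPartyKeys()
	toB, _ := publicKeyEncrypt(&partyB.PublicKey, []byte("Hello B"))
	fromA, _ := publicKeyDecrypt(partyB, toB)
	fmt.Printf("Party B decrypts with B's private key: %q\n", fromA)
	if _, err := publicKeyDecrypt(partyA, toB); err != nil {
		fmt.Println("A's private key cannot decrypt a message meant for B:", err)
	}
	toA, _ := publicKeyEncrypt(&partyA.PublicKey, []byte("Hello A"))
	fromB, _ := publicKeyDecrypt(partyA, toA)
	fmt.Printf("Party A decrypts with A's private key: %q\n", fromB)
}
```

GCM is used rather than a bare block mode because it also authenticates the ciphertext, which is why a wrong key produces an error instead of garbage; the slides' confidentiality argument only needs the secrecy half, but a practitioner would not deploy the unauthenticated form.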
Figure D-7: Digital Signature
Diagram: the sender adds a digital signature (DS) to the plaintext of each message, and the whole is encrypted for confidentiality before being sent to the receiver.
Add digital signature to each message: provides message-by-message authentication
Figure D-7: Digital Signature: Sender
Diagram: plaintext → hash → message digest (MD) → sign (encrypt) MD with sender's private key → digital signature (DS)
To create the digital signature:
1. Hash the plaintext to create a brief message digest; this is NOT the digital signature
2. Sign (encrypt) the message digest with the sender's private key to create the digital signature
Hash algorithms: MD5, SHA-1
http://en.wikipedia.org/wiki/MD5
http://en.wikipedia.org/wiki/SHA-1
Figure D-7: Digital Signature
Diagram: sender encrypts, receiver decrypts.
Send plaintext plus digital signature, encrypted with a symmetric session key
Transmission
Receiver decrypts the message, getting the plaintext plus digital signature
Figure D-7: Digital Signature: Receiver
Diagram: received plaintext → 1. hash → MD; DS → 2. decrypt with true party's public key → MD; 3. are they equal?
1. Hash the received plaintext with the same hashing algorithm the sender used. This gives the message digest.
2. Decrypt the digital signature with the sender's public key. This also should give the message digest.
3. If the two match, the message is authenticated; the sender has the true party's private key
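The sender and receiver steps of Figure D-7 in working code, as an added example that is not part of the slides. SHA-256 is used instead of the MD5 and SHA-1 named on the sender slide, since neither of those is collision-resistant any more; rsa.SignPKCS1v15 does the "sign (encrypt) the digest" step and rsa.VerifyPKCS1v15 does the receiver's "decrypt with the public key and compare" steps 2 and 3 internally. The key size, function names and the sample message are assumptions; the tamper and impostor cases show the integrity and authentication properties the slides claim.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Step 1 (sender): hash the plaintext to a brief message digest.
// Assumption: SHA-256 rather than the slide's MD5/SHA-1.
func messageDigest(plaintext []byte) []byte {
	md := sha256.Sum256(plaintext)
	return md[:]
}

// Step 2 (sender): sign (encrypt) the digest with the sender's private key.
// The digest alone is NOT the signature; only the signed digest is.
func createDigitalSignature(senderPriv *rsa.PrivateKey, plaintext []byte) ([]byte, error) {
	return rsa.SignPKCS1v15(rand.Reader, senderPriv, crypto.SHA256, messageDigest(plaintext))
}

// Receiver: 1. hash the received plaintext with the same algorithm, 2. decrypt the
// signature with the true party's public key, 3. compare the two digests.
// rsa.VerifyPKCS1v15 performs steps 2 and 3 and reports only match / no match.
func verifyDigitalSignature(truePartyPub *rsa.PublicKey, receivedPlaintext, ds []byte) bool {
	err := rsa.VerifyPKCS1v15(truePartyPub, crypto.SHA256, messageDigest(receivedPlaintext), ds)
	return err == nil
}

// newSignerKeys creates a party's public key/private key pair (assumption: RSA-2048).
func newSignerKeys() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

func main() {
	truePartyKey, _ := newSignerKeys()
	impostorKey, _ := newSignerKeys()
	plaintext := []byte("Transfer $100 to account 12345") // constructed sample message

	ds, _ := createDigitalSignature(truePartyKey, plaintext)
	fmt.Println("genuine message verifies:", verifyDigitalSignature(&truePartyKey.PublicKey, plaintext, ds))

	// Integrity: one changed character changes the digest, so the signature no longer matches.
	tampered := []byte("Transfer $900 to account 12345")
	fmt.Println("tampered message verifies:", verifyDigitalSignature(&truePartyKey.PublicKey, tampered, ds))

	// Authentication: a signature made with the impostor's private key fails
	// against the true party's public key.
	forged, _ := createDigitalSignature(impostorKey, plaintext)
	fmt.Println("impostor's signature verifies:", verifyDigitalSignature(&truePartyKey.PublicKey, plaintext, forged))
}
```

Note that the last check only holds when the verifier really has the true party's public key; if the verifier was handed the impostor's public key instead (Figure D-8, next), the forged signature would verify, which is why digital certificates are needed.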
Figure D-8: Public Key Deception
Impostor:
"I am the True Party."
"Here is TP's public key." (Sends Impostor's public key; this is the critical deception)
"Here is authentication based on TP's private key." (Really Impostor's private key)
The Impostor can decrypt the message from the Verifier because it was encrypted with the Impostor's public key.
Verifier:
Must authenticate the True Party.
Believes it now has TP's public key.
Believes the True Party is authenticated, based on the Impostor's public key.
"True Party, here is a message encrypted with your public key."
Digital Certificates
• Digital certificates are electronic documents that give the true party’s name and public key
• Applicants claiming to be the true party have their authentication methods tested by this public key
• If they are not the true party, they cannot use the true party’s private key and so will not be authenticated
• Digital certificates follow the X.509 Standard
Figure D-10: Roles of Digital Certificates and Digital Signatures in Authentication
• Public key authentication requires both a digital signature and a digital certificate to give the public key needed to test the digital signature
Diagram: the applicant sends plaintext plus a digital signature (DS) to the verifier; the certificate authority supplies the digital certificate holding the true party's public key.
Figure D-10: Roles of Digital Certificates and Digital Signatures in Authentication
Diagram: the applicant's digital signature must be tested with the true party's digital certificate (true party's name and public key), obtained from the certificate authority, for the authentication to succeed.
Figure D-9: Public Key Infrastructure (PKI)
Diagram participants: Applicant (Lee), Verifier (Brown), Verifier (Cheng), Certificate Authority (PKI server).
1. Create public key/private key pair
2. Distribute private key
Figure D-9: Public Key Infrastructure (PKI)
3. Request certificate for Lee
4. Certificate for Lee
Figure D-9: Public Key Infrastructure (PKI)
5. Certificate for Lee
6. Request certificate revocation list (CRL)
7. CRL
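The certificate side of Figures D-8, D-10 and D-9 in working code, as an added example that is not part of the slides. A certificate authority issues an X.509 certificate binding the name "Lee" to Lee's public key; a verifier accepts a certificate only if it chains to the CA the verifier trusts and is not on the CRL, so an impostor's certificate that merely says "Lee" but comes from an untrusted issuer is rejected, which is what closes the Figure D-8 deception. Assumptions: ECDSA P-256 keys, the CA name "Example CA", and a CRL modelled as a plain set of revoked serial numbers rather than a signed X.509 CRL; the slides' step 2 (the PKI server distributing the private key) is not modelled, since here the applicant generates its own pair and the private key never leaves it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// certificateAuthority plays the PKI server of Figure D-9. The revoked set stands
// in for the CRL (assumption: a plain set of serial numbers, not a signed X.509 CRL).
type certificateAuthority struct {
	cert       *x509.Certificate
	key        *ecdsa.PrivateKey
	revoked    map[string]bool
	nextSerial int64
}

// newKeyPair creates a public key/private key pair (assumption: ECDSA P-256).
func newKeyPair() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

func newCertificateAuthority() (*certificateAuthority, error) {
	key, err := newKeyPair()
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example CA"}, // assumed name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key) // self-signed root
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &certificateAuthority{cert: cert, key: key, revoked: map[string]bool{}, nextSerial: 2}, nil
}

// issue (steps 3-5): the CA signs a certificate binding the applicant's name to the
// applicant's public key. The applicant's private key never leaves the applicant.
func (ca *certificateAuthority) issue(name string, pub *ecdsa.PublicKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(ca.nextSerial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	ca.nextSerial++
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.cert, pub, ca.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifierAccepts is what Brown or Cheng does before trusting a public key: the
// certificate must chain to the CA they trust (claiming the name "Lee" is not enough)
// and its serial number must not be on the CRL (steps 6-7).
func verifierAccepts(trustedCA *certificateAuthority, cert *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA.cert)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return err
	}
	if trustedCA.revoked[cert.SerialNumber.String()] {
		return fmt.Errorf("certificate for %s is on the CRL", cert.Subject.CommonName)
	}
	return nil
}

func main() {
	ca, _ := newCertificateAuthority()
	leeKey, _ := newKeyPair()
	leeCert, _ := ca.issue("Lee", &leeKey.PublicKey)
	fmt.Println("Lee's certificate from the trusted CA accepted:", verifierAccepts(ca, leeCert) == nil)

	// Figure D-8 impostor: a certificate naming "Lee" issued by a CA the verifier does not trust.
	rogueCA, _ := newCertificateAuthority()
	impostorKey, _ := newKeyPair()
	fakeCert, _ := rogueCA.issue("Lee", &impostorKey.PublicKey)
	fmt.Println("impostor's certificate rejected:", verifierAccepts(ca, fakeCert) != nil)

	ca.revoked[leeCert.SerialNumber.String()] = true // the CA publishes Lee's serial on the CRL
	fmt.Println("Lee's certificate rejected once on the CRL:", verifierAccepts(ca, leeCert) != nil)
}
```

In practice the verifier would fetch a signed CRL (or an OCSP response) from the CA rather than consult the CA's in-memory set, but the decision it makes is the same: chain validation first, revocation status second.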
Figure 9-9: Access Control
• Companies must then develop an access control plan for each asset
– The plan includes the AAA protections
– Authentication—proving the identity of the person wishing access
– Authorization—determining what the person may do if they are authenticated
– Auditing*—logging data on user actions for later appraisal
*3rd A: Accounting http://en.wikipedia.org/wiki/AAA_protocol
Figure 9-10: Authentication
Diagram: 1. the applicant sends credentials (password, etc.) to the verifier; 2. the verifier asks the authentication server "OK?"; 3. the authentication server answers "OK" and supplies authorizations; 4. the verifier welcomes the applicant.
The applicant is the person who wishes to prove his or her identity. The verifier is the person who wants to authenticate the applicant.
The applicant sends credentials (passwords, etc.). Usually a central authentication server judges the credentials.
This provides consistency in authentication.
Figure 9-11: Password Authentication
• Passwords should be complex
– Mix case (A and a), digits (6), and other keyboard characters ($, #, etc.)
– Can only be cracked with brute force attacks (trying all possibilities)
• Passwords should be long
– Eight characters minimum
– Each added character increases the brute force search time by a factor of about 70
Figure 9-12: Digital Certificate Authentication
• Public and Private Keys
– Each party will have both a public key and a private key
– Each party makes its public key available to everybody
– Each party keeps the private key secret
• Digital Certificate
– Tamper-proof file giving a party’s public key
Figure 9-12: Digital Certificate Authentication
• Operation
– Applicant performs a computation with his or her private key, which only he or she should know
– Verifier tests the calculation with the public key in the digital certificate of the party the applicant claims to be
– If the test is successful, the applicant is authenticated as knowing the claimed party's secret private key
– If the test fails, the applicant is rejected
Figure 9-12: Digital Certificate Authentication
Diagram: the applicant sends a calculation created with the applicant's private key; the verifier checks it against the public key, taken from the digital certificate, of the person the applicant claims to be.
The verifier tests the calculation with the public key of the claimed party. If the test succeeds, the applicant must know the secret private key of the claimed party, which only the claimed party should know.
Figure 9-12: Digital Certificate Authentication
• Appraisal
– Digital signature authentication gives extremely strong authentication
– Very expensive: must set up infrastructure for distributing public-private key pairs
– Must do the labor of creating, distributing, and installing private keys.
41
Figure 9-13: Biometric Authentication
• Biometric Authentication
– Authentication based on bodily measurements
– Promises to eliminate passwords
• Fingerprint Scanning
– Dominates biometrics use today
– Simple and inexpensive
– Substantial error rate (misidentification)
– Often can be fooled fairly easily by determined impostors
– Not a problem for low-risk situations like home computers
42
Figure 9-13: Biometric Authentication
• Iris Scanners
– Scan the iris (colored part of the eye)
– Irises are complex, so very strong authentication
– Expensive
• Face Recognition
– Camera allows analysis of facial structure
– Can be done surreptitiously—without the knowledge or consent of person being scanned
– Very high error rate and easy to fool
43
Figure 9-13: Biometric Authentication
• Error Rates and Deception( 欺騙 )
– Error rates are higher than vendors claim
– Deception is easier than vendors claim
– The usefulness of biometrics is uncertain
44
Figure 9-14: Firewall Operation
Diagram: the Internet firewall sits between the Internet and the internal corporate network of hardened client PCs and hardened servers. An attacker's attack packet is denied and written to the log file; a legitimate host's legitimate packet is allowed through. Ingress filtering covers packets entering the site; egress filtering covers packets leaving it.
Firewalls inspect each packet. Legitimate packets are allowed through.
Provable attack packets are dropped and logged.
Figure 9-15: Stateful Firewall Filtering
• Stateful Firewall Filtering
– There are several types of firewall filtering
– Stateful inspection is the dominant methodology today
– Stateful firewalls often use other filtering mechanisms as secondary mechanisms
46
Figure 9-15: Stateful Firewall Filtering
• Connection Initiation
– Some packets attempt to open a connection
• Example: packets with TCP segments whose SYN bits are set
• Stateful firewalls have default rules for connection-opening attempts
Diagram: at the site's stateful border firewall, externally initiated connections are rejected by default; internally initiated connections are allowed by default.
Stateful Firewalls
Flowchart: all packets are divided into connection-opening attempts and other packets. Connection-opening attempts are judged by the default behavior for connections and by ACL exceptions. Other packets are accepted if they are part of a previously permitted connection and dropped if they are not.
Figure 9-15: Stateful Firewall Filtering
• Perspective
– Simple operation leads to inexpensive stateful firewall operation
– However, stateful inspection firewall operation is highly secure
49
Figure 9-17: Ingress Access Control List (ACL) for a Stateful Inspection Firewall
• 1. If packet’s source and destination sockets are in the connection table, PASS.
– If the packet is part of a previously established connection, pass it without further filtering.
• 2. If the packet’s source and destination sockets are not in the connection table and the packet is not a connection-opening attempt, DROP and LOG.
– Drop any packet that is not a connection-opening attempt and that is not part of an established connection.
50
Figure 9-17: Ingress Access Control List (ACL) for a Stateful Inspection Firewall
• 3. If protocol = TCP AND destination port number = 25, PASS and add connection to connection table
– This rule permits external access to all internal mail servers.
• 4. If IP address = 10.47.122.79 AND protocol = TCP AND destination port number = 80, PASS and add connection to connection table.
– This rule permits access to a particular webserver, 10.47.122.79
51
Figure 9-17: Ingress Access Control List (ACL) for a Stateful Inspection Firewall
• 5. Deny All AND LOG
– If earlier rules do not result in a pass or deny decision, this last rule enforces the default rule of banning all externally-initiated connection-opening attempts.
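The five-rule ingress ACL of Figure 9-17, together with the Figure 9-15 default of rejecting externally initiated connections, as an added example that is not part of the slides: a small stateful filter with a connection table keyed on source and destination sockets, applied to a constructed packet stream. The internal address 10.47.122.79 and port numbers 25 and 80 come from the slides; the other addresses, the struct fields and the rule that only a TCP SYN without ACK counts as a connection-opening attempt (UDP is ignored, as on the slides) are assumptions of this example.

```go
package main

import "fmt"

// packet is the subset of header fields the ingress ACL looks at.
type packet struct {
	srcIP, dstIP     string
	srcPort, dstPort int
	proto            string // "TCP" or "UDP"
	syn, ack         bool   // TCP flags; SYN without ACK is a connection-opening attempt
}

// socketPair is the connection-table key: source socket and destination socket.
type socketPair struct{ src, dst string }

func (p packet) sockets() socketPair {
	return socketPair{fmt.Sprintf("%s:%d", p.srcIP, p.srcPort), fmt.Sprintf("%s:%d", p.dstIP, p.dstPort)}
}

type statefulFirewall struct {
	connections map[socketPair]bool // previously permitted connections
	log         []string            // packets dropped under rules 2 and 5
}

func newStatefulFirewall() *statefulFirewall {
	return &statefulFirewall{connections: map[socketPair]bool{}}
}

// publishedWebserver is the single host that rule 4 exposes on port 80 (from Figure 9-17).
const publishedWebserver = "10.47.122.79"

// ingress applies the five rules of Figure 9-17 in order and returns "PASS" or "DROP".
func (fw *statefulFirewall) ingress(p packet) string {
	key := p.sockets()
	// Rule 1: part of a previously permitted connection.
	if fw.connections[key] {
		return "PASS"
	}
	// Rule 2: not in the table and not a connection-opening attempt.
	opening := p.proto == "TCP" && p.syn && !p.ack
	if !opening {
		fw.log = append(fw.log, fmt.Sprintf("rule 2 drop: %v", p))
		return "DROP"
	}
	// Rule 3: external access to any internal mail server (TCP/25).
	if p.dstPort == 25 {
		fw.connections[key] = true
		return "PASS"
	}
	// Rule 4: the one published webserver (TCP/80).
	if p.dstIP == publishedWebserver && p.dstPort == 80 {
		fw.connections[key] = true
		return "PASS"
	}
	// Rule 5: deny all other externally initiated connection-opening attempts, and log.
	fw.log = append(fw.log, fmt.Sprintf("rule 5 drop: %v", p))
	return "DROP"
}

func main() {
	fw := newStatefulFirewall()
	// Constructed sample traffic: 10.47.122.x are internal hosts, 203.0.113.x external.
	flow := []packet{
		{"203.0.113.5", "10.47.122.79", 40001, 80, "TCP", true, false},  // open HTTP to the published webserver
		{"203.0.113.5", "10.47.122.79", 40001, 80, "TCP", false, true},  // later packet of that connection
		{"203.0.113.5", "10.47.122.80", 40002, 80, "TCP", true, false},  // HTTP to an unpublished host
		{"203.0.113.9", "10.47.122.10", 40003, 25, "TCP", true, false},  // SMTP to a mail server
		{"203.0.113.9", "10.47.122.10", 40009, 25, "TCP", false, true},  // ACK for a connection never opened
		{"203.0.113.7", "10.47.122.10", 40004, 53, "UDP", false, false}, // UDP, not an opening attempt
	}
	for _, p := range flow {
		fmt.Printf("%-4s %s:%d -> %s:%d %s\n", fw.ingress(p), p.srcIP, p.srcPort, p.dstIP, p.dstPort, p.proto)
	}
	fmt.Println("log entries:", len(fw.log))
}
```

The ordering matters: rule 1 runs before any ACL exception, which is what makes the filter cheap (most packets belong to known connections and never reach rules 3 to 5), and rule 5 is reached only by connection-opening attempts that no exception permitted, so its log is a clean record of blocked external connection attempts.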
52
Figure 9-18: Firewalls, Intrusion Detection Systems, and Intrusion Prevention Systems
• Firewalls
– Drop provable attack packets
• Intrusion Detection Systems (IDSs)
– Very sophisticated filtering—better than firewalls
– Identify suspicious packets
– Cannot drop: suspicious packets may be legitimate
• Intrusion Prevention Systems (IPSs)
– Use IDS filtering mechanisms
– Drop suspicious packets highly likely to be attacks
– Ignore other suspicious packets
53
Figure 9-18: Firewalls, Intrusion Detection Systems, and Intrusion Prevention Systems
• IDS and IPS filtering
– Stream Analysis
• Analyze streams of packets to identify suspicious patterns
– Deep packet inspection
• Inspect headers and messages at the internet, transport, and application layers
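Stream analysis in working code, as an added example that is not part of the slides: the detector looks across many packets rather than at one, counting, per destination host, the source hosts that sent a TCP SYN but never followed with an ACK, which is the trace a SYN flood such as the one in Figure 9-5 leaves. The victim address 60.168.47.47 is taken from that figure; the other addresses, the event struct and the threshold are constructed assumptions. The threshold is exactly the tuning knob the next slide describes: set it too low and legitimate connection bursts become false positives.

```go
package main

import (
	"fmt"
	"sort"
)

// tcpEvent is one observed TCP header, reduced to what stream analysis needs.
type tcpEvent struct {
	src, dst string
	syn, ack bool
}

// halfOpenBySource returns, for each destination host, the set of source hosts that
// sent a SYN and never completed the handshake (no later ACK from the same source)
// within the analyzed stream.
func halfOpenBySource(stream []tcpEvent) map[string]map[string]bool {
	halfOpen := map[string]map[string]bool{}
	for _, e := range stream {
		if halfOpen[e.dst] == nil {
			halfOpen[e.dst] = map[string]bool{}
		}
		switch {
		case e.syn && !e.ack:
			halfOpen[e.dst][e.src] = true
		case e.ack:
			delete(halfOpen[e.dst], e.src)
		}
	}
	return halfOpen
}

// synFloodSuspects lists destination hosts whose number of half-open sources reaches
// threshold. Returned sorted so the output is stable.
func synFloodSuspects(stream []tcpEvent, threshold int) []string {
	var suspects []string
	for dst, sources := range halfOpenBySource(stream) {
		if len(sources) >= threshold {
			suspects = append(suspects, dst)
		}
	}
	sort.Strings(suspects)
	return suspects
}

func main() {
	// Constructed stream: two legitimate clients complete their handshakes; six
	// zombie sources send SYNs to the Figure 9-5 victim and never ACK.
	stream := []tcpEvent{
		{"198.51.100.20", "60.168.47.47", true, false},
		{"198.51.100.20", "60.168.47.47", false, true},
		{"198.51.100.21", "10.0.0.5", true, false},
		{"198.51.100.21", "10.0.0.5", false, true},
	}
	for i := 0; i < 6; i++ {
		stream = append(stream, tcpEvent{fmt.Sprintf("192.0.2.%d", 10+i), "60.168.47.47", true, false})
	}
	for dst, sources := range halfOpenBySource(stream) {
		fmt.Printf("%s: %d half-open sources\n", dst, len(sources))
	}
	for _, s := range synFloodSuspects(stream, 5) {
		fmt.Println("possible SYN flood against", s)
	}
}
```

A real IDS would evaluate this over a sliding time window and weight by rate, but the shape is the same: per-flow state kept across packets, which is why the next slide lists heavy processing as the cost of IDS and IPS filtering.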
Figure 9-18: Firewalls, Intrusion Detection Systems, and Intrusion Prevention Systems
                          Firewalls       IDSs                                  IPSs
Processing power needed   Modest          Heavy                                 Heavy
Maturity                  Fairly mature   Still immature; too many false        New; only used to stop attacks that
                                          positives. Tuning reduces false       can be identified fairly accurately
                                          positives but is labor-intensive