Professional Documents
Culture Documents
Security of Communication Networks, InDP3 (IST, IRES, RSM)
Security of Communication Networks, InDP3 (IST, IRES, RSM)
Security of Communication Networks, InDP3 (IST, IRES, RSM)
Networks
Slim REKHIS
SUPCom
INDP3
IST, IRES, RSM
Semestre I, 2011/2012
Course outline
Content
Security Fundamentals
Virtual Private Networks
Firewalls
Access control and multi-level security
Intrusion detection
Chapter1
Security Fundamentals
INDP3
IST, IRES, RSM
Semestre I, 2011/2012
Slim REKHIS
SUPCom
Motivations
Information systems have been penetrated by
unauthorized users and rogue programs
Increased volume of security breaches (Computer
Emergency Response Team , CERT, reports a
tremendous increase of security incidents).
Security attacks are of increasing severity and
sophistication.
Distributed Denial of Service (DDOS) attacks.
Catagories of attacks
Interruption: A system asset is destroyed or becomes unavailable
Attack on availability
E.g., destroying file system, flooding a communication link with packets.
12
Active attacks
Masquerade: an entity pretends to be some other entity.
Replay: an entity captures a data unit and retransmit it to produce an
unauthorized effect.
Message modification : en entity modifies a portion of a legitimate message
to produce an undesirable effect.
Denial of service: Inhibits normal use of computer and communications
resources.
13
Attack features
Coordination: Multiple attackers can cooperate
through resource sharing, task allocation, and
synchronization.
Generated alerts are characterized by an amount
of uncertainty.
Should be taken into consideration when making
decisions based on generated alerts
Some definitions
Security attack: any action that compromises the
security of information owned by an organization
or an individual.
Security mechanism: a mechanism that
implements functions designed to prevent,
detect, or respond to a security attack.
Security service: A service that enhances the
security of data processing systems and
information transfers.
A security service uses one or more security
mechanisms to counter a security attack.
16
Some definitions
Alert: A message sent by attack detection tools
(e.g., IDS) when they observe an attack.
Threat: possible attack on the system.
Vulnerability: a weakness that may be exploited
to cause loss or harm
Risk: a measure of the possibility of security
breaches and severity of the obtained damages.
Requires assessment of threats and
vulnerabilities
17
Classifying vulnerabilities
Application-level vulnerabilities
Operating systems
Web applications (e.g., servers, servlets)
Database applications
Network protocol implementations
Protocol vulnerabilities
Human-related vulnerabilities
Misconfiguration of equipments (i.e firewall, router,
switch)
Weak password protection
Confidentiality violations
19
IIS catches this and returns an HTTP 404 - File not found response.
IPSpoofing
IP packet carries no authentication of
source address
IP spoofing is possible
IP spoofing can help malicious users to
bypass IP-based authentication mechanisms
IP spoofing occurs on other packet-switched
networks also, such as Novells IPX
24
Integrity/authenticity:
Requires that only authorized parties are able to modify computer system assets
and transmitted information ( information should be protected from tampering.).
Authentication:
Requires that the origin of a message or electronic document is correctly identified.
Any party can verify that the other party is who he or she claims to be
Non repudiation:
requires that neither the sender nor the receiver of message be able to
deny the transmission.
Access Control :
Requires that access to information resources may be controlled by or for
the target system.
25
Availability
Requires that a service/resource be accessible and usable upon demand by
an authorized entity.
Accountability
Requires that every activity undertaken by an entity be attributed or
traceable uniquely to that entity.
Identification
Requires that an information system possesses the characteristic of
identification when they are able to recognize individual users
26
Authorization:
verify that whether a legal person has the privilege to perform
a task or a right to access certain resources after the person
has been authenticated.
Example:
A process P created by a user U contacts a server to delete
a file F. The server needs to handle the two issues:
Is this actually the process of U ? (authentication)
Is U allowed to delete the file ? (authorization)
27