Network Security Essentials

Network Security Essentials
Secure Systems
1. Security policy
– What needs to be protected
– Kinds / level of protection
– Responsibilities
– Auditing policy
2. Security environment
– Physical environment
– Physical security
– Hardware, operating system
– firewalls, etc
Module Code and Module Title Title of Slides

Secure Systems
3. Security mechanisms
– cryptographic technologies
– authentication methods
– security protocols
4. Monitoring and auditing procedures

– monitor access
– audit trails
– feedback on failures, security breaches
– containment and recovery

Acceptable Use Policy
Should include at least:
• An access policy - defines access rights and privileges
• An accountability policy - defines the responsibilities of
users, operating staff, and management
• An authentication policy - establishes trust via
something the user knows, has, or is
• A privacy policy - defines reasonable expectation of
monitoring of email, access to user files, etc
• A technology policy - guidelines for purchasing,
configuring, and auditing computer systems

Security Management
• A security policy defines what information is to be protected

and from whom
• Security mechanisms implement aspects of the security
policy, and their effectiveness must be monitored
• Security policies apply to resources under control of the
enterprise; acceptable use policies apply to people and
interfaces.
• Security procedures implement aspects of the acceptable
use policy, and compliance must be monitored

Security Policy
The implications are:

• implementing the acceptable use policy is essentially a
management issue;
• implementing the security policy is more of a technical issue;
• security policy implementation mechanisms must provide
information necessary for enforcement of the acceptable use
policy.
• Monitoring effectiveness of mechanisms and compliance with
policies (accountability) requires keeping track of activity (audit
trails)

Security Protocols
In practice, no single mechanism is adequate to address all

goals, so a mix of mechanisms will be required to enforce
security policies.
A protocol is an orderly sequence of steps that two or more
parties follow in order to accomplish some joint task
e.g. protocols for
• authentication of participants in an exchange of messages
• data integrity checks

Encryption, Cryptography
 The Internet is a public access network

 Messages can be intercepted and read by anyone
 Messages can be modified in transit
 Message senders can be impersonated
Encryption is a mechanism that can be incorporated

into security protocols

Encryption and Security

Cryptographic techniques
 Encryption: Scrambling a message
 Algorithm: Method used for scrambling
 Key: the output of certain encryption algorithms is controlled
by a value called an encryption key.
More formally: The algorithm is used to transform plaintext into
cyphertext

Cryptographic techniques
 Properties of algorithms:
 reversible: can transform cyphertext back to plaintext
 symmetric: uses one key for both encryption and decryption
 Most Important classes of algorithms

 Reversible, symmetric (Conventional)
 Reversible, asymmetric (Public Key)
 One-Way (Hash)

Symmetric, Reversible (Shared Key)
Repeat several times using

cyphertext as plaintext
Need to know the

substitution alphabet
and the number of
iterations to decrypt

Asymmetric, Reversible (Public Key)
Uses a key pair (a,b) Public key Private key
• What one key does, the other can undo

– Either key can be used to encrypt a message -
the other key is then used to decrypt it
– The message cannot be decoded with the key
that encoded it
– The message can only be decoded by a
matching key
• Knowledge of one key does not allow the other to be deduced
One key can be published while the other is kept secret and secure
Asymmetric, Reversible (Public Key)
- Private Message
- All devices can use a station’s public key to encrypt data to
send to the station.
- The receiving station decrypts the data using its own private
key.
- Assured Message
- Sender uses private key to encrypt data
- The receiving station decrypts the data using the sender’s
public key.
- If the private key is kept secure, cannot deny sending the
message (non-repudiation)

One-Way Algorithms (Hash
functions)
• Create a message digest or “fingerprint”
• Plaintext message can not be deduced from its hash
• Size of the digest is always the same, regardless of the size of
the message
• Algorithm is designed so that a small change in the plaintext
produces a big change in the message digest.
• Plaintext is run through the algorithm and compared to a
trusted, stored copy
• Used for passwords by operating systems, HTTP basic
authentication

/etc/shadow
When the system administrator sets up an account, the password is typed in for
the first time. The system stores the encrypted password in a secure database.
User : Password : UID : GID : GCOS : Home : Shell

root:KnR8gQb3hDYg6:0:0:root:/root:/bin/bash
httpd:zYFuFaKw6ZovI:15:60:Apache_1.2.4:/home/httpd:/bin/bash
tomas:k6x5IqJcB1C.Q:500:500:TommyGun:/home/tomas:/bin/bash
guest:qfRc424I3/QGI:502:502:Guest User:/home/guest:/bin/pdmsh
jacob:dbBOzTSdCX5HU:503:503:Linux User:/home/jacob:/bin/bash
peterlai:T5RlEJUib7wOk:504:504:Linux User:/home/peterlai:/bin/bash
toshiba:DPz8cCRkIQc1Q:505:502:SLIP User:/home/rest:/usr/sbin/dip -i
victor:wiSml8WiVwJt2:506:506:Linux User:/home/victor:/bin/bash
dolphin:5JaZ7KmR7hEzM:508:507:Mail User:/home/dolphin:/usr/bin/pine
Each time the user logs in after that, the system encrypts the password that has
been typed in and compares it to the cyphertext stored in the database.
Mechanisms to Protocols: Digital
Signatures
Use two algorithms: a “one-way” algorithm and a “public key” algorithm

1. Create a message
2. Generate a message digest
3. Encrypt the message digest with private key
4. Send both
Receiver runs the plaintext message through the same hash algorithm
and compares the outcome with the message digest that was
received
– one-way (hash) assures integrity
– public key assures non-reputability

Digital Signatures
The digest that is sent with the message serves as a trusted,
stored copy, like the password database
The message itself does not need to be encrypted, although it
can be.
The encrypted message digest is the digital signature
-----BEGIN PGP MESSAGE-----Version:

2.6.3ihIwDOds8UfDZJ60BA/9IkThuRPJUtYCoaYFdNusnSGg/GR91uIGh6GI5azCgk6qHVe
4CRODsc0saK1e5ZHWOsTSFpIOsdofE4Nms7a70xL/WjYBN4ZBedRgUe7ox0AC3D18Z6baJ+x
eSoGxbn4oOfdh+DoYjo38tltSbBmMVK4LLhLxscasVUskQDDOoA6YAAAEibz1Z3BMGTRtH1k
jdb5pUTOpFvbdLXvvDFlo00QAmW6Leuwb1Q4+Ny5MSIlJ3mxxkDCjfc2qCp/KUwxhDTqW8hg
oFx6O4Yynmu+OQyomA5Aloo9WEJljtuRbkGM38dD2AfqmnmkwcAp2SFOIfabaIv7AcfEwWEK
QvlThpRIxi5uJjgXhXXFyLpMC4SUCeDmhYgNESVsZAY2Y+zVtMTvlQP+
+lHOzP3gW9HdVKAzQX4xESXq5bKPD6Wr2IZ2c4+j/psS4ytTzJMa4msL9z5L2vZF1GmsEVt8
bxHWVgH1rLl4L8mmirCU3jZFjWGZY30RYjEjghgQNNgTREqRfWQW6SQWmdN60cEYOFjr8fa1
PGQFL42sjBZlv7+uKbx33PLtEeRlQ==a+bB
-----END PGP MESSAGE-----

Message Digest: Integrity
Checking
Transmit Electronically PAY WING $180 // 1352
(Message
PAY WONG $100 // 1352 Altered PAY WING $180
Split
in transit)
Combine
Hash = 1352 Hash algorithm
Hash = 1352
New Hash = 3972
Hash algorithm No Compare
PAY WONG $100

Yes
hash failure detects tampering if message is altered

Mechanisms to Protocols:
Session Keys
• Public Key Algorithms are ‘computationally intensive’

– 1000 times slower on average than symmetric systems.
• Conventional Algorithms require secure key exchange
– If the key is intercepted, confidentiality will be compromised
SO ...
• Generate a symmetric ‘session key’
– Used only for this communication session
– Random number
• Use public key to encrypt
• Then use the session key to exchange data

Secure Sockets Layer (SSL)
Transport Layer Security (TLS)
Application SSL is a commonly-used protocol for

managing the security of message
transmission.
SSL
TLS is the IETF standard version of SSL.
SSL is a layer between the application
TCP and TCP layers
IP
Data Link

Security Protocols
Example: Mutual authentication and session key agreement via public keys
Both Alice and Bob can be confident that the session key is a secret shared only by
them, provided that they have the correct public keys - otherwise this method is
vulnerable to attack by a third party impersonating Alice to Bob and Bob to
Alice.

Security Protocols
The Man-in-the-Middle attack works when public keys all look the
same, and people exchange keys directly.
• Digital Certificates are used to assure authenticity of the sender.

• Issued by third parties: certificate authorities (CA).
• Individuals and companies apply by sending CA their public key
and identifying info.
• CA verifies this info and creates a certificate containing public key
and identifying info and encrypts this using its private key.
• Usually have an expiration date and a a confidence limit (“valid for
transactions  this amount”)

Digital Certificate
0. CA AUTHENTICATES
SENDER, DIGITALLY
4. DECRYPT SENDER’S SIGNS CERTIFICATE
MESSAGE USING
SENDER’S PUBLIC KEY
3. VERIFY IDENTITY
OF SENDER.
2. VERIFY THAT CA
NAME MATCHES.
1. USE CA’S PUBLIC KEY

TO VERIFY CERTIFICATE
IS GENUINE AND HAS
NOT BEEN ALTERED.
From FORD & BAUM,

SECURE ELECTRON IC COMMERCE
SSL overview
1. Client requests secure session with web site and sends a random
challenge string
2. Web site sends its certificate containing its public key plus identity
3. Client checks certificate, authenticates server
4. Client sends its certificate, plus encrypted session key and signed
connection ID
5. Sever sends signed challenge string, session ID
6. Client and server communicate using session key

How Secure is Encryption?
• Function of the algorithm

– should be such that even if opponent knows the algorithm
and has the ciphertext, he is unable to decrypt or to
determine the key used
• Function of the length of the key

– Generally, the longer the key, the harder to break the
message by trying all the possibilities: “Brute Force Attack”
– A binary key of 4 bits has 24 =16 possibilities, while a 56 bit
key has 256  72 quadrillion possibilities

Analysing Security Tradeoffs
• Tradeoffs must be made between achieving security goals

and goals for affordability, usability, performance, and
availability.
• Security adds to the amount of management work (i.e. login IDs,
passwords, and audit logs)
• Packet filters and data encryption consume CPU power and memory on
hosts, routers, and servers (1.5% of available CPU power).
• Security can reduce network redundancy, and make it harder to offer
load balancing

Things to do: TLS
Configuration files are ready to implement TLS

for communications between MUAs and the
MSA and the MAA
(bla bla bla)
Requires:
 Generating public and private keys
 Generating a self-signed certificate
 Changing configuration files

stunnel
• We use stunnel rather than the native SSL

capabilities of postfix, dovecot, and ldap
because it is simpler to have one configuration
and adapt it rather than munging all of the config
files ... and it demonstrates the concept of port
forwarding.


Network Security Essentials

Uploaded by

Copyright:

Available Formats

You might also like

Network Security Essentials

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Network Security Essentials

Uploaded by

Copyright:

Available Formats

Network Security Essentials

Module Code and Module Title Title of Slides

4. Monitoring and auditing procedures

Module Code and Module Title Title of Slides

Module Code and Module Title Title of Slides

• A security policy defines what information is to be protected

Module Code and Module Title Title of Slides

The implications are:

Module Code and Module Title Title of Slides

In practice, no single mechanism is adequate to address all

Module Code and Module Title Title of Slides

 The Internet is a public access network

Encryption is a mechanism that can be incorporated

Module Code and Module Title Title of Slides

Module Code and Module Title Title of Slides

Module Code and Module Title Title of Slides

 Most Important classes of algorithms

Module Code and Module Title Title of Slides

Repeat several times using

Need to know the

Module Code and Module Title Title of Slides

Uses a key pair (a,b) Public key Private key

• What one key does, the other can undo

Module Code and Module Title Title of Slides

Module Code and Module Title Title of Slides

User : Password : UID : GID : GCOS : Home : Shell

Use two algorithms: a “one-way” algorithm and a “public key” algorithm

Module Code and Module Title Title of Slides

-----BEGIN PGP MESSAGE-----Version:

Module Code and Module Title Title of Slides

Transmit Electronically PAY WING $180 // 1352

Hash algorithm No Compare

PAY WONG $100

hash failure detects tampering if message is altered

• Public Key Algorithms are ‘computationally intensive’

Module Code and Module Title Title of Slides

Application SSL is a commonly-used protocol for

Module Code and Module Title Title of Slides

Module Code and Module Title Title of Slides

• Digital Certificates are used to assure authenticity of the sender.

Module Code and Module Title Title of Slides

1. USE CA’S PUBLIC KEY

From FORD & BAUM,

Module Code and Module Title Title of Slides

• Function of the algorithm

• Function of the length of the key

Module Code and Module Title Title of Slides

• Tradeoffs must be made between achieving security goals

Module Code and Module Title Title of Slides

Configuration files are ready to implement TLS

Module Code and Module Title Title of Slides

• We use stunnel rather than the native SSL

Module Code and Module Title Title of Slides

You might also like