© Neeraj Suri, EU-NSF ICT, March 2006
DEWSNet: Dependable Embedded Wired/Wireless Networks
MUET Jamshoro
e-Health Security – An Overview
Faisal Karim Shaikh
DEWSNet Group: Dependable Embedded Wired/Wireless Networks
www.fkshaikh.com/dewsnet
eHealth Security – An overview 2
Course Structure and Contact Info
www.muet.edu.pk/~shaikh/courses/
Schedule: Monday 3-5 pm
Exams: 2-3 mid exams (can be surprise :), home assignments, presentations in class (voluntary), final exam
Faisal K. Shaikh, [email protected]
Office Hours (TL125): Monday 10:00 – 11:00, or by appointment
Relevant Literature + Lecture Foils
Internet is open for all and for me too
Slides will be available on the lecture’s homepage. I will try to upload the foils shortly before/after the lecture.
Books:
Kaufman, Perlman and Speciner. Network Security: Private Communication in a Public World.
Stevens. TCP/IP Illustrated, vol. 1: The Protocols.
…
Course Overview
Network Security
Introduction to network security
• Secure network services
• Attacks
Secure channels/network layers
• Introduction to cryptography
• Authentication
• Cryptographic protocols
– Strong authentication, key exchange
Analysis of protocols
Standards
• SSL/TLS, SSH, IPSEC
• Kerberos, S/Key
Public Key Infrastructures
• PKI: X.509
• PGP
Course Overview
Packet filtering/Firewalls
Intrusion detection
Distributed Denial of Service attacks
Network forensics/vulnerability assessment
Data Security
Body Area Networks Security
First concepts
Terminology
What is Security?
Definitions from the Amer. Herit. Dict.:
Freedom from risk or danger; safety. (NO!)
Measures adopted … to prevent a crime such as burglary or assault. (ALMOST!)
Network security measures: mechanisms to prevent, detect, and recover from network attacks, or for auditing purposes.
Terminology
Assets and liabilities
Policies
Security breaches
Vulnerabilities
Attacks
Threats
Threat intensity
A Secured Network
A network is “secured” if it has deployed adequate measures for prevention of, detection of, and recovery from attacks.
Adequate = commensurate with the value of the network’s assets and liabilities, and the perceived threat intensity.
– By Breno
Security Goals
Confidentiality, Integrity, Availability
Other important security goals include auditability.
Security operations
Prevention against adversarial or accidental capture and/or modification of information.
Audit of data accesses/modifications, and of privileged operations.
Detection of all improper access to data and system resources.
Recovery from unauthorized access, restoring data values, system integrity, and identifying compromised data/resources.
Retaliation (legal, PR, info. warfare)
Authentication
Used to prevent impersonation and detect unauthorized data modifications.
Some mechanisms to provide data integrity will not be considered: enforcement of safe data manipulation methods (file system protection mechanisms, database protection mechanisms).
Availability
Continuous service, quality of service, reduction of resource wastefulness
Typical attacks: DoS, DDoS
Prevention by removal of bottlenecks
Detection of attacks
Recovery of service provision ability
Audit of service requests
Concrete Security Measures
Securing an open network requires adoption of a myriad of measures:
Policies, audit and evaluation
Personnel training
Physical security/EM emanation shielding
Authentication and access control
Communication security: cryptography-based techniques.
Open Systems Interconnection
A standard-centric networking model
Open Systems
Open Systems: general-purpose networks that support standardized communication protocols and may accommodate heterogeneous sub-networks transparently.
Corporate Intranets: Ethernet, Token Ring and Wireless subnets.
Internet
Open Systems Interconnection Model
ISO’s layered approach to standardization
7. Application layer: FTP, Telnet, SSH
6. Presentation layer: MIME, XDR, SSH
5. Session layer: NetBIOS, FTP, Telnet, SSH
4. Transport layer: TCP, UDP, SSL/TLS
3. Network layer: IP, ICMP, IPSEC
2. Data link layer: Ethernet, PPP, ISDN
1. Physical layer: pins, cabling, radio
1-2. Physical/Data Link Layers
Physical layer: radio, fiber, cable, pins.
Data link layer: orchestrates the signaling capabilities of the physical medium (unreliable, noisy channel) into reliable transmission of protocol data units (PDUs).
PDUs contain control information, addressing data, and user data.
Hardware-based encryption operates at layers 1+2.
3. Network Layer
Exports a logical network interface, allowing for uniform addressing and routing over heterogeneous sub-networks. E.g.: IP can route between Ethernet and 802.11x networks.
Internet structure
(Figure: autonomous systems AS1, AS2, AS3 and AS4 interconnected by negotiated BGP routes.)
4. Transport Layer
Permits connection and connectionless associations. Connections enable reliable transmission of data streams.
End-to-end security first becomes meaningful at this level.
Security associations: an association is either a connection or a connectionless transmission service at levels 4-7.
Levels 5 and Higher
Application through session protocol layers. Many network applications implement their own session management. Moreover, they typically depend on system libraries for presentation layer capabilities. Such applications, from a data-path viewpoint, may be considered a single layer: PDUs typically only appear at the session layer.
Example: SSH
SSH provides services at all three topmost OSI layers:
Application: terminal/file transfer
Presentation: encryption
Session: connection, synchronization
Only at the session layer does the data (encrypted buffers of user input) first get packaged into a protocol data unit for transmission.
TCP/IP networking model
A data-path centric model
TCP/IP network model (TCP/IP protocol)
TCP/IP Application Layer: 7. OSI Application, 6. OSI Presentation, 5. OSI Session
TCP/IP Transport Layer: 4. OSI Transport
TCP/IP Network Layer: 3. OSI Network
TCP/IP Data Link Layer: 2. OSI Data Link
TCP/IP Physical Layer: 1. OSI Physical
Protocol Data Wrapping
Fitting Security
How security measures fit into the network models
Association Model
An association is either a connectionless data transmission service or a connection at any of OSI layers 4-7, or at the TCP/IP application/transport layers.
An N-association is the data-path through which N+1 entities communicate: generally at the session layer or below. N+1-layer data is packaged into N-PDUs.
Association Model (2)
V. L. Voydock and S. T. Kent
Security at levels 1 - 3
Implemented at the host/network interface level (lacks the notion of an association): link-to-link security.
Encryption/authentication requires operations at each network node.
Each network node must be trusted. Impractical for Open Systems?
Security protocols ≤ 3
Many VPN technologies work at level 2: PPTP, L2F, L2TP.
Rationale: directed at dial-up VPN networks (PPP is level-2). Provide service to a variety of network-level protocols, such as IP or IPX.
IPSEC works at level 3; it essentially extends IPv6/IPv4.
Security above level 3
Most flexible security measures.
End-to-end security: the security policies and mechanisms can be based on associations between entities (applications, processes, connections), as opposed to host-based. In multi-user environments, or when hosts are not physically secure, host-based policies are not sufficiently fine-grained.
Summary
Security measures can take three main forms:
1. End-to-end security at the TCP/IP application layer (OSI model layers 5-7)
2. End-to-end security at the (TCP/IP, OSI) transport layer
3. Link-to-link security at the network, data-link and physical layers.
Attacks
A taxonomy
Attack Types
And their impact on end-to-end communication security mechanisms
Passive Attacks
Observation of N+1-layer data in an N-layer PDU: release of data contents, or eavesdropping.
Observation of control/address information on the N-PDU itself: traffic analysis.
Transport/network boundary = end-to-end/link-to-link boundary. Traffic analysis is least effective if N+1 = 4.
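The N-PDU wrapping of the Protocol Data Wrapping and Association Model slides, and the eavesdropping versus traffic-analysis distinction above, as an added Python example that is not part of the lecture: it wraps constructed application data down to an Ethernet frame and reports what a passive on-path observer can still read depending on the lowest OSI layer from which protection is applied. The addresses, ports, session id and the `PDU`/`observer_view`/`security_form` names are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class PDU:
    """An N-layer protocol data unit: control/addressing header plus the N+1-layer data it carries."""
    layer: int        # OSI layer number of this PDU
    header: dict      # control and addressing information (what traffic analysis reads)
    payload: object   # N+1-layer data: another PDU, or raw bytes at the top of the stack


def wrap(app_data: bytes) -> PDU:
    """Wrap application data downwards: session PDU -> TCP segment -> IP packet -> Ethernet frame.
    Addresses, ports and session id are constructed sample values."""
    session = PDU(5, {"session_id": 7}, app_data)
    tcp = PDU(4, {"src_port": 51234, "dst_port": 443, "seq": 1}, session)
    ip = PDU(3, {"src_ip": "10.0.0.5", "dst_ip": "192.0.2.10"}, tcp)
    return PDU(2, {"src_mac": "02:00:00:00:00:01", "dst_mac": "02:00:00:00:00:02"}, ip)


def observer_view(frame: PDU, protected_from: int) -> dict:
    """What a passive on-path observer can read when everything from OSI layer
    `protected_from` upward is encrypted. Headers of lower layers stay readable
    (traffic analysis); the protected part is opaque. protected_from=8 means no protection."""
    visible = {}
    node = frame
    while isinstance(node, PDU):
        if node.layer >= protected_from:
            visible["ciphertext_from_layer"] = node.layer
            return visible
        visible[node.layer] = dict(node.header)
        node = node.payload
    visible["plaintext"] = node   # nothing protected: release of data contents
    return visible


def exposed_header_fields(frame: PDU, protected_from: int) -> int:
    """Size of the traffic-analysis surface: number of header fields the observer can read."""
    view = observer_view(frame, protected_from)
    return sum(len(h) for k, h in view.items() if isinstance(k, int))


def security_form(protected_from: int) -> str:
    """Classify the protection layer into the three forms of the Summary slide."""
    if protected_from > 7:
        return "none"
    if protected_from >= 5:
        return "end-to-end (application layer)"
    if protected_from == 4:
        return "end-to-end (transport layer)"
    return "link-to-link (layers 1-3): every intermediate node must be trusted"


if __name__ == "__main__":
    frame = wrap(b"GET /patient/42/vitals HTTP/1.1")   # constructed e-Health request
    for layer in (8, 5, 4, 3):
        print(f"protected from layer {layer}: {security_form(layer)}; "
              f"{exposed_header_fields(frame, layer)} header fields readable")
```

Protecting from layer 4 (N+1 = 4, the lowest end-to-end option) hides the transport header as well as the contents, which is why the slide ranks it as the end-to-end form least exposed to traffic analysis; protecting from layer 3 or 2 hides more but is link-to-link.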
Active Attacks
Impersonation
Packet injection (attacker-generated PDU)
Packet deletion/delay
Packet modification/re-ordering
Replay attacks
If a breach can be achieved by both active and passive attacks, which is more powerful? (problematic)
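A receiver-side check for an end-to-end association that classifies the active attacks listed above, as an added Python example that is not from the slides: each PDU carries a sequence number and an HMAC over the number and payload under a shared association key, so injected and modified PDUs fail the MAC, a replay repeats an already accepted number, and deletion, delay or re-ordering show up as gaps or late arrivals. The key, the vitals messages and the `make_pdu`/`Receiver` names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed association key shared by the two endpoints (illustration only).
KEY = b"constructed-association-key"


def _tag(key: bytes, seq: int, payload: bytes) -> bytes:
    """HMAC-SHA256 over (sequence number || payload): binds contents and ordering to the key."""
    return hmac.new(key, seq.to_bytes(4, "big") + payload, hashlib.sha256).digest()


def make_pdu(seq: int, payload: bytes, key: bytes = KEY) -> dict:
    """Sender side: an N-PDU carrying the N+1 data, its sequence number and its MAC."""
    return {"seq": seq, "payload": payload, "tag": _tag(key, seq, payload)}


class Receiver:
    """Verifies each arriving PDU against the association state and names what it detects."""

    def __init__(self, key: bytes = KEY):
        self.key = key
        self.expected = 0   # next in-order sequence number
        self.seen = set()   # accepted sequence numbers, for replay detection

    def check(self, pdu: dict) -> str:
        # 1. Integrity/authenticity: injection and modification both break the MAC.
        if not hmac.compare_digest(_tag(self.key, pdu["seq"], pdu["payload"]), pdu["tag"]):
            return "rejected: injected or modified PDU (MAC failure)"
        seq = pdu["seq"]
        # 2. Replay: a genuine PDU presented a second time.
        if seq in self.seen:
            return "rejected: replayed PDU"
        # 3. Ordering: a gap means deletion or delay upstream; a late arrival means re-ordering.
        if seq > self.expected:
            verdict = f"accepted: {seq - self.expected} PDU(s) missing, deleted or delayed"
        elif seq < self.expected:
            verdict = "accepted: re-ordered PDU"
        else:
            verdict = "accepted"
        self.seen.add(seq)
        self.expected = max(self.expected, seq + 1)
        return verdict


if __name__ == "__main__":
    rx = Receiver()
    stream = [make_pdu(0, b"BP 120/80"), make_pdu(2, b"SpO2 98"), make_pdu(1, b"HR 72")]
    for p in stream + [stream[2], dict(stream[0], payload=b"BP 180/80")]:
        print(p["seq"], rx.check(p))
```

A deployed protocol bounds the `seen` set with a sliding window rather than keeping every number; IPsec's anti-replay window is the standardized form of this check.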