11 Network Security


  • 8/3/2019 11 Network Security

    1/24

    Network Security

  • 8/3/2019 11 Network Security

    2/24

    Lecture Content

    Network Concepts

    Network Threats

    Attack Profiles

    Transit Threats

    Impersonation

    Network Security Controls

    2 www.coventry.ac.uk Coventry University

  • 8/3/2019 11 Network Security

    3/24

    Coventry University www.coventry.ac.uk3

    Network Concepts

    Networks are both fragile and strong

    Redundancy reduces single points of failure, but they cannot be avoided at the end points

    Complex routing algorithms can re-direct around failures and overloaded segments

    Networks use nodes and connections to form a topology, ranging from a pair of hosts to the Internet

  • 8/3/2019 11 Network Security

    4/24

    Coventry University www.coventry.ac.uk4

    Network Concepts

    For many networks it is impossible to know which hosts they comprise, or who owns and controls them

    Communication is via media, e.g. cable, optical fibre, microwave, infrared or satellite, using protocols such as the Transmission Control Protocol and Internet Protocol (TCP/IP) architecture

  • 8/3/2019 11 Network Security

    5/24

    Coventry University www.coventry.ac.uk5

    Network Concepts

    Common network types:

    Local Area Network (LAN): small, locally controlled, physically protected

    Wide Area Network (WAN): single control, significant distances, physically exposed

    Internetworks: federated, enormous, heterogeneous, physically and logically exposed

  • 8/3/2019 11 Network Security

    6/24

    Network Threats

    Networks are vulnerable because of:

    Anonymity: attackers may be physically remote

    Many points of attack: at both the origin and the target

    Sharing: networks cater for many shared users

    Complexity: too complex for reliable security

    Unknown perimeter: a network has to allow access to potentially malicious users

    Unknown path: networks rarely control routing, so a message may cross hosts the sender knows nothing about

  • 8/3/2019 11 Network Security

    7/24

    Attack Profiles

    Because vulnerable networks are frequently connected to the Internet, attacks usually begin by finding out as much as possible about the target. Typical activities:

    Port Scan: tools such as Nmap are used to identify a target host's open ports, services, operating system and running applications

  • 8/3/2019 11 Network Security

    8/24

    Attack Profiles

    Typical activities:

    Social Engineering: using social skills and personal interaction to obtain security-relevant information

    Intelligence Gathering: from all sources, including dumpster diving

    OS and Application Fingerprinting: once the running applications and their versions are identified, known vulnerabilities in those versions can be exploited

  • 8/3/2019 11 Network Security

    9/24

    Attack Profiles

    Typical activities:

    Bulletin Boards and Chats: numerous underground bulletin boards and chat rooms support the exchange of information

    Vendor documentation: vendors may distribute information useful to an attacker

    Time is usually on the side of the attacker

    The best defence is silence

    Reveal as little information as possible, e.g. suppress service banners, version strings and detailed error messages
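As an added illustration of the reconnaissance steps above (this is not part of the lecture): a minimal TCP connect scan with banner grabbing in Python, the kind of probe that Nmap automates, run against three constructed services on the loopback interface so that it executes offline. The service names, banners and ports are made up; one service leaks its product and version in its banner while the other says nothing, which is the "silence" the slide recommends.

```python
"""Added example: TCP connect scan plus banner grab against constructed
loopback services. Nothing here touches a real host."""
import socket
import threading
from typing import Dict, List, Optional, Tuple


def start_fake_service(banner: bytes) -> Tuple[socket.socket, int]:
    """Constructed stand-in for a network service: listens on an ephemeral
    loopback port, sends `banner` (possibly empty) to each client, then closes."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)  # lets the serving thread notice when the listener is closed

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            except OSError:  # listener closed by the caller
                return
            with conn:
                if banner:
                    conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def closed_port() -> int:
    """Reserve then release a loopback port so that it is (almost certainly) closed."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def probe_port(host: str, port: int, timeout: float = 0.5) -> Optional[bytes]:
    """TCP connect scan of one port (what `nmap -sT` does): complete the
    three-way handshake, then read whatever the service volunteers.
    Returns the banner (possibly empty) if the port is open, None if it is
    closed or filtered. A full connection is made, so the target logs it."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                return s.recv(256)
            except socket.timeout:
                return b""  # open, but the service waits for the client to speak first
    except OSError:  # connection refused, timeout, unreachable
        return None


def scan(host: str, ports: List[int]) -> Dict[int, bytes]:
    """Connect-scan each port in turn; map each open port to its banner."""
    found: Dict[int, bytes] = {}
    for port in ports:
        banner = probe_port(host, port)
        if banner is not None:
            found[port] = banner
    return found


def fingerprint(banner: bytes) -> str:
    """Crude version fingerprinting: the first banner line usually names the
    product and version, which is what an attacker cross-references with
    known vulnerabilities. A service that says nothing gives nothing away."""
    first = banner.split(b"\r\n", 1)[0].decode("ascii", "replace").strip()
    return first or "(no banner: service waits for the client to speak)"


def demo() -> Dict[str, Optional[str]]:
    """Scan three constructed targets: a chatty service, a silent one, a closed port."""
    chatty, chatty_port = start_fake_service(
        b"220 mail.example.test ESMTP ExampleMTA 2.1.0 ready\r\n")  # constructed banner
    silent, silent_port = start_fake_service(b"")
    closed = closed_port()
    try:
        found = scan("127.0.0.1", [chatty_port, silent_port, closed])
        fps = {port: fingerprint(banner) for port, banner in found.items()}
        return {"chatty": fps.get(chatty_port),
                "silent": fps.get(silent_port),
                "closed": fps.get(closed)}
    finally:
        chatty.close()
        silent.close()


if __name__ == "__main__":
    for role, result in demo().items():
        print(f"{role:7s} -> {result}")
```

The chatty service hands the attacker a product name and version before any request is sent; the silent one forces the attacker to speak first and guess the protocol. A scan like this is noisy (every probe is a logged connection), which is why real scanners also offer half-open and stealthier modes, but the information gathered is the same.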


    Transit Threats

    Networks involve data in transit; the easiest attack is to simply listen in

    Cable: packet sniffer or inductance tap

    Microwave: line-of-sight interception possible

    Satellite: large signal footprint

    Optical Fibre: no electromagnetic emission, so an inductive tap is not possible, and a new connection must be carefully tuned, so a crude tap causes a detectable loss of signal. It is harder to tap, not impossible: bend-coupling taps can leak a small fraction of the light, and repeaters, splices and connectors are all susceptible

  • 8/3/2019 11 Network Security

    11/24

    Transit Threats

    Networks involve data in transit; the easiest attack is to simply listen in

    Wireless: WiFi signals are strong for ~70 metres, so an attacker need not be on the premises. Key issues:

    Interception: up to 85% of wireless users did not encrypt their connections when this figure was collected; WPA2/WPA3 is now the norm, but open hotspots still carry traffic in the clear

    Theft of service: any client in range can obtain a one-time IP address from the DHCP server and use the network

  • 8/3/2019 11 Network Security

    12/24

    Impersonation

    Person/process impersonation may be easier than wiretapping

    A more significant threat in a WAN than in a LAN

    Typically, an attacker chooses between:

    Guessing the target's identity and authentication data

    Obtaining the target's identity and authentication data from previous communication or by wiretapping

    Going around or disabling the target's authentication

    Using a target that will not be authenticated

    Using a target with well-known authentication data

  • 8/3/2019 11 Network Security

    13/24

    Network Security Controls

    Start with a security threat analysis

    Adopt sound principles of system analysis, design, implementation and maintenance

    Adopt a security architecture, i.e.:

    Segmentation: use multiple segments, e.g. separate machines for the web server, application server and database, so that compromising one does not expose the others

  • 8/3/2019 11 Network Security

    14/24

    Network Security Controls

    Adopt a security architecture, i.e.:

    Redundancy: avoid all eggs in one basket; design failover solutions, e.g. a pair of web servers asking each other "are you still alive?". If one fails, the other takes over, albeit with reduced performance

    Single points of failure: identify these and eliminate them if possible, e.g. rather than a single database, distribute it

  • 8/3/2019 11 Network Security

    15/24

    Network Security Controls

    Encryption

    Probably the most important and versatile tool

    But, not a silver bullet

    Encryption only protects that which is encrypted: data remain exposed before encryption and after decryption

    If an attacker guesses or deduces a weak encryption key, the encryption fails

    Key distribution is always a problem

  • 8/3/2019 11 Network Security

    16/24

    Network Security Controls

    Network encryption types: Link encryption

    Data are encrypted just before being placed on the lowest-level physical communications link and decrypted on arrival at the receiving computer, at every hop; within hosts, including intermediate routers, the message is in plaintext

    With good physical host security this may be acceptable

    But, if intermediate hosts are not trustworthy, this is a problem

  • 8/3/2019 11 Network Security

    17/24

    Network Security Controls

    Network encryption types: Link encryption

    It is invisible to the user

    It is fast and reliable

    It is appropriate when the transmission line is considered the greatest vulnerability

  • 8/3/2019 11 Network Security

    18/24

    Network Security Controls

    Network encryption types: End-to-end encryption

    Can be done by either a hardware device or software

    It runs at the highest levels of the OSI model (the application or presentation layer)

    The message is transmitted in encrypted form throughout the network

    Messages can pass through insecure hosts and remain protected

  • 8/3/2019 11 Network Security

    19/24

    Network Security Controls

    Link Encryption?                      End-to-end Encryption?
    ------------------------------------  --------------------------------------------------
    Data exposed in sending host          Data encrypted in sending host
    Data exposed in intermediate nodes    Data encrypted in intermediate nodes
    Applied by sending host               Applied by sending process
    Invisible to user                     User applies the algorithm
    Host maintains encryption             User must find an algorithm
    One facility for all users            User selects encryption
    Typically done in hardware            Either software or hardware
    All or no data encrypted              User chooses to encrypt or not, for each data item
    Requires one key per host pair        Requires one key per user pair
    Provides node authentication          Provides user authentication
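Added example (not from the lecture): a Python simulation of one message crossing a three-node path, Sender -> Router -> Receiver, under link encryption and under end-to-end encryption, recording what each host and each wire segment holds so the "data exposed in intermediate nodes" rows of the comparison above can be checked directly. The host names, keys and message are constructed. The cipher is a minimal HMAC-SHA256 keystream XOR used only to keep the example dependency-free; it provides no integrity protection, and a production system would use an authenticated cipher such as AES-GCM or ChaCha20-Poly1305.

```python
"""Added example: where plaintext is exposed under link vs end-to-end encryption."""
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

NONCE_LEN = 16


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR `data` with a keystream of HMAC-SHA256(key, nonce || counter) blocks.
    Illustrative stream cipher only (no integrity protection); applying it
    twice with the same key and nonce returns the original data."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)  # fresh per message: reusing a nonce with a key leaks plaintext XORs
    return nonce + keystream_xor(key, nonce, plaintext)


def decrypt(key: bytes, blob: bytes) -> bytes:
    return keystream_xor(key, blob[:NONCE_LEN], blob[NONCE_LEN:])


def link_encrypted_path(msg: bytes, hosts: List[str], link_keys: List[bytes]) -> Dict[str, bytes]:
    """Link encryption: one key per adjacent host pair. Every host decrypts on
    arrival and re-encrypts for the next link, so the intermediate router holds
    the plaintext. Returns what each host and each wire segment holds."""
    if len(link_keys) != len(hosts) - 1:
        raise ValueError("need exactly one link key per link")
    view: Dict[str, bytes] = {}
    current = msg
    for i, key in enumerate(link_keys):
        view[hosts[i]] = current                        # plaintext inside this host
        on_wire = encrypt(key, current)
        view[f"{hosts[i]}->{hosts[i + 1]}"] = on_wire   # what a tap on this link captures
        current = decrypt(key, on_wire)                 # next host decrypts on arrival
    view[hosts[-1]] = current
    return view


def end_to_end_path(msg: bytes, hosts: List[str], e2e_key: bytes) -> Dict[str, bytes]:
    """End-to-end encryption: one key per communicating user pair. The sending
    process encrypts once, intermediate nodes forward the ciphertext unchanged,
    and only the receiving process decrypts."""
    view: Dict[str, bytes] = {hosts[0]: msg}
    blob = encrypt(e2e_key, msg)
    for i in range(len(hosts) - 1):
        view[f"{hosts[i]}->{hosts[i + 1]}"] = blob
        if i + 1 < len(hosts) - 1:
            view[hosts[i + 1]] = blob                   # intermediate node sees only ciphertext
    view[hosts[-1]] = decrypt(e2e_key, blob)
    return view


def plaintext_exposure(view: Dict[str, bytes], msg: bytes) -> List[str]:
    """Hosts and links at which the message is readable as plaintext."""
    return sorted(place for place, data in view.items() if data == msg)


def demo() -> Tuple[List[str], List[str]]:
    hosts = ["Sender", "Router", "Receiver"]            # constructed three-node path
    msg = b"transfer 1000 to account 42"                # constructed message
    link_keys = [os.urandom(32) for _ in range(len(hosts) - 1)]
    e2e_key = os.urandom(32)
    link_view = link_encrypted_path(msg, hosts, link_keys)
    e2e_view = end_to_end_path(msg, hosts, e2e_key)
    return plaintext_exposure(link_view, msg), plaintext_exposure(e2e_view, msg)


if __name__ == "__main__":
    link, e2e = demo()
    print("link encryption, plaintext readable at:", link)
    print("end-to-end encryption, plaintext readable at:", e2e)
```

Under link encryption the router appears in the exposure list because it must decrypt to re-encrypt for the next link; under end-to-end encryption only the two end hosts do, and the wire segments are ciphertext in both cases. The two schemes are not exclusive: a link-encrypted segment can carry end-to-end-encrypted traffic, which protects both the line and the intermediate nodes.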


    Network Security Controls

    Virtual Private Networks

    Encrypting the link between a user and a network can give users the sense of being on a private network, even when the traffic crosses a public one; this is called a Virtual Private Network (VPN)

    Typically, physical and administrative security are strong enough to protect transmission within a network perimeter. The greatest risk is between the user's workstation and the perimeter of the host network or server, and that is the leg a VPN protects

  • 8/3/2019 11 Network Security

    22/24

    Network Security Controls

    Virtual Private Networks

    A firewall is an access control device between two networks or network segments

    Many firewalls can be used to implement VPNs: the user establishes communication with the firewall and requests a VPN session

    The user's client and the firewall negotiate a session encryption key, and all subsequent traffic between them is encrypted with it


    Network Security Controls

    Virtual Private Networks

    Many firewalls can be used to implement VPNs

    To the user it feels like the network is private

    Communication is said to pass through an encrypted tunnel

  • 8/3/2019 11 Network Security

    24/24

    Network Security Controls

    Other common network security controls:

    PKI and Certificates

    SSH Encryption

    SSL encryption (superseded by TLS)

    IPSec

    Signed Code

    Encrypted e-mail
