11 Network Security
Transcript of 11 Network Security
-
8/3/2019 11 Network Security
1/24
Network Security
-
Lecture Content
Network Concepts
Network Threats
Attack Profiles
Transit Threats
Impersonation
Network Security Controls
2 www.coventry.ac.uk Coventry University
-
Network Concepts
Networks are both fragile and strong
Redundancy reduces single points of failure, but it cannot remove them at the end points
Complex routing algorithms can re-direct around failures and overloaded segments
Networks use nodes and connections to form a topology, ranging from a pair of hosts to the Internet
-
Network Concepts
For many networks it is impossible to know which hosts they comprise and who owns and controls them
Communication is via media, e.g. cable, optical fibre, microwave, infrared or satellite, using protocols such as the Transmission Control Protocol and Internet Protocol (TCP/IP) architecture
-
Network Concepts
Common network types:
Local Area Network (LAN): small, locally controlled, physically protected
Wide Area Network (WAN): single control, significant distances, physically exposed
Internetworks: federated, enormous, heterogeneous, physically and logically exposed
-
Network Threats
Networks are vulnerable because of:
Anonymity: attackers may be physically remote
Many attack surfaces: both for origin and target
Sharing: networks cater for many shared users
Complexity: too complex for reliable security
Unknown perimeters: a network has to allow access to potentially malicious users
Unknown path: networks rarely control routing
-
Attack Profiles
Because vulnerable networks are frequently connected to the Internet, attacks usually begin by finding out as much as possible about the target. Typical activities:
Port scan: tools such as NMAP are used to identify a target host's open ports, services, operating system and running applications
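The port scan and service identification described above, as an added example that is not part of the lecture slides: a minimal TCP connect scan in Python that records which ports complete a three-way handshake and grabs the service banner, which is the same information nmap -sV builds its version fingerprint from. So that it runs offline, it starts a throwaway listener on 127.0.0.1 that answers with a constructed OpenSSH-style banner; the banner text, the two fingerprint rules and the loopback target are assumptions for the demonstration.

```python
"""TCP connect scan with banner grabbing, in the style of `nmap -sT -sV` (added example)."""
import socket
import threading


def start_fake_service(banner: bytes):
    """Stand-in for a real daemon so the scan runs offline: a listener on 127.0.0.1
    (OS-chosen port) that greets every client with `banner` and closes the connection.
    Returns (listening socket, port, stop event, server thread)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    srv.listen(5)
    srv.settimeout(0.2)                 # so the accept loop can notice the stop flag
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            except OSError:             # listener closed underneath us
                return
            with conn:
                conn.sendall(banner)

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    return srv, srv.getsockname()[1], stop, thread


def probe(host: str, port: int, timeout: float = 0.5):
    """Probe one TCP port with a full connect. Returns (state, banner): 'open' when the
    three-way handshake completes, 'closed' on RST (connection refused), 'filtered' when
    nothing comes back before the timeout (typically a firewall dropping the SYN)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except ConnectionRefusedError:
            return "closed", b""
        except OSError:                  # includes the timeout
            return "filtered", b""
        try:
            banner = s.recv(256)         # many services speak first (SSH, SMTP, FTP)
        except OSError:
            banner = b""
        return "open", banner


def fingerprint(banner: bytes) -> str:
    """Crude version fingerprint from the banner. nmap matches thousands of probe/response
    signatures; two prefixes are enough to show what a chatty banner gives away."""
    text = banner.decode("ascii", errors="replace").strip()
    if text.startswith("SSH-"):
        return "ssh " + text.split()[0]   # e.g. "SSH-2.0-OpenSSH_8.9p1": protocol + software version
    if text.startswith("220 "):
        return "smtp-or-ftp " + text
    return "unknown" if text else "no banner"


def scan(host: str, ports) -> dict:
    """Connect-scan each port; returns {port: (state, fingerprint)} for the ports that are open."""
    found = {}
    for port in ports:
        state, banner = probe(host, port)
        if state == "open":
            found[port] = (state, fingerprint(banner))
    return found


def run_demo():
    """Scan a constructed 'OpenSSH' on loopback, then re-probe the port after it has gone away."""
    banner = b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\r\n"   # constructed banner, not from a real host
    srv, port, stop, thread = start_fake_service(banner)
    try:
        found = scan("127.0.0.1", [port])
    finally:
        stop.set()
        thread.join()
        srv.close()
    state_after, _ = probe("127.0.0.1", port)        # nothing listening now: expect 'closed'
    return port, found, state_after


if __name__ == "__main__":
    print(run_demo())
```

The banner is the whole fingerprint here: the software name and version are handed to anyone who connects, which is exactly the information the "reveal as little as possible" advice later in the lecture is about. Against a real host, run the scan only with authorisation, and expect 'filtered' rather than 'closed' wherever a firewall drops the SYN.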
-
Attack Profiles
Typical activities:
Social engineering: using social skills and personal interaction to obtain security-relevant information
Intelligence gathering: from all sources, including dumpster diving
OS and application fingerprinting: once the running applications and their versions are identified, known vulnerabilities in those versions can be exploited
-
Attack Profiles
Typical activities:
Bulletin boards and chats: numerous underground bulletin boards and chat rooms support the exchange of information
Vendor documentation: vendors may distribute information useful to an attacker
Time is usually on the side of the attacker
The best defence is silence: reveal as little information as possible
-
Transit Threats
Networks involve data in transit; the easiest attack is simply to listen in
Cable: packet sniffer or inductive tap
Microwave: line-of-sight interception is possible
Satellite: large signal footprint
Optical fibre: the link must be retuned when a new connection is spliced in, so a crude tap is likely to be detected, and an inductive tap is not possible. But repeaters, splices and connectors are all susceptible (and commercial bend-coupler taps exist, so treat fibre as harder to tap, not impossible)
-
Transit Threats
Networks involve data in transit; the easiest attack is simply to listen in
Wireless: WiFi signals are strong for ~70 metres, and reach much further with a directional antenna. Key issues:
Interception: up to 85% of wireless users do not encrypt their connections, so anyone in range can read the traffic
Theft of service: any client in range can negotiate a one-time IP address from the DHCP server and use the network
-
Impersonation
Person/process impersonation may be easier than other attacks
It is a more significant threat in a WAN than in a LAN
Typically, an attacker chooses between:
Guessing the target's identity and authentication data
Getting the target's identity and authentication data from a previous communication or by wiretapping
Going around or disabling the target's authentication
Using a target that will not be authenticated (e.g. a guest account)
Using a target with known authentication data (e.g. a default password)
-
Network Security Controls
Start with a security threat analysis
Adopt sound principles of system analysis, design, implementation and maintenance
Adopt a security architecture, i.e.:
Segmentation: use multiple segments, e.g. separate machines for the web server, application server and database, so that compromising one does not expose the others and overall vulnerability is reduced
-
Network Security Controls
Adopt a security architecture, i.e.:
Redundancy: avoid all eggs in one basket; design failover solutions, e.g. a pair of web servers asking each other "are you still alive?" If one fails, the other takes over, albeit with reduced performance
Single points of failure: identify these and eliminate them if possible, e.g. distribute the database rather than running a single one
-
Network Security Controls
Encryption
Probably the most important and versatile tool, but not a silver bullet
Encryption only protects that which is encrypted: data remain exposed before encryption and after decryption
If an attacker guesses or deduces a weak encryption key, the encryption fails
Key distribution is always a problem
-
Network Security Controls
Network encryption types: link encryption
Data are encrypted just before being placed on the lowest level of the physical communications link and decrypted on arrival at the next host; within every host on the path, including intermediate nodes, the message is in plaintext
With good physical host security this may be acceptable
But if intermediate hosts are not trustworthy, this is a problem
-
Network Security Controls
Network encryption types: link encryption
It is invisible to the user
It is fast and reliable
It is appropriate when the transmission line is considered the greatest vulnerability
-
Network Security Controls
Network encryption types: end-to-end encryption
Can be done by either a hardware device or software
It runs at the highest levels of the OSI model (presentation/application layer), above the network path
The message is transmitted in encrypted form throughout the network
Messages can pass through insecure hosts and remain protected
-
Network Security Controls
Link encryption                      | End-to-end encryption
Data exposed in sending host         | Data encrypted in sending host
Data exposed in intermediate nodes   | Data encrypted in intermediate nodes
Applied by sending host              | Applied by sending process
Invisible to user                    | User applies the encryption
Host maintains encryption            | User must find the algorithm
One facility for all users           | User selects the encryption
-
Network Security Controls
Link encryption                      | End-to-end encryption
Typically done in hardware           | Either software or hardware
All or no data encrypted             | User chooses to encrypt or not, for each data item
Requires one key per host pair       | Requires one key per user pair
Provides node authentication         | Provides user authentication
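The contrast drawn across the link encryption and end-to-end encryption slides, as an added example that is not from the lecture: a Python simulation of one message crossing a sender, an intermediate node and a receiver, once under link encryption (one key per adjacent host pair, removed and re-applied at every hop) and once with end-to-end encryption applied by the sending process on top of it. It records what each node holds after stripping the link layer and what a tap on each cable captures, so the "data exposed in intermediate nodes" row of the table can be checked directly. The cipher is a toy keystream built from HMAC-SHA256 for the demonstration only, and the route, node names, keys and message are constructed.

```python
"""Link encryption versus end-to-end encryption on a three-node path (added example)."""
import hashlib
import hmac
import os

NONCE_LEN = 12


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR `data` with an HMAC-SHA256 keystream derived from (key, nonce).
    Symmetric, so the same call encrypts and decrypts. Demonstration only: it has no
    integrity protection, so real code should use an AEAD such as AES-GCM."""
    stream = b"".join(
        hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        for i in range((len(data) + 31) // 32)
    )
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Fresh random nonce per message, prepended to the ciphertext."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + keystream_xor(key, nonce, plaintext)


def unseal(key: bytes, blob: bytes) -> bytes:
    return keystream_xor(key, blob[:NONCE_LEN], blob[NONCE_LEN:])


def transmit(msg: bytes, route: list, link_keys: dict, e2e_key: bytes = None):
    """Carry `msg` from route[0] to route[-1] and record what each party can read.

    link_keys : {(host_a, host_b): key}, one key per adjacent host pair. Link encryption is
                applied by each sending host and removed by the receiving host on every hop.
    e2e_key   : if given, the sending *process* seals the message once for the receiving
                process before it touches the network (end-to-end encryption).
    Returns (seen, wire): seen[node] is the data that node holds after stripping the link
    layer; wire[(a, b)] is what a tap on the cable between a and b captures."""
    seen, wire = {route[0]: msg}, {}
    payload = seal(e2e_key, msg) if e2e_key else msg
    for src, dst in zip(route, route[1:]):
        frame = seal(link_keys[(src, dst)], payload)    # link encryption for this hop only
        wire[(src, dst)] = frame
        payload = unseal(link_keys[(src, dst)], frame)  # dst removes the link layer...
        seen[dst] = payload                             # ...and holds whatever is underneath
    if e2e_key:
        seen[route[-1]] = unseal(e2e_key, payload)      # only the receiving process has this key
    return seen, wire


def demo():
    """Same message, same untrusted relay R, both encryption types. All keys are constructed."""
    route = ["A", "R", "B"]
    link_keys = {("A", "R"): os.urandom(32), ("R", "B"): os.urandom(32)}
    msg = b"transfer 100 to account 42"            # constructed payload
    link_only, _ = transmit(msg, route, link_keys)
    end_to_end, _ = transmit(msg, route, link_keys, e2e_key=os.urandom(32))
    return {
        "relay_reads_plaintext_with_link_encryption": link_only["R"] == msg,
        "relay_reads_plaintext_with_e2e_encryption": end_to_end["R"] == msg,
        "receiver_gets_message_in_both": link_only["B"] == msg and end_to_end["B"] == msg,
    }


if __name__ == "__main__":
    print(demo())
```

The wire captures are ciphertext in both runs, which is why link encryption is enough when the transmission line is the greatest vulnerability; only the end-to-end run keeps the relay R from reading the message, which is what matters when an intermediate host cannot be trusted.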
-
Network Security Controls
Virtual Private Networks
Link encryption can give users the sense of being on a private network even when it is part of a public network; this is called a VPN
Typically, physical and administrative security are strong enough to protect transmission within a network perimeter. The greatest risk is between the user's workstation and the perimeter of the host network or server
-
Network Security Controls
Virtual Private Networks
A firewall is an access control device between two networks or network segments
Many firewalls can be used to implement VPNs: the user establishes communication with the firewall and requests a VPN session
The user's client and the firewall negotiate a session encryption key, and all subsequent traffic between them is encrypted
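The session-key negotiation between the client and the firewall, as an added example that is not part of the lecture: a Diffie-Hellman exchange in Python over the 2048-bit MODP group of RFC 3526 (group 14), with the checks each side should make on the group parameters and on the peer's public value, followed by the same exchange with an attacker relaying between the two. The second run shows that the impersonation threat from the earlier slide applies to the negotiation itself: unless the public values are authenticated, both sides finish "successfully" while each actually shares a key with the attacker. The authenticated variant uses an HMAC under a pre-shared key as a stand-in for the certificate-based signature a real VPN would use; the party names, exponent size and PSK are assumptions for the demonstration.

```python
"""Diffie-Hellman session-key negotiation, unauthenticated vs authenticated (added example)."""
import hashlib
import hmac
import secrets

# RFC 3526 group 14: 2048-bit MODP prime, generator 2.
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2


def is_probable_prime(n: int, rounds: int = 8) -> bool:
    """Miller-Rabin with random bases; catches a mistyped or maliciously chosen modulus."""
    if n < 2 or n % 2 == 0:
        return n == 2
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def validate_group(p: int, g: int) -> bool:
    """Accept only a safe prime (p = 2q + 1, q prime) with a generator in range. A peer that
    'negotiates' a small or composite modulus can make the shared secret cheap to recover."""
    return 2 <= g <= p - 2 and is_probable_prime(p) and is_probable_prime((p - 1) // 2)


def validate_public_value(p: int, y: int) -> bool:
    """Reject 0, 1 and p-1: a peer sending one of those forces the shared secret into a set
    of at most two values whatever our private exponent is."""
    return 2 <= y <= p - 2


def derive_session_key(shared_secret: int) -> bytes:
    """KDF over the raw DH output; never use g^xy itself as the traffic key."""
    return hashlib.sha256(b"vpn-session|" + shared_secret.to_bytes(256, "big")).digest()


class Party:
    """One endpoint: a private exponent and the public value it sends on the wire."""

    def __init__(self, name: str):
        self.name = name
        # 256-bit private exponent: more than twice the ~112-bit security level of a 2048-bit group.
        self.x = 2 + secrets.randbelow(2 ** 256)
        self.pub = pow(G, self.x, P)

    def session_key(self, peer_pub: int) -> bytes:
        if not validate_public_value(P, peer_pub):
            raise ValueError(f"{self.name}: invalid public value from peer")
        return derive_session_key(pow(peer_pub, self.x, P))


def honest_exchange():
    """Wire: client -> firewall: client.pub ; firewall -> client: firewall.pub."""
    client, firewall = Party("client"), Party("firewall")
    return client.session_key(firewall.pub), firewall.session_key(client.pub)


def mitm_exchange():
    """Mallory sits on the path with one key pair towards each victim and swaps in her own
    public values. Both victims complete the handshake; each actually shares a key with Mallory."""
    client, firewall = Party("client"), Party("firewall")
    m_to_client, m_to_firewall = Party("mallory->client"), Party("mallory->firewall")
    k_client = client.session_key(m_to_client.pub)           # client believes this is the firewall's
    k_firewall = firewall.session_key(m_to_firewall.pub)     # firewall believes this is the client's
    k_m_client = m_to_client.session_key(client.pub)         # Mallory decrypts client traffic with this
    k_m_firewall = m_to_firewall.session_key(firewall.pub)   # ...and re-encrypts it towards the firewall
    return k_client, k_firewall, k_m_client, k_m_firewall


PSK = b"constructed pre-shared secret, provisioned out of band"   # assumption: stands in for a certificate


def authenticated_exchange(attacker_in_path: bool):
    """The firewall proves the public value is its own with an HMAC under PSK, and the client
    checks the tag before using the value. Returns the session key, or None if the client aborts."""
    client, firewall = Party("client"), Party("firewall")
    offered_pub = firewall.pub
    tag = hmac.new(PSK, offered_pub.to_bytes(256, "big"), hashlib.sha256).digest()
    if attacker_in_path:
        offered_pub = Party("mallory").pub    # Mallory can replace the value but cannot forge the tag
    expected = hmac.new(PSK, offered_pub.to_bytes(256, "big"), hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return client.session_key(offered_pub)
```

Anonymous Diffie-Hellman gives the two endpoints a key that no passive wiretapper can recover, which is all the slide's wording promises; the relay run shows that an active attacker who can impersonate each side to the other defeats it completely. The fix is not a stronger group but binding the public values to an identity the client already trusts, which is what the PKI and certificates listed later in the lecture are for.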
-
Network Security Controls
Virtual Private Networks
Many firewalls can be used to implement VPNs
To the user it feels like the network is private
Communication is said to pass through an encrypted tunnel
-
Network Security Controls
Other common network security controls:
PKI and certificates
SSH encryption
SSL encryption (superseded by TLS; SSL itself is deprecated)
IPsec
Signed code
Encrypted e-mail