Introduction to Security
Transcript of Introduction to Security
6‐oct‐2009

Welcome!
This will be a long journey…
…so let's make it interesting and useful!

Course Structure
No.  Course Title                  Date
1    Introduction to Security      Today
2    Security Threats              13-oct-2009
3    Securing Network Devices      20-oct-2009
4    ACLs & AAA                    27-oct-2009
5    Firewalls                     3-nov-2009
6    IPS, IDS                      10-nov-2009
7    Mitigating Layer 2 Attacks    17-nov-2009
8    Cryptography                  24-nov-2009
9    VPNs                          8-dec-2009
10   Implementing MPLS VPN         15-dec-2009
11   WAN Technologies              22-dec-2009
12   Policies and Best Practices   12-jan-2009

Lab Schedule
All Wednesdays
14-16   EG106 (RR)   ED011 (BS)
16-18   EG106 (RR)   ED011 (BS)
18-20   The lecture you're watching right now
20-22   EG106 (RR)   ED011 (BS)
(six labs, in total)
Greatly skilled lab assistants: Răzvan Rughiniș (RR), Bogdan Sass (BS)

Grading
The course grade is made up of:
- Mid-term assessment – single choice, multiple answer, from the first 6 lectures: 2 points
- Final assessment – the final 6 lectures: 2 points
The lab grade is made up of:
- Lab activity: 2 points
- Hands-on exam: 2 points
The thing you've all been waiting to hear:
- The STARTING grade is 3.00!
- The PASSING grade is 5.00

Research assignment
- The research assignment amounts to 12 credit points.
- There will be a grade at the end of each semester.
- Research projects
  - will be published by 19th October
  - can extend over 2 or 3 semesters
  - can involve teams of 2 or 3 people
- Your weekly schedule includes 12 hours of research.
- I will expect 6 hours of in-person lab research.

A little more detail… (1)
Lecture 1 – Introduction
- The concept of security
- The human aspect of security
- Security policies
Lecture 2 – Security Threats
- Network attacks
- The purpose behind an attack
- Attack methodologies
- Destructive software: worms, viruses, trojans
- How to deal with an attack
- How to prevent an attack

A little more detail… (2)
Lecture 3 – Securing Network Devices
- Never forget (about) passwords!
- Application vulnerabilities
- Network protocols that you should use
- Network protocols that you should NOT use
- User privileges
- Securing access
- Securing data
- Securing device configurations – why?

A little more detail… (3)
Lecture 4 – ACL & AAA
- ACLs = Access Control Lists
  - Learn to identify and select traffic using ACLs
  - Restrict access to networks and devices with ACLs
- AAA = Authentication, Authorization, Accounting
  - Authenticate: enter your username & password
  - Authorize: you can now do this and that
  - Account: we know when and how you did this and that!

A little more detail… (4)
Lecture 5 – Firewalls
- Basic principles of firewalls
  - How do they work?
  - What do they do?
  - How smart is a firewall?
- Learn about software-based firewalls and hardware-based ones
- Using firewalls to secure your network
- Learn to keep your firewalls up to date

A little more detail… (5)
Lecture 6 – IPS, IDS
- IPS = Intrusion Prevention System
- IDS = Intrusion Detection System
- What's the difference?
- Types of intrusions
- How to identify intrusions – signatures and anomalies
- Implementing IPS/IDS
- Monitoring IPS/IDS functionality

A little more detail… (6)
Lecture 7 – Mitigating Layer 2 Attacks
- Endpoint security
- STP & MAC attacks
- Wireless security
- VoIP security
- How to make all the above more secure
Lecture 8 – Cryptography
- Simple and not-so-simple encryption algorithms… you do the math

A little more detail… (7)
Lecture 9 – VPN
- Virtual Private Network
  - Why is it "virtual"?
  - How do we make it "private"?
- Types of VPNs
- Tunneling
Lecture 10 – Implementing MPLS VPN
- Advantages of MPLS
- Why is it such a widespread technology
- Implementing VPNs over an MPLS network

A little more detail… (8)
Lecture 11 – WAN Technologies
- Making "long-distance calls" in networking…
- Physical connections
- Carriers
- Layer 2 protocols in WANs
Lecture 12 – Security policies and best practices
- How to implement a security policy
- Keeping in mind that you're dealing with people
- …and they are always the weakest link.

Computer security
Security's first myth says:
"There is security!"
…and we know myths are just wrong!

What is there to secure? (1)
- Stored data
  - Business data must not be leaked to competitors
  - Personal information (employees, customers, users, etc)
  - Copyrighted software
- Securing data must also ensure persistence
  - Data must not be lost due to attacks or lack of skill
- Transactions
  - Protect information from being tampered with
  - Make sure that the sender is who he/she claims to be
  - Make sure the receiver is the one intended
  - Data is often sent across public (insecure) networks – it can easily be intercepted

Intercepting data
- Intercepting is also known as "sniffing".
- It is often executed directly at the physical layer.
- "Listening" for interesting traffic on a transmission medium is not ever regarded as an attack.
- Question: Can you avoid having your sensitive data being sniffed?
- Answer: NO. But you can make that data useless to the interceptor.

Protecting transactions
- Encrypted data must not be interpreted by a sniffer, even if it is captured.
- Thus, encryption is tightly connected to the sender's and receiver's identities.
- Encryption methods can be weak or… better.
  - Weak encryption = it can be broken in a reasonable time
  - Strong encryption = it can be broken too… but it might take you more than a lifetime
- A lot more about encryption in a later lecture.

What is there to secure? (2)
- Secure access
  - Access to computers
  - Access to networks
  - Access to certain privileges
- Humans access everything
- Humans are the least trustworthy

Security and humans
- Security policies must be in place …and must be followed.
- Regardless of how strong (and expensive) your secure deployment is:
  - Humans can still write their passwords on post-it notes
  - Humans can still give their passwords to anyone they trust
  - Humans can still open tempting attachments…

Social engineering (1)
- Non-technical intrusion
- Involves tricking people into breaking security policies
- Manipulation
- Relies on false confidence
  - Everyone trusts someone
  - Authority is usually trusted by default
- Non-technical people don't want to admit their lack of expertise
  - They ask fewer questions.
- Most people are eager to help.
  - When the attacker poses as a fellow employee in need.

Social engineering (2)
- People are not aware of the value of the information they possess.
- Vanity, authority, eavesdropping – they all work.
- When successful, social engineering bypasses ANY kind of security.

Why is it working so well?

Security and complexity
- Downside: Complexity brings vulnerability
  - How secure is a 1000-computer network with >1000 users and 200 different applications?
  - How secure is a simple button?
- Still, we DO need complexity to accomplish our tasks
  - …so security becomes a continuous process.
  - …and a tedious one!

Least privilege
- Complex systems are more difficult to secure.
  - The more applications deployed, the more possible vulnerabilities.
- Users and applications must receive the least amount of privileges possible.
- "The things you have access to are the things you can break."

The Final Truth
"There is no security on this Earth. There is only opportunity."
Douglas MacArthur