NETWORKING and SECURITY

ALHAD G APTE, BARC. SACET09 October 28, 2009

Transcript of NETWORKING and SECURITY

Page 1: NETWORKING and SECURITY

NETWORKING and SECURITY

ALHAD G APTE
BARC

SACET09 October 28, 2009

PRESENTATION OUTLINE

• Information Security – Overview & Definitions
• Information Security Technologies
• Approach to Information Security
• ISO Standards
• Security Issues in Computing Grids

Page 2: NETWORKING and SECURITY

Information asset: Information of value to the organization, which is owned by the organization, and equipment, devices and other hardware and software used to process, store and communicate the information.

Information security: preservation of confidentiality, integrity and availability attributes of information assets. In addition, attributes such as authenticity, accountability, non-repudiation and reliability are also to be assured.

Information assurance

Confidentiality: ensuring that information is accessible only to those authorized to have access.

Integrity: the accuracy and completeness of assets.

Availability: accessibility and usability upon demand by an authorized entity.

Authentication: A process that establishes the origin of information, or validates an entity's identity.

Non-repudiation: A service that provides protection against false denial of involvement in a communication.

Page 3: NETWORKING and SECURITY

Information Security Components

Vulnerability: An exploitable capability or weakness that could result in a successful attack causing damage to the asset.

Threat: An event which could have an undesirable impact on an asset.

Risk: The potential that a given threat will exploit vulnerabilities and cause harm to the asset.

Page 4: NETWORKING and SECURITY

[Figure: Attack Sophistication and Intruder Knowledge (Reqd.) plotted against time, 1980 to 2010. Labelled attacks: Password Cracking, Viruses, Backdoors, Packet Spoofing/Sniffing, Malicious codes, BOTs/Zombies, Autoscans, WWW attacks, DOS/DDOS.]

Security Concepts and Relationships

[Figure: Security Concepts and Relationships. Nodes: Owners, Countermeasures, Vulnerabilities, Attacker, Risk, Threats, Assets. Edge labels: Value; Wish to minimise; Impose; To reduce; That may possess; That may be reduced by; May be aware of; Leading to; That exploit; That increase; Give rise to; To; Wish to abuse and/or may damage.]

Page 5: NETWORKING and SECURITY

Information Security Life Cycle

[Figure: PDCA Model (PLAN, DO, CHECK, ACT). Labels: POLICY, PLAN, EXECUTION; Secure network and application setup; Security Audit; Monitoring and knowledge update.]

The McCumber Cube

[Figure: cube labelled What, Where and How.]

Page 6: NETWORKING and SECURITY

PRESENTATION OUTLINE

• Information Security – Overview & Definitions
• Information Security Technologies
• Approach to Information Security
• ISO Standards
• Security Issues in Computing Grids

Firewall:

A set of security measures, located at a network gateway, to prevent unauthorized electronic access to a networked computer system.

It is configured to permit, deny, encrypt, decrypt, or proxy all computer traffic between different security domains based upon a set of rules and other criteria.

Page 7: NETWORKING and SECURITY

Firewalls – Defence-in-depth

[Figure: Firewalls – Defence-in-depth. Labels: Internet; Firewall; DMZ (WWW, Email GW, DNS, Extranet Servers); Firewall; Email server; Intranet servers; Firewall; Intranet Server Segment; Intranet Client Segment.]

Information Security Systems

• Firewall
• Intrusion Detection & Prevention
• Server hardening
• Access Control
• Client Security
• Network Security
• Communication Security
• Storage Security

Page 8: NETWORKING and SECURITY

Technological Solutions

Encryption
Symmetric Encryption
Asymmetric Encryption – Public Key Infrastructure

Virtual Private Networking (VPN)
Network Level VPN
Application Level VPN

Client Security
Secure Network Access System

PRESENTATION OUTLINE

• Information Security – Overview & Definitions
• Information Security Technologies
• Approach to Information Security
• ISO Standards
• Security Issues in Computing Grids

Page 9: NETWORKING and SECURITY

Graded approach:

A process or method in which the stringency of the control measures and conditions to be applied is commensurate, to the extent practicable, with the likelihood and possible consequences of, and the level of risk associated with, a loss of control.

EXAMPLE ZONE MODEL

[Figure: EXAMPLE ZONE MODEL. Labels: INTRANET CLIENT SEGMENT; INTRANET SERVERS; SECURE INTERNET SERVERS; PUBLIC INTERNET; C&I ASSETS; CLASSIFIED ASSETS. Arrows labelled Data flow and Access.]

Page 10: NETWORKING and SECURITY

Security Issues

External Cyber-attacks
Denial of Service attacks

Security of client PCs:
Attacks through viruses/malware
Possible network bridging by users
PC sharing over network
Official Data on PC used for Internet

Conformance to Security Guidelines of MHA
Limited services on separate networks

Balancing extreme views

"I want tight security. I don’t bother what users get."

"I want all services freely. Security is your responsibility."

Open environment: Increase in vulnerability
Excessive constraints: Denial of service just by presence of threat

Page 11: NETWORKING and SECURITY

Approach to provision of Secure Services

Use of technological solutions
Strengthening the monitoring and reporting process
Classified/sensitive information kept physically isolated
Isolated intranet and Internet except for secure channels for cross-network transfer
Defense-in-depth philosophy

Defense-in-depth implementation

Multi-layered network design - Firewalls,
Host & Network intrusion detection system,
Host hardening & Secure application configuration,
Firewalling around the applications,
only one application per server,
Centralized antivirus/antispyware system,
Advanced authentication system,
Client End Point Security and
ISMS (Information Security Monitoring System).

Page 12: NETWORKING and SECURITY

[Figure: network diagram. Labels: Public Networks; Enterprise WAN; Firewall Level 1; DMZ-I-1; DMZ-A-1; Firewall Level 2; DMZ-I-2; Secure Internet Server Segment; Controlled services*; Firewall Level 3; INTERNET USER SEGMENT (USER PCs); INTRANET USER SEGMENT (USER PCs); Intranet Services.]

PRESENTATION OUTLINE

• Information Security – Overview & Definitions
• Information Security Technologies
• Approach to Information Security
• ISO Standards
• Security Issues in Computing Grids

Page 13: NETWORKING and SECURITY

ISO 27001: Information security Management systems — Requirements

• Establishment and Management ISMS
• Document and Records Control
• Management Responsibilities and Support
• ISMS Internal Audit
• ISMS Review
• ISMS Improvement

ISO 27000 Series Standards

ISO 27001: Specification for an information security management system (an ISMS).

ISO 27002: Renumbered ISO 17799 standard. ISMS Code of Practice.

ISO 27003: Intended to offer guidance for the implementation of an ISMS (IS Management System).

ISO 27004: Information security system management measurement and metrics.

ISO 27005: Methodology independent ISO standard for information security risk management.

ISO 27006: Guidelines for the accreditation of organizations offering ISMS certification.

Page 14: NETWORKING and SECURITY

Information Security Policy
Based on ISO 27002 Standard Best Practices

Controls

• Policy Versions and approvals
• Security Management Set-up
• Classification of Information Assets
• Network Security and Access Control
• Digital Media Security
• Information Exchange e.g. email
• User Awareness and responsibilities
• Third Party Access/ Outsourcing
• Personnel Security
• Physical and Environmental Security
• Business Continuity
• Policy Conformance/ Auditing

PRESENTATION OUTLINE

• Information Security – Overview & Definitions
• Information Security Technologies
• Approach to Information Security
• ISO Standards
• Security Issues in Computing Grids

Page 15: NETWORKING and SECURITY

GRID SECURITY REQUIREMENTS

1. Security is one of the most important issues in Grid Environment.

Privacy
Integrity
Authentication (& Authorization)

2. Overcome the security challenges posed by grid applications through the Grid Security Infrastructure (or GSI). It uses public key cryptography (asymmetric cryptography) as the basis for its functionality.

• The need for secure communication (authenticated and perhaps confidential) between elements of a computational Grid.

• The need to support security across organizational boundaries, thus prohibiting a centrally-managed security system.

• The need to support "single sign-on" for users of the Grid, including delegation of credentials for computations that involve multiple resources and/or sites.

[Figure: Labels: User; Proxy Credentials; Physical Domain 1; Physical Domain 2; Virtual Organisation.]

Page 16: NETWORKING and SECURITY

Access to Resources

Proxy Certificate (PC)

Motivation:

1. Dynamic (Credential) Delegation: In Grid, there is need for one entity wishing to grant another entity some of its privileges.

E.g.: A job submitted to the grid by the user goes to the Grid Scheduler (Resource Broker) and so this Grid Scheduler needs to be granted the user credentials, in order to further redirect the job to the actual compute machine on behalf of user.

2. Repeated Authentication: Private keys are encrypted with passphrase. This means that the user would have to sign on (provide the password) to access the key and perform authentication.

Page 17: NETWORKING and SECURITY

Thanks

Page 18: NETWORKING and SECURITY

New Technologies to be used: VPN Tunneling

Packets of data exchanged between two zones of a private network are tunneled through the untrusted network by encrypting and encapsulating the original packet into another packet pertaining to the untrusted network.

[Figure: VPN Tunneling. Labels: Private Network Zone I; Original Data Packet; VPN Adaptor; VPN Tunnel; Shared Network Infrastructure; Original Packet encrypted and tunneled by adding new header; VPN Adaptor; Original Data Packet; Private Network Zone II.]

Page 19: NETWORKING and SECURITY

New Technologies to be used: Endpoint Security

Secure Network Access System (SNAS) developed by BARC

[Figure: Secure Network Access System (SNAS). Labels: TARGET NETWORK; Firewall; SNAS Servers; authorization; Monitoring; Users with SNAS Web Client; Network devices; INTRANET.]

Page 20: NETWORKING and SECURITY

PUBLIC KEY INFRASTRUCTURE

[Figure: Generate Key Pairs. User A, User B and User C, each with a public key (PB) and a private key (PR): Public key A / Private key A, Public key B / Private key B, Public key C / Private key C.]

[Figure: Distribution Key. Public key A, Public key B and Public key C shown against User A, User B and User C.]

User A wants to communicate with User B:

User A: Encrypt with PR(A) & PB(B), then send.
User B: Decrypt with PR(B) & PB(A).

Page 21: NETWORKING and SECURITY

A simple digital signature

[Figure: a record (Name: A. G. Tole, Emp.Id: 3385, Email:[email protected]) is transformed with the Private Key into a Signature, shown as ##$$$%%%&!!!^^$$##; the Public Key transforms the Signature back into the record.]

How to maintain variable length signatures?

[Figure: two records (Name:A.G.Tole, Email:tole@bar, Emp.No.:335), each passed through Hash function (mix) to give a Message digest, which is combined with the Private key to give the Digital signature.]

Achieves Integrity and Verification

Page 22: NETWORKING and SECURITY

Sending Messages using PKI

Compute a session key S(N)

Get Message M

P: PB(B) [ PR(A) [ S(N) ] ]
Encrypt session key with private/public keys.

Q: MD(M)
Compute Message Digest.

R: PR(A) [ MD(M) ]
Encrypt Message Digest with own private key.

T: S(N) [ M + R ]
Encrypt message and encrypted Digest with session key.

Transmit P & T
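The sending steps above, together with the receive side implied by "Decrypt with PR(B) & PB(A)" and the hash-then-sign step of the digital signature slide, as an added Python example that is not part of the original slides. It assumes textbook RSA without padding over constructed demo keys, SHA-256 as MD, and an XOR keystream as a stand-in for the session cipher S(N); all function and key names are this example's own.

```python
import hashlib
import secrets

E = 65537  # public exponent shared by both toy key pairs

def keypair(p, q):
    """Textbook RSA (no padding) from two primes: returns (public, private)."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def rsa(key, x):
    """PB(.) or PR(.) in the slide's notation, depending on the key passed."""
    n, k = key
    return pow(x, k, n)

def md(m):
    """MD(M): SHA-256 digest as an integer."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big")

def stream(key, data):
    """Stand-in for S(N)[.]: XOR with a SHA-256 counter keystream (toy cipher)."""
    ks = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def send(m, a_priv, b_pub):
    s = secrets.token_bytes(32)                            # session key S(N)
    p = rsa(b_pub, rsa(a_priv, int.from_bytes(s, "big")))  # P = PB(B)[PR(A)[S(N)]]
    r = rsa(a_priv, md(m))                                 # R = PR(A)[MD(M)]
    sig_len = (a_priv[0].bit_length() + 7) // 8
    t = stream(s, m + r.to_bytes(sig_len, "big"))          # T = S(N)[M + R]
    return p, t                                            # transmit P and T

def receive(p, t, b_priv, a_pub):
    s = rsa(a_pub, rsa(b_priv, p))                         # undo PB(B), then PR(A)
    if s >> 256:                                           # P was altered in transit
        return None, False
    plain = stream(s.to_bytes(32, "big"), t)
    sig_len = (a_pub[0].bit_length() + 7) // 8
    m, r = plain[:-sig_len], int.from_bytes(plain[-sig_len:], "big")
    return m, rsa(a_pub, r) == md(m)                       # PB(A)[R] must equal MD(M)

# Constructed demo keys from known Mersenne primes. A's modulus must be smaller
# than B's, otherwise PR(A)[S(N)] would not fit inside PB(B)[.].
A_PUB, A_PRIV = keypair(2**521 - 1, 2**607 - 1)
B_PUB, B_PRIV = keypair(2**1279 - 1, 2**2203 - 1)
```

Flipping one byte of T changes the recovered M but leaves R intact, so the digest comparison in receive() returns False.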

Certificates

A digital certificate is a digital document that certifies that a certain public key is owned by a particular user. This document is signed by a third party called the certificate authority (or CA).

It's all about trust - Having a certificate to prove to everyone else that your public key is really, truly, honestly yours allows us to conquer the third pillar of a secure conversation: authentication.

Page 23: NETWORKING and SECURITY