NETWORKING and SECURITY
ALHAD G APTE
BARC
SACET09 October 28, 2009
PRESENTATION OUTLINE
• Information Security – Overview & Definitions
• Information Security Technologies
• Approach to Information Security
• ISO Standards
• Security Issues in Computing Grids
Information asset: Information of value to organization, which is owned by the organization, and equipment, devices and other hardware and software used to process, store and communicate the information.
Information security: preservation of confidentiality, integrity and availability attributes of information assets.
In addition, attributes such as authenticity, non-repudiation, accountability, reliability are also to be assured.
Information assurance
Confidentiality: ensuring that information is accessible only to those authorized to have access
Integrity: the accuracy and completeness of assets
Availability: accessibility and usability upon demand by an authorized entity.
Authentication: A process that establishes the origin of information, or validates an entity's identity.
Non-repudiation: A service that provides protection against false denial of involvement in a communication
Information Security Components
Vulnerability: An exploitable capability or weakness that could result in a successful attack causing damage to the asset.
Threat: An event which could have an undesirable impact on an asset.
Risk: The potential that a given threat will exploit vulnerabilities and cause harm to the asset.
[Figure: Attack Sophistication and Intruder Knowledge (Reqd.) plotted over time, 1980 to 2010. Attacks shown: Password Cracking, Viruses, Backdoors, Packet Spoofing/Sniffing, Malicious codes, BOTs/Zombies, Autoscans, WWW attacks, DOS/DDOS]
Security Concepts and Relationships
[Figure: relationship diagram. Entities: Owners, Countermeasures, Vulnerabilities, Attacker, Threats, Risk, Assets. Relation labels: Value, Wish to minimise, Impose, To reduce, That may possess, That may be reduced by, May be aware of, Leading to, That exploit, That increase, Give rise to, Wish to abuse and/or may damage]
Information Security Life Cycle
[Figure: PDCA Model (PLAN, DO, CHECK, ACT)]
Secure network and application setup
Security Audit
Monitoring and knowledge update
POLICY PLAN EXECUTION
The McCumber Cube
[Figure: the McCumber Cube, labelled Where, What and How]
Firewall:
A set of security measures, located at a network gateway, to prevent unauthorized electronic access to a networked computer system.
It is configured to permit, deny, encrypt, decrypt, or proxy all computer traffic between different security domains based upon a set of rules and other criteria.
Firewalls – Defence-in-depth
[Figure: layered firewall layout. Labels: Internet, Firewall, DMZ (WWW, Email GW, DNS, Extranet Servers), Firewall, Intranet Server Segment (Email server, Intranet servers), Firewall, Intranet Client Segment]
Information Security Systems
• Firewall
• Intrusion Detection & Prevention
• Server hardening
• Access Control
• Client Security
• Network Security
• Communication Security
• Storage Security
Technological Solutions
• Encryption: Symmetric Encryption; Asymmetric Encryption – Public Key Infrastructure
• Virtual Private Networking (VPN): Network Level VPN; Application Level VPN
• Client Security: Secure Network Access System
Graded approach:
A process or method in which the stringency of the control measures and conditions to be applied is commensurate, to the extent practicable, with the likelihood and possible consequences of, and the level of risk associated with, a loss of control.
EXAMPLE ZONE MODEL
[Figure: zone diagram. Labels: INTRANET - CLIENT SEGMENT, INTRANET SERVERS, SECURE INTERNET SERVERS, PUBLIC INTERNET, C&I ASSETS, CLASSIFIED ASSETS; arrows labelled Data flow and Access]
Security Issues
External Cyber-attacks
Denial of Service attacks
Security of client PCs:
Attacks through viruses/ malware
Possible network bridging by users
PC sharing over network
Official Data on PC used for Internet
Conformance to Security Guidelines of MHA
Limited services on separate networks
Balancing extreme views
I want tight security. I don’t bother what users get.
I want all services freely. Security is your responsibility.
Open environment: Increase in vulnerability
Excessive constraints: Denial of service just by presence of threat
Approach to provision of Secure Services
Use of technological solutions
Strengthening the monitoring and reporting process
Classified/sensitive information kept physically isolated
Isolated intranet and Internet except for secure channels for cross network transfer
Defense-in-depth philosophy
Defense-in-depth implementation
Multi layered network design - Firewalls,
Host & Network intrusion detection system,
Host hardening & Secure application configuration,
Firewalling around the applications,
only one application per server,
Centralized antivirus/ antispyware system,
Advanced authentication system,
Client End Point Security and
ISMS (Information Security Monitoring System).
[Figure: multi-layered network design. Labels: Public Networks, Enterprise WAN, Firewall Level 1, DMZ-I-1, DMZ-A-1, Firewall Level 2, DMZ-I-2, Firewall Level 3, Secure Internet Server Segment, Intranet Services, Controlled services*, INTRANET USER SEGMENT (USER PCs), INTERNET USER SEGMENT (USER PCs)]
ISO 27001: Information security management systems — Requirements
• Establishment and Management ISMS
• Document and Records Control
• Management Responsibilities and Support
• ISMS Internal Audit
• ISMS Review
• ISMS Improvement
ISO 27000 Series Standards
ISO 27001: Specification for an information security management system (an ISMS).
ISO 27002: Renumbered ISO 17799 standard. ISMS Code of Practice.
ISO 27003: Intended to offer guidance for the implementation of an ISMS (IS Management System).
ISO 27004: Information security system management measurement and metrics.
ISO 27005: Methodology independent ISO standard for information security risk management.
ISO 27006: Guidelines for the accreditation of organizations offering ISMS certification.
Information Security Policy Controls
Based on ISO 27002 Standard Best Practices
• Policy Versions and approvals
• Security Management Set-up
• Classification of Information Assets
• Network Security and Access Control
• Digital Media Security
• Information Exchange e.g. email
• User Awareness and responsibilities
• Third Party Access/ Outsourcing
• Personnel Security
• Physical and Environmental Security
• Business Continuity
• Policy Conformance/ Auditing
GRID SECURITY REQUIREMENTS Grid
1. Security is one of the most important issues in Grid Environment.
Privacy
Integrity
Authentication (& Authorization)
2. Overcome the security challenges posed by grid applications through the Grid Security Infrastructure (or GSI). It uses public key cryptography (asymmetric cryptography) as the basis for its functionality.
• The need for secure communication (authenticated and perhaps confidential) between elements of a computational Grid.
• The need to support security across organizational boundaries, thus prohibiting a centrally-managed security system.
• The need to support "single sign-on" for users of the Grid, including delegation of credentials for computations that involve multiple resources and/or sites.
Access to Resources Grid
[Figure: Access to Resources. Labels: User, Proxy, Credentials, Virtual Organisation, Physical Domain 1, Physical Domain 2]
Proxy Certificate (PC) Grid
Motivation:
1. Dynamic (Credential) Delegation: In Grid, there is a need for one entity to grant another entity some of its privileges.
E.g.: A job submitted to the grid by the user goes to the Grid Scheduler (Resource Broker), so this Grid Scheduler needs to be granted the user credentials in order to further redirect the job to the actual compute machine on behalf of the user.
2. Repeated Authentication: Private keys are encrypted with a passphrase. This means that the user would have to sign on (provide the password) to access the key and perform authentication.
Thanks
New Technologies to be used: VPN Tunneling
[Figure: Private Network Zone I and Private Network Zone II, each with a VPN Adaptor and an Original Data Packet, connected by a VPN Tunnel over the Shared Network Infrastructure. Caption: Original Packet encrypted and tunneled by adding new header]
Packets of data exchanged between two zones of a private network are tunneled through the untrusted network by encrypting and encapsulating the original packet into another packet pertaining to the untrusted network.
New Technologies to be used: Endpoint Security
Secure Network Access System (SNAS) developed by BARC
[Figure: SNAS deployment. Labels: TARGET NETWORK, Firewall, SNAS Servers, authorization, Monitoring, Users with SNAS Web Client, Network devices, INTRANET]
PUBLIC KEY INFRASTRUCTURE
Generate Key Pairs
[Figure: User A, User B and User C each generate a key pair: Public key A / Private key A, Public key B / Private key B, Public key C / Private key C. Legend: PB = public key, PR = private key]
Distribution Key
[Figure: Public key A, Public key B and Public key C distributed among User A, User B and User C]
User A wants to communicate with User B
User A: Encrypt with PR(A) & PB(B), then send to User B
User B: Decrypt with PR(B) & PB(A)
A simple digital signature
[Figure: a record (Name: A. G. Tole, Emp.Id: 3385, Email: [email protected]) is transformed with the Private Key into a Signature (##$$$%%%&!!!^^$$##), and the Signature is transformed with the Public Key back into the record]
How to maintain variable length signatures ?
[Figure: a record (Name: A.G.Tole, Emp.No.: 335, Email: tole@bar) passes through a Hash function (mix) to give a Message digest, which is combined with the Private key to give the Digital signature]
Achieves Integrity and Verification
Sending Messages using PKI
Compute a session key S(N)
Get Message M
P: PB(B) [ PR(A) [ S(N) ] ]    Encrypt session key with private/public keys.
Q: MD(M)    Compute Message Digest.
R: PR(A) [ MD(M) ]    Encrypt Message Digest with own private key.
T: S(N) [ M + R ]    Encrypt message and encrypted Digest with session key.
Transmit P & T
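The P, Q, R, T steps of this slide, together with the hash-then-sign flow from the digital signature slides above, carried through for both sender and receiver (an added example, not part of the original deck). Textbook RSA over small Mersenne-prime moduli and a SHA-256 keystream stand in for real primitives; the function names, key sizes and stream cipher are assumptions made for illustration.

```python
import hashlib
import secrets

E = 65537  # public exponent shared by both toy keys

def keypair(p, q):
    """Textbook RSA key pair (PB, PR) from two primes; toy sizes, no padding."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def rsa(key, x):
    """Apply a key: PB(.)[x] or PR(.)[x] in the slide's notation."""
    n, exp = key
    return pow(x, exp, n)

def md(m, n):
    """MD(M): SHA-256, reduced so the digest fits under the toy modulus."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % n

def session_crypt(s, data):
    """S(N)[data]: XOR with a SHA-256 keystream (assumed toy cipher)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(s.to_bytes(16, "big") + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

# Constructed keys from Mersenne primes. n_A < n_B is required: PR(A)[S(N)]
# must be smaller than B's modulus or PB(B)[...] cannot be undone exactly.
PB_A, PR_A = keypair(2**31 - 1, 2**61 - 1)
PB_B, PR_B = keypair(2**89 - 1, 2**107 - 1)
R_LEN = 12  # bytes needed to hold any value below n_A (< 2**96)

def send(m, pr_a, pb_b):
    s = secrets.randbelow(pr_a[0] - 2) + 2        # session key S(N)
    p = rsa(pb_b, rsa(pr_a, s))                   # P = PB(B)[PR(A)[S(N)]]
    r = rsa(pr_a, md(m, pr_a[0]))                 # R = PR(A)[MD(M)]
    t = session_crypt(s, m + r.to_bytes(R_LEN, "big"))  # T = S(N)[M + R]
    return p, t                                   # transmit P & T

def receive(p, t, pr_b, pb_a):
    s = rsa(pb_a, rsa(pr_b, p))                   # undo PB(B), then PR(A)
    plain = session_crypt(s, t)
    m, r = plain[:-R_LEN], int.from_bytes(plain[-R_LEN:], "big")
    if rsa(pb_a, r) != md(m, pb_a[0]):            # PB(A)[R] must equal MD(M)
        raise ValueError("digest mismatch: message altered or wrong sender")
    return m
```

The receiver needs only PR(B) and PB(A); a single flipped bit in T changes M or R, so the digest comparison fails and the message is rejected.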
Certificates Grid
A digital certificate is a digital document that certifies that a certain public key is owned by a particular user. This document is signed by a third party called the certificate authority (or CA).
It's all about trust - Having a certificate to prove to everyone else that your public key is really, truly, honestly yours allows us to conquer the third pillar of a secure conversation: authentication.