Security Lecture 2
Network Security Philadelphia University
Ahmad Al-Ghoul 2010-2011 1
Module 2: Security Methodology
Modified by: Ahmad Al Ghoul
Philadelphia University
Faculty Of Administrative & Financial Sciences
Business Networking & System Management Department
Room Number 32406
E-mail Address: [email protected]
Some standards bodies
• IETF (the Internet Engineering Task Force)
• AES (the Advanced Encryption Standard)
• ETSI (the European Telecommunications Standards Institute)
• IEEE (the Institute of Electrical and Electronics Engineers)
• ISO (International Standard Organization)
The 10 Major Headings
• Security Policy
• Security Organisation
• Asset Classification and Control
• Personnel Security
• Physical and Environmental Security
• Operational Management
• Access Control
• Systems Development and Maintenance
• Business Continuity Management
• Compliance
International Standards
• International Standards in Information Security are developed by the Security Techniques Committee, ISO/IEC JTC 1 SC 27
• Three Areas
  – WG 1 - Security Management
  – WG 2 - Security Algorithms/Techniques
  – WG 3 - Security Assessment/Evaluation
Participating Members
SAI Australia; IBN Belgium; ABNT Brazil; SCC Canada; CSBTS/CESI China; CSNI Czech Rep; DS Denmark; SFS Finland; AFNOR France; DIN Germany; MSZT Hungary; BIS India; UNINFO Italy; JISC Japan; KATS Korea, Rep of; DSM Malaysia; NEN Netherlands; NTS/IT Norway; PKN Poland; GOST R Russian Fed; SABS South Africa; AENOR Spain; SIS Sweden; SNV Switzerland; BSI UK; DSTU Ukraine; ANSI USA
WG 1 Security Management
• Two key standards:
  – Guidelines for Information Security Management (GMITS) (TR 13335)
  – Code of Practice for Information Security Management (IS 17799)
• Other standards:
  – Guidelines on the use and management of trusted third parties (TR 14516)
  – Guidelines for implementation, operation and management of Intrusion Detection Systems (WD 18043)
  – Guidelines for security incident management (WD 18044)
WG 2 Security Techniques
• There are International Standards for:
  – Encryption (WD 18033)
  – Modes of Operation (IS 8372)
  – Message Authentication Codes (IS 9797)
  – Entity Authentication (IS 9798)
  – Non-repudiation Techniques (IS 13888)
  – Digital Signatures (IS 9796, IS 14888)
  – Hash Functions (IS 10118)
  – Key Management (IS 11770)
  – Elliptic Curve Cryptography (WD 15946)
  – Time Stamping Services (WD 18014)
WG 3 Security Evaluation
• Third Party Evaluation
  – Criteria for an independent body to form an impartial and repeatable assessment of the presence, correctness and effectiveness of security functionality
• “Common Criteria” (CC) (IS 15408)
Common Criteria
• Produced by a consortium of Government bodies in North America / European Union
  – Mainly National Security Agencies
• Influenced by International Standardisation committee
  – Adopted as International Standard 15408
• Adopted and recognised by other major Governments
  – All EU, Australia, Japan, Russia
Security Architecture
– For end-to-end communications
Security Architecture for End-to-End Communications
Authentication is the process of confirming a user's identity.
Authentication is one of the basic building blocks of computer security. It is achieved through the execution of an authentication protocol between two or more parties. One such protocol, the Secure Socket Layer (SSL) protocol
Authorization determines what services and access a user is authorized for.
Authentication
3 types of authentication:
• Something you know - Password, PIN, mother’s maiden name, passcode.
• Something you have - ATM card, smart card, token, key, ID Badge, driver license, passport
• Something you are - Fingerprint, voice scan, DNA
Authentication is a process in which a system identifies a user. Access control determines what is permitted after authentication. Authentication is often closely tied to the concept of accounts, which are, generically, a set of information tied to a unique identifier. This information usually comprises the data needed to let someone use system resources. For example, it provides the location of the user's personal files or the user's real name.
Models: Access Control
• What is access control?
  – Limiting who is allowed to do what
• What is an access control model?
  – Specifying who is allowed to do what
What is access control?
• Access control is the heart of security
• Definitions:
  – The ability to allow only authorized users, programs or processes system or resource access
  – The granting or denying, according to a particular security model, of certain permissions to access a resource
  – An entire set of procedures performed by hardware, software and administrators, to monitor access, identify users requesting access, record access attempts, and grant or deny access based on pre-established rules.
How can AC be implemented?
– Hardware
– Software
  • Application
  • Protocol (Kerberos, IPSec)
– Physical
– Logical (policies)
What does AC hope to protect?
• Data - Unauthorized viewing, modification or copying
• System - Unauthorized use, modification or denial of service
• It should be noted that nearly every network operating system (NT, Unix, Vines, NetWare) is based on a secure physical infrastructure
Access control lists (ACL)
• A file used by the access control system to determine who may access what programs and files, in what method and at what time
• Different operating systems have different ACL terms
• Types of access:
  – Read/Write/Create/Execute/Modify/Delete/Rename
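The ACL definition above, worked as an added example that is not part of the original slides: each entry records who, what, in what method and at what time, and anything without a matching entry is denied. The subjects, file path and time windows are constructed sample values.

```python
from datetime import time

# Access types listed on the slide.
ACCESS_TYPES = {"read", "write", "create", "execute", "modify", "delete", "rename"}

# Constructed sample ACL. Each entry answers the slide's four questions:
# who, what, in what method (access types), and at what time (start, end).
SAMPLE_ACL = [
    ("alice", "/payroll/2011.xls", {"read", "modify"}, time(8, 0), time(18, 0)),
    # Window crosses midnight: 22:00 until 04:00 the next day.
    ("backup", "/payroll/2011.xls", {"read"}, time(22, 0), time(4, 0)),
]


def in_window(start, end, now):
    """True if `now` falls in [start, end), including windows that wrap past midnight."""
    if start <= end:
        return start <= now < end
    return now >= start or now < end


def is_allowed(acl, subject, obj, access, now):
    """Grant only when an entry matches subject, object, access type and time."""
    if access not in ACCESS_TYPES:
        raise ValueError(f"unknown access type: {access!r}")
    for who, what, methods, start, end in acl:
        if (who, what) == (subject, obj) and access in methods and in_window(start, end, now):
            return True
    return False  # no matching entry: deny by default


if __name__ == "__main__":
    checks = [("alice", "read", (9, 0)), ("alice", "delete", (9, 0)),
              ("alice", "read", (19, 0)), ("backup", "read", (2, 0)),
              ("mallory", "read", (9, 0))]
    for subject, access, hhmm in checks:
        ok = is_allowed(SAMPLE_ACL, subject, "/payroll/2011.xls", access, time(*hhmm))
        print(f"{subject:8} {access:7} {hhmm[0]:02d}:{hhmm[1]:02d} -> {'grant' if ok else 'deny'}")
```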
Defending Against Threats
When talking about information security, vulnerability is a weakness in your information system (network, systems, processes, and so on) that has the greatest potential of being compromised. There might be a single vulnerability, but typically there are a number of them. For instance, if you have five servers that have the latest security updates for the operating system and applications running, but have a sixth system that is not current, the sixth system would be considered a vulnerability. Although this would be a vulnerability, it would most likely not be the only one. To defend against threats, you must identify the threats to your C-I-A triad, determine what your vulnerabilities are, and minimize them.
Building a Defense
When building a defense, you should use a layered approach that includes securing the network infrastructure, the communications protocols, servers, applications that run on the server, and the file system, and you should require some form of user authentication.
When you configure a strong, layered defense, an intruder has to break through several layers to reach his or her objective. For instance, to compromise a file on a server that is part of your internal network, a hacker would have to breach your network security, break the server's security, break an application's security, and break the local file system's security. The hacker has a better chance of breaking one defense than of breaking four layers of defense.
Methods of Defense
Having controls does no good unless they are used properly. The following are some factors that affect the effectiveness of controls.
• Effectiveness of Controls
  – Awareness of Problem
  – Likelihood of Use: the suitable and effective use
  – Overlapping Controls: combinations of controls could be provided to one exposure.
  – Periodic Review: few controls are permanently effective. When we find a way to secure assets, the opposition doubles its efforts in an effort to defeat the security mechanism. Thus, judging the effectiveness of a control is an ongoing task.
– Principle of Effectiveness: Controls must be used to be effective. They must be efficient, easy to use, and appropriate.
Methods of Defense
• Controls: In this section we will study some security control tools that attempt to prevent exploitation of the vulnerabilities of a computing system.
• Encryption
• Software Controls
  – internal program controls (data base): parts of the program that enforce security restrictions, such as access limitations in a data base management program.
  – operating system controls: limitations enforced by the system to protect each user from all other users.
  – development controls: quality standards under which a program is designed, coded, tested, and maintained.
Methods of Defense
• Hardware Controls
  – use the devices which have been invented to assist in computer security (e.g. smart card)
• Hardware security modules (HSM) perform cryptographic operations, protected by hardware (PCI boards, SCSI boxes, smart cards, etc.)
• These operations include:
  – Random number generation
  – Key generation (asymmetric and symmetric)
  – Private key hiding (security) from attack (no unencrypted private keys in software or memory)
    • Private keys used for signing and decryption
    • Private keys used in PKI for storing Root Keys
Methods of Defense
• Policies
  – operation policy: some of the simplest controls, such as changing the password frequently, can be achieved at essentially no cost but with tremendous effect.
  – legal and ethical control: the law is slow to evolve, and the technology involving computers has emerged suddenly. Although legal protection is necessary and desirable.
  – The area of computer ethics is unclear. It is not that computer people are unethical, but rather that society in general and the computing community in particular have not adopted formal standards of ethical behavior. Some organizations are attempting to devise codes of ethics for computer professionals.
• Physical Controls
  – Some of the easiest, most effective, and least expensive controls are physical controls: locks on doors, guards at entry points, backups, etc.
Basic Encryption and Decryption
• Encryption and Decryption
  – encryption: a process of encoding a message so that its meaning is not obvious
  – decryption: the reverse process
• encode (encipher) vs. decode (decipher)
  – encoding: the process of translating entire words or phrases to other words or phrases
  – enciphering: translating letters or symbols individually
  – encryption: the group term that covers both encoding and enciphering
What is Encryption?
This is confidential.
Plaintext vs. Ciphertext
• Plaintext vs. Ciphertext
  – P (plaintext): the original form of a message
  – C (ciphertext): the encrypted form
• Basic operations
  – plaintext to ciphertext: encryption: C = E(P)
  – ciphertext to plaintext: decryption: P = D(C)
  – requirement: P = D(E(P))
Encryption Strategy
• Provide confidentiality of communications
• Ensure integrity of information
• Enhance Authentication
• Provide for non-repudiation of sender or receiver
Encryption with key
– encryption key: KE
– decryption key: KD
– C = E(KE, P)
– P = D(KD, E(KE, P))
Encryption with key
• Symmetric Cryptosystem: KE = KD
• Asymmetric Cryptosystem: KE ≠ KD
Secret Key Encryption
[Figure: Bob sends "This is a secret message" to Jane over a line that is not secure]
Bob:
1. Bob types message to Jane and encrypts the message with secret key and sends it.
3. Somehow he lets her know what his secret key is.
Jane:
1. Jane receives Bob's secret message and is later told by Bob the secret key to unlock the message
2. She decrypts and reads the message
Public Key Encryption
[Figure: Bob sends "Jane, This is a secret message - Bob" to Jane over a line that is not secure; labels: Jane’s public key, Jane’s private key]
Bob:
1. Bob writes the message and encrypts it using Jane’s public key which is known to everyone
2. Bob sends the message over the internet to Jane
Jane:
1. Jane receives the message and decodes it with her private key, which only she knows.
2. The secrecy of the private key is crucial
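The keyed notation C = E(KE, P), P = D(KD, E(KE, P)) and the secret-key and public-key exchanges above, worked as an added example that is not part of the original slides. Both ciphers are teaching constructions chosen as assumptions for this sketch (an XOR keystream with no nonce, and textbook RSA with no padding over two known Mersenne primes); they show the KE = KD versus KE ≠ KD relationship and are not suitable for protecting real data.

```python
import hashlib


def sym_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """C = E(K, P): XOR with a keystream derived from the key (toy stream cipher)."""
    keystream = hashlib.shake_256(key).digest(len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, keystream))


# XOR is its own inverse, so decryption is the same operation with the same key: KE = KD.
sym_decrypt = sym_encrypt

# Assumption for illustration: two known Mersenne primes stand in for the large
# random secret primes of a real RSA key, so the example needs no key file.
_P, _Q = 2**127 - 1, 2**521 - 1


def make_keypair():
    """Return (KE, KD) for textbook RSA: KE = (e, n) is public, KD = (d, n) is private."""
    n, e = _P * _Q, 65537
    d = pow(e, -1, (_P - 1) * (_Q - 1))  # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def asym_encrypt(ke, plaintext: bytes) -> int:
    """C = E(KE, P): anyone holding the public key can encrypt."""
    e, n = ke
    m = int.from_bytes(plaintext, "big")
    if m >= n:
        raise ValueError("message too long for this modulus")
    return pow(m, e, n)


def asym_decrypt(kd, ciphertext: int) -> bytes:
    """P = D(KD, C): only the private-key holder can decrypt."""
    d, n = kd
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


if __name__ == "__main__":
    secret = b"shared secret key"  # constructed sample key Bob must pass to Jane
    c1 = sym_encrypt(secret, b"This is a secret message")
    print(sym_decrypt(secret, c1))
    ke, kd = make_keypair()  # Jane publishes ke and keeps kd
    c2 = asym_encrypt(ke, b"Jane, This is a secret message - Bob")
    print(asym_decrypt(kd, c2))
```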
Uses of Encryption
• Digital Certificates use Public Key
• Web Access with SSL
• Virtual Private Networks (VPNs)
• Desktop Encryption
Digital signature
• Digital signature is a sort of protocol that provides authenticity and identification of the user.
• It is similar to the signature of a person on a paper or check
• It is used for many purposes in the network security provision
Physical security
Network security should begin by first emphasizing the necessity for physical security. Most organizations limit physical access to hosts and servers, but they must also take into consideration networking devices, such as routers, switches, and the like, and even such simple elements as cabling and wiring.