Security Technology in Information Security
eswin-angel -
Transcript of Security Technology in Information Security
-
7/29/2019 Security Technology in Information Security
Security Technology
Chapter 8
-
Principles of Information Security - Chapter 8 Slide 2
Physical Design of the SecSDLC
The physical design phase of the SecSDLC is made up of two parts:
  security technologies
  physical security
-
Physical Design of the SecSDLC
The physical design phase encompasses the selection of technologies and processes to manage risk
At the end of the physical design phase you have:
  Selected technologies needed to support the information security blueprint
  Defined what the successful solution for a secured environment will encompass
  Designed physical security measures that support the technical solutions
  Prepared to create project plans in the implementation phase to follow
-
Firewalls
A firewall is any device that prevents a specific type of information from moving between the untrusted network outside and the trusted network inside
There are five recognized generations of firewalls
The firewall may be:
  a separate computer system
  a service running on an existing router or server
  a separate network containing a number of supporting devices
-
First Generation
Called packet filtering firewalls
Examines every incoming packet header and selectively filters packets based on address, packet type, port request, and other factors
The restrictions most commonly implemented are based on:
  IP source and destination address
  Direction (inbound or outbound)
  TCP or UDP source and destination port requests
-
Second Generation
Called application-level firewall or proxy server
Often a dedicated computer separate from the filtering router
With this configuration the proxy server, rather than the Web server, is exposed to the outside world
Additional filtering routers can be implemented behind the proxy server
The primary disadvantage of application-level firewalls is that they are designed for a specific protocol and cannot easily be reconfigured to protect against attacks on protocols for which they are not designed
-
Third Generation
Called stateful inspection firewalls
Keeps track of each network connection established between internal and external systems using a state table which tracks the state and context of each packet in the conversation by recording which station sent what packet and when
If the stateful firewall receives an incoming packet that it cannot match in its state table, then it defaults to its ACL to determine whether to allow the packet to pass
The primary disadvantage is the additional processing requirements of managing and verifying packets against the state table which can possibly expose the system to a DoS attack
These firewalls can track connectionless packet traffic such as UDP and remote procedure calls (RPC) traffic
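Added example (not from the original slides): a minimal Python model of the state-table lookup with ACL fallback described above, including idle expiry and a bounded table as one way to limit the state-exhaustion DoS risk the slide mentions. The class name, rule format, timeout values and the documentation-range addresses are all assumptions constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str      # "tcp" or "udp"
    direction: str  # "out" = trusted -> untrusted, "in" = untrusted -> trusted


class StatefulFirewall:
    """Hypothetical model: state table first, ACL only for unmatched packets."""

    def __init__(self, acl, idle_timeout=30.0, max_entries=1000):
        self.acl = acl
        self.idle_timeout = idle_timeout
        self.max_entries = max_entries  # hard cap so floods cannot grow the table
        self.state = {}                 # flow key -> time the flow was last seen

    @staticmethod
    def _key(pkt):
        # Normalise to (proto, inside host, inside port, outside host, outside port)
        # so a reply maps to the same entry as the packet that opened the flow.
        if pkt.direction == "out":
            return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def _expire(self, now):
        stale = [k for k, seen in self.state.items() if now - seen > self.idle_timeout]
        for key in stale:
            del self.state[key]

    def _acl_allows(self, pkt):
        # First matching rule wins; "any" / None act as wildcards.
        for rule in self.acl:
            if (rule["direction"] == pkt.direction
                    and rule["proto"] in (pkt.proto, "any")
                    and rule["dport"] in (pkt.dport, None)):
                return rule["action"] == "allow"
        return False  # default deny

    def handle(self, pkt, now):
        self._expire(now)
        key = self._key(pkt)
        if key in self.state:            # known conversation, UDP included
            self.state[key] = now
            return "allow (state table)"
        if not self._acl_allows(pkt):    # no state: fall back to the ACL
            return "deny (acl)"
        if len(self.state) >= self.max_entries:
            return "deny (state table full)"
        self.state[key] = now
        return "allow (acl, new entry)"


# Constructed ACL: everything out is allowed, only SMTP (tcp/25) is allowed in.
SAMPLE_ACL = [
    {"direction": "out", "proto": "any", "dport": None, "action": "allow"},
    {"direction": "in", "proto": "tcp", "dport": 25, "action": "allow"},
]


def demo():
    fw = StatefulFirewall(SAMPLE_ACL, idle_timeout=30.0, max_entries=2)
    query = Packet("10.0.0.5", 40000, "198.51.100.53", 53, "udp", "out")
    reply = Packet("198.51.100.53", 53, "10.0.0.5", 40000, "udp", "in")
    unsolicited = Packet("203.0.113.9", 53, "10.0.0.5", 40001, "udp", "in")
    return [
        fw.handle(query, now=0.0),        # new outbound flow, entry created
        fw.handle(reply, now=0.1),        # matches the entry the query created
        fw.handle(unsolicited, now=0.2),  # no entry, ACL has no rule for it
        fw.handle(reply, now=60.0),       # entry idled out, treated as unsolicited
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```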
-
Fourth Generation
While static filtering firewalls, such as first and third generation, allow entire sets of one type of packet to enter in response to authorized requests, a dynamic packet filtering firewall allows only a particular packet with a particular source, destination, and port address to enter through the firewall
It does this by understanding how the protocol functions, and opening and closing doors in the firewall, based on the information contained in the packet header. In this manner, dynamic packet filters are an intermediate form, between traditional static packet filters and application proxies
-
Fifth Generation
The final form of firewall is the kernel proxy, a specialized form that works under the Windows NT Executive, which is the kernel of Windows NT
It evaluates packets at multiple layers of the protocol stack, by checking security in the kernel as data is passed up and down the stack
-
Packet-filtering Routers
Most organizations with an Internet connection have some form of a router as the interface at the perimeter between the organization's internal networks and the external service provider
Many of these routers can be configured to filter packets that the organization does not allow into the network
This is a simple but effective means to lower the organization's risk to external attack
The drawback to this type of system includes a lack of auditing and strong authentication
The complexity of the access control lists used to filter the packets can grow and degrade network performance
-
Screened-Host Firewall Systems
Combine the packet-filtering router with a separate, dedicated firewall such as an application proxy server
Allows the router to pre-screen packets to minimize the network traffic and load on the internal proxy
Application proxy examines an application layer protocol, such as HTTP, and performs the proxy services
This separate host is often referred to as a bastion-host, as it represents a single, rich target for external attacks, and should be very thoroughly secured
-
SOCKS Servers
The SOCKS system is a proprietary circuit-level proxy server that places special SOCKS client-side agents on each workstation
Places the filtering requirements on the individual workstation, rather than on a single point of defense (and thus point of failure)
This frees the entry router of filtering responsibilities, but then requires each workstation to be managed as a firewall detection and protection device
A SOCKS system can require additional support and management resources to configure and manage possibly hundreds of individual clients, versus a single device or set of devices
-
Selecting the Right Firewall
What type of firewall technology offers the right balance of protection features and cost for the needs of the organization?
What features are included in the base price?
What features are available at extra cost? Are all cost factors known?
How easy is it to set up and configure the firewall? How accessible are staff technicians with the mastery to do it well?
Can the candidate firewall adapt to the growing network in the target organization?
-
Configuring and Managing Firewalls
Each firewall device will have its own set of configuration rules that regulate its actions
Simple mistakes can turn the device into a choke point
When security rules conflict with the performance of business, security loses since organizations are much more willing to live with a potential risk than a certain failure
-
Firewall Recommended Practices
All traffic from the trusted network is allowed out
The firewall device is always inaccessible directly from the public network
Allow Simple Mail Transport Protocol (SMTP) data to pass through your firewall, but ensure it is all routed to a well-configured SMTP gateway to filter and route messaging traffic securely
All Internet Control Message Protocol (ICMP) data should be denied
Block telnet (terminal emulation) access to all internal servers from the public networks
When Web services are offered outside the firewall, deny HTTP traffic from reaching your internal networks by using some form of proxy access or DMZ architecture
-
Dial-Up Protection
While internal network connections via private networks are now less popular due to the high cost of installation, maintenance, and protection, dial-up connections are still quite common
Unsecured, dial-up access represents a substantial exposure to attack
  An attacker who suspects that an organization has dial-up lines can use a device called a war-dialer to locate the connection points
For the most part, simple username and password schemes are the only means of authentication
-
Remote Authentication Dial-in User Service
The RADIUS system centralizes the management of user authentication by placing the responsibility for authenticating each user in the central RADIUS server
-
Intrusion Detection Systems (IDSs)
IDSs work like burglar alarms
IDSs require complex configurations to provide the level of detection and response desired
An IDS operates as either network-based, when the technology is focused on protecting network information assets, or host-based, when the technology is focused on protecting server or host information assets
IDSs use one of two detection methods, signature-based or statistical anomaly-based
-
Scanning and Analysis Tools
Scanners, sniffers, and other analysis tools are useful to security administrators in enabling them to see what the attacker sees
Scanner and analysis tools can find vulnerabilities in systems
One of the preparatory parts of an attack is known as footprinting - collecting IP addresses and other useful data
The next phase of pre-attack data gathering process is called fingerprinting - scanning all known addresses to make a network map of the target
-
Port Scanners
Port scanners fingerprint networks to find ports and services and other useful information
Why secure open ports?
  An open port can be used to send commands to a computer, gain access to a server, and exert control over a networking device
  The general rule of thumb is to remove from service or secure any port not absolutely necessary for the conduct of business
-
Vulnerability Scanners
Vulnerability scanners are capable of scanning networks for very detailed information
As a class, they identify exposed usernames and groups, show open network shares, expose configuration problems, and other vulnerabilities in servers
-
Packet Sniffers
A network tool that collects copies of packets from the network and analyzes them
Can be used to eavesdrop on the network traffic
To use a packet sniffer legally, you must be:
  on a network that the organization owns
  under direct authorization of the owners of the network
  have knowledge and consent of the content creators (users)
-
Content Filters
Although technically not a firewall, a content filter is a software filter that allows administrators to restrict accessible content from within a network
The content filtering restricts Web sites with inappropriate content
-
Trap and Trace
Better known as honey pots, they distract the attacker while notifying the administrator
Trace: determine the identity of someone using unauthorized access
-
Cryptography and Encryption
Sophisticated approach to security
Many security-related tools use embedded encryption technologies
Encryption is the process of converting an original message into a form that is unreadable by unauthorized individuals
The science of encryption, known as cryptology, encompasses cryptography and cryptanalysis
-
Encryption Definitions
Algorithm: the mathematical formula used to convert an unencrypted message into an encrypted message.
Cipher: the transformation of the individual components (characters, bytes, or bits) of an unencrypted message into encrypted components.
Ciphertext or cryptogram: the unintelligible encrypted or encoded message resulting from an encryption.
Code: the transformation of the larger components (words or phrases) of an unencrypted message into encrypted components.
Cryptosystem: the set of transformations necessary to convert an unencrypted message into an encrypted message.
Decipher: to decrypt or convert ciphertext to plaintext.
Encipher: to encrypt or convert plaintext to ciphertext.
-
Encryption Definitions
Key or cryptovariable: the information used in conjunction with the algorithm to create ciphertext from plaintext.
Keyspace: the entire range of values that can possibly be used to construct an individual key.
Link encryption: a series of encryptions and decryptions between a number of systems, whereby each node decrypts the message sent to it and then re-encrypts it using different keys and sends it to the next neighbor, until it reaches the final destination.
Plaintext: the original unencrypted message that is encrypted and results from successful decryption.
Steganography: the process of hiding messages in a picture or graphic.
Work factor: the amount of effort (usually in hours) required to perform cryptanalysis on an encoded message.
-
Cryptography and Encryption-Based Solutions
Simple forms of encryption are based on two concepts: the block cipher and the exclusive OR operation
With the block cipher method
  the message is divided into blocks, i.e., 8 or 16 bit
  and then each block is transformed using the algorithm and key
The exclusive or operation (XOR) is a function of Boolean algebra
-
Table 8-3 Exclusive OR Operations
-
Encryption Operations
In encryption the most commonly used algorithms include two functions: substitution and transposition
In a substitution cipher, you substitute one value for another
This type of substitution is based on a monoalphabetic substitution, since it only uses one alphabet
More advanced substitution ciphers use two or more alphabets, and are referred to as polyalphabetic substitutions
Just like the substitution operation, the transposition cipher is simple to understand but can be complex to decipher if properly used
Unlike the substitution cipher, the transposition cipher (or permutation cipher) simply rearranges the values within a block to create the ciphertext
This can be done at the bit level or at the byte (character) level - transposition ciphers move these bits or bytes to another location in the block, so that bit 1 becomes bit 4, bit 2 becomes bit 7 etc
-
Vernam Cipher
Also known as the one-time pad, the Vernam cipher was developed at AT&T and uses a one-use set of characters, the value of which is added to the block of text
The resulting sum is then converted to text
When the two are added, if the values exceed 26, 26 is subtracted from the total (Modulo 26) - the corresponding results are then converted back to text
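Added example (not from the original slides): the add-and-subtract-26 procedure above in Python, together with the matching decryption and a check showing why the pad must be one-use. It assumes the letter numbering A=1 through Z=26, which is what the "exceed 26" rule implies; the function names and sample messages are constructed for illustration.

```python
import secrets
import string

ALPHABET = string.ascii_uppercase  # assumed numbering: A=1 ... Z=26


def _values(text):
    """Map letters to 1..26; reject anything that is not A-Z."""
    text = text.upper()
    if not text or any(ch not in ALPHABET for ch in text):
        raise ValueError("only the letters A-Z are supported")
    return [ALPHABET.index(ch) + 1 for ch in text]


def new_pad(length):
    """Draw a pad from the OS CSPRNG; each pad is meant to be used once."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def encrypt(plaintext, pad):
    p, k = _values(plaintext), _values(pad)
    if len(k) < len(p):
        raise ValueError("pad must be at least as long as the message")
    out = []
    for pv, kv in zip(p, k):
        total = pv + kv
        if total > 26:      # the slide's rule: subtract 26 when the sum exceeds 26
            total -= 26
        out.append(ALPHABET[total - 1])
    return "".join(out)


def decrypt(ciphertext, pad):
    c, k = _values(ciphertext), _values(pad)
    if len(k) < len(c):
        raise ValueError("pad must be at least as long as the message")
    out = []
    for cv, kv in zip(c, k):
        diff = cv - kv
        if diff < 1:        # inverse of the rule above: add 26 back
            diff += 26
        out.append(ALPHABET[diff - 1])
    return "".join(out)


def letter_differences(a, b):
    """Position-wise (a - b) mod 26 of two equal-length texts."""
    return [(x - y) % 26 for x, y in zip(_values(a), _values(b))]


def pad_reuse_cancels_key(msg1, msg2, pad):
    """True when two ciphertexts under the same pad differ exactly as the plaintexts do.

    The pad drops out of the subtraction, so a reused pad no longer hides the
    relationship between the two messages. This is why the set of characters
    has to be one-use.
    """
    c1, c2 = encrypt(msg1, pad), encrypt(msg2, pad)
    return letter_differences(c1, c2) == letter_differences(msg1, msg2)


if __name__ == "__main__":
    pad = "XMCKL"                      # constructed sample pad
    ct = encrypt("HELLO", pad)
    print(ct, decrypt(ct, pad))
```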
-
Data Encryption Standard (DES)
Developed in 1977 by IBM
Based on the Data Encryption Algorithm (DEA)
Uses a 64-bit block size and a 56-bit key
With a 56-bit key, the algorithm has 2^56 possible keys to choose from (over 72 quadrillion)
DES is a federally approved standard for nonclassified data
DES was cracked in 1997 when RSA put a bounty on the algorithm offering $10,000 to the team to crack the algorithm - fourteen thousand users collaborated over the Internet to finally break the encryption
-
Triple DES (3DES)
Developed as an improvement to DES
Uses up to three keys in succession and also performs three different encryption operations:
  3DES encrypts the message three times with three different keys, the most secure level of encryption possible with 3DES
In 1998, it took a dedicated computer designed by the Electronic Freedom Frontier (www.eff.org) over 56 hours to crack DES
The successor to 3DES is Advanced Encryption Standard (AES), based on the Rijndael Block Cipher, a block cipher with a variable block length and a key length of either 128, 192, or 256 bits
It would take the same computer approximately 4,698,864 quintillion years to crack AES
-
Digital Signatures
An interesting thing happens when the asymmetric process is reversed, that is the private key is used to encrypt a short message
The public key can be used to decrypt it, and the fact that the message was sent by the organization that owns the private key cannot be refuted
This is known as nonrepudiation, which is the foundation of digital signatures
Digital Signatures are encrypted messages that are independently verified by a central facility (registry) as authentic
-
RSA
One of the most popular public key cryptosystems
Stands for Rivest-Shamir-Adleman, its developers
The first public key encryption algorithm developed and published for commercial use
Part of Web browsers from both Microsoft and Netscape
-
PKI or Public Key Infrastructure
Public Key Infrastructure is the entire set of hardware, software, and cryptosystems necessary to implement public key encryption
PKI systems are based on public-key cryptosystems and include digital certificates and certificate authorities (CAs) and can:
  Issue digital certificates
  Issue crypto keys
  Provide tools to use crypto to secure information
  Provide verification and return of certificates
-
PKI Benefits
PKI protects information assets in several ways:
  Authentication
  Integrity
  Privacy
  Authorization
  Nonrepudiation
-
Digital Certificates and Certificate Authorities
A digital certificate is an electronic document, similar to a digital signature, attached to a file certifying that this file is from the organization it claims to be from and has not been modified from the original format
A Certificate Authority is an agency that manages the issuance of certificates and serves as the electronic notary public to verify their worth and integrity
-
Hybrid Systems
In practice, pure asymmetric key encryption is not widely used except in the area of certificates
It is more often used in conjunction with symmetric key encryption creating a hybrid system
Use the Diffie-Hellman Key Exchange method that uses asymmetric techniques to exchange symmetric keys to enable efficient, secure communications based on symmetric keys
Diffie-Hellman provided the foundation for subsequent developments in public key encryption
-
Securing E-mail
Encryption cryptosystems have been adapted to inject some degree of security into e-mail:
  S/MIME builds on the Multipurpose Internet Mail Extensions (MIME) encoding format by adding encryption and authentication
  Privacy Enhanced Mail (PEM) was proposed by the Internet Engineering Task Force (IETF) as a standard to function with the public key cryptosystems
  PEM uses 3DES symmetric key encryption and RSA for key exchanges and digital signatures
  Pretty Good Privacy (PGP) was developed by Phil Zimmermann and uses the IDEA Cipher along with RSA for key exchange
-
Securing the Web
Secure Electronic Transactions (SET)
Secure Socket Layer (SSL)
Secure Hypertext Transfer Protocol (SHTTP)
Secure Shell (SSH)
IPSec
-
IPSec
IP Security (IPSec) is the cryptographic authentication and encryption product of the IETF's IP Protocol Security Working Group
Defined in RFC 1825, 1826, and 1827
Used to create Virtual Private Networks (VPNs) and is an open framework for security development within the TCP/IP family of protocol standards
Combines several different cryptosystem elements and includes:
  the IP Security Protocol itself
  the Internet Key Exchange
-
IPSec Operations
IPSec works in two modes of operation:
  In transport mode only the IP data is encrypted, not the IP headers themselves
  In tunnel mode, the entire IP packet is encrypted and is then placed as the payload in another IP packet
The implementation of these technologies is very popular through a process known as Virtual Private Networks (VPNs)
In the most common implementation, a VPN allows a user to turn the Internet into a private network between points on the public network
-
Figure 8-18 Kerberos Scenario: Initial Login
-
Sesame
To solve some of the problems associated with Kerberos, a new project, the Secure European System for Applications in a Multivendor Environment (SESAME), was developed as a European research and development project, partly funded by the European Commission
SESAME is similar in part to Kerberos in that the user is first authenticated to an authentication server to receive a token
-
What You Are
Most of the technologies that scan human characteristics convert these images to some form of minutiae
Minutiae are unique points of reference that are digitized and stored in an encrypted format
Each subsequent scan is also digitized and then compared with the encoded value to determine if users are who they claim to be
The problem is that some human characteristics can change over time, due to normal development, injury, or illness
-
Effectiveness of Biometrics
Biometric technologies are evaluated on three basic criteria:
  False Reject Rate
  False Accept Rate
  Crossover Error Rate
-
Effectiveness of Biometrics
False Reject Rate
  The percentage or value associated with the rate at which authentic users are denied or prevented access to authorized areas, as a result of a failure in the biometric device
  Type I error
  Probably of the least concern to security
False Accept Rate
  The percentage or value associated with the rate at which fraudulent or non-users are allowed access to systems or areas, as a result of a failure in the biometric device
  Type II error
  This type of error is unacceptable to security, as it represents a clear breach
-
Crossover Error Rate (CER)
Crossover Error Rate
  The crossover error rate is the point at which the number of false rejections equals the false acceptances, also known as the equal error rate
  It is possibly the most common and important overall measure of the accuracy of a biometric system
  The optimal setting is somewhere near the equal error rate or CER
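Added example (not from the original slides): computing the False Reject Rate, False Accept Rate and the crossover point from match scores in Python. The 0-100 score scale, the accept-if-score-is-at-or-above-threshold convention, the function names and both score lists are assumptions constructed for illustration.

```python
# Constructed match scores (0-100). Higher means a closer match to the
# enrolled template. GENUINE are attempts by the enrolled user, IMPOSTOR
# are attempts by someone else.
GENUINE = [91, 85, 78, 88, 62, 95, 70, 83, 55, 90]
IMPOSTOR = [20, 35, 48, 15, 58, 30, 66, 41, 25, 52]


def rates(genuine, impostor, threshold):
    """Return (FRR, FAR) when an attempt is accepted if score >= threshold."""
    frr = sum(s < threshold for s in genuine) / len(genuine)     # Type I
    far = sum(s >= threshold for s in impostor) / len(impostor)  # Type II
    return frr, far


def crossover(genuine, impostor, thresholds=range(0, 101)):
    """Lowest threshold where FRR and FAR are closest; returns (t, FRR, FAR).

    With finite samples the two rates may never be exactly equal, so the
    crossover is taken as the threshold that minimises |FRR - FAR|.
    """
    def gap(t):
        frr, far = rates(genuine, impostor, t)
        return abs(frr - far)

    best = min(thresholds, key=gap)
    frr, far = rates(genuine, impostor, best)
    return best, frr, far


def lowest_zero_far_threshold(genuine, impostor, thresholds=range(0, 101)):
    """Lowest threshold that accepts no impostor sample, with the FRR it costs.

    Shows the trade-off: removing false accepts entirely raises the
    false reject rate above the crossover value.
    """
    for t in thresholds:
        frr, far = rates(genuine, impostor, t)
        if far == 0:
            return t, frr
    return None


if __name__ == "__main__":
    t, frr, far = crossover(GENUINE, IMPOSTOR)
    print(f"crossover at threshold {t}: FRR={frr:.2f} FAR={far:.2f}")
    t0, frr0 = lowest_zero_far_threshold(GENUINE, IMPOSTOR)
    print(f"FAR reaches 0 at threshold {t0}: FRR={frr0:.2f}")
    for t in range(50, 75, 5):
        print(t, rates(GENUINE, IMPOSTOR, t))
```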
-
Acceptability of Biometrics
While the use of one authentication area is necessary to access the system, the more devices used the better
To obtain strong authentication, the systems must use two or more authentication areas