CS 5950/6030 Network SecurityClass 24 (W, 10/26/05)
Leszek LilienDepartment of Computer Science
Western Michigan University
Based on Security in Computing. Third Edition by Pfleeger and Pfleeger.Using some slides courtesy of:
Prof. Aaron Striegel — at U. of Notre DameProf. Barbara Endicott-Popovsky and Prof. Deborah Frincke — at U. Washington
Prof. Jussipekka Leiwo — at Vrije Universiteit (Free U.), Amsterdam, The Netherlands
Slides not created by the above authors are © by Leszek T. Lilien, 2005Requests to use original slides for non-profit purposes will be gladly granted upon a written
request.
2
4. Protection in General-Purpose OSs...4.5. User Authentication ...
SKIPPING FOR NOW:5. Designing Trusted OSs6. Database Security
7. Security in Networks7.1. Network Concepts
a) Introductionb) The networkc) Mediad) Protocols—PART 1
Class 23
3
To help you with your network security projects, we’re skipping for now two chapters:
5. Designing Trusted OSs6. Database Security We’ll cover these chapters later.
4
7. Security in Networks Network attacks are critical problems due to:
Widespread use of networks Fast changes in network technology
We’ll discuss security issues in network Design / Development / Usage
Outline7.1. Network Concepts
7.2. Threats in Networks7.3. Network Security Controls7.4. Tools
7.4.1. Firewalls7.4.2. Intrusion Detection Systems7.4.3. Secure E-Mail
7.5. Conclusions
5
7.1. Network Concepts Outline
a) Introductionb) The networkc) Mediad) Protocols
e) Types of networksf) Topologiesg) Distributed systemsh) APIsi) Advantages of computing networks
6
Media (3)5) Infrared
Line-of-sight transmission Convenient for portable devices Typically used in protected space (an office)
6) Satellitea. Geosynchronous orbit (incl. geostationary orbit over
equator) Speeding satellite seems to be fixed over a point on earth
22,240 miles (35,786 km) orbit, period: 1 day For some communication apps, satellites are alternative
to intercontinental cables on the ocean bottom Good for TV Bad for telephones – Delay: earth-satellite-earth
b. Low earth orbit (LEO) Seen from earth as moving satellites
~95 miles (150 km) above the earth, period: 90 minutes
Cover~660 miles (1000 km) radius For full coverage require a satellite constellation
E.g., Iridium has 66 satellites
7
d. Protocols (1) Media independence – we don’t care what media
used for communications
Protocols provide abstract view of communications View in terms of users and data The ‘how’ details are hiden
Protocol stack – layered protocol architecture Each higher layer uses abstract view (what)
provided by lower layer (which hides the ‘how’ details) Each lower layer encapsulates higher layer (in an
‘envelope’ consisting of header and/or trailer)
Two popular protocol stacks:1) Open Systems Interconnection (OSI)2) Transmission Control Protocol / Internet Protocol
(TCP/IP)
8
Protocols (2)
1) ISO OSI Reference Model (ISO = Int’l Standards Organization)
OSILaye
r
Name Activity
7 Application User-level messages
6 Presentation
Standardized data appearance, blocking, text compression
5 Session Sessions/logical connections among parts of an app; msg sequencing, recovery
4 Transport Flow control, end-to-end error detection & correction, priority service
3 Network Routing, msg same-sized packets
2 Data Link Reliable data delivery over physical medium; transmission error recovery, packets same-sized frames
1 Physical Actual communication across physical medium; transmits bits
9
Protocols (7)
OSI is a conceptual model — not actual implementation
Shows all activities required for communication Would be to slow and inefficient with 7 layers
An example implementation: TCP/IP
11
4. Protection in General-Purpose OSs...4.5. User Authentication ...
SKIPPING FOR NOW:5. Designing Trusted OSs6. Database Security
7. Security in Networks7.1. Network Concepts—PART 1
a) Introductionb) The networkc) Mediad) Protocols—PART 1
d) Protocols—PART 2e) Types of networksf) Topologiesg) Distributed systemsh) APIsi) Advantages of computing networks
Class 23
Class 24
12
Protocols (8)
2) Transmission Control Protocol/Internet Protocol (TCP/IP)
Invented for what eventually became Internet Defined in terms of protocols not layers
but can be represented in terms of four layers: Application layer Host-to-host (e2e =end-to-end) transport layer Internet layer Physical layer
Actually not TCP/IP but:TCP/IP/UDP (user datagram protocol)
13
Protocols (9)
TCP/IP vs. OSI
OSI Laye
r
Name Activity
7 Application
User-level data
6 Presentation
Standardized data appearance
5 Session Logical connection among parts
4 Transport Flow control
3 Internet(Network)
Routing
2 Data Link Reliable data delivery
1 Physical Actual communication across physical medium
[cf. B. Endicott-Popovsky and D. Frincke]
14
Protocols (10)
TCP/IP
Layer Action Responsibilities
Application Prepare messages from user interaction
User interaction, addressing
Transport Convert messages to packets
Sequencing of packets, reliability (integrity), error correction
Internet Convert packets to datagrams
Flow control, routing
Physical Transmit datagrams as individual bits
Actual data communication
15
Protocols (11)
TCP packet includes: Sequence nr Acknowledgement nr connecting packets of a
session Flags Source port nr Destination port nr
Port – nr of a channel for communication for a particular (type of) application running on a computer
Examples of port-application pairs: 23 – Telnet (remote terminal connection) 25 – SMTP (e-mail) 80 – HTTP (web pages) 161 – SNMP (network mngmt)
App has a waiting process monitoring its port When port receives data, app performs service on it
16
Protocols (12)
UDP - user datagram protocol (connectionless) Faster and smaller than TCP
No error checking/correction 8 bytes of control info (vs. 24 bytes for TCP)
Uses IP => actually UDP/IP
Applications use application-level protocols - which, in turn, use TCP/IP or UDP/IPApps do not use TCP/IP or UDP/IP directly
Examples - cf. Table 7-3, p.379 (shows 4 protocol layers)
Examples of App Protocols using TCP/IP: SMTP (e-mail) / HTTP (web pages) / FTP (file transfer) /
Telnet (remote terminal connection)
Examples of App Protocols using UDP/IP: SNMP (network mngmt) / Syslog (entering log records)
/ Time (synchronizing network device time)
17
Protocols (13)
Network addressing scheme Address – unique identifier for a single point in the
network WAN addressing must be more standardized than
LAN addressing LAN addressing:
Each node has unique address E.g. = address of its NIC (network interface card)
Network admin may choose arbitrary addresses WAN addressing:
Most common: Internet addr. scheme – IP addresses 32 bits: four 8-bit groups In decimal: g1.g2.g3.g4 wher gi [0, 255]
E.g.: 141.218.143.10 User-friendly representation
E.g.: cs.wmich.edu (for 141.218.143.10)
18
Protocols (14)
Parsing IP addresses From right to left Rightmost part, known as top-level domain
E.g., .com, .edu, .net, .org,. gov, E.g., .us, .in, .pl Top-level domain controlled by Internet
Registrars IRs also control 2nd-level domains (e.g., wmich in
wmich.edu) IRs maintain tables of 2nd-level domains within
„their” top-level domains
Finding a service on Internet – e.g., cs.wmich.edu Host looking for a service queries one of tables at
IRs for wmich.edu Host finds numerical IP address for wmich.edu Using this IP address, host queries wmich.edu to get
from its table numerical address for cs.wmich.edu
19
Protocols (15)
Dissemination of routing information Each host knows all other hosts directly connected
to it Directly-connected => distance = 1 hop
Each host passes information about its directly connected hosts to all its neighbors
Example – Fig. 7-2 p.366 System 1 (S1) informs S2 that S1 is 1 hop away
from Clients A, B, and C S2 notifies S3 that S2 is 2 hops away from A, B, C S3 notifes S2 that S3 is 1 hop away from D, E
and S4 S2 notifies S1 that S2 is 2 hops away from D, E
and S4 Etc., etc.
20
e. Types of networks LANs
Small - < 100 users / within 3 km Locally controlled – by a single organization Physically protected – no public access to its nodes Limited scope – supports a single group, dept, project, etc.
WANs Single control of the whole network Covers wide area – even the whole globe Physically exposed – use public communication media
Internetworks (Internets) Internetwork = network of networks A.k.a. internet (lower case „i”) Most popular, largest internet: the Internet (upper case „I”!)
Internet Society controls (loosely) the Internet – basic rules
Internet is: federation / enormous / heterogeneous / exposed
21
f. Topologies Topology can affect security Topologies:
Common bus – Fig.7-11a Convenient for LAN All msgs accessible to every node
Star / Hub – Fig.7-11b Central „traffic controller” (TC) node
TC can easily monitor all traffic TC can defeat covert channels
Msg read only by TC and destination Unique path between any 2 nodes
Ring – Fig.7-11c All msgs accessible to many node
All between source S and destination D on one of the 2 paths between S and D
No central control Natural fault tolerance – 2 paths between any S-D pair
22
g. Distributed systems Distributed system = system in which computation is
spread across ≥ 2 computers Uses multiple, independent, physically separated
computers Computers connected directly / via network
Types of DS include: Client-server systems
Clients request services from servers Peer-to-peer systems
Collection of equals – each is a client and a server
Note:Servers usually protect themselves fr. hostile clientsClients should also protect themselves – fr. rogue servers
23
h. APIs API (Application Programming Interface) = definition
of interfaces to modules / systems Facilitate component reuse Facilitate using remote services
GSSAPI (Generic Security Services API) = template for many kinds of security services that a routine could provide
Template independent of mechanisms, implementation, etc.
Callers need credentials to use GSSAPI routines
CAPI (Cryptographic API) = Microsoft API for cryptographic services
Independent of implementation, etc.
24
i. Advantages of computing networks
Networks advantages include: Resource sharing
For efficient use of common resources Afffordability of devices that individual users could not
afford Workload distribution
Can shift workload to less occupied machines Increased reliability
„Natural” fault tolerance due to redundancy of most of network resources
Easy expandability Can add nodes easily
Top Related