PAN African e-Network Project PGDIT Networking Fundamentals Semester - II Session - 7 Mr. Kunal Gupta


PAN African e-Network Project

PGDIT

Networking Fundamentals
Semester - II

Session - 7

Mr. Kunal Gupta

Session Objective:

At the end of this session students should be able to understand the basic concepts of computer network security.

Lecture Schedule: Networking

Session Number   Module Covered
01               Module-1 & Module-2
02               Module-3
03               Module-4
04               Module-5
05               Module-6
06               Module-7
07               Module-8

Network Management Systems

• Collection of tools for network monitoring and control, integrated in these ways:
  – A single user-friendly operator interface for performing most or all network management tasks
  – A minimal amount of separate equipment

• Consists of incremental hardware and software additions implemented among existing network components

• Designed to view the entire network as a unified architecture, and provide regular feedback of status information to the network control center

Network Management System Architecture

Components of the NMS

• All nodes run the Network Management Entity (NME) software

• Network control host or manager runs the Network Management Application (NMA)

• Other nodes are considered agents

Network Management Entity

• Collection of software contained in each network node, devoted to the network management task
• Performs the following tasks:
  – Collect statistics on communications and network-related activities
  – Store statistics locally
  – Respond to commands from the network control center
  – Send messages to the NCC when local conditions undergo a significant change

Simple Network Management Protocol (SNMP)

• Originally developed for use as a network management tool for networks and internetworks operating TCP/IP.

• A collection of specifications that include the protocol itself, the definition of a database, and associated concepts.

• Network Management Model
  – Management station
  – Agent
  – Management information base
  – Network management protocol

• SNMP is a tool (protocol) that allows for remote and local management of items on the network including servers, workstations, routers, switches and other managed devices.

• Comprised of agents and managers
  – Agent: a process running on each managed node, collecting information about the device it is running on.
  – Manager: a process running on a management workstation that requests information about devices on the network.

Client Pull & Server Push

• SNMP is a “client pull” model: the management system (client) “pulls” data from the agent (server).

• SNMP is also a “server push” model: the agent (server) “pushes” out a trap message to a (client) management system.

The Three Parts of SNMP

SNMP network management is based on three parts:

• Structure of Management Information (SMI)
  – Rules specifying the format used to define objects managed on the network that the SNMP protocol accesses

• Management Information Base (MIB)
  – A map of the hierarchical order of all managed objects and how they are accessed

• SNMP Protocol
  – Defines the format of messages exchanged by management systems and agents
  – Specifies the Get, GetNext, Set, and Trap operations

To manage the network, SNMP relies on two further specifications besides the protocol itself: SMI and MIB.

Nodes

Items in an SNMP network are called nodes. There are different types of nodes:

• Managed nodes: typically run an agent process that services requests from a management node

• Management nodes: typically a workstation running some network management & monitoring software

• Nodes that are not manageable by SNMP: a node may not support SNMP, but may be manageable by SNMP through a proxy agent running on another machine

Nodes can be both managed nodes and a management node at the same time (typically this is the case, since you want to be able to manage the workstation that your management application is running on.)

SNMP Agents

Two basic designs of agents:

• Extendible Agents
  – Open, modular design allows for adaptations to new management data and operational requirements

• Monolithic Agents
  – Not extendible
  – Optimized for a specific hardware platform and OS
  – This optimization results in less overhead (memory and system resources) and quicker execution

Proxy & Gateway Agents

Proxy & Gateway Agents extend the capabilities of SNMP by allowing it to:

• Manage a device that cannot support an SNMP agent
• Manage a device that supports a non-SNMP management agent
• Allow a non-SNMP management system to access an SNMP agent
• Provide firewall-type security to other SNMP agents (UDP packet filtering)
• Translate between different formats of SNMP messages (v1 and v2)
• Consolidate multiple managed nodes into a single network address (also to provide a single trap destination)

Four Basic Operations

• Get: retrieves the value of a MIB variable stored on the agent machine (integer, string, or address of another MIB variable)

• GetNext: retrieves the value of the next lexical MIB variable

• Set: changes the value of a MIB variable

• Trap: an unsolicited notification sent by an agent to a management application (typically a notification of something unexpected, like an error)

Traps

• Traps are unrequested event reports that are sent to a management system by an SNMP agent process
• When a trappable event occurs, a trap message is generated by the agent and is sent to a trap destination (a specific, configured network address)
• Many events can be configured to signal a trap, like a network cable fault, a failing NIC or hard drive, a “General Protection Fault”, or a power supply failure
• Traps can also be throttled -- you can limit the number of traps sent per second from the agent
• Traps have a priority associated with them -- Critical, Major, Minor, Warning, Marginal, Informational, Normal, Unknown
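As an added illustration of the four operations and of trap throttling (example code written for this page, not part of the lecture or of any SNMP implementation), here is a toy in-memory agent; its MIB contents, writable set and the trap destination 192.0.2.10 are constructed. GetNext answers in numeric OID order, Set is refused for objects the agent marks read-only, and traps are rate-limited per second as the slide describes.

```python
from bisect import bisect_right
from collections import deque

# Constructed MIB view (MIB-II object names). OIDs are int tuples so the
# "next" variable is found in numeric lexicographic order: ifDescr.2 must
# precede ifDescr.10, which a plain string sort gets wrong ("10" < "2").
SAMPLE_MIB = {
    (1, 3, 6, 1, 2, 1, 1, 1, 0): "constructed router",   # sysDescr.0
    (1, 3, 6, 1, 2, 1, 1, 3, 0): 123456,                 # sysUpTime.0
    (1, 3, 6, 1, 2, 1, 1, 5, 0): "edge-rtr-01",          # sysName.0
    (1, 3, 6, 1, 2, 1, 2, 2, 1, 2, 2): "eth0",           # ifDescr.2
    (1, 3, 6, 1, 2, 1, 2, 2, 1, 2, 10): "eth1",          # ifDescr.10
}
WRITABLE = {(1, 3, 6, 1, 2, 1, 1, 5, 0)}   # only sysName is read-write here

def parse_oid(text): return tuple(int(p) for p in text.strip(".").split("."))
def oid_str(oid): return ".".join(map(str, oid))

class Agent:
    """Agent side: answers Get / GetNext / Set against its MIB view."""
    def __init__(self, mib, writable):
        self.mib, self.writable = dict(mib), set(writable)
        self.order = sorted(self.mib)          # lexicographic OID order
    def get(self, oid_text):
        """Get: exact lookup; None models a noSuchName error."""
        return self.mib.get(parse_oid(oid_text))
    def get_next(self, oid_text):
        """GetNext: first variable strictly after the given OID, or None."""
        i = bisect_right(self.order, parse_oid(oid_text))
        if i == len(self.order):
            return None                        # end of MIB view
        return oid_str(self.order[i]), self.mib[self.order[i]]
    def set(self, oid_text, value):
        """Set: refused unless the object is writable in this agent's view."""
        oid = parse_oid(oid_text)
        if oid not in self.writable:
            return False
        self.mib[oid] = value
        return True
    def walk(self, prefix_text):
        """Manager side: enumerate a subtree by repeated GetNext calls."""
        prefix, out, cur = parse_oid(prefix_text), [], prefix_text
        while True:
            step = self.get_next(cur)
            if step is None or parse_oid(step[0])[:len(prefix)] != prefix:
                return out                     # left the subtree (or MIB end)
            out.append(step)
            cur = step[0]

class TrapSender:
    """Agent side: unsolicited traps to one destination, throttled per second."""
    PRIORITIES = ("Critical", "Major", "Minor", "Warning",
                  "Marginal", "Informational", "Normal", "Unknown")
    def __init__(self, destination, max_per_second):
        self.destination, self.limit = destination, max_per_second
        self.window, self.sent, self.dropped = deque(), [], 0
    def send(self, priority, text, now):
        """Emit a trap at time `now` (seconds); False means throttled."""
        if priority not in self.PRIORITIES:
            raise ValueError(priority)
        while self.window and now - self.window[0] >= 1.0:
            self.window.popleft()              # forget sends older than 1 s
        if len(self.window) >= self.limit:
            self.dropped += 1
            return False
        self.window.append(now)
        self.sent.append((self.destination, priority, text))
        return True
```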

How does SNMP work?

Networking Security

Objectives

• Define the role of the Internetwork Operating System (IOS).

• Use Cisco CLI commands to perform basic router and switch configuration and verification.

• Given a network addressing scheme, select, apply, and verify appropriate addressing parameters to a host.

• Use common utilities to verify network connectivity between hosts.

• Use common utilities to establish a relative performance baseline for the network.

Computer Security Concepts

• Integrity - Assets can be modified by authorized parties only

• Availability - Assets are available to authorized parties

• Confidentiality - Requires that information in a computer system only be accessible by authorized parties. Individuals set their own privacy requirements.

Additional requirements:

• Authenticity - Requires that a computer system be able to verify the identity of a user

• Accountability - Requires the detection and tracing of a security breach to a responsible party.

Computer Security: The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources (i.e. hardware, software, firmware, information/data, and telecommunications)

Security

• Security is a fundamental component of every network design. When planning, building, and operating a network, you should understand the importance of a strong security policy.

• A security policy defines what people can and can't do with network components and resources

Security Threats to Assets

What is Security

• Security activities are based on 3 types of actions:
  – Prevent: Put protection measures/systems in place to protect assets and prevent unauthorized access.
  – Detect: Detect if an asset has been compromised, when, by whom, and gather information on the type of breach committed, the activities and the evidence logs.
  – Act/React: Take measures to recover from an attack and prevent the same type of attack, or stop an attack in progress.

Types of security

Computer Security: The application of hardware, firmware and software security features to a computer system in order to protect against, or prevent, the unauthorized disclosure, manipulation, deletion of information.

- Scope: usually limited to a single computer
- Protection from: the “bad guys”
- Examples of problems:
  • Viruses and Trojans
  • Key loggers
  • Unauthorized tampering

Information Security: The protection of information against unauthorized disclosure, transfer, modification, or destruction, whether accidental or intentional.

- Scope: the entire application, even across a network
- Protection from:
  • The “bad guys”
  • Careless good guys
  • Loopholes in security policies
- Examples of problems:
  • Badly designed applications
  • Unsecured databases


Types of security

Network Security: Protection of networks and their services from unauthorized modification, destruction, or disclosure. It provides assurance the network performs its critical functions correctly and there are no harmful side-effects.

- Scope: network components and applications
- Protection from: the “bad guys”
- Examples of problems:
  • Viruses and worms: Code Red, SoBig, Blaster
  • Denial of Service (DoS) attacks
  • Distributed Denial of Service (DDoS) attacks

Framework for Attacks

Attacks

• Physical Access Attacks
  – Wiretapping
  – Server Hacking
  – Vandalism (Damage)

• Dialog Attacks
  – Eavesdropping
  – Impersonation
  – Message Alteration

• Penetration Attacks (Access)
  – Social Engineering
    • Opening Attachments
    • Password Theft
    • Information Theft
  – Scanning (Probing)
  – Break-in
  – Denial of Service (Rejection)
  – Malware
    • Viruses
    • Worms

Attacks and Defenses

• Physical Attacks: Access Control
  – Access control is the body of strategies and practices that a company uses to prevent improper access
  – Prioritize assets
  – Specify access control technology and procedures for each asset
  – This can be electronic: use access control to prevent certain traffic in
  – This can be physical: use locks to prevent physical access to devices.
• If an attacker gains physical access to a device: that device IS (or should be considered) compromised (in danger).
  – Test the protection.

Attacks and Defenses

• Social Engineering
  – Tricking an employee into giving out information or taking an action that reduces security or harms a system
  – Opening an e-mail attachment that may contain a virus
  – Asking for a password, claiming to be someone with rights to know it
  – Asking for a file to be sent to you

Attacks and Defenses

• Social Engineering Defenses
  – Training
  – Enforcement through permission
  – Punishment

Attacks and Defenses

• Dialog Attacks and Defenses
  – Eavesdropping (Listening)
  – Encryption for Confidentiality
  – Imposters and Authentication

Eavesdropping on a Dialog

Figure: Client PC (Bob) and Server (Alice) exchange a dialog (“Hello”); the attacker (Eve) intercepts and reads the messages.

Encryption for Confidentiality

Figure: Client PC (Bob) sends the original message “Hello” as the encrypted message “100100110001” to Server (Alice), who decrypts it back to “Hello”; the attacker (Eve) intercepts the encrypted message but cannot read it.

Impersonation and Authentication

Figure: The attacker (Eve) tells Server (Alice) “I’m Bob”; Alice answers “Prove it!” (authenticate yourself) before treating the sender as Client PC (Bob).

Message Alteration

Figure: Client PC (Bob) sends “Balance = $1” to Server (Alice); the attacker (Eve) intercepts and alters the message, so Alice receives “Balance = $1,000,000”.

Secure Dialog System

Figure: A secure dialog between Client PC (Bob) and Server (Alice). The attacker cannot read messages, alter messages, or impersonate. The system automatically handles negotiation of the security options: authentication, encryption and integrity.

Network Penetration (Access) Attacks and Firewalls

Figure: An attack packet sent by the attacker over the Internet reaches the Internet firewall, which drops it and records it in the log file; a legitimate packet is passed through to the hardened client PC and hardened server on the internal corporate network.

Scanning (Probing) Attacks

Figure: The attacker on the Internet sends probe packets to 172.16.99.1, 172.16.99.2, etc. on the corporate network. Host 172.16.99.1 replies; there is no host at 172.16.99.2, so there is no reply. Results: 172.16.99.1 is reachable, 172.16.99.2 is not reachable, …

Single-Message Break-In Attack

Figure: 1. The attacker sends a single break-in packet. 2. The server is taken over by that single message.

Denial-of-Service (DoS) Flooding Attack

Figure: The attacker sends a message flood; the server is overloaded by the message flood.

Intrusion Detection System (IDS)

Figure: 1. A suspicious packet arrives from the attacker over the Internet. 2. The suspicious packet is passed on to the hardened server on the corporate network. 3. The intrusion detection system logs the suspicious packet to the log file. 4. The IDS raises an alarm to the network administrator.

Types of attack

• Classes of attack might include passive monitoring of communications, active network attacks, close-in attacks, exploitation by insiders, and attacks through the service provider. Information systems and networks offer attractive targets and should be resistant to attack from the full range of threat agents, from hackers to nation-states. A system must be able to limit damage and recover rapidly when attacks occur. There are five types of attack:

Passive Attack

• A passive attack monitors unencrypted traffic and looks for clear-text passwords and sensitive information that can be used in other types of attacks. Passive attacks include traffic analysis, monitoring of unprotected communications, decrypting weakly encrypted traffic, and capturing authentication information such as passwords. Passive interception of network operations enables adversaries to see upcoming actions. Passive attacks result in the disclosure of information or data files to an attacker without the consent or knowledge of the user

Active Attack

• In an active attack, the attacker tries to bypass or break into secured systems. This can be done through stealth, viruses, worms, or Trojan horses. Active attacks include attempts to circumvent or break protection features, to introduce malicious code, and to steal or modify information. These attacks are mounted against a network backbone, exploit information in transit, electronically penetrate an enclave, or attack an authorized remote user during an attempt to connect to an enclave. Active attacks result in the disclosure or dissemination of data files, DoS, or modification of data.

Levels of security

• Physical security
• Access controls
• Security in log-in
• Firewall
• Proxy server

Physical

• Threats to physical security include:
  – Interruption of services
  – Theft
  – Physical damage
  – Unauthorized disclosure
  – Loss of system integrity

Access Control

• The goal of access control is to prevent attackers from gaining access, and to stop them if they do.

• The best way to accomplish this is to:
  – Determine who needs access to the resources located on the server.
  – Decide the access permissions for each resource.
  – Implement specific access control policies for each resource.
  – Record mission-critical resources.
  – Harden the server against attacks.
  – Disable invalid accounts and establish policies.

Firewalls

• Firewalls are designed to protect you from outside attempts to access your computer, either for the purpose of eavesdropping on your activities, stealing data, sabotage, or using your machine as a means to launch an attack on a third party.

Firewalls (Cont.)

• Hardware
  – Provides a strong degree of protection from the outside world.
  – Can be effective with little or no setup
  – Can protect multiple systems

• Software
  – Better suited to protect against Trojans and worms.
  – Allows you to configure the ports you wish to monitor, giving you finer control.
  – Protects a single system.

Firewalls

• Can prevent
  – Discovery
    • Network
    • Traceroute
  – Penetration
    • Synflood
    • Garbage
    • UDP Ping
    • TCP Ping
    • Ping of Death

Proxy

• A proxy server is a buffer between your network and the outside world.

• Use an anonymous Proxy to prevent attacks.

IPSec

• Provides various security services for traffic at the IP layer

• These security services include
  – Authentication
  – Integrity
  – Confidentiality

Classical Encryption Techniques

• As opposed to modern cryptography
• Goals:

– to introduce basic concepts & terminology of encryption

– to prepare us for studying modern cryptography

Basic terminology

• Plaintext: original message to be encrypted

• Ciphertext: the encrypted message

• Enciphering or encryption: the process of converting plaintext into ciphertext

• Encryption algorithm: performs encryption

– Two inputs: a plaintext and a secret key

Symmetric Cipher Model

• Deciphering or decryption: recovering plaintext from ciphertext

• Decryption algorithm: performs decryption
  – Two inputs: ciphertext and secret key

• Secret key: same key used for encryption and decryption
  – Also referred to as a symmetric key

• Cipher or cryptographic system : a scheme for encryption and decryption

• Cryptography: science of studying ciphers

• Cryptanalysis: science of studying attacks against cryptographic systems

• Cryptology: cryptography + cryptanalysis

Ciphers

• Symmetric cipher: same key used for encryption and decryption

– Block cipher: encrypts a block of plaintext at a time (typically 64 or 128 bits)

– Stream cipher: encrypts data one bit or one byte at a time

• Asymmetric cipher: different keys used for encryption and decryption

Symmetric Encryption

• Or conventional / secret-key / single-key
• Sender and recipient share a common key
• All classical encryption algorithms are symmetric
• The only type of cipher prior to the invention of asymmetric-key ciphers in the 1970’s
• By far the most widely used

Symmetric Encryption

• Mathematically:
  Y = E_K(X) or Y = E(K, X)
  X = D_K(Y) or X = D(K, Y)

• X = plaintext
• Y = ciphertext
• K = secret key
• E = encryption algorithm
• D = decryption algorithm
• Both E and D are known to the public

Cryptanalysis

• Objective: to recover the plaintext of a ciphertext or, more typically, to recover the secret key.

• Kerckhoffs’s principle: the adversary knows all details about a cryptosystem except the secret key.

• Two general approaches:
  – brute-force attack
  – non-brute-force attack (cryptanalytic attack)

Brute-Force Attack

• Try every key to decipher the ciphertext.
• On average, need to try half of all possible keys
• Time needed is proportional to the size of the key space

Key Size (bits)              Number of Alternative Keys   Time required at 1 decryption/µs       Time required at 10^6 decryptions/µs
32                           2^32 = 4.3 × 10^9            2^31 µs = 35.8 minutes                 2.15 milliseconds
56                           2^56 = 7.2 × 10^16           2^55 µs = 1142 years                   10.01 hours
128                          2^128 = 3.4 × 10^38          2^127 µs = 5.4 × 10^24 years           5.4 × 10^18 years
168                          2^168 = 3.7 × 10^50          2^167 µs = 5.9 × 10^36 years           5.9 × 10^30 years
26 characters (permutation)  26! = 4 × 10^26              2 × 10^26 µs = 6.4 × 10^12 years       6.4 × 10^6 years

Cryptanalytic Attacks

• May be classified by how much information is needed by the attacker:
  – Ciphertext-only attack

– Known-plaintext attack

– Chosen-plaintext attack

– Chosen-ciphertext attack

Example: chosen-plaintext attack

• In 1942, US Navy cryptanalysts discovered that Japan was planning an attack on “AF”.
• They believed that “AF” meant Midway Island.
• The Pentagon didn’t think so.
• US forces in Midway sent a plain message that their freshwater supplies were low.
• Shortly after, the US intercepted a Japanese ciphertext saying that “AF” was low on water.
• This proved that “AF” is Midway.

Chosen-ciphertext attack

• Given: (m1,c1), (m2,c2), …, (mk,ck), where c1, c2, …, ck are chosen by the adversary; and a new ciphertext c.

• Q: what is the plaintext of c, or what is the secret key?

Classical Ciphers

• Plaintext is viewed as a sequence of elements (e.g., bits or characters)

• Substitution cipher: replacing each element of the plaintext with another element.

• Transposition (or permutation) cipher: rearranging the order of the elements of the plaintext.

• Product cipher: using multiple stages of substitutions and transpositions

Caesar Cipher

• Earliest known substitution cipher
• Invented by Julius Caesar
• Each letter is replaced by the letter three positions further down the alphabet.
• Plain:  a b c d e f g h i j k l m n o p q r s t u v w x y z
  Cipher: D E F G H I J K L M N O P Q R S T U V W X Y Z A B C

• Example: ohio state → RKLR VWDWH

Caesar Cipher

• Mathematically, map letters to numbers:
  a, b, c, ..., x, y, z
  0, 1, 2, ..., 23, 24, 25

• Then the general Caesar cipher is:
  c = E_K(p) = (p + k) mod 26
  p = D_K(c) = (c - k) mod 26

• Can be generalized with any alphabet.

Cryptanalysis of Caesar Cipher

• Key space: {0, 1, ..., 25}
• Vulnerable to brute-force attacks.
• E.g., break ciphertext “UNOU YZGZK”
• Need to recognize the plaintext when we have it
• What if the plaintext is written in Swahili?
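Added example for the two slides above (written for this page, not from the lecture): the Caesar formulas c = (p + k) mod 26 and p = (c - k) mod 26, and a brute-force break of “UNOU YZGZK” that ranks the 26 candidate plaintexts by how well their letters match a language frequency table. The table is an approximate one for English; the slide’s Swahili question is exactly the case where a different table would be passed in.

```python
import string

ALPHABET = string.ascii_lowercase

# Approximate relative frequencies (%) of letters in English text. A table for
# another language (the slide's Swahili question) would be passed in its place.
ENGLISH_FREQ = {
    "a": 8.2, "b": 1.5, "c": 2.8, "d": 4.3, "e": 12.7, "f": 2.2, "g": 2.0,
    "h": 6.1, "i": 7.0, "j": 0.15, "k": 0.8, "l": 4.0, "m": 2.4, "n": 6.7,
    "o": 7.5, "p": 1.9, "q": 0.1, "r": 6.0, "s": 6.3, "t": 9.1, "u": 2.8,
    "v": 1.0, "w": 2.4, "x": 0.15, "y": 2.0, "z": 0.07,
}

def shift(text, k):
    """Apply (letter + k) mod 26 to each letter; other characters pass through."""
    out = []
    for ch in text.lower():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + k) % 26])
        else:
            out.append(ch)
    return "".join(out)

def encrypt(plaintext, k):
    """c = E_K(p) = (p + k) mod 26; ciphertext in capitals as on the slide."""
    return shift(plaintext, k).upper()

def decrypt(ciphertext, k):
    """p = D_K(c) = (c - k) mod 26."""
    return shift(ciphertext, -k)

def language_score(text, freq=ENGLISH_FREQ):
    """Crude 'reads like this language' score: the sum of the expected
    frequency of each letter, so output rich in e, t, a, o, ... scores highest."""
    return sum(freq.get(ch, 0.0) for ch in text.lower())

def brute_force(ciphertext, freq=ENGLISH_FREQ):
    """Try all 26 keys and rank the candidate plaintexts by language_score.
    Returns (best_key, best_plaintext, ranked) so an analyst can still inspect
    the runners-up; the ranking is the 'recognize the plaintext' step."""
    ranked = sorted(((language_score(decrypt(ciphertext, k), freq), k,
                      decrypt(ciphertext, k)) for k in range(26)), reverse=True)
    _, best_key, best_plaintext = ranked[0]
    return best_key, best_plaintext, ranked
```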

Mono alphabetic Substitution Cipher

• Shuffle the letters and map each plaintext letter to a different random ciphertext letter:

Plain letters:  abcdefghijklmnopqrstuvwxyz
Cipher letters: DKVQFIBJWPESCXHTMYAUOLRGZN

Plaintext:  ifwewishtoreplaceletters
Ciphertext: WIRFRWAJUHYFTSDVFSFUUFYA

• What does a key look like?

Mono alphabetic Cipher Security

• Now we have a total of 26! = 4 × 10^26 keys.
• With so many keys, it is secure against brute-force attacks.
• But not secure against some cryptanalytic attacks.
• The problem is language characteristics.

Language Statistics and Cryptanalysis

• Human languages are not random.

• Letters are not equally frequently used.

• In English, E is by far the most common letter, followed by T, R, N, I, O, A, S.

• Other letters like Z, J, K, Q, X are fairly rare.

• There are tables of single, double & triple letter frequencies for various languages

English Letter Frequencies

Statistics for double & triple letters

• In decreasing order of frequency

• Double letters: th he an in er re es on, …

• Triple letters: the and ent ion tio for nde, …

Use in Cryptanalysis

• Key concept: monoalphabetic substitution does not change relative letter frequencies

• To attack, we
  – calculate letter frequencies for the ciphertext
  – compare this distribution against the known one

Example Cryptanalysis

• Given ciphertext:
  UZQSOVUOHXMOPVGPOZPEVSGZWSZOPFPESXUDBMETSXAIZVUEPHZHMDZSHZOWSFPAPPDTSVPQUZWYMXUZUHSXEPYEPOPDZSZUFPOMBZWPFUPZHMDJUDTMOHMQ

• Count relative letter frequencies (see next page)
• Guess {P, Z} = {e, t}
• Of double letters, ZW has the highest frequency, so guess ZW = th and hence ZWP = the
• Proceeding with trial and error, finally get:

  it was disclosed yesterday that several informal but direct contacts have been made with political representatives of the viet cong in moscow

Letter frequencies in ciphertext

P 13.33   H 5.83   F 3.33   B 1.67   C 0.00
Z 11.67   D 5.00   W 3.33   G 1.67   K 0.00
S  8.33   E 5.00   Q 2.50   Y 1.67   L 0.00
U  8.33   V 4.17   T 2.50   I 0.83   N 0.00
O  7.50   X 4.17   A 1.67   J 0.83   R 0.00
M  6.67
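Added example for the frequency-analysis walk-through above (written for this page; the ciphertext and the recovered plaintext are the slide’s): it recounts the letter and digram frequencies behind the table, applies the partial guesses {P: e, Z: t, W: h}, and checks that the recovered plaintext implies one consistent substitution key.

```python
from collections import Counter

# The slide's ciphertext and its recovered plaintext (spaces removed).
CIPHERTEXT = ("UZQSOVUOHXMOPVGPOZPEVSGZWSZOPFPESXUDBMETSXAIZVUEPHZHMDZSHZOWSFPAPPDTSVPQ"
              "UZWYMXUZUHSXEPYEPOPDZSZUFPOMBZWPFUPZHMDJUDTMOHMQ")
PLAINTEXT = ("itwasdisclosedyesterdaythatseveralinformalbutdirectcontactshavebeen"
             "madewithpoliticalrepresentativesofthevietconginmoscow")

def letters_only(text):
    return [c for c in text.upper() if c.isalpha()]

def letter_frequencies(text):
    """Relative frequency (%) of each ciphertext letter, most common first;
    reproduces the slide's table (P 13.33, Z 11.67, ...)."""
    letters = letters_only(text)
    counts = Counter(letters)
    return [(c, round(100.0 * n / len(letters), 2)) for c, n in counts.most_common()]

def digram_frequencies(text):
    """Counts of adjacent letter pairs, most common first (ZW is in the top group)."""
    letters = letters_only(text)
    return Counter(a + b for a, b in zip(letters, letters[1:])).most_common()

def apply_key(text, guesses):
    """Substitute guessed cipher->plain letters (lowercase); unsolved letters stay
    uppercase so the analyst can see which positions are still open."""
    return "".join(guesses.get(c, c) for c in text.upper())

def derive_key(ciphertext, plaintext):
    """Align a solved plaintext with its ciphertext and return the full mapping,
    refusing it if one cipher letter would have to stand for two plain letters."""
    key = {}
    for c, p in zip(letters_only(ciphertext), plaintext.lower()):
        if key.setdefault(c, p) != p:
            raise ValueError(f"inconsistent mapping for {c}")
    return key
```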

Thank You

Please forward your query to: [email protected], [email protected]