Upload
cbchellani
View
23
Download
0
Embed Size (px)
DESCRIPTION
Computer Network Security
Citation preview
Computer Network SecurityP.S.Dhekne BARC
Presentation at SASTRA
OrganizationWhat is Security all about?What is at Risk?Why Risks Exist?General Threat PerceptionsSecurityData (local, Remote)CommunicationsSecure BackupNetwork Perimeter SecurityGeneral PolicyMin. Security EnforcementIntrusion Detection SystemCryptographic SecurityVPN: A RoadmapPoints for ActionEmergency Response Team
Presentation at SASTRA
INFORMATION SECURITY The information systems are known to be vulnerable to many threats like cyber crime, hacking and terrorism Regardless of whether the information has been stolen by the attacker or not, the security breaches and virus attacks result in adverse publicity to the organization. Thus issues like protection and security of the information systems have become greater concern.
Presentation at SASTRA
85% detected computer security breaches within the last twelve months. 64% acknowledged financial losses due to computer breaches. 36% reported the intrusions to law enforcement; a significant increase from 2000, when only 25% reported them.Some Harsh Facts : (IDC report)
Presentation at SASTRA
INFORMATION SECURITY Information & Network penetration do occur- from outsiders & insidersin spite of having various security measures such as Anti-virus, Firewalls, Routers There are two ways to attack computers- Gain physical access to machines & conduct physical attack- Attack by use of malicious software; Malware
Presentation at SASTRA
What is Security all about?Confidentiality:Protecting sensitive information from unauthorized disclosure or intelligible interception; Only seen by entities to whom it is addressedIntegrity:Not modified/destroyed in a unauthorized way; safeguarding the accuracy & completeness of information & softwareAccess Control:Access (computation, data, service) follows the prescribed policyAuthentication: Verifying the identity claimed
Presentation at SASTRA
What is Security All About?Availability:System accessible/usable on demandNonrepudiation:Protection against false denial of comm.Audit Trail:Chronological record of system activities to enable reconstruction/examination of environments/activities leading to an operation from inception to final results.Privacy:Breach of confidentiality is also invasion of privacy.Collecting a dossier based upon his activities - inferring habits, movements, expenditures Security Risk
Presentation at SASTRA
What is at Risk?Data, Time and MoneyObvious: deletion/modification of data Slowly modifying data so that breach is not discovered right awayUsing Service providers software (say a online brokers CD software) provides flexibility than by standard browsers. However it is a golden opportunity for an attacker with the knowledge of how that software works.
Presentation at SASTRA
What is at Risk? (Contd)2. ConfidentialityData disclosure is often overlooked riskA breach of confidentiality is much less likely to be discovered than the deletion of dataBest Defence: well-designed cryptographic protected system note that the data must be in the clear at some point (it is here attacker can get in )
Presentation at SASTRA
What is at Risk? (Contd)Privacy:One of the things that is risk in todays computerized and networked world.Resource Availability:Denial of Service attacks
Presentation at SASTRA
Why Risks Exist?Erroneous ProgramLack of prudent Software Engineering PracticesComplexity of software (millions of lines)Urgently developed Components of The Shelf (COTS)The user (Systems should be User proof!)Responsibility lies with the user (ignorance/non co-operation are problems)Security policy should convince the usersPoor AdministrationConfiguration, backup procedures, constant updates, monitoring, disaster recovery
Presentation at SASTRA
General Threat PerceptionsNetwork threatened by external running malicious scripts (Malware)Adversaries attempting access protected services, break into machines, snoop communications, collect statistics of transactions Insiders and outsidersDisasters (natural and man-made)
Presentation at SASTRA
Secure Storing of Data(Local Storage)Physical SecurityProtect machineLimit network accessMost secure (without external access)Suppose it falls into an adversaryAll the data can be obtained in the clearCryptographic Secure.Protects even if the m/c falls to adversaryOf course person having access can delete -- Hence, BACKUPData IntegrityCryptography: FragileSystem issues, user interfaces , Crypto-file servers
Presentation at SASTRA
Secure Storing of Data(Remote Storage)Need (also advantages!):Data protected from local disk failureSharing of filesCentralized administration and backupUse of diskless workstationsAdding Security: passwords, cryptography, access control lists, capabilitiesPhysical security (Key servers etc)
Presentation at SASTRA
Prevent what you cannot detect and detect what you cannot preventSecurity of the backup itselfBackup over a networkCryptographic encryptionKey serversIncremental BackupDeleting BackupsSecure Backup
Presentation at SASTRA
Secure CommunicationCryptographyEncryption/decryptionKey managementSession key protocolsPublic Key InfrastructuresCertificationDigital Signatures
Presentation at SASTRA
Replay PreventionReplay attacks are simple yet very effectiveRecords a message say from A to B, and later replays it to impersonate AAttack is effective as attacker need not decryptNeeds to be addressed regardless of layer chosen
Presentation at SASTRA
Network Perimeter Security(Protection from Outsiders)General (Policies to be enforced)Policies delineating appropriate and inappropriate behaviourSecurity Classification of data and Machines and enforce access controlsOnly required access to be given to insidersEnforce Physical security for file servers, secure nodes, key servers, authentication servers, backups etc.Audit Procedures (manual and automated)
Presentation at SASTRA
Network Perimeter Security(Min. Security Enforcement)External Access: One point access: Internet, Dialups (callbacks), Broadband, DSL, wireless ; violation only with cryptographic encryptionMinimum Standards for Hardware Software Standards: OS, Browsers, Compilers, Tools prefer open sourceSecure Configuration email, mobile agents/systems, only required ports to be open, restrictions on shell (corresponding to required security levels)Viruses (continuous protection)Denial of Service Protection
Presentation at SASTRA
Minimum Security (contd)Web Security: embarrassing quite often;Have Exit Control (ensures web modifications through authentication)Check Mirror sites periodicallyAuditing the usage and trafficBackup (automatic, mirroring, remote, ) and disaster recovery -- Perhaps use
Presentation at SASTRA
Intrusion Detection SystemsAttack detection, with automated responseDamage prevention and containmentTracing and isolation of attack origin pointsMimic hackers attacking networks (including ISPs) continuously highlighting dangerous infrastructure flaws that could cripple the system Leads to required Upgrades in SecurityLeads to next generation design of devices
Presentation at SASTRA
Certification: Key Servers, PKI InfrastructureNeeded securityVia parameters identified in the policyAuthenticated usage Computing DataBackup of Data and its integrity Onlineoffline
Presentation at SASTRA
Securing CommunicationTrusted sitesUse of public networkSecure channelsTransparent to users
Presentation at SASTRA
Virtual Private Network:VPNSecure use of public communication channel with
Off the shelf hardwareIP tunnelingSoftware encryption
Presentation at SASTRA
Basic VPNFixed encryption algorithmStatic keys per pair of sitesAn encrypting PC router per siteOff the shelf hardwareCustom softwareSecures communication between sites
Presentation at SASTRA
Managing the VPNIntroduce key serversManage dynamic keys on the networkCustomize encryption algorithmsInvolves software upgrades at each site.Provide a scalable management model
Presentation at SASTRA
Tighten Exit SecurityFake traffic on the linksReroute trafficInsulate from statistical inferences
Presentation at SASTRA
Internal SecurityIntroduce encryption within a siteInvolves software upgrades to the OS
Minimize damage from within (may be crypto fileservers)
Presentation at SASTRA
Points for actionPolicyAccess Control and LogEncryptionCertificationBackupTeamsRoutine Audit and Management StructureEmergency Response TeamDynamic IDS and Crypto-Systems Work
Presentation at SASTRA
Emergency Response TeamPlan Person on firecall and in-charge Reaction to security breach. Internal expertise If not alternatives Determine chain of command
Presentation at SASTRA
- Loss of data- Loss of server up time- Loss of user's productivity- Loss of moneyAverage cost per virus encounter US $ 2454How much protection is enough ?No one knows!!COST OF UNPROTECTED ENVIRONMENT
Presentation at SASTRA
Information Security Management System (ISMS)Organization SecurityPersonnel SecurityPhysical & Environmental securitySecurity PolicyAsset Classification & ControlAccess ControlCommunications & Operations ManagementSystem Development & Maint.Security Standard Compliance: IS 15150/27001
Presentation at SASTRA
Information Security ApproachSecure Network Design, Layered approach (Defense in Depth concept), SPF and Application firewallsHarden the Operating SystemUse Secure Applications with Secure ConfigurationsCentralized logging and MonitoringIntrusion Detection System (HIDS,NIDS)EncryptionLocal Vulnerability tests, self auditing
Presentation at SASTRA
Secured Multi-layered Network DesignNAT FirewallWWWserverInternetMailGateway
DNSserverInternal Email ServerCentralizedLog serverAnd SMSISDNExchangeISDN linesPCPC2 Mbps192.168.x.xPCPCRemote AccessServer10.x.x.x202.41.86.x Router/Firewall
IDSBrowsing PCsBrowsing PCsBrowsing PCsPROXYServerVia VPNIDSIDSDMZ
Presentation at SASTRA
SECURITY BUILDING BLOCKSAuthentication (passwords, biometric devices) Encryption - so that unauthorized user cannot make sense of the data even if he intercepts it.Access control - a policy by the organization to decide who has access to what.Key management - the properties of the encryption/decryption keys.Resource isolation- so that damage is contained.Network Perimeter Protection Firewall, NAT
Presentation at SASTRA
Use of Secure Software
Centralized Logging and Security Monitoring System
Web-Pages Integrity check module for Apache Web-ServerSecuring Web Server
Securing Mail-gateways
Securing DNS servers Use of Public Domain Firewalls, Proxy and NAT servers with value additions
Presentation at SASTRA
Intrusion Detection SystemHost Intrusion Detection SystemSecurity Monitoring System Developed at BARCNetwork Intrusion Detection SystemOpen Source SNORT IDS implemented with rule set customized for our environment.
Presentation at SASTRA
Web Based Security Monitoring & IDS BARC has developed a Web based Security Monitoring & Intrusion Detection System For monitoring security of routers, all Internet connected servers and related software packages on a continuous basis. This software tool can detect network attacks in real-time by analyzing various log files and known signatures It allows system administrator to take appropriate corrective action before any damage to information can be caused by setting an alarm.
Presentation at SASTRA
Central Administration & MonitoringTo ensure that IT Security policies within a organization are properly implemented, it is necessary to conduct periodic audits Need powerful automated tools forAuditingIntrusion detectionPerformance measurementAnd to find a variety of threats, vulnerabilities and advance warning for any penetration that might occur
Presentation at SASTRA
Centralized logging & Monitoring System All Internet Servers, routers logs are collected on centralized log serverLogs are parsed for abnormal events on Routers, Internet connected hostsAll incoming/outgoing mail archivedMail logs are parsed for generating Mail usage, abnormal event statisticsProxy server logs are parsed for generating proxy server usage statistics
Presentation at SASTRA
Presentation at SASTRA
The loss of data