CPE 5002 Network security
Look at the surroundings before you leap
CPE5002 Network Security/
Srini
3
Lecturers
Prof B Srinivasan – 990 32333, C4.47 [email protected]
Mr Pravin Shetty – 990 31945, B3.35 [email protected]
Guest Lecturers – Dr Le and Mr C Wilson
Topics
Basic principles (Access Control / Authentication / Models of threat & Practical Countermeasures).
Security issues over LANs & WANs [Earlier Models & Current Solutions].
Public key encryption / PKI / Digital signatures / Kerberos.
Unix security [Internet = TCP/IP Security—VPNs/Firewalls].
Intrusion detection systems.
Security in E-Commerce and banking, including WWW, EDI, EFT, ATM.
Rules of the game (1)
11 weeks of lectures
Assignment – written and a presentation of 15-20 minutes
– Weightage: 40%
– Presentation: during weeks 12 and 13
Examination:
– Week 14
– Weightage: 60%
– Assignment presentation topics are included in the examination assessment.
Rules of the game (2)
References:
– Computer Security—Dieter Gollmann
– Network and Internetwork Security—William Stallings
– Open Systems Networking—David M Piscitello / A Lyman Chapin
No formal tutorial for this subject.
Where to look for notes materials?
http://beast.csse.monash.edu.au/cpe5002
Username: cpe5002 Password: srini
Today’s lecture is
Domain of network security
Taxonomy of security attacks
Aims or services of security
Model of internetwork security
Methods of defence
Security
Human nature
– physical, financial, mental, …, data and information security
Information Security
1. Shift from physical security to the protection of data and to thwarting hackers (by means of automated software tools) – called computer security
Network Security
2. The widespread use of distributed systems, and of networks and communications, requires protection of data during transmission – called network security
Internetwork security
The term "network security" may be misleading, because virtually all business, government, and academic organisations interconnect their data processing equipment with a collection of interconnected networks – we should probably call it internetwork security
Aspects of information security
Security attack – any action that compromises the security of information.
Security mechanism – a mechanism to detect, prevent, or recover from a security attack.
Security service – a service that enhances security and counters security attacks.
Security mechanisms
No single mechanism can provide the services mentioned in the previous slide. However, one particular aspect that underlies most (if not all) security mechanisms is cryptographic techniques.
Encryption or encryption-like transformations of information are the most common means of providing security.
Why Internetwork Security?
Internetwork security is not as simple as it might first appear.
In developing a particular security measure, one has to consider potential countermeasures.
Because of the countermeasures, the problem itself becomes complex.
Once you have designed the security measure, it is necessary to decide where to use it.
Security mechanisms usually involve more than a particular algorithm or protocol.
Security Attacks - Taxonomy
Interruption – attack on availability
Interception – attack on confidentiality
Modification – attack on integrity
Fabrication – attack on authenticity
(The right-hand term is the property that is compromised.)
Interruption
Also known as denial of service.
Information resources (hardware, software and data) are deliberately made unavailable, lost or unusable, usually through malicious destruction.
e.g. cutting a communication line, disabling a file management system, etc.
Interception
Also known as unauthorised access.
Difficult to trace, as no traces of intrusion might be left.
e.g. illegal eavesdropping or wiretapping or sniffing, illegal copying.
Modification
Also known as tampering with a resource.
Resources can be data, programs, hardware devices, etc.
Fabrication
Also known as counterfeiting.
Allows the authenticity checks to be bypassed.
e.g. insertion of spurious messages in a network, adding a record to a file, counterfeit bank notes, fake cheques, …
Security Attacks - Taxonomy
[Figure: flow from Information Source to Information Destination, shown for five cases: Normal, Interruption, Interception, Modification, Fabrication]
Attacks – Passive types
Passive (interception) – eavesdropping on, monitoring of, transmissions.
The goal is to obtain information that is being transmitted.
Types here are: release of message contents and traffic analysis.
Attacks – Active types
Involve modification of the data stream or creation of a false stream, and can be subdivided into masquerade, replay, modification of messages and denial of service.
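An added example, not part of the original slides: a receiver that counters three of the active attack types listed above (modification, fabrication/masquerade and replay) with a message authentication code plus a sequence number. The key, frame layout and names (protect, Receiver) are assumptions made for illustration; the scheme gives no confidentiality and does not address denial of service.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"  # constructed shared secret (assumption)

def protect(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender: frame = 8-byte sequence number || payload || HMAC-SHA256 tag."""
    body = struct.pack(">Q", seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()

class Receiver:
    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1  # highest sequence number accepted so far

    def accept(self, frame: bytes):
        """Return (verdict, payload); payload is None unless verdict is 'ok'."""
        if len(frame) < 8 + 32:
            return "rejected: malformed", None
        body, tag = frame[:-32], frame[-32:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # Constant-time comparison. A mismatch covers both modification
        # (a genuine frame altered in transit) and fabrication or
        # masquerade (a frame built without the shared key).
        if not hmac.compare_digest(tag, expected):
            return "rejected: bad tag (modification or fabrication)", None
        seq = struct.unpack(">Q", body[:8])[0]
        # A replayed genuine frame still carries a valid tag, so replay
        # needs its own check: sequence numbers must strictly increase.
        if seq <= self.last_seq:
            return "rejected: replay", None
        self.last_seq = seq
        return "ok", body[8:]

def demo():
    """Run constructed frames through one receiver and collect the verdicts."""
    rx = Receiver(KEY)
    genuine = protect(KEY, 1, b"PAY 100 TO ALICE")
    modified = bytearray(protect(KEY, 2, b"PAY 100 TO ALICE"))
    modified[8 + 4] ^= 0x08  # one payload bit changed in transit
    fabricated = protect(b"some-other-key", 3, b"PAY 999 TO X")
    frames = [genuine, genuine, bytes(modified), fabricated,
              protect(KEY, 2, b"PAY 5 TO BOB")]
    return [rx.accept(f)[0] for f in frames]

if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```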
Attacks
Passive
– Interception (confidentiality)
    – Release of message contents
    – Traffic analysis
Active
– Modification (integrity)
– Fabrication (integrity)
– Interruption (availability)
Security services
Confidentiality
Authentication
Integrity
Nonrepudiation
Access control
Availability
Model for internetwork security
[Figure labels: Principal, Message, Secret information (at each end); Information channel; Trusted third party; Opponent; Gate keeper]
Methods of defence (1)
Modern cryptology
– Encryption, authentication code, digital signature, etc.
Software controls
– Standard development tools (design, code, test, maintain, etc.)
– Operating systems controls
– Internal program controls (e.g. access controls to data in a database)
– Firewalls
Methods of defence (2)
Hardware controls
– Security devices, smart cards, …
Physical controls
– Locks, guards, backup of data and software, thick walls, …
Security policies and procedures
User education
Law