Prof. Shervin Shirmohammadi CEG 4185 13-1 Lecture 13: Security Architecture Prof. Shervin Shirmohammadi SITE, University of Ottawa

Prof. Shervin Shirmohammadi CEG 4185 - University of …shervin/courses/ceg4185/lectures/Lecture13f.pdf · Prof. Shervin Shirmohammadi CEG 4185 13-1 ... • Con: need to wait for


Page 1: Lecture 13: Security Architecture. Prof. Shervin Shirmohammadi, SITE, University of Ottawa

Page 2: Network Assets and Security Threats
• Assets:
– Hardware (PC, workstation, etc.)
– Servers
– Network devices (routers, hubs, …)
– Software (OS, programs, …)
– Services (applications, networking services)
– Data (stores, in-transit, databases, …)
• Threats:
– Unauthorized access to assets.
– Unauthorized disclosure of information
– Denial of service
– Theft (data, hardware, software …)
– Corruption of data, viruses, worms
– Physical damage

Page 3: Security
• Network Security: Protection of the network and its services from unauthorized access, modification, destruction, or disclosure.
• Necessary for the network to perform its critical functions correctly.
• Requirements:
– Confidentiality: data should be accessible to authorized parties only.
– Integrity: data can only be modified by authorized parties.
– Authenticity: the receiver should be able to verify the identity of the sender.
• Typically cryptography is used for fulfilling these requirements.

Page 4: Cryptography
• The encryption model for a symmetric-key cipher. (figure)

Page 5: Passive Attacks
• Eavesdropping on transmissions to obtain information
• Release of message contents
– Outsider learns content of transmission
• Traffic analysis
– By monitoring frequency and length of messages, even encrypted ones, the nature of the communication may be guessed
• Difficult to detect
• Can be prevented

Page 6: Active Attacks
• Masquerade
– Pretending to be a different entity
• Replay
• Modification of messages
• Denial of Service
• Easier to detect
– Detection may lead to deterrent
• Hard to prevent

Page 7: Substitution Ciphers
• Two types of Ciphers: substitution; transposition
• Substitution: Replace each symbol with another symbol
• A substitution cipher:
– a b c d e f g h i j k l m n o p q r s t u v w x y z
– q w e r t y u i o p a s d f g h j k l z x c v b n m
– attack → QZZQEA
• Broken using statistical properties of the language.
– English: e, t, o, a, n, i; th, in, er, re, an; the, ing, and, ion
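Added example, not from the slides: the slide's substitution alphabet as code, together with the letter-frequency ranking that breaks it. The English sample text is constructed for the demonstration.

```python
from __future__ import annotations
from collections import Counter

PLAIN = "abcdefghijklmnopqrstuvwxyz"
CIPHER = "qwertyuiopasdfghjklzxcvbnm"   # key alphabet from the slide
ENC = dict(zip(PLAIN, CIPHER))
DEC = dict(zip(CIPHER, PLAIN))
ENGLISH_ORDER = "etoani"                 # most frequent English letters (slide)


def encrypt(text: str) -> str:
    """Replace each letter by its key-alphabet partner; uppercase as on the
    slide, so encrypt("attack") == "QZZQEA". Non-letters pass through."""
    return "".join(ENC[c].upper() if c in ENC else c for c in text.lower())


def decrypt(text: str) -> str:
    return "".join(DEC[c] if c in DEC else c for c in text.lower())


def letter_frequencies(ciphertext: str) -> list[tuple[str, int]]:
    """Ciphertext letters ranked by count, most common first."""
    return Counter(c for c in ciphertext.lower() if c in DEC).most_common()


def guess_key(ciphertext: str) -> dict[str, str]:
    """Frequency analysis: pair the most common ciphertext letters with the
    most common English letters. Only the top few pairs are reliable on a
    short text; on a long one the statistics leak the key because the same
    substitution is applied to every letter."""
    ranked = [c for c, _ in letter_frequencies(ciphertext)]
    return dict(zip(ranked, ENGLISH_ORDER))


# Constructed sample text, deliberately e-heavy so the statistics show quickly.
SAMPLE = "three engineers were there to meet the teacher before the event"
```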

Page 8: Transposition Ciphers
• A transposition cipher: (figure)

Page 9: Symmetric-Key Algorithms
• Uses a shared secret key between the sender and the receiver.
• DES – The Data Encryption Standard
• AES – The Advanced Encryption Standard
• Each technique comes with a number of different Cipher Modes for specific situations.

Page 10: Data Encryption Standard
• 1977 standard of NSA.
• Uses 56-bit keys.
• Takes in 64-bit plaintext segments.
(figure: (a) General outline, (b) details of one iteration)

Page 11: DES problems
• 56-bit key too short; these days it can be broken by a sub-million dollar machine in under 1 day.
• NSA (National Security Agency) suspected of incorporating a “secret design” to easily break DES for itself.
(note on slide: Age of universe ≈ 20 billion years = 2×10^10 years)

Page 12: Electronic Code Book Mode
• Cipher Modes add more security for specific situations.
• The plaintext of a file encrypted as 16 DES blocks: (figure)
• Con: one can switch parts of the ciphertext undetectably.

Page 13: Cipher Block Chaining Mode
• Cipher block chaining. (a) Encryption. (b) Decryption. (figure)
• Con: need to wait for complete C0 (typically 64-bit) before decryption can occur

Page 14: Cipher Feedback Mode
• (a) Encryption. (b) Decryption. (figure)
• Con: 1 bit error will lead to an 8-byte transmission error

Page 15: Stream Cipher Mode & Counter Mode
• Stream Cipher Mode: (a) Encryption. (b) Decryption. (figure)
• Counter Mode: allows for Random Access, the ability to decrypt a specific part of the message.
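Added example, not from the slides, covering the mode properties of pages 12 to 15: ECB lets ciphertext blocks be swapped undetectably, CBC chains each block to the previous ciphertext, and counter mode decrypts any single block on its own. A constructed toy 8-byte block cipher stands in for DES; the key, IV and nonce are constructed too.

```python
BLOCK = 8  # DES block size in bytes


def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    """Toy keyed permutation of one block; a stand-in for DES, NOT a cipher."""
    mixed = bytes(((b ^ key[i]) + key[(i + 1) % BLOCK]) & 0xFF
                  for i, b in enumerate(block))
    return mixed[::-1]


def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    return bytes(((b - key[(i + 1) % BLOCK]) & 0xFF) ^ key[i]
                 for i, b in enumerate(block[::-1]))


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def blocks(data: bytes) -> list:
    assert len(data) % BLOCK == 0, "example expects whole blocks (no padding)"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, pt: bytes) -> bytes:
    # Each block is encrypted on its own: no block depends on its neighbours.
    return b"".join(toy_encrypt_block(key, b) for b in blocks(pt))


def ecb_decrypt(key: bytes, ct: bytes) -> bytes:
    return b"".join(toy_decrypt_block(key, c) for c in blocks(ct))


def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    out, prev = [], iv
    for b in blocks(pt):
        prev = toy_encrypt_block(key, xor(b, prev))  # chain previous ciphertext
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for c in blocks(ct):
        out.append(xor(toy_decrypt_block(key, c), prev))
        prev = c
    return b"".join(out)


def ctr_keystream(key: bytes, nonce: bytes, index: int) -> bytes:
    # Counter block = 4-byte nonce || 4-byte block index, encrypted with the key.
    return toy_encrypt_block(key, nonce[:4] + index.to_bytes(4, "big"))


def ctr_encrypt(key: bytes, nonce: bytes, pt: bytes) -> bytes:
    return b"".join(xor(b, ctr_keystream(key, nonce, i))
                    for i, b in enumerate(blocks(pt)))


def ctr_decrypt_block(key: bytes, nonce: bytes, ct: bytes, index: int) -> bytes:
    """Random access: decrypt only block `index`, without the earlier blocks."""
    return xor(ct[index * BLOCK:(index + 1) * BLOCK], ctr_keystream(key, nonce, index))


def swap_blocks(ct: bytes, i: int, j: int) -> bytes:
    """Reorder two ciphertext blocks in transit (no key needed). ECB decrypts
    the result as valid, reordered plaintext; CBC turns it into garbage."""
    bs = blocks(ct)
    bs[i], bs[j] = bs[j], bs[i]
    return b"".join(bs)
```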

Page 16: Public-Key Algorithms
• Also known as asymmetric algorithm.
• Uses a pair of keys, one public and one private.
• The idea is to give away your public key!
• Encrypt your messages using the public key and you can decrypt it using the private key, and vice versa!
• Public-key algorithm can be used for both authentication and confidentiality; although differently for each.
• Main disadvantage: slow processing.

Page 17: Digital Signatures
• Similar to a signature on a document, a digital signature validates the authenticity of its signee:
– It was indeed the signee (and not someone else) who signed this document
– It was indeed this document (and not some other document) that the signee signed.
• Upon receiving such a digital signature, one can prove, in a court of law, that the document is indeed signed by the person indicated by his/her signature.
• Typically uses Message Digests

Page 18: Message Digests
• Creates a unique, fixed-sized, one-way digest using the message.
• MD5: takes 512 bit blocks and gives a 128-bit digest
– Essentially a hash converter.
• Digital signatures using message digests and public-key encryption: (figure)

Page 19: SHA-1
• SHA: Secure Hash Algorithm
• Takes 512 bit blocks and gives a 160-bit digest
• Use of SHA-1 and RSA for signing non-secret messages. (figure)
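Added example, not from the slides, for pages 17 to 19: signing a non-secret message by hashing it with SHA-1 and applying a textbook RSA private key to the digest, then verifying with the public key. The key pair is a constructed teaching fixture built from two Mersenne primes so the code runs without a crypto library; textbook RSA without padding illustrates the idea and is not a deployable scheme.

```python
import hashlib

# Teaching fixture, not a real key pair: two Mersenne primes give a ~234-bit
# modulus without a crypto library. Real RSA keys use random 1024+-bit primes.
P = (1 << 107) - 1          # 2^107 - 1, prime
Q = (1 << 127) - 1          # 2^127 - 1, prime
N = P * Q                   # modulus; wider than a 160-bit SHA-1 digest
E = 65537                   # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (needs Python 3.8+)

PUBLIC_KEY = (N, E)
PRIVATE_KEY = (N, D)


def digest(message: bytes) -> int:
    """SHA-1 message digest read as an integer: fixed-size and one-way."""
    return int.from_bytes(hashlib.sha1(message).digest(), "big")


def sign(message: bytes, private_key: tuple) -> int:
    """Signer: hash the message, then apply the private exponent to the
    digest rather than to the whole (possibly long) message."""
    n, d = private_key
    return pow(digest(message), d, n)


def verify(message: bytes, signature: int, public_key: tuple) -> bool:
    """Receiver: undo the private operation with the public exponent and
    compare the recovered digest with a fresh SHA-1 of what was received.
    A changed message, a changed signature, or another party's key all fail."""
    n, e = public_key
    if not 0 < signature < n:
        return False
    return pow(signature, e, n) == digest(message)
```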

Page 20: PK Management: Certificates
• Who to get the certificate from?
– Certificate Authority (CA)
• A possible certificate and its signed hash (figure, labelled “Issued by a CA”)

Page 21: PK Management: X.509
• What format to use for the certificate:
– One possible one: ITU X.509
• The basic fields of an X.509 certificate: (figure)

Page 22: PK Management: Public-Key Infrastructures
• Obviously we can’t have one server for the CA for the whole planet
– Scalability problems
• Solution: use multiple servers, but make sure there is a hierarchical infrastructure to maintain integrity and reliability.
• A hierarchical PKI. (figure; label: Regional Authority)

Page 23: Security Administration
• Similar to requirements and flow analysis, it is important to find out what security threats affect the network, and how we can protect against them.
• Consists of two components:
– Threat analysis
  • In consultation with users, administrators, and operators, assets and risks are recorded and analysed.
– Policies and procedures
  • Rules of system usage (what to do, and what not to do)

Page 24: Threat Analysis

Effect/Prob.            | User Devices | Servers | Network Elements | Software | Services | Data
Unauthorized Access     | B/A          | B/B     | C/B              | A/B      | B/C      | A/B
Unauthorized Disclosure | B/C          | B/B     | C/C              | A/B      | B/C      | A/B
Denial of Service       | B/B          | B/B     | B/B              | B/B      | B/B      | D/D
Theft                   | A/D          | B/D     | B/B              | A/B      | C/C      | A/B
Corruption              | A/C          | B/C     | C/C              | A/B      | D/D      | A/B
Viruses                 | B/B          | B/B     | B/B              | B/B      | B/C      | D/D
Physical Damage         | A/D          | B/C     | C/C              | D/D      | D/D      | D/D

Effect: A=Destructive, B=Disabling, C=Disruptive, D=No Impact
Probability: A=Certain, B=Unlikely, C=Likely, D=Impossible

Page 25: Policies and Procedures
• Formal statements on rules for system, network, and information access and use.
• Understand possible security breaches, and implement policies to deal with these breaches
• Common security philosophies:
– Deny specifics/permit all else (open network philosophy)
– Permit specifics/deny all else (closed network philosophy)
• Policies should include:
– Privacy statement (monitoring, logging, access)
– Accountability statement (auditing, responsibility)
– Authentication statement (password policies, remote access)
– Reporting violations (procedures, contact info)

Page 26: Security Mechanisms
1. Physical Security and Awareness
– Protection of devices from physical access
– Security Awareness in order to educate persons
2. Protocol and Application Security
– Packet filters
– SNMPv3
– IPSec
3. Encryption / Decryption
4. Network Perimeter
– Firewalls and NAT
5. Remote Access security
• Not all mechanisms are appropriate/needed for all environments
– Degree of protection it provides
– Expertise required for installation and configuration
– Cost of purchasing, implementing and operating it
– Amounts of administration and maintenance required

Page 27: Physical Security and Awareness
• Physical security
– Protected access (e.g. to server rooms etc.)
– Backup power source and power conditioning
– Off-site storage and retrieval
– Alarm systems (fire, also illegal entry)
• Awareness
– Educating users and their involvement in all aspects of security
– Training, knowledge of breaches
– Bulletins and newsletters

Page 28: Protocol and Application Security
• Most common mechanisms in this category:
– IPsec
  • Secures anything that goes in the IP datagram
  • All layers above and including IP will benefit from this
  • Disadvantage?
– SNMPv3
  • NOT SNMPv1 or SNMPv2 (they have no security)
  • Only secures network management
– Packet filtering
  • Port or IP blocking.

Page 29: IPsec
• A protocol used to enhance IP with security.
• Establishes a simplex connection, known as a Security Association (SA).
– Unlike normal IP, which is connectionless.
– It’s a simplex connection, so we’d need two SAs for a full-duplex secure connection.
• Provides Authentication Header (AH), and Encapsulating Security Payload (ESP).
• AH is used for authentication; ESP is used for authentication and confidentiality.
• Used in transport mode (host-to-host), or tunnel mode (gateway-to-gateway).

Page 30: IPsec AH
• The IPsec authentication header in transport mode for IPv4. (figure)
• How to let the receiver know that this packet is an IPsec packet?
– Set the protocol field in the IP header to be IPsec (value 51)
(figure notes: HMAC: Hashed Message Authentication Code. Packet, and some IP header fields, are hashed together with a private key to form a “digital signature”.)

Page 31: IPsec ESP
(figure: (a) ESP in transport mode (host to host). (b) ESP in tunnel mode (gateway to gateway).)
• Used for both authentication and confidentiality.
• ESP header has fields similar to the AH header, plus some more for encryption purposes.
• HMAC is a trailer (rather than a header) due to easier hardware implementation (like Ethernet’s CRC).
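Added example, not from the slides, for the AH/ESP integrity check on pages 30 and 31: an HMAC-SHA1 computed over the payload plus the IP header fields that do not change in transit, keyed with the secret the two SA endpoints share (the slide's “private key”). The packet representation, field selection and key are constructed; real AH covers the full header layout defined by the RFCs.

```python
import hashlib
import hmac
import ipaddress

IP_PROTO_AH = 51   # protocol number that tells the receiver an AH header follows


def ah_icv(key: bytes, src: str, dst: str, payload: bytes) -> bytes:
    """Integrity Check Value: HMAC-SHA1 over the IP header fields that do not
    change in transit (source, destination, protocol) plus the payload. The
    TTL is a mutable field: every router decrements it, so it is hashed as
    zero, which keeps the sender's and receiver's inputs equal."""
    immutable = (ipaddress.IPv4Address(src).packed
                 + ipaddress.IPv4Address(dst).packed
                 + bytes([IP_PROTO_AH])
                 + b"\x00")              # TTL treated as zero
    return hmac.new(key, immutable + payload, hashlib.sha1).digest()


def build_ah_packet(key: bytes, src: str, dst: str, ttl: int, payload: bytes) -> dict:
    """Sender: a packet as a dict; protocol field 51 announces the AH header."""
    return {"src": src, "dst": dst, "ttl": ttl, "proto": IP_PROTO_AH,
            "icv": ah_icv(key, src, dst, payload), "payload": payload}


def forward(packet: dict) -> dict:
    """A router on the path decrements TTL; the ICV must survive this."""
    return {**packet, "ttl": packet["ttl"] - 1}


def receive(key: bytes, packet: dict) -> bool:
    """Receiver: recompute the ICV from the packet as it arrived and compare
    in constant time. Any change to addresses or payload, or a packet from a
    party without the SA's key, is rejected."""
    if packet["proto"] != IP_PROTO_AH:
        return False
    expected = ah_icv(key, packet["src"], packet["dst"], packet["payload"])
    return hmac.compare_digest(expected, packet["icv"])
```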

Page 32: SNMPv3
(figure: SNMP Engine (identified by snmpEngineID), containing Dispatcher, Message Processing Subsystem, Security Subsystem, Access Control Subsystem)
• Security at the message level
– Authentication
– Privacy of message via secure communication
• Flexible access control
– Who can access?
– What can be accessed?
– What MIB views?

Page 33: Packet Filtering (figure)

Page 34: Encryption / Decryption
• Provides protection of the information from being used by an attacker.
– Other security mechanisms concentrate on protection against unauthorized access and destruction of resources.
• Most of these mechanisms work on either symmetric key or asymmetric key encryption.
• Cons
– Degrades network performance 15-85%
  • Hardware solutions speed things up
– Administration and maintenance is required
– Expensive

Page 35: Network Perimeter
• Protects the external interfaces of your network: the components in your network that act as connectors to the external networks.
• Network Address Translation (NAT) is the most commonly used technique to achieve this security
• NAT was originally developed to solve the IP address exhaustion problem by introducing private networks:
– 10.0.0.0 – 10.255.255.255 (class A)
– 172.16.0.0 – 172.31.255.255 (class B)
– 192.168.0.0 – 192.168.255.255 (class C)
(figure: NAT router between private hosts 192.168.0.1, 192.168.0.2, 192.168.0.10 and the Internet; the router's public address is 137.122.20.1)
NAT table on the router:
  NAT port 63210 ↔ S-IP 192.168.0.10, port 5113
  NAT port 63211 ↔ S-IP 192.168.0.2, port 8777
  NAT port 63212 ↔ S-IP 192.168.0.1, port 6522
Outbound packet: S-port=8777, S-IP=192.168.0.2 is rewritten to S-port=63211, S-IP=137.122.20.1.
Inbound reply: D-port=63211, D-IP=137.122.20.1 is rewritten to D-port=8777, D-IP=192.168.0.2.
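Added example, not from the slides: a port-translating NAT that builds the table drawn on the slide. Outbound packets get the router's public address and a fresh NAT port; inbound packets are delivered only when they match an entry, otherwise they are dropped, which is the perimeter protection the slide refers to. The addresses and ports are the slide's; the packet dicts, the remote address and the logic are constructed.

```python
PUBLIC_IP = "137.122.20.1"   # the router's Internet-facing address on the slide


class Nat:
    """Port-translating NAT keeping the slide's table: NAT port -> private host."""

    def __init__(self, public_ip: str, first_port: int = 63210):
        self.public_ip = public_ip
        self.next_port = first_port
        self.table = {}      # nat_port -> (private_ip, private_port)
        self.reverse = {}    # (private_ip, private_port) -> nat_port

    def outbound(self, pkt: dict) -> dict:
        """Packet leaving the private network: replace its private source
        address/port with the public address and a NAT port, recording the
        mapping so the reply can find its way back."""
        inside = (pkt["s_ip"], pkt["s_port"])
        if inside not in self.reverse:
            nat_port = self.next_port
            self.next_port += 1
            self.table[nat_port] = inside
            self.reverse[inside] = nat_port
        return {**pkt, "s_ip": self.public_ip, "s_port": self.reverse[inside]}

    def inbound(self, pkt: dict):
        """Packet arriving from the Internet: rewrite the destination back to
        the private host that opened the mapping. Without a matching entry
        there is no inside address to deliver to, so the packet is dropped
        (None): unsolicited traffic never reaches the private hosts."""
        if pkt["d_ip"] != self.public_ip:
            return None
        inside = self.table.get(pkt["d_port"])
        if inside is None:
            return None
        d_ip, d_port = inside
        return {**pkt, "d_ip": d_ip, "d_port": d_port}
```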

Page 36: Firewall
• Firewalls are combinations of one or more security mechanisms, placed at strategic locations within a network.
– E.g. port filtering, plus NAT
• Can be standalone devices, or part of other equipment (routers, gateways, etc.)
• May require knowledge of users’ requirements (telnet, ftp, etc.)
• Network performance degradation – up to 30%
• Can complicate LAN/MAN/WAN troubleshooting

Page 37: Remote Access Security
• Remote access is a common operation where users need access to internal resources via dial-in, point-to-point sessions, and VPNs.
• Commonly known as AAAA
– Authentication, Authorization, Accountability, and Allocation
• Considerations
– Server types and locations (DMZs)
– Interactions with DNS, address pools, other services.
(figure labels: User Computer, dial, PPP/PPPoE, Network Access Server (NAS), RADIUS, PPP, RADIUS Server, Internet, Network)