Computer Network Security Basics
LUMS-ACM Chapter Topic Presentation (Ameel Zia Khan; 8 December, 1999)

What is Network Security?
- What are your goals? What do you hope to achieve?
- Keeping the network secure from:
  - Cracking and phreaking (not "hacking")
  - Destruction and distortion of data
  - Interruption and disruption of communications

Goals
- Features that should be present in a secure system are:
  - Confidentiality: there should be no unauthorized access to data
  - Integrity: there should be no modification of data by an unauthorized person
  - Availability: the system should be available to authorized users (e.g. guard against denial-of-service attacks)

Goals
  - Authentication: the receiver of data should be able to ascertain its origin (i.e. guard against masquerading)
  - Non-repudiation: the sender of data should not be able to deny sending data that he actually did send

Achieving Goals
- How do you achieve these goals?
- Identify a security policy:
  - Who is allowed to use which assets of your network
  - How they are allowed to use those assets
- Identify your system's features:
  - Your weakest and strongest links
  - Your most and least readily available and visible assets and links
  - Your most crucial assets
  - Your expendable assets

Achieving Goals
- Now that you know your system, try to identify the threats posed to it:
  - Who will want to attack it, and why
  - Where they will most likely attack
- Using the results of your security assessment:
  - Implement security mechanisms that incorporate your security policy and your system's features

Security Mechanisms
- Which ones? Why?
  - Could be as simple as a password mechanism
  - Could be as complex as an encryption and authentication system
- How do you decide?
- What are you adding into the network?

Security Mechanisms
- Prevention mechanisms: not letting the opportunity arise
- Detection mechanisms: knowing when an attack/intrusion has occurred, and seeing the signs of an impending attack
- Recovery mechanisms: security is never perfect; realistically this is as important a part of security as the other two

Security Mechanisms
- Mechanisms to be added:
  - User awareness (tell users about the risks that they may take, or pose, in the way they use resources)
  - Physical protection (prevent access to hardware)
  - Access control (security inside software)
  - Cryptography (for the transfer and storage of data)
  - Auditing (recording all system activity to detect and prevent security breaches)

General Principles
- Principles to be followed:
  - Principle of least privilege: power is easily abused
  - Minimize trusted components: it is easier to secure, and then keep watch on, a few components
- So, how do you approach network security?

Approaching Network Security
- What are the weaknesses?
- Where are the weaknesses?
- Who can exploit these weaknesses, and how?
- What can be done about them?
- Who will do something about them?
- What are the strengths?
- How can they be used against intruders?

Approaching Network Security
- OSI network layers:
  - Vulnerability in each layer:
    - Exactly what goes on in that layer of the network
    - Where it can be attacked
  - Securing each layer:
    - Using its own strengths and weaknesses to make it more secure

Physical Layer
- Vulnerabilities:
  - All communication ultimately takes place at this layer
- Methods of attack:
  - Tapping into the actual medium to eavesdrop on the communication
  - The actual risk, and the method, depend on the media used

Physical Layer
- Tapping into the media: twisted pair/coaxial cable
  - Most vulnerable
  - Easy to tap (minimal equipment and knowledge of the system needed)
  - Hardest to secure at this layer; needs to be secured at a higher layer (encryption)

Physical Layer
- Tapping into the media: fiber optic cable
  - Least vulnerable
  - Proper equipment is needed to break into the media, and the tap is hard to hide (it costs measurable signal power)
  - Still a risk because it can be broken into by

Physical Layer
- Tapping into the media: wireless communication
  - Moderately difficult to eavesdrop on
  - Special equipment, and knowledge of the user and the network, are needed
  - Can be partially secured within itself by using mechanisms like frequency hopping, and by using special link-level encoding and encryption techniques (frequency hopping only raises the cost of eavesdropping, since the hop sequence of standard equipment is not secret; link-level encryption is what actually protects the data)

Data Link Layer
- Vulnerabilities:
  - All network interfaces lie at this layer
  - All media frames are created and sent at this layer
- Methods of attack:
  - Sniffing packets by putting an interface into "promiscuous mode" on a broadcast medium

Data Link Layer
- Packet sniffers:
  - A network debugging tool in a netadmin's hands
  - A powerful weapon for a cracker
- Methods of prevention:
  - Encryption of data during transfer, especially logins and passwords
  - Software is available (e.g. Kerberos, from MIT)
  - A switched network narrows what a promiscuous interface sees but does not stop sniffing (a switch can be flooded into forwarding frames everywhere, and traffic can be redirected with ARP spoofing), so encryption remains the real defence

Network Layer
- Vulnerabilities:
  - All packet routing is performed at this layer
- Methods of attack:
  - IP spoofing/masquerading
  - Redirection of data

Network Layer
- Attacks are moderately difficult, but not impossible:
  - Changing entries in, or corrupting, the routing tables or ARP caches of a computer or router
  - Masquerading as another IP address
  - Creating, or getting around, an access control list (IP filter) in a router

Network Layer
- Methods of prevention:
  - Proactive prevention is very difficult unless the change (to a route or an ARP entry) is detected
  - Network anomalies are not the only indication of an attack
  - Logging and monitoring all communication is the best way to learn that an attack has occurred, and how to prevent it in the future
  - Trying it yourself is the second-best method!
  - One proactive measure does exist against spoofing: ingress filtering (RFC 2267), where a router drops packets whose source address could not legitimately arrive on the interface they came in on

Transport Layer
- Vulnerabilities:
  - All network connections are made at this layer
  - All flow control is performed at this layer
- Methods of attack:
  - All application layer attacks begin here (port scans, SYN scans, port flooding, etc.)

Transport Layer
- Host-based security:
  - Illegal entry attempts (login and back-door searches using port scans, etc.)
  - DoS attacks (flood pings, the "ping-of-death" attack)
- The problem with host-based setups:
  - Whenever host-based security or authentication is used, the host becomes the primary target of all attacks

Transport Layer
- Methods of prevention:
  - Secure the host machine:
    - Strip it down to only what it is used for
    - Incorporate security mechanisms in the machine (encrypted passwords, directory access control, etc.)
  - Hide the host machine:
    - Use another host as a back-up for, or as a front for, this machine (bastion hosts)
    - Protect the machine from unauthorized access (access lists, firewalls)

Transport Layer
- Security features at this level are tied to the application layer above it as well:
  - Adding end-to-end encryption (using SSL)
  - Resisting SYN flooding (using SYN cookies) and connection hijacking (hijacking is defeated by unpredictable initial sequence numbers, not by cookies)
  - Advances in TCP and IP help as well (random initial sequence numbers, etc.)

Session & Presentation Layers
- Vulnerabilities:
  - It is very hard to attack these layers as such, and there is little to gain by doing so
  - These layers just handle things like token management, synchronization and encoding translations
  - The code that implements their encoding and decoding (ASN.1 decoders, compression, character-set conversion) is another matter: parser bugs there are reached through the application protocols that use them
  - These layers must have been very important in the movie Independence Day :-)

Application Layer
- Vulnerabilities:
  - All application protocols are defined, run and controlled at this layer
  - All data is stored at this layer
- Methods of attack:
  - Software attacks (Trojan horses, viruses, worms, bacteria and trapdoors)
  - Attacks on the OS (e.g. buffer overflow attacks)

Application Layer
- Methods of prevention:
  - Point-to-point security: encryption (Kerberos, PGP, etc.), SSL, IP tunnels
  - Perimeter control: firewalls, bastion hosts

Application Layer
- Point-to-point security:
  - Encryption:
    - Using Kerberos (authentication with encrypted tickets; the password itself never crosses the network)
    - Using PGP (data encryption)
  - SSL & IP tunnels:
    - Securing a point-to-point session by doing additional security checks
    - Adds authentication (server certificates issued by a CA, e.g. VeriSign), encryption (a symmetric cipher with an MD5- or SHA-based MAC for integrity; a message digest such as MD4 or MD5 is not an encryption algorithm) and session binding (a session identifier or cookie; this is not non-repudiation, which needs digital signatures that SSL does not apply to application data)

Application Layer
- Perimeter control: firewalls and bastion hosts
  - Very exact access control for all users, as defined in the security policy (at the application level)
  - Excellent logging and monitoring facilities
  - Data for advanced auditing and analysis

Final Thought
- Network security can never be perfect:
  - If you create a better system, a better hacker will be there to point out a weakness in it
- Information is the key: monitoring, learning, trying, testing, checking, rechecking, auditing, searching, analyzing, etc.
- "The price of freedom is eternal vigilance" -- General George Patton
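The Data Link Layer slides describe sniffing on a broadcast medium by putting an interface into promiscuous mode, and prescribe encrypting logins and passwords in transit. The following Python is an added example (editor's code, not from the presentation) that parses hand-built Ethernet/IPv4/TCP frames the way such a sniffer would and pulls cleartext POP3 USER/PASS lines out of them. The MAC and IP addresses, the POP3 session and the frames themselves are all constructed; the "encrypted" session is modelled as opaque bytes rather than produced by a real cipher.

```python
"""Added example, not part of the original presentation: what a sniffer on a
promiscuous-mode interface sees on a broadcast medium, and why the Data Link
Layer slides say logins and passwords must be encrypted in transit.

Everything here is constructed: the MAC and IP addresses, the POP3 session and
the frames, which are built by build_frame() rather than captured. Checksums
are left zero because the sniffer never checks them."""
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Assemble an Ethernet/IPv4/TCP frame carrying payload (test input only)."""
    ip4 = lambda a: bytes(int(o) for o in a.split("."))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0, 0, 64, IPPROTO_TCP, 0, ip4(src_ip), ip4(dst_ip))
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip + tcp + payload


def tcp_segment(frame):
    """Parse one frame; return (src_ip, dst_ip, sport, dport, payload) or None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != IPPROTO_TCP or total_len > len(ip):
        return None
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    fmt = lambda b: ".".join(str(x) for x in b)
    return fmt(ip[12:16]), fmt(ip[16:20]), sport, dport, tcp[data_off:]


def extract_credentials(frames):
    """Every frame on the segment reaches a promiscuous interface, whoever it was
    addressed to; pick out cleartext POP3/FTP-style USER and PASS lines."""
    found = []
    for frame in frames:
        seg = tcp_segment(frame)
        if seg is None:
            continue
        src_ip, dst_ip, _sport, dport, payload = seg
        for line in payload.split(b"\r\n"):
            if line[:5] in (b"USER ", b"PASS "):
                found.append((src_ip, dst_ip, dport, line[:4].decode("ascii"),
                              line[5:].decode("ascii", "replace")))
    return found


MAC_CLIENT = bytes.fromhex("00a0c9112233")   # constructed addresses
MAC_SERVER = bytes.fromhex("00a0c9445566")

# Constructed "wire": three frames on one shared segment. The sniffing host is
# neither the source nor the destination of any of them.
WIRE = [
    build_frame(MAC_CLIENT, MAC_SERVER, "192.168.1.10", "192.168.1.2", 1034, 110,
                b"USER alice\r\nPASS s3cret\r\n"),     # POP3 login in the clear
    build_frame(MAC_CLIENT, MAC_SERVER, "192.168.1.11", "192.168.1.2", 1035, 80,
                b"GET / HTTP/1.0\r\n\r\n"),            # unrelated traffic, also visible
    build_frame(MAC_CLIENT, MAC_SERVER, "192.168.1.10", "192.168.1.2", 1036, 995,
                bytes(range(0x80, 0xA8))),             # same login inside an encrypted
                                                       # channel, modelled as opaque bytes
]

if __name__ == "__main__":
    for cred in extract_credentials(WIRE):
        print("captured:", cred)
```

Run as a script it prints the two credential lines of the cleartext session and nothing from the encrypted one, which is the slides' point: the sniffer still receives every frame, but encryption leaves it nothing readable.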
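The Network Layer slides say that corrupting a host's ARP cache is feasible, that proactive prevention is hard unless the change is detected, and that logging and monitoring are how you learn an attack happened. The following Python is an added example (editor's code, not from the presentation) of a passive ARP monitor that replays a constructed record of observed ARP replies and raises the three classic alerts: an IP address whose MAC changes, one MAC claiming several IP addresses, and unsolicited replies. The addresses, times and the "unsolicited" flag are all made up.

```python
"""Added example, not part of the original presentation: a passive ARP monitor
for the Network Layer slides' point that corrupting an ARP cache is feasible
and that logging and monitoring are how you learn it has happened.

OBSERVED is a constructed record of ARP replies as a monitor on the segment
would log them; the addresses and times are made up. Each entry is
(seconds, sender_ip, sender_mac, target_ip, unsolicited), where unsolicited
means no matching request preceded the reply."""
from collections import defaultdict

OBSERVED = [
    (0.0,  "10.0.0.1",  "00:50:56:aa:00:01", "10.0.0.20", False),  # gateway answers a request
    (1.0,  "10.0.0.20", "00:50:56:aa:00:20", "10.0.0.1",  False),  # host answers the gateway
    (30.0, "10.0.0.1",  "00:50:56:aa:00:01", "10.0.0.21", False),
    (31.0, "10.0.0.1",  "00:50:56:ee:ee:ee", "10.0.0.20", True),   # attacker claims the gateway's IP
    (31.0, "10.0.0.20", "00:50:56:ee:ee:ee", "10.0.0.1",  True),   # and the victim's, to relay both ways
    (60.0, "10.0.0.1",  "00:50:56:ee:ee:ee", "10.0.0.20", True),   # repeated to keep the cache poisoned
]


def monitor_arp(replies):
    """Replay observed ARP replies and return the alerts a monitor would raise.

    Three signs of poisoning are checked: an IP address whose MAC changes,
    one MAC address claiming several IP addresses, and unsolicited replies,
    which legitimate hosts send rarely and attackers send continuously."""
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for t, ip, mac, target, unsolicited in replies:
        known = ip_to_mac.get(ip)
        if known is not None and known != mac:
            alerts.append((t, "ip_mac_changed", ip, known, mac))
        ip_to_mac[ip] = mac
        claimed_before = len(mac_to_ips[mac])
        mac_to_ips[mac].add(ip)
        if claimed_before == 1 and len(mac_to_ips[mac]) == 2:   # alert once, on crossing to two
            alerts.append((t, "mac_claims_many_ips", mac, tuple(sorted(mac_to_ips[mac]))))
        if unsolicited:
            alerts.append((t, "unsolicited_reply", ip, mac, target))
    return alerts


def suspect_macs(alerts):
    """MAC addresses that took over an IP address someone else had."""
    return {a[4] for a in alerts if a[1] == "ip_mac_changed"}


if __name__ == "__main__":
    for alert in monitor_arp(OBSERVED):
        print(alert)
```

The first three replies produce no alerts; the poisoning at t=31 produces two MAC changes, one "many IPs" alert and the unsolicited-reply alerts. A real monitor would also want the first-seen table seeded from a known-good source (DHCP leases or a static list) rather than from the first reply it happens to hear, since an attacker who is first on the wire would otherwise be trusted.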
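The Transport Layer slides list port scans and SYN scans as the starting point of attacks, and the Security Mechanisms slides put detection alongside prevention. The following Python is an added example (editor's code, not from the presentation) of a scan detector that replays a constructed packet-filter log and flags any source that sends SYNs to many distinct ports of one host within a short window. The log lines and their format are made up stand-ins for whatever a real filter writes; the detector also shows the limit of a window-based threshold against a slow scan.

```python
"""Added example, not part of the original presentation: a detector for the
port scans and SYN scans that the Transport Layer slides call the starting
point of most attacks. It replays a constructed packet-filter log and flags a
source that sends SYNs to many distinct ports of one host inside a short
window. Every log line is made up; the format is only a stand-in for whatever
a real filter or IDS writes."""
import re
from collections import defaultdict, deque

# "<seconds> <src>:<sport> -> <dst>:<dport> <tcp flags>"
LINE_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+) (\S+)$")


def parse(line):
    """Return (t, src, sport, dst, dport, flags) or None for an unparsable line."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    t, src, sport, dst, dport, flags = m.groups()
    return float(t), src, int(sport), dst, int(dport), flags


def detect_scans(lines, window=10.0, threshold=8):
    """Sources that touched >= threshold distinct ports on one host within window seconds.

    Only pure SYNs count: a SYN scan never completes the handshake, and the
    follow-up packets of legitimate connections would otherwise inflate the count."""
    recent = defaultdict(deque)          # (src, dst) -> deque of (t, dport), oldest first
    alerted = set()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        t, _sport, = rec[0], rec[2]
        src, dst, dport, flags = rec[1], rec[3], rec[4], rec[5]
        if flags != "S":
            continue
        q = recent[(src, dst)]
        q.append((t, dport))
        while q and t - q[0][0] > window:  # slide the window forward
            q.popleft()
        if len({p for _, p in q}) >= threshold:
            alerted.add((src, dst))
    return sorted(alerted)


def constructed_log():
    """Made-up traffic: two ordinary clients, one fast scanner, one slow scanner."""
    lines = [
        "1000.0 192.168.5.7:1029 -> 10.1.1.10:80 S",
        "1000.1 192.168.5.7:1029 -> 10.1.1.10:80 A",
        "1001.0 192.168.5.9:1100 -> 10.1.1.10:25 S",
        "1001.2 192.168.5.9:1101 -> 10.1.1.10:110 S",
    ]
    for i, port in enumerate(range(21, 41)):            # 20 ports in 4 s
        lines.append(f"{1002 + i * 0.2:.1f} 203.0.113.45:{40000 + i} -> 10.1.1.10:{port} S")
    for i, port in enumerate(range(21, 41)):            # 20 ports spread over 10 min
        lines.append(f"{2000 + i * 30:.1f} 198.51.100.8:{50000 + i} -> 10.1.1.10:{port} S")
    return lines


if __name__ == "__main__":
    print("10 s window:", detect_scans(constructed_log()))
    print("10 min window:", detect_scans(constructed_log(), window=600.0))
```

With the default 10-second window only the fast scanner is reported; the slow scanner, one port every 30 seconds, never has eight ports inside any window and is caught only when the window is widened to ten minutes. That trade-off (short windows miss slow scans, long windows cost memory and raise false positives from busy legitimate clients) is why scan detection is tuned per network rather than shipped with one setting.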
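The Transport Layer slides mention "cookies" and random sequence numbers among the TCP-level defences. SYN cookies (D. J. Bernstein, 1996) are the concrete mechanism: during a SYN flood the server keeps no state for half-open connections, because its initial sequence number is itself a keyed MAC over the connection's addresses and a coarse timestamp, and the client's final ACK hands the cookie back. The following Python is an added example (editor's code, not from the presentation) of a simplified version of that scheme; the key, addresses, ports, sequence numbers and the exact bit layout are the editor's choices, not those of any particular TCP stack.

```python
"""Added example, not part of the original presentation: SYN cookies, the
stateless defence against SYN flooding that the Transport Layer slides refer
to as "cookies". The server's initial sequence number is a keyed MAC over the
connection's addresses and a coarse timestamp, so nothing is stored for a
half-open connection; the client's final ACK returns the cookie and proves it
received the SYN/ACK at that address. Because the ISN comes from an HMAC it is
also unpredictable, which is the property that defeats blind spoofing.

Layout (a simplified version of the classic scheme): 5 bits of minute counter,
3 bits of MSS index, 24 bits of HMAC. Key, addresses, ports and sequence
numbers are made up."""
import hashlib
import hmac
import struct

MSS_TABLE = (536, 1024, 1460, 4312)   # 3 bits available; only 4 sizes used here
COUNTER_BITS = 5
MSS_BITS = 3
MAC_BITS = 32 - COUNTER_BITS - MSS_BITS   # 24
COUNTER_MASK = (1 << COUNTER_BITS) - 1


def _mac(key, saddr, daddr, sport, dport, counter, mss_idx, client_isn):
    msg = struct.pack("!4s4sHHBBI", saddr, daddr, sport, dport, counter, mss_idx, client_isn)
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big") & ((1 << MAC_BITS) - 1)


def make_syn_cookie(key, saddr, daddr, sport, dport, client_isn, client_mss, minute):
    """Server ISN to put in the SYN/ACK. Nothing is stored for this client."""
    mss_idx = 0
    for i, size in enumerate(MSS_TABLE):      # largest table entry the client accepts
        if size <= client_mss:
            mss_idx = i
    counter = minute & COUNTER_MASK
    mac = _mac(key, saddr, daddr, sport, dport, counter, mss_idx, client_isn)
    return (counter << (32 - COUNTER_BITS)) | (mss_idx << MAC_BITS) | mac


def check_syn_cookie(key, saddr, daddr, sport, dport, ack_seq, ack_ack, minute):
    """Validate the handshake's final ACK. Returns the MSS to use, or None.

    ack_seq is the client's sequence number (client_isn + 1) and ack_ack its
    acknowledgement number (server ISN + 1, i.e. cookie + 1)."""
    cookie = (ack_ack - 1) & 0xFFFFFFFF
    client_isn = (ack_seq - 1) & 0xFFFFFFFF
    counter = cookie >> (32 - COUNTER_BITS)
    mss_idx = (cookie >> MAC_BITS) & ((1 << MSS_BITS) - 1)
    now = minute & COUNTER_MASK
    # Only the current and the previous counter value are accepted, which bounds
    # how long a captured cookie stays replayable.
    if (now - counter) & COUNTER_MASK > 1:
        return None
    if mss_idx >= len(MSS_TABLE):
        return None
    expected = _mac(key, saddr, daddr, sport, dport, counter, mss_idx, client_isn)
    if (cookie & ((1 << MAC_BITS) - 1)) != expected:
        return None
    return MSS_TABLE[mss_idx]


# Constructed handshake parameters
KEY = b"per-server secret, rotated with the minute counter"
CLIENT = bytes([203, 0, 113, 7])
SERVER = bytes([198, 51, 100, 10])


def demo():
    """One good handshake and three ACKs the server must reject."""
    cookie = make_syn_cookie(KEY, CLIENT, SERVER, 40001, 80, 12345678, 1460, minute=100)
    ok = check_syn_cookie(KEY, CLIENT, SERVER, 40001, 80, 12345679, cookie + 1, 100)
    late = check_syn_cookie(KEY, CLIENT, SERVER, 40001, 80, 12345679, cookie + 1, 103)
    other_port = check_syn_cookie(KEY, CLIENT, SERVER, 40002, 80, 12345679, cookie + 1, 100)
    guessed = check_syn_cookie(KEY, CLIENT, SERVER, 40001, 80, 12345679, cookie + 2, 100)
    return ok, late, other_port, guessed


if __name__ == "__main__":
    print(demo())   # (1460, None, None, None)
```

The price of statelessness is visible in the encoding: the client's MSS is rounded down to one of a few table values, and any TCP options that do not fit in the cookie are lost, which is why real stacks only switch SYN cookies on once the half-open queue is full rather than using them for every connection.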
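The Network Layer slides mention access control lists (IP filters) in routers and IP spoofing, and the Application Layer slides describe firewalls as exact, policy-driven access control with good logging. The following Python is an added example (editor's code, not from the presentation) of a small stateless packet filter: an ordered rule list, first match wins, default deny, an ingress-filtering rule (RFC 2267) ahead of the policy, and a log line for every decision. The networks, the bastion host, the rules and the packets are all made up.

```python
"""Added example, not part of the original presentation: a stateless packet
filter of the kind the Network Layer slides call an access control list (IP
filter) in a router and the Application Layer slides describe as perimeter
control with good logging. Rules are evaluated in order, first match wins,
and anything unmatched is denied. The first rule is ingress filtering
(RFC 2267): a packet arriving on the outside interface may not carry an
inside source address. Networks, hosts, rules and packets are all made up."""
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")
INSIDE = ipaddress.ip_network("192.168.1.0/24")
BASTION = ipaddress.ip_network("192.168.1.5/32")


@dataclass(frozen=True)
class Packet:
    iface: str        # interface the packet arrived on: "ext" or "int"
    src: str
    dst: str
    proto: str        # "tcp", "udp" or "icmp"
    dport: int = 0    # 0 for protocols without ports


# (action, arriving iface, source net, destination net, proto or "any", dport or None)
RULES = [
    ("deny",  "ext", INSIDE, ANY, "any", None),     # anti-spoofing: outside traffic with inside source
    ("allow", "ext", ANY, BASTION, "tcp", 80),      # policy: only the bastion's web ...
    ("allow", "ext", ANY, BASTION, "tcp", 25),      # ... and mail services are reachable
    ("allow", "int", INSIDE, ANY, "any", None),     # inside hosts may go out
]


def evaluate(pkt, rules=RULES, log=None):
    """Return (action, reason) for one packet and append a log line if a log is given."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    decision = ("deny", "default")                  # nothing matched: default deny
    for n, (action, iface, snet, dnet, proto, dport) in enumerate(rules, 1):
        if pkt.iface != iface or src not in snet or dst not in dnet:
            continue
        if proto != "any" and proto != pkt.proto:
            continue
        if dport is not None and dport != pkt.dport:
            continue
        decision = (action, f"rule {n}")
        break
    if log is not None:
        log.append(f"{decision[0]:5} {decision[1]:8} {pkt.iface} "
                   f"{pkt.src} -> {pkt.dst} {pkt.proto}/{pkt.dport}")
    return decision


SAMPLE = [   # constructed packets, one per case worth showing
    Packet("ext", "203.0.113.9", "192.168.1.5", "tcp", 80),    # permitted service
    Packet("ext", "203.0.113.9", "192.168.1.5", "tcp", 23),    # telnet to bastion: no rule
    Packet("ext", "203.0.113.9", "192.168.1.20", "tcp", 80),   # web on an inside host: no rule
    Packet("ext", "192.168.1.7", "192.168.1.5", "tcp", 80),    # spoofed inside source from outside
    Packet("int", "192.168.1.7", "203.0.113.9", "tcp", 443),   # inside host going out
    Packet("int", "10.9.9.9", "203.0.113.9", "udp", 53),       # inside interface, foreign source
]


def run_samples():
    """Evaluate every sample packet; return the decisions and the log they produced."""
    log = []
    decisions = [evaluate(p, log=log) for p in SAMPLE]
    return decisions, log


if __name__ == "__main__":
    for line in run_samples()[1]:
        print(line)
```

Two things in the rule set are deliberate. The spoofed packet is denied by rule 1 even though it would have matched the allow rule for the bastion's web service, which is why the anti-spoofing rule has to come first; and the logged reason names the rule, so an auditor reading the log can tell policy denials from default denials, which is what the slides mean by firewalls giving "data for advanced auditing and analysis".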