Unit6 Security


Computer Networks and Security

Subject code:310247

Unit VI Security

Instructor: Dr. Salman Baig


Introduction to Network Security

• Computer network security consists of measures taken by businesses or organizations to
monitor and prevent unauthorized access from outside attackers.
• Different approaches to computer network security management have different
requirements depending on the size of the computer network. For example, a home office
requires basic network security while large businesses require high maintenance to prevent
the network from malicious attacks.
• Network security is the security provided to a network from unauthorized access and risks.
It is the duty of network administrators to adopt preventive measures to protect their
networks from potential security threats.
• Computer networks that are involved in regular transactions and communication within the
government, individuals, or business require security. The most common and simple way of
protecting a network resource is by assigning it a unique name and a corresponding
password
Introduction to Computer Security

• Privacy: Privacy means that both the sender and the receiver expect confidentiality. The transmitted message
should be sent only to the intended receiver and should be opaque to other users. Only the
sender and receiver should be able to understand the transmitted message, as eavesdroppers can intercept it.
Therefore, the message must be encrypted so that an intercepted message cannot be understood.
This aspect of confidentiality is commonly used to achieve secure communication.

• Message Integrity: Data integrity means that the data must arrive at the receiver exactly as it was sent. There
must be no changes in the data content during transmission, either malicious or accidental. As
there are more and more monetary exchanges over the internet, data integrity is more crucial. The data
integrity must be preserved for secure communication.

• End-Point Authentication: Authentication means that the receiver is sure of the sender’s
identity, i.e., no imposter has sent the message.

• Non-Repudiation: Non-Repudiation means that the receiver must be able to prove that
the received message has come from a specific sender. The sender must not deny sending
a message that he or she sent. The burden of proving the identity falls on the receiver.
For example, if a customer sends a request to transfer the money from one account to
another account, then the bank must have a proof that the customer has requested for the
transaction.
Security Services

• Network security can provide the following services related to a message and entity.
1. Message confidentiality
• It means that the content of a message when transmitted across a network must remain
confidential, i.e. only the intended receiver and no one else should be able to read the message.
• The users; therefore, want to encrypt the message they send so that an eavesdropper on the
network will not be able to read the contents of the message.
2. Message Integrity
• It means the data must reach the destination without any alterations/modifications
• There must be no changes during transmission, neither accidentally nor
maliciously.
• Integrity of a message is ensured by attaching a checksum to the message.
• The algorithm for generating the checksum ensures that an intruder cannot alter the
checksum or the message.
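The requirement that an intruder cannot alter the checksum holds only when the checksum is keyed. The following added example (not part of the original notes) compares an unkeyed CRC-32 with an HMAC-SHA256 tag under accidental corruption and deliberate substitution; the key, the sample messages and all function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import zlib

# Constructed sample values for this added example.
SHARED_KEY = b"constructed-demo-key"   # known only to sender and receiver
ORIGINAL = b"Allow JOHN to read confidential file X"
TAMPERED = b"Allow Smith to read confidential file X"


def crc_tag(message):
    """Unkeyed checksum: anyone who can see the message can compute it."""
    return zlib.crc32(message).to_bytes(4, "big")


def mac_tag(message, key):
    """Keyed checksum (HMAC-SHA256): computing it requires the shared key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(message, tag, make_tag):
    """Receiver side: recompute the tag and compare in constant time."""
    return hmac.compare_digest(make_tag(message), tag)


def flip_one_bit(message):
    """Accidental change in transit: a single corrupted bit."""
    damaged = bytearray(message)
    damaged[0] ^= 0x01
    return bytes(damaged)


def intruder_substitute(make_public_tag):
    """Deliberate change by an intruder who does not hold SHARED_KEY.

    The intruder replaces the message and attaches the best tag it can
    compute from public information only.
    """
    return TAMPERED, make_public_tag(TAMPERED)


def run_demo():
    def keyed(message):
        return mac_tag(message, SHARED_KEY)

    def guessed(message):
        # All the intruder can do for the keyed scheme: use a guessed key.
        return mac_tag(message, b"intruder-guess")

    results = {}
    # Accidental corruption: both schemes notice it.
    results["crc_detects_bit_flip"] = not verify(
        flip_one_bit(ORIGINAL), crc_tag(ORIGINAL), crc_tag)
    results["mac_detects_bit_flip"] = not verify(
        flip_one_bit(ORIGINAL), keyed(ORIGINAL), keyed)
    # Malicious substitution: the intruder recomputes the CRC, so it verifies.
    message, tag = intruder_substitute(crc_tag)
    results["crc_detects_intruder"] = not verify(message, tag, crc_tag)
    # Without the key, the intruder's tag does not verify.
    message, tag = intruder_substitute(guessed)
    results["mac_detects_intruder"] = not verify(message, tag, keyed)
    # Reusing the tag captured with the original message fails as well.
    results["mac_detects_tag_reuse"] = not verify(
        TAMPERED, keyed(ORIGINAL), keyed)
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The only result that comes back False is `crc_detects_intruder`: an unkeyed checksum protects against accidents, not against an intruder who can recompute it.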

3. Message Authentication
• In message authentication the receiver needs to be sure of the sender’s identity, i.e. the receiver has to make sure
that the actual sender is the same as the claimed one.
• There are different methods to check the genuineness of the sender :
1. The two parties share a common secret code word. A party is required to show the secret code word to the
other for authentication.
2. Authentication can be done by sending digital signature.
3. A trusted third party verifies the authenticity. One such way is to use digital certificates issued by a
recognized certification authority.
4. Message non-repudiation
• Non-repudiation means that a sender must not be able to deny sending a message that it actually sent.
• The burden of proof falls on the receiver.
• Non-repudiation is not only in respect of the ownership of the message; the receiver must prove that the
contents of the message are also the same as the sender sent.
• Non-repudiation is achieved by authentication and integrity mechanisms.
5. Entity Authentication
• In entity authentication (or user identification) the entity or user is verified prior to access to the system
resources.
Need of Security Services
• The most basic example of Network Security is password protection where the user of the network
oneself chooses
• The network security solutions protect various vulnerabilities of the computer systems such as:
1. Users
2. Locations
3. Data
4. Devices
5. Applications
• There are many layers to consider when addressing network security across an organization. Attacks
can happen at any layer in the network security layers model, so your network security hardware,
software and policies must be designed to address each area.
• Network security typically consists of three different controls: physical, technical and administrative.
These are explained as follows:
▪ Physical Network Security
❖ Physical security controls are designed to prevent unauthorized personnel from gaining physical
access to network components such as routers, cabling cupboards and so on. Controlled access,
such as locks, biometric authentication and other devices, is essential in any organization.
▪ Technical Network Security
❖ Technical security controls protect data that is stored on the network or which is in transit across,
into or out of the network. Protection is twofold; it needs to protect data and systems from
unauthorized personnel, and it also needs to protect against malicious activities from employees.
▪ Administrative Network Security
❖ Administrative security controls consist of security policies and processes that control user
behavior, including how users are authenticated, their level of access and also how IT staff
members implement changes to the infrastructure

Types of Network Security:


Network Access Control
• To ensure that potential attackers cannot infiltrate your network, comprehensive access control policies
need to be in place for both users and devices.
• Network Access Control (NAC) can be set at the most granular level. For example, you could grant
administrators full access to the network but deny access to specific confidential folders or prevent their
personal devices from joining the network.
Antivirus and Anti-malware Software
• Antivirus and anti-malware software protect an organization from a range of malicious software,
including viruses, ransomware, worms and trojans.
• The best software not only scans files upon entry to the network but continuously scans and tracks files.

Firewall Protection
• Firewalls, as their name suggests, act as a barrier between the untrusted external networks and your
trusted internal network.
• Administrators typically configure a set of defined rules that blocks or permits traffic onto the network.
Virtual Private Networks
• Virtual Private Networks (VPNs) create a connection to the network from another endpoint or site.
For example, users working from home would typically connect to the organization's network over a
VPN. Data between the two points is encrypted and the user would need to authenticate to allow
communication between their device and the network
Key Principles of Security
• The protection afforded to an automated information system in order to attain the applicable
objectives of preserving the integrity, availability, and confidentiality of information system
resources (includes hardware, software, firmware, information/ data, and telecommunications).
• This definition of security introduces three key objectives that are at the heart of computer
security:
• Confidentiality: This term covers two related concepts:
• Data confidentiality: Assures that private or confidential information is not made
available or disclosed to unauthorized individuals.
• Privacy: Assures that individuals control or influence what information related to them
may be collected and stored and by whom and to whom that information may be
disclosed.
• Integrity: This term covers two related concepts:
• Data integrity: Assures that information and programs are changed only in a specified
and authorized manner.
• System integrity: Assures that a system performs its intended function in an unimpaired
manner, free from deliberate or inadvertent unauthorized manipulation of the system.
• Availability: Assures that systems work promptly and service is not denied to authorized users.
• These concepts form what is often referred to as the CIA triad
Threats and Vulnerabilities

• Threat: A potential for violation of security, which exists when there is a circumstance, capability,
action, or event that could breach security and cause harm. That is, a threat is a possible danger that
might exploit a vulnerability.
• A threat/vulnerability is a potential violation of security.
• Flaws in design, implementation, and operation.
• An attack is any action that violates security.
• Active adversary (actively/continuously getting information)
• An attack has an implicit concept of “intent”
• Router mis-configuration or server crash can also cause loss of availability, but they are not
attacks
• Vulnerabilities occur due to Hardware, Software, Network and Procedural vulnerabilities.
1. Hardware Vulnerability:
A hardware vulnerability is a weakness that can be used to attack the system hardware, either physically or remotely. For example:
1. Old version of systems or devices
2. Unprotected storage
3. Unencrypted devices, etc.
2. Software Vulnerability:
A software error introduced during development or configuration, such that executing the software can violate the security policy. For example:
1. Lack of input validation
2. Unverified uploads
3. Cross-site scripting
4. Unencrypted data, etc.
3. Network Vulnerability:
A weakness in the network, which can be in hardware or software. For example:
1. Unprotected communication
2. Malware or malicious software (e.g., viruses, keyloggers, worms)
3. Social engineering attacks
4. Misconfigured firewalls
4. Procedural Vulnerability:
A weakness in an organization's operational methods. For example:
1. Password procedure – Passwords should follow the standard password policy.
2. Training procedure – Employees must know which actions should be taken and what to do to handle
security.
Types of attacks

• Two generic types of attacks
• Passive
• Active

Active Attacks:
• An active attack attempts to alter system resources or affect their operation. An active
attack involves some modification of the data stream or the creation of a false statement. The types
of active attack are as follows:
1. Masquerade
• A masquerade attack takes place when one entity pretends to be a different
entity. A masquerade attack involves one of the other forms of active attack.

2. Modification of Messages
• It means that some portion of a message is altered or that message is delayed or
reordered to produce an unauthorized effect. For example, a message meaning “Allow
JOHN to read confidential file X” is modified as “Allow Smith to read confidential file
X”.

3. Repudiation
• This attack is done by either the sender or the receiver. The sender or receiver can later deny that
he/she has sent or received a message. For example, a customer asks his bank “to transfer an
amount to someone” and later on the sender (customer) denies that he had made such a
request. This is repudiation.
4. Replay
• It involves the passive capture of a message and its subsequent retransmission to produce
an unauthorized effect.

5. Denial of Service
• It prevents normal use of communication facilities. This attack may have a specific
target. For example, an entity may suppress all messages directed to a particular
destination. Another form of service denial is the disruption of an entire network, either by
disabling the network or by overloading it with messages so as to degrade performance.

• Passive attacks: A Passive attack attempts to learn or make use of information from the
system but does not affect system resources.
• Passive Attacks are in the nature of eavesdropping on or monitoring of transmission.
The goal of the opponent is to obtain information that is being transmitted.
• Types of Passive attacks are as following:
1. The release of message content –
Telephonic conversation, an electronic mail message, or a transferred file may contain
sensitive or confidential information. We would like to prevent an opponent from
learning the contents of these transmissions.

2. Traffic analysis –
• Suppose that we had a way of masking (encrypting) information so that an attacker,
even if it captures the message, cannot extract any information from it.
• The opponent could still determine the location and identity of the communicating hosts and
could observe the frequency and length of the messages being exchanged.
• This information might be useful in guessing the nature of the communication that was
taking place.
ITU-T X.800 Security Architecture For OSI

• Defines a systematic way of defining and providing security requirements


• Need for OSI Security Architecture:
1. Defining the requirements for security
2. Characterizing the approaches to satisfying those requirements

The OSI Security Architecture:


• Such a systematic approach is defined by ITU-T (the International Telecommunication
Union Telecommunication Standardization Sector).
• It is a United Nations (UN) sponsored agency that develops standards, called
Recommendations, relating to telecommunications and to Open Systems Interconnection
(OSI); Recommendation X.800 is its Security Architecture for OSI.
• Benefits:
1. The OSI security architecture is useful to managers as a way of organizing the task of
providing security.
2. Furthermore, because this architecture was developed as an international standard, computer
and communications vendors have developed security features for their products and
services that relate to this structured definition of services and mechanisms.

• The OSI security architecture focuses on security attack, mechanism, and services. These
can be defined briefly as follows:
▪ Security Attack: Any action that compromises the security of information owned by an
organization.
▪ Security Mechanism: A process that is designed to detect, prevent or recover from a security
attack. A security mechanism is also a method used to protect your message from
unauthorized entities.
▪ Security Services: Security services are services that implement security policies and
are implemented by security mechanisms.
• X.800 defines a security service, which ensures adequate security of the systems or
of data transfers
• X.800 Recommendation divides security services into 5 categories:
▪ Authentication
▪ Access control
▪ Data confidentiality
▪ Data integrity
▪ Nonrepudiation
▪ Availability service

• The authentication service is concerned with assuring that a communication
is authentic:
▪ The recipient of the message should ensure that the message came from the source
that it claims to be
▪ All communicating parties should ensure that the connection is not interfered by
unauthorized party.
• Example: Consider a person using an online banking service. Both the user and
the bank should be assured of each other's identity.
ACCESS CONTROL
• The prevention of unauthorized use of a resource (i.e., this service controls who can have access to a
resource, under what conditions access can occur, and what those accessing the resource are allowed to do).
• Example: in online banking a user may be allowed to see his balance, but not allowed to make any
transactions for some of his accounts

• DATA CONFIDENTIALITY
• The protection of data from unauthorized disclosure.
▪ Connection Confidentiality
• The protection of all user data on a connection.
▪ Connectionless Confidentiality
• The protection of all user data in a single data block
▪ Selective-Field Confidentiality
• The confidentiality of selected fields within the user data on a connection or in a single data block.
▪ Traffic-Flow Confidentiality
• The protection of the information that might be derived from observation of traffic flows.
• DATA INTEGRITY
• The assurance that data received are exactly as sent by an authorized entity (i.e., contain no modification,
insertion, deletion, or replay).
• Connection Integrity with Recovery
▪ Provides for the integrity of all user data on a connection and detects any modification, insertion,
deletion, or replay of any data within an entire data sequence, with recovery attempted.
• Connection Integrity without Recovery
▪ As above, but provides only detection without recovery.
• Selective-Field Connection Integrity
▪ Provides for the integrity of selected fields within the user data of a data block transferred over a
connection and takes the form of determination of whether the selected fields have been modified,
inserted, deleted, or replayed.
• Connectionless Integrity
▪ Provides for the integrity of a single connectionless data block and may take the form of detection
of data modification. Additionally, a limited form of replay detection may be provided.
• Selective-Field Connectionless Integrity
▪ Provides for the integrity of selected fields within a single connectionless data block; takes the form
of determination of whether the selected fields have been modified.
• NONREPUDIATION
• Provides protection against denial by one of the entities involved in a communication of
having participated in all or part of the communication.
• Nonrepudiation, Origin
• Proof that the message was sent by the specified party.
• Nonrepudiation, Destination
• Proof that the message was received by the specified party
• Example: Imagine a user of online banking who has made a transaction, but later denied
that. How can the bank protect itself in such a situation?

• AVAILABILITY SERVICE
• Protects a system to ensure its availability
• Particularly, it addresses denial-of-service attacks
• Depends on other security services: access control, authentication, etc
Security Policy and Mechanisms

• A security policy is a statement of what is, and what is not, allowed.


• Security mechanisms are used to implement security services. They include
(X.800):
• Encipherment
• Digital signature
• Access Control mechanisms
• Data Integrity mechanisms
• Authentication Exchange
• Traffic Padding/Bit stuffing
• Routing Control
• Notarization

• Encipherment
• The use of mathematical algorithms to transform data into a form that is not readable. The transformation and
subsequent recovery of the data depend on an algorithm and zero or more encryption keys.
• Digital Signature
• Data appended to, or a cryptographic transformation of, a data unit that allows a recipient of the data unit to
prove the source and integrity of the data unit and protect against forgery (e.g., by the recipient).
• Access Control- A variety of mechanisms that enforce access rights to resources.
• Data Integrity - A variety of mechanisms used to assure the integrity of a data unit or stream of data units.
• Authentication Exchange - A mechanism intended to ensure the identity of an entity by means of
information exchange.
• Traffic Padding- The insertion of bits into gaps in a data stream to frustrate traffic analysis attempts.
• Routing Control - Enables selection of particular physically secure routes for certain data and allows routing
changes, especially when a breach of security is suspected.
• Notarization - The use of a trusted third party to assure certain properties of a data exchange.
Operational Model of Network Security
• A Network Security Model exhibits how the security service has been designed over the network to prevent
the opponent from causing a threat to the confidentiality or authenticity of the information that is being
transmitted through the network.

• The network security model presents the two communicating parties, sender and receiver, who mutually
agree to exchange information. The sender has information to share with the receiver.

• But sender cannot send the message on the information channel in the readable form as it will have a threat of
being attacked by the opponent. So, before sending the message through the information channel, it should
be transformed into an unreadable format.

• The general model shows that there are four basic tasks in designing a particular security
service:
1. Design an algorithm for performing the security-related transformation. The algorithm should be such
that an opponent cannot defeat its purpose.
2. Generate the secret information to be used with the algorithm.
3. Develop methods for the distribution and sharing of the secret information.
4. Specify a protocol to be used by the two principals that makes use of the security algorithm and the
secret information to achieve a particular security service.

• You are well aware of the attackers who attack your system that is accessible through the
internet. These attackers fall into two categories:
1. Hacker: The one who is only interested in penetrating into your system. They do not
cause any harm to your system they only get satisfied by getting access to your system.
2. Intruders: These attackers intend to do damage to your system or try to obtain the
information from the system which can be used to attain financial gain.
• The attacker can place a logical program on your system through the network which can
affect the software on your system. This leads to two kinds of risks:
a. Information threat: This kind of threat modifies data on behalf of a user who should
not actually have access to it, for example by enabling some crucial permission in the system.
b. Service threat: This kind of threat prevents the user from accessing data on the
system.
• These kinds of threats can be introduced by launching worms, viruses and many
more programs like these on your system. Attacks with worms and viruses are software attacks that
can be introduced to your system through the internet.
• The network security model to secure your system is shown in the figure below:
• There are two ways to secure your system from attacker of which the first is to introduce
the gatekeeper function. Introducing gatekeeper function means
introducing login-id and passwords which would keep away the unwanted access.
• In case an unwanted user does get access to the system, the second way to secure it is to
introduce internal controls, which detect the unwanted user trying to access the system by
analyzing system activities. This second method is what we call antivirus, which we install on our system
to prevent unwanted users from accessing the computer system through the internet.
Symmetric and Asymmetric key Cryptography

• Cryptography is associated with the process of converting ordinary plain text into
cipher text and vice-versa.
• It is a method of storing and transmitting data in a particular form so that only those for
whom it is intended can read and process it.

• Fig. shows a sender who wants to transfer some sensitive
data to a receiver in such a way that any party
intercepting or eavesdropping on the communication
channel cannot extract the data.
• The objective of this simple cryptography is that only the
sender and the receiver will know the plaintext.
• Components of a Cryptography
• Plaintext: It is the data to be protected during transmission.
• Encryption Algorithm: It is a mathematical process that produces a ciphertext for any given
plaintext and encryption key. It is a cryptographic algorithm that takes plaintext and an encryption key
as input and produces a ciphertext.
• Ciphertext: It is the scrambled version of the plaintext produced by the encryption algorithm using a
specific encryption key. The ciphertext is not guarded. It flows over a public channel. It can be
intercepted or compromised by anyone who has access to the communication channel.
• Decryption Algorithm: It is a mathematical process, that produces a unique plaintext for any given
ciphertext and decryption key. It is a cryptographic algorithm that takes a ciphertext and a decryption
key as input, and outputs a plaintext. The decryption algorithm essentially reverses the encryption
algorithm and is thus closely related to it.
• Encryption Key: It is a value that is known to the sender. The sender inputs the encryption key into the
encryption algorithm along with the plaintext in order to compute the ciphertext.
• Decryption Key: It is a value that is known to the receiver. The decryption key is related to the
encryption key, but is not always identical to it. The receiver inputs the decryption key into the
decryption algorithm along with the ciphertext in order to compute the plaintext.

• Symmetric Key Encryption (Private Key):
Encryption is a process that changes the form of a message in order to protect it from
being read by anyone.
• In Symmetric-key encryption the message is encrypted by using a key and the same
key is used to decrypt the message which makes it easy to use but less secure.
• It also requires a safe method to transfer the key from one party to another.
• Private key encryption is also referred to as symmetric encryption, where the same
private key is used for both encryption and decryption
• Asymmetric Key Encryption (Public Key Cryptography):
Asymmetric key encryption is based on a public and private
key encryption technique.
• It uses two different keys to encrypt and decrypt the message.
• It is more secure than the symmetric key encryption technique but
is much slower.
• It is asymmetric because those who encrypt messages or
verify signatures cannot decrypt messages or create signatures.
• A message that is encrypted using a public key can only be
decrypted using a private key, while also, a message
encrypted using a private key can be decrypted using a public
key.
• Security of the public key is not required because it is publicly
available and can be passed over the internet.
• Asymmetric key has a far better power in ensuring the
security of information transmitted during communication
Symmetric and Asymmetric key Cryptography-Comparison

| Symmetric Key Encryption | Asymmetric Key Encryption |
|---|---|
| It only requires a single key for both encryption and decryption. | It requires two keys, one to encrypt and the other one to decrypt. |
| The size of cipher text is same or smaller than the original plain text. | The size of cipher text is same or larger than the original plain text. |
| The encryption process is very fast. | The encryption process is slow. |
| It is used when a large amount of data is required to transfer. | It is used to transfer small amount of data. |
| It only provides confidentiality. | It provides confidentiality, authenticity and non-repudiation. |
| Examples: 3DES, AES, DES and RC4 | Examples: Diffie-Hellman, ECC, El Gamal, DSA and RSA |
| In symmetric key encryption, resource utilization is low as compared to asymmetric key encryption. | In asymmetric key encryption, resource utilization is high. |
Security in Network

Security in Network Layer


• Any scheme that is developed for providing network security needs to be
implemented at some layer in protocol stack as depicted in the table below −
| Layer | Communication Protocols | Security Protocols |
|---|---|---|
| Application Layer | HTTP, FTP, SMTP | PGP, S/MIME, HTTPS |
| Transport Layer | TCP/UDP | SSL, TLS, SSH |
| Network Layer | IP | IPSec |
Security in Network-Introduction of IPSec

• The popular framework developed for ensuring security at network layer is Internet
Protocol Security (IPSec).
• IP Security (IPSec) is a collection of protocols designed by the Internet Engineering Task
Force (IETF) to provide security for a packet at the network level.
• IPSec helps create authenticated and confidential packets for the IP layer

• IPSec can protect our traffic with the following features:


• Confidentiality: by encrypting our data, nobody except the sender and receiver will be
able to read our data.
• Integrity: we want to make sure that nobody changes the data in our packets. By
calculating a hash value, the sender and receiver will be able to check if changes have
been made to the packet.
• Authentication: the sender and receiver will authenticate each other to make sure that we
are really talking with the device we intend to.
• Anti-replay: even if a packet is encrypted and authenticated, an attacker could try to
capture these packets and send them again. By using sequence numbers, IPsec will not
transmit any duplicate packets.
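The sequence-number check behind the anti-replay feature, as an added example that is not part of the original notes: the receiver verifies a keyed integrity tag first, then uses a sliding window over sequence numbers to drop duplicates while still accepting out-of-order packets. The packet layout, key, 64-packet window and all names are assumptions of this sketch, not the IPSec wire format.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-integrity-key"   # constructed sample key
TAG_LEN = 32                              # HMAC-SHA256 output size
WINDOW = 64                               # assumed window size for this sketch


def seal(seq, payload, key=KEY):
    """Sender: 4-byte sequence number + payload + integrity tag over both."""
    body = struct.pack(">I", seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Receiver:
    def __init__(self, key=KEY, window=WINDOW):
        self.key = key
        self.window = window
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence (highest - i) already seen

    def receive(self, packet):
        if len(packet) < 4 + TAG_LEN:
            return "drop: malformed"
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # The window is touched only for packets whose tag verifies, so a
        # forged sequence number cannot push the window forward.
        if not hmac.compare_digest(expected, tag):
            return "drop: bad integrity tag"
        seq = struct.unpack(">I", body[:4])[0]
        if seq == 0:
            return "drop: invalid sequence number"
        if seq > self.highest:
            # New highest: slide the window forward and mark this packet.
            shift = seq - self.highest
            mask = (1 << self.window) - 1
            self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.highest = seq
            return "accept"
        offset = self.highest - seq
        if offset >= self.window:
            return "drop: too old"
        if self.bitmap & (1 << offset):
            return "drop: replay"
        self.bitmap |= 1 << offset   # late but new: accept once
        return "accept"


def run_demo():
    p1, p2, p3 = (seal(n, b"payload %d" % n) for n in (1, 2, 3))
    # A captured copy of packet 2 renumbered to 50 without the key.
    renumbered = struct.pack(">I", 50) + p2[4:]
    rx = Receiver()
    outcomes = [rx.receive(p) for p in (p1, p3, p2, p2, renumbered, p1)]
    return outcomes, rx.highest


if __name__ == "__main__":
    outcomes, highest = run_demo()
    for line in outcomes:
        print(line)
    print("highest accepted sequence number:", highest)
```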
• IPSec operates in one of two different modes: transport mode or tunnel mode.
• IPSec in the transport mode does not protect the IP header; it only protects the
information coming from the transport layer

• IPSec in tunnel mode protects the original IP header.


• Tunnel mode is normally used between two routers, between a host and a router, or between a
router and a host, as shown in Figure.
• The entire original packet is protected from intrusion between the sender and the receiver, as if the
whole packet goes through an imaginary tunnel.

Comparison
• In transport mode, the IPSec layer comes between the transport layer and the network layer.
• In tunnel mode, the flow is from the network layer to the IPSec layer and then back to the network layer again
• Figure 32.5 compares the two modes
Security in Transport-SSL

• Two protocols are dominant today for providing security at the transport layer: the Secure
Sockets Layer (SSL) protocol and the Transport Layer Security (TLS) protocol.
• SSL is designed to provide security and compression services to data generated from the application layer.
• SSL provides security to the data that is transferred between web browser and server.
• Typically, SSL can receive data from any application-layer protocol, but usually the protocol is HTTP.
• The data received from the application is compressed (optional), signed, and encrypted. The data is then passed to a
reliable transport-layer protocol such as TCP.
• The family includes SSL versions 2 and 3 and the TLS protocol. SSLv2 has now been replaced by SSLv3, so we will focus on
SSLv3 and TLS.
Services
• SSL provides several services on data received from the application layer.
• Fragmentation. First, SSL divides the data into blocks of 2^14 bytes or less.
• Compression. Each fragment of data is compressed using one of the lossless compression methods negotiated
between the client and server. This service is optional.
• Message Integrity. To preserve the integrity of data, SSL uses a keyed-hash function to create a MAC.
• Confidentiality. To provide confidentiality, the original data and the MAC are encrypted using symmetric-key
cryptography.
• Framing. A header is added to the encrypted payload. The payload is then passed to a reliable transport-layer
protocol.
Salient Features of SSL


• SSL provides network connection security through −
• Confidentiality − Information is exchanged in an encrypted form.
• Authentication − Communication entities identify each other through the use of
digital certificates. Web-server authentication is mandatory whereas client
authentication is kept optional.
• Reliability − Maintains message integrity checks.
• SSL is available for all TCP applications.
• Supported by almost all web browsers.
• Provides ease in doing business with new online entities.
• Developed primarily for Web e-commerce.
Architecture of SSL
• SSL is specific to TCP and does not work with UDP. The SSL protocol is designed to interwork
between the application and transport layers, as shown in the Figure.
• SSL itself is not a single-layer protocol as depicted in the image; in fact, it is composed of two
sub-layers.
• The lower sub-layer comprises one component of the SSL protocol, called the SSL Record Protocol.
This component provides integrity and confidentiality services.
• The upper sub-layer comprises three SSL-related protocol components and an application protocol.
The application component provides the information transfer service between client/server interactions.
Technically, it can operate on top of the SSL layer as well. The three SSL-related protocol components are −
• SSL Handshake Protocol
• Change Cipher Spec Protocol
• Alert Protocol.
• These three protocols manage all of SSL message exchanges
Record Protocol
• The Record Protocol carries messages from the
upper layer (Handshake Protocol,
ChangeCipherSpec Protocol, Alert Protocol, or
application layer).
• The message is fragmented and optionally
compressed; a MAC is added to the compressed
message using the negotiated hash algorithm.
• The compressed fragment and the MAC are
encrypted using the negotiated encryption
algorithm.
• Finally, the SSL header is added to the encrypted
message. Figure shows this process at the sender.
• The process at the receiver is reversed.
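The sender and receiver steps of the Record Protocol listed above, as an added Python example that is not part of the original slides. It models the processing order only and is not wire-compatible SSL: HMAC-SHA256 stands in for the negotiated hash, a SHAKE-256 keystream XOR stands in for the negotiated cipher, and the function names `seal` and `open_records` are assumptions.

```python
import hashlib
import hmac
import struct
import zlib

MAX_FRAGMENT = 2 ** 14      # largest plaintext fragment carried by one record
APPLICATION_DATA = 23       # record content type: application data
VERSION = (3, 0)            # SSL 3.0 version bytes in the record header
MAC_LEN = 32                # HMAC-SHA256 output size


def _mac(mac_key, seq, ctype, body):
    # The MAC covers the sequence number, type and length as well as the data,
    # so a reordered, replayed or truncated record fails verification.
    return hmac.new(mac_key, struct.pack(">QBH", seq, ctype, len(body)) + body,
                    hashlib.sha256).digest()


def _cipher(enc_key, seq, data):
    # Stand-in for the negotiated cipher: XOR with a per-record SHAKE-256 keystream.
    stream = hashlib.shake_256(enc_key + struct.pack(">Q", seq)).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(data, enc_key, mac_key, compress=True):
    """Sender: fragment -> compress (optional) -> add MAC -> encrypt -> add header."""
    records = []
    for seq, start in enumerate(range(0, len(data), MAX_FRAGMENT)):
        fragment = data[start:start + MAX_FRAGMENT]
        body = zlib.compress(fragment) if compress else fragment
        protected = _cipher(enc_key, seq, body + _mac(mac_key, seq, APPLICATION_DATA, body))
        header = struct.pack(">BBBH", APPLICATION_DATA, *VERSION, len(protected))
        records.append(header + protected)
    return records


def open_records(records, enc_key, mac_key, compress=True):
    """Receiver: the same steps in reverse; any failed check rejects the record."""
    plaintext = bytearray()
    for seq, record in enumerate(records):
        if len(record) < 5 + MAC_LEN:
            raise ValueError("record too short")
        ctype, major, minor, length = struct.unpack(">BBBH", record[:5])
        if (major, minor) != VERSION or length != len(record) - 5:
            raise ValueError("malformed record header")
        protected = _cipher(enc_key, seq, record[5:])
        body, tag = protected[:-MAC_LEN], protected[-MAC_LEN:]
        # Verify the MAC before touching the data any further.
        if not hmac.compare_digest(tag, _mac(mac_key, seq, ctype, body)):
            raise ValueError("bad record MAC")
        fragment = zlib.decompress(body) if compress else body
        if len(fragment) > MAX_FRAGMENT:
            raise ValueError("fragment exceeds 2^14 bytes")
        plaintext += fragment
    return bytes(plaintext)
```

A 40,000-byte message yields three records, and flipping one ciphertext bit or swapping two records makes `open_records` raise instead of returning data.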
Handshake Protocol
• The Handshake Protocol uses messages to negotiate the cipher suite, to
authenticate the server to the client and the client to the server if needed,
and to exchange information for building the cryptographic secrets.
• The handshaking is done in four phases
Phase I: Establishing Security Capabilities
• In Phase I, the client and the server announce their security capabilities and
choose those that are convenient for both.
• In this phase, a session ID is established and the cipher suite is chosen.
• The parties agree upon a particular compression method.
• After Phase I, the client and server know the version of SSL, the
cryptographic algorithms, the compression method, and the two random
numbers for key generation.
Phase II: Server Authentication and Key Exchange
• In Phase II, the server authenticates itself if needed. After Phase II, the
server is authenticated to the client, and the client knows the public key of
the server if required.
Phase III: Client Authentication and Key Exchange
• Phase III is designed to authenticate the client. After Phase III, the client
is authenticated for the server, and both the client and the server know
the pre-master secret.
Phase IV: Finalizing and Finishing
• In Phase IV, the client and server send messages to change cipher
specifications and to finish the Handshake Protocol.
• ChangeCipherSpec Protocol
• SSL mandates that the parties cannot use these parameters or secrets until they have sent or
received a special message, the “ChangeCipherSpec” message, which is exchanged during the
Handshake Protocol and defined in the ChangeCipherSpec Protocol.
• The sender and the receiver each have two states. One state, the pending state, keeps track of the
parameters and secrets; the other state, the active state, holds parameters and secrets used by the
Record Protocol to sign/verify or encrypt/decrypt messages.
• In addition, each state holds two sets of values: read (inbound) and write (outbound).

• SSL Alert Protocol


• SSL uses the Alert Protocol for reporting errors and abnormal conditions. It uses only one
message that describes the problem and its level (warning or fatal).
Security in Transport-HTTPS

• HTTPS is an abbreviation of Hypertext Transfer Protocol Secure. It is a secure
extension or version of HTTP. This protocol is mainly used for providing security to the
data sent between a website and the web browser. This protocol uses port number 443
for communicating the data.
• This protocol is also called HTTP over SSL because the HTTPS communication
protocols are encrypted using the SSL (Secure Socket Layer).
HTTPS = HTTP + SSL
• By default, it is supported by various web browsers.
• Those websites which need login credentials should use the HTTPS protocol for sending
the data
When is HTTPS Required?


• When we browse, we normally send and receive information using the HTTP protocol. This
allows anyone to eavesdrop on the conversation between our computer and the web server.
Many times we need to exchange sensitive information, which needs to be secured to
prevent unauthorized access.
• The HTTPS protocol is used in the following scenarios −
o Banking Websites
o Payment Gateway
o Shopping Websites
o All Login Pages
o Email Apps
Basic Working of HTTPS
• Public key and signed certificates are required for the
server in HTTPS Protocol.
• Client requests for the https:// page
• When using an https connection, the server responds to the
initial connection by offering a list of encryption methods
the webserver supports.
• In response, the client selects a connection method, and the
client and server exchange certificates to authenticate their
identities.
• After this is done, both webserver and client exchange the
encrypted information after ensuring that both are using the
same key, and the connection is closed.
• For hosting https connections, a server must have a public
key certificate, which embeds key information with a
verification of the key owner's identity.
• Almost all certificates are verified by a third party so that
clients are assured that the key is always secure.
Advantages of HTTPS
• Following are the advantages or benefits of a Hypertext Transfer Protocol Secure (HTTPS):
• The main advantage of HTTPS is that it provides high security to users.
• Data and information are protected. So, it ensures data protection.
• SSL technology in HTTPS protects the data from third parties or hackers. This technology also builds
trust among the users who are using it.
• It helps users perform banking transactions.

Disadvantages of HTTPS
• Following are the disadvantages or limitations of a Hypertext Transfer Protocol Secure (HTTPS):
• The big disadvantage of HTTPS is that users need to purchase the SSL certificate.
• The speed of accessing the website is slow because there are various complexities in
communication.
• Users need to update all their internal links.
Review of MIME from Unit V
• Multipurpose Internet Mail Extensions (MIME) is an Internet standard that extends the format of
email to support:

1. Text in character sets other than ASCII
2. Non-text attachments: audio, video, images, application programs etc.
3. Message bodies with multiple parts
4. Header information in non-ASCII character sets

• Virtually all human-written Internet email and a fairly large proportion of automated email is
transmitted via SMTP in MIME format.

• Content-Type This header indicates the Internet media type of the message content, consisting of a
type and subtype

• MIME-Version The presence of this header indicates the message is MIME-formatted. The value is
typically "1.0" so this header appears as MIME-Version: 1.0
• MIME is a specification for formatting non-ASCII messages so that they can be sent over the Internet.
• Many e-mail clients now support MIME, which enables them to send and receive graphics, audio,
and video files via the Internet mail system.
• In addition, MIME supports messages in character sets other than ASCII.
• There are many predefined MIME types, such as GIF graphics files and PostScript files. It is also
possible to define your own MIME types.
• In addition to e-mail applications, Web browsers also support various MIME types. This enables the
browser to display or output files that are not in HTML format.
• MIME is an extension of the original Internet e-mail protocol that lets people use the protocol to
exchange different kinds of data files on the Internet: audio, video, images, application programs, and
other kinds, as well as the ASCII text handled in the original protocol, the Simple Mail Transport
Protocol (SMTP).
Security in Application - S/MIME

• In e-mail security, the sender of the message needs to include the name or
identifiers of the algorithms used in the message.
• It is obvious that some public-key algorithms must be used for e-mail security
• In e-mail security, the encryption/decryption is done using a symmetric-key
algorithm, but the secret key to decrypt the message is encrypted with the
public key of the receiver and is sent with the message.
• S/MIME stands for Secure Multipurpose Internet Mail Extension, a security service designed for
electronic mail.
• It is based on an earlier non-secure e-mailing standard called MIME.
• The protocol is an enhancement of the Multipurpose Internet Mail Extension (MIME) protocol.
Working of S/MIME
• S/MIME approach is similar to PGP. It also uses public key cryptography, symmetric key cryptography,
hash functions, and digital signatures. It provides similar security services as PGP for e-mail
communication.
• The most common symmetric ciphers used in S/MIME are RC2 and TripleDES. The usual public key
method is RSA, and the hashing algorithm is SHA-1 or MD5.
• The whole MIME entity is encrypted and packed into an object. S/MIME has standardized cryptographic
message formats (different from PGP). In fact, MIME is extended with some keywords to identify the
encrypted and/or signed parts in the message.
• S/MIME relies on X.509 certificates for public key distribution.
Benefits of S/MIME
• Non-repudiation: The sender cannot deny having sent the email and its contents. A digital signature is proof that
the email has come from the signer’s email client.
• Protection from in-transit email corruption: No cybercriminal can insert any sort of malicious software such
as viruses, spyware, trojan horses, computer worms, rootkit, etc. while the email is in transit.
• Protection from email spoofing: Digital signature protects the email recipients from email spoofing. No one
can impersonate the digital signature of the company’s official staff members. So, no one can trick the
recipients by sending spoofed emails impersonating the business’s authentic emails. (Or if they try, they’ll be
lacking a signature.)
• Warns recipients: If someone has tampered with the email or digital signature, it immediately alerts the
recipients about the risk. So, the recipients know that something is fishy about the email and can protect
themselves from becoming victims of the cyberattack before it’s too late.
• Prevents data leaks: An S/MIME certificate protects data from eavesdropping and leakage. The company’s
confidential communications with internal and external stakeholders remain secured due to the encryption
functionality.
• S/MIME includes two security features:


• Email Encryption - It encrypts the content of the email sent
between two S/MIME enabled users to make it unreadable to
anyone other than the intended recipient.
• Digital Signature - It digitally signs the emails sent between
two S/MIME enabled users to eliminate any risk of spoofing.
Email Encryption
How does it work?
• The process starts with the sender and receiver possessing each other's
public key. The steps in email encryption are as follows:
Encryption process
1. Once the sender clicks on Send, the original unencrypted message is
captured.
2. The recipient's public key is used to encrypt the original message. At
the end of the process, an encrypted version of the original message is
produced.
3. The encrypted message replaces the original message.
4. The email is sent to the recipient.
• Decryption process
1. The recipient receives the email.
2. The encrypted message is retrieved.
3. The recipient's private key is used to decrypt the encrypted message.
4. The original message is obtained and displayed to the recipient.
• Digital Signature
• Why is it needed?
• S/MIME digitally signs emails in order to validate the sender. Digital Signature provides the following advantages:
• Sender Validation - Digital signatures are unique to each user. Thus, the recipient can verify whether the email was
actually sent by the person it appears to be from. This eliminates the risk of anyone spoofing your email address.
• Nonrepudiation - The uniqueness of the digital signature ensures that the author of the email will not be able to deny
ownership of the emails. Claims of impersonation can easily be refuted.
• How does it work?
• The process starts with the sender and receiver possessing each other's public key. Digital signing of an email works as
follows:
• Digital signing process
1. Once the sender clicks on Send, the original message is captured.
2. The message hash is calculated.
3. The sender's private key is used to encrypt the hash value.
4. The encrypted hash value is added to the email.
5. The email is sent to the recipient.
• Signature verification process


1. The recipient receives the digitally signed email.
2. The original message is obtained and its hash
value is calculated.
3. The encrypted hash is retrieved from the email.
4. The encrypted hash is decrypted using the
sender's public key.
5. The decrypted hash and the hash value
calculated from the original message obtained
are compared. If the values match, the signature
is verified.
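The signing and verification steps above, together with the earlier description of encrypting the message with a symmetric key that is itself encrypted with the receiver's public key, as an added Python example that is not part of the original slides. It uses textbook RSA without padding on constructed demo keys and a SHAKE-256 keystream XOR as the symmetric stand-in; real S/MIME uses padded RSA, standardized message formats and X.509 certificates, and all names here are assumptions.

```python
import hashlib
import os


def make_keypair(p_exp, q_exp, e=65537):
    """Constructed demo RSA key from two Mersenne primes (reproducible, NOT secure)."""
    p, q = 2 ** p_exp - 1, 2 ** q_exp - 1
    return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}


def public_part(key):
    return {"n": key["n"], "e": key["e"]}


SENDER = make_keypair(521, 607)        # hypothetical sender key pair
RECIPIENT = make_keypair(1279, 2203)   # hypothetical recipient key pair


def digest_int(message):
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message, sender_key):
    """Signing steps 2-4: hash the message, transform the hash with the
    sender's private key, attach the result to the email."""
    signature = pow(digest_int(message), sender_key["d"], sender_key["n"])
    return {"body": message, "signature": signature}


def verify(email, sender_public):
    """Verification steps 2-5: recompute the hash, recover the signed hash
    with the sender's public key, compare the two values."""
    recovered = pow(email["signature"], sender_public["e"], sender_public["n"])
    return recovered == digest_int(email["body"])


def _stream_xor(key, data):
    # Stand-in symmetric cipher: XOR with a SHAKE-256 keystream, one key per message.
    stream = hashlib.shake_256(key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_for(message, recipient_public):
    """Encrypt the body with a fresh session key, then wrap that key with the
    recipient's public key and send both together."""
    session_key = os.urandom(32)
    wrapped = pow(int.from_bytes(session_key, "big"),
                  recipient_public["e"], recipient_public["n"])
    return {"wrapped_key": wrapped, "ciphertext": _stream_xor(session_key, message)}


def decrypt(envelope, recipient_key):
    """Unwrap the session key with the recipient's private key, then decrypt."""
    key_int = pow(envelope["wrapped_key"], recipient_key["d"], recipient_key["n"])
    return _stream_xor(key_int.to_bytes(32, "big"), envelope["ciphertext"])
```

Changing one byte of a signed body, or checking the signature against a different public key, makes `verify` return `False`.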
• Which clients support S/MIME?


• These are some of the many desktop and mobile email clients
that support email encryption certificates:
• Apple Mail
• Gmail (paid version)
• iPhone iOS Mail
• Microsoft Outlook
• Mozilla Thunderbird
Overview of IDS

• An intrusion detection system (IDS) is a device or software application that monitors a network
for malicious activity or policy violations.
• Any malicious activity or violation is typically reported or collected centrally using a security
information and event management system.
• Some IDS’s are capable of responding to detected intrusion upon discovery. These are classified
as intrusion prevention systems (IPS).
• IDS Detection Types
• There is a wide array of IDS, ranging from antivirus software to tiered monitoring systems that
follow the traffic of an entire network. The most common classifications are:
• Network intrusion detection systems (NIDS): A system that analyzes incoming network
traffic.
• Host-based intrusion detection systems (HIDS): A system that monitors important operating
system files.
• There is also a subset of IDS types. The most common variants are based on signature
detection and anomaly detection.
• Signature-based: Signature-based IDS detects possible threats by looking for specific
patterns, such as byte sequences in network traffic, or known malicious instruction
sequences used by malware. This terminology originates from antivirus software, which
refers to these detected patterns as signatures. Although signature-based IDS can easily
detect known attacks, it cannot detect new attacks, for which no pattern is
available.
• Anomaly-based: a newer technology designed to detect and adapt to unknown attacks,
primarily due to the explosion of malware. This detection method uses machine learning to
create a defined model of trustworthy activity, and then compare new behavior against this
trust model. While this approach enables the detection of previously unknown attacks, it
can suffer from false positives: previously unknown legitimate activity can accidentally be
classified as malicious.
IDS Usage in Networks
• When placed at a strategic point or points within a network to monitor traffic to and from all devices on the network,
an IDS analyzes passing traffic and matches it against the library of known attacks. Once an
attack is identified, or abnormal behavior is sensed, an alert can be sent to the administrator.
• Evasion Techniques - Being aware of the techniques available to cyber criminals who are trying to breach a secure
network can help IT departments understand how IDS systems can be tricked into missing actionable threats:
• Fragmentation: Sending fragmented packets allows the attacker to stay under the radar, bypassing the detection
system's ability to detect the attack signature.
• Avoiding defaults: A port utilized by a protocol does not always provide an indication to the protocol that’s
being transported. If an attacker had reconfigured it to use a different port, the IDS may not be able to detect the
presence of a trojan.
• Coordinated, low-bandwidth attacks: coordinating a scan among numerous attackers, or even allocating
various ports or hosts to different attackers. This makes it difficult for the IDS to correlate the captured packets
and deduce that a network scan is in progress.
• Address spoofing/proxying: attackers can obscure the source of the attack by using poorly secured or
incorrectly configured proxy servers to bounce an attack. If the source is spoofed and bounced by a server, it
makes it very difficult to detect.
• Pattern change evasion: IDS rely on pattern matching to detect attacks. By making slight adjustments to the attack
architecture, detection can be avoided.
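Why a signature engine has to reassemble traffic before matching, as an added Python example that is not part of the original slides. The signature is a harmless constructed marker, the capture is constructed sample data, and the function names are assumptions; matching is done on content, so the non-default port 8080 makes no difference.

```python
from collections import defaultdict

# Constructed signature set: a harmless marker stands in for a real byte pattern.
SIGNATURES = {"SIG-DEMO-1": b"EXAMPLE-MALICIOUS-MARKER"}

FLOW_WHOLE = "192.0.2.5:40000>198.51.100.9:8080"   # marker sent in one packet
FLOW_SPLIT = "192.0.2.6:40001>198.51.100.9:80"     # marker split over two fragments
FLOW_CLEAN = "192.0.2.7:40002>198.51.100.9:80"     # no marker at all

# Constructed capture: (flow id, byte offset within the flow, payload).
PACKETS = [
    (FLOW_WHOLE, 0, b"GET /a EXAMPLE-MALICIOUS-MARKER"),
    (FLOW_SPLIT, 21, b"OUS-MARKER HTTP/1.0"),      # second fragment arrives first
    (FLOW_SPLIT, 0, b"GET /b EXAMPLE-MALICI"),
    (FLOW_CLEAN, 0, b"GET /index.html HTTP/1.0"),
]


def scan(data):
    """Return the names of all signatures whose byte pattern occurs in data."""
    return sorted(name for name, pattern in SIGNATURES.items() if pattern in data)


def alerts_per_packet(packets):
    """Naive engine: every packet payload is matched on its own."""
    return sorted({(flow, sig) for flow, _, payload in packets for sig in scan(payload)})


def reassemble(packets):
    """Rebuild each flow's byte stream from its fragments, ordered by offset."""
    fragments = defaultdict(dict)
    for flow, offset, payload in packets:
        fragments[flow].setdefault(offset, payload)    # first copy of a duplicate wins
    streams = {}
    for flow, parts in fragments.items():
        stream = bytearray()
        for offset in sorted(parts):
            if offset > len(stream):                   # gap: earlier bytes still missing
                break
            stream += parts[offset][len(stream) - offset:]   # skip overlapping bytes
        streams[flow] = bytes(stream)
    return streams


def alerts_reassembled(packets):
    """Match signatures against the reassembled stream of each flow."""
    return sorted({(flow, sig)
                   for flow, stream in reassemble(packets).items()
                   for sig in scan(stream)})
```

Per-packet matching reports only `FLOW_WHOLE`; matching on the reassembled streams reports both `FLOW_WHOLE` and `FLOW_SPLIT`.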
Why IDS systems are important?


• Modern networked business environments require a high level of security
to ensure safe and trusted communication of information between various
organizations.
• An intrusion detection system acts as an adaptable safeguard technology
for system security after traditional technologies fail.
• Cyber attacks will only become more sophisticated, so it is important that
protection technologies adapt along with their threats.
Overview of Firewall

• A firewall is a network security device that monitors incoming and
outgoing network traffic and permits or blocks data packets based on a set
of security rules.
• Its purpose is to establish a barrier between your internal network and
incoming traffic from external sources (such as the internet) to block
malicious traffic such as viruses and hackers.
• How does a firewall work?
• A firewall system analyzes network traffic based on pre-defined rules. It then filters the
traffic and blocks any traffic coming from unreliable or suspicious sources. It only
allows incoming traffic that it is configured to accept.
• Typically, firewalls intercept network traffic at a computer's entry point, known as a port.
Firewalls perform this task by allowing or blocking specific data packets (units of
communication transferred over a digital network) based on pre-defined security rules.
Incoming traffic is allowed only through trusted IP addresses, or sources.
Functions of Firewall
• As stated above, the firewall works as a gatekeeper. It analyzes every attempt to gain access to our
operating system and prevents traffic from unwanted or non-recognized sources.
• Since the firewall acts as a barrier or filter between the computer system and other networks (i.e., the public
Internet), we can consider it as a traffic controller. Therefore, a firewall's primary function is to secure our
network and information by controlling network traffic, preventing unwanted incoming network traffic, and
validating access by assessing network traffic for malicious things such as hackers and malware.
• Generally, most operating systems (for example - Windows OS) and security software come with built-in
firewall support. Therefore, it is a good idea to ensure that those options are turned on. Additionally, we can
configure the security settings of the system to be automatically updated whenever available.
• Firewalls have become powerful and include a variety of built-in functions and
capabilities:
• Network Threat Prevention
• Application and Identity-Based Control
• Hybrid Cloud Support
• Scalable Performance
• Network Traffic Management and Control
• Access Validation
• Record and Report on Events
Limitations of Firewalls
• Firewalls cannot stop users from accessing malicious websites, leaving the network vulnerable to
internal threats or attacks.
• Firewalls cannot protect against the transfer of virus-infected files or software.
• Firewalls cannot prevent misuse of passwords.
• Firewalls cannot protect if security rules are misconfigured.
• Firewalls cannot protect against non-technical security risks, such as social engineering.
• Firewalls cannot stop or prevent attackers with modems from dialing in to or out of the
internal network.
• Firewalls cannot secure the system which is already infected.
Types of Firewalls
• Packet Filtering Firewalls
• A packet filtering firewall is an essential type of firewall. It acts as a management program that monitors web traffic and
filters incoming packets based on configured security rules. These firewalls block network traffic by IP
protocol, IP address, and port number if a data packet does not match the established rule-set.
• Application Level Gateway Firewall
• It is also known as a proxy firewall. Proxies are mainly used to control or monitor outbound traffic. Some application
proxies cache the requested data. This lowers bandwidth requirements and decreases the access time for the next user who
requests the same data. It also gives unquestionable evidence of what was transferred.
• Circuit-level Gateways
• Circuit-level gateways are another type of firewall that can easily be configured to allow or block traffic without significant
computing resources. These types of firewalls typically operate at the OSI model’s session level by verifying TCP
(Transmission Control Protocol) connections and sessions. Circuit-level gateways are designed to ensure that the regular
sessions are protected.
Types of Firewalls (Contd…)
• Next-Generation Firewalls (NGFW)
• These work by filtering network traffic according to the applications or traffic types and the ports they are assigned to.
• Stateful Multi-Layer Inspection (SMLI) Firewalls
• Stateful multilayer inspection firewalls contain both packet inspection technology and TCP handshake verification, which
makes SMLI firewalls better than packet-filtering firewalls or circuit-level gateways. These types of firewalls keep track of the
status of established connections.
• Network address translation (NAT) Firewalls
• It allows multiple devices with independent network addresses to connect to the internet using a single IP address, keeping
individual IP addresses hidden.
• Threat-focused NGFW
• Threat-focused NGFW contains all the features of a traditional NGFW. They can also support advanced threat detection and
remediation. These types of firewalls can react against attacks quickly.
• Cloud Firewalls
• Whenever a firewall is created using a cloud solution, it is called a cloud firewall or FaaS (firewall-as-service). Cloud firewalls
are supported and run on the Internet by third-party vendors.
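The difference between a packet filtering firewall and a stateful firewall that keeps track of established connections, as an added Python example that is not part of the original slides. The rule-set, addresses (documentation ranges) and all names are constructed assumptions; only TCP is modelled.

```python
import ipaddress

# Constructed rule-set, evaluated top to bottom; the first matching rule decides.
RULES = [
    {"action": "deny",  "src": "203.0.113.0/24", "dst": "0.0.0.0/0",     "proto": "any", "dport": None},
    {"action": "allow", "src": "0.0.0.0/0",      "dst": "192.0.2.10/32", "proto": "tcp", "dport": 443},
    {"action": "allow", "src": "192.0.2.0/24",   "dst": "0.0.0.0/0",     "proto": "tcp", "dport": None},
]


def packet(src, sport, dst, dport, flags, proto="tcp"):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "flags": flags, "proto": proto}


def rule_matches(rule, pkt):
    return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(rule["src"])
            and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(rule["dst"])
            and rule["proto"] in ("any", pkt["proto"])
            and rule["dport"] in (None, pkt["dport"]))


def packet_filter(pkt):
    """Stateless filtering: each packet is judged alone; default is deny."""
    for rule in RULES:
        if rule_matches(rule, pkt):
            return rule["action"]
    return "deny"


class StatefulFirewall:
    """Adds a connection table on top of the same rule-set."""

    def __init__(self):
        self.connections = set()

    def decide(self, pkt):
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], pkt["proto"])
        reverse = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"], pkt["proto"])
        if key in self.connections or reverse in self.connections:
            return "allow"                  # belongs to a tracked connection
        # Only an opening SYN that the rule-set allows may create a new entry.
        if pkt["flags"] == "SYN" and packet_filter(pkt) == "allow":
            self.connections.add(key)
            return "allow"
        return "deny"                       # unsolicited or rule-denied traffic
```

With these rules the stateless filter drops a server's reply to an internal client, while the stateful firewall allows it only after it has seen the client's outbound SYN.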
