Network Security (2)
▪ Network threats:
▪ Accessing programs or data at a remote host
▪ Modifying programs or data at a remote host
▪ Running a program at a remote host
▪ Interception of data in transit
▪ Modifying data in transit
▪ Insertion of data into communication traffic
▪ Including replaying previous communication
▪ Blocking selected/all traffic
▪ Impersonation of entities
▪ Attack enablers:
▪ Size / anonymity / ignorance / misunderstanding
▪ Complexity / motivation / programming skills
c. Impact of network architecture/design & implementation on security (1)
▪ Architecture can improve security by:
1) Segmentation
2) Redundancy
3) Avoiding single points of failure
4) Other means
Impact of network architecture/design & implementation on security (2)
1) Segmentation
▪ Architecture should use segmentation to limit the scope of damage caused by network penetration by:
▪ Reducing the number of threats
▪ Limiting the amount of damage caused by a single exploit
▪ Enforcing least privilege and encapsulation
2) Redundancy
▪ Architecture should use redundancy to prevent losing availability due to exploit/failure of a single network entity
▪ Example: having a redundant web server (WS) in a company
2) Firewalls
◼ Designed to do screening that routers can’t do efficiently
◼ Because routers are designed for routing (of course!)
◼ Firewalls are designed for access filtering AND auditing AND examining whole packets (not only source/destination IP/MAC addresses, which is what routers do)
h) Intrusion Detection Systems: Alarms & Alerts
◼ Example of 2-layer network protection
◼ Provided by router (Layer 1) AND firewall (Layer 2)
◼ We can add one more layer of protection: intrusion detection system (IDS) = device placed within the protected network to monitor for illegitimate actions in order to detect attacks in progress (beginning, advanced) or after they have occurred
◼ E.g.: Can detect reconnaissance & alert sysadmin or secadmin, raise alarm, thus preventing the “real” attack
OR
◼ Can detect that an attack has already occurred & raise alarm, starting system recovery actions
◼ IDS is a.k.a. IPS = intrusion protection system
◼ A marketing gimmick?
◼ IDS can be Layer 3 of layered network protection
◼ To be discussed in detail soon
i) Honeypots
◼ Honeypot – a system built as bait to attract attackers
◼ Once attackers take the bait:
◼ They are observed to learn how they behave/operate
◼ New attacks / Preferred targets / ...
◼ They are traced to catch them or scare them off
◼ Or at least traced enough to be able to threaten them with identification if they don’t stop
◼ They are diverted from really valuable attack targets
◼ E.g., diverted to a phony credit card database while the real credit card database remains obscure to them
▪ IDS terminology
◼ Anomaly — abnormal behavior
◼ Might either be still legitimate OR illegitimate
◼ Misuse — activity that violates the security policy
(subset of “anomaly” – anomaly that is illegitimate)
◼ Intrusion — misuse by outsiders and insiders
◼ Audit — activity of looking at user/system behavior, its effects, or collected data
◼ Profiling — looking at users or systems to determine what they usually do
b. Types of IDSs (1a)
▪ IDS goals
1) Detect all attacks correctly
◼ Avoid false positives (false alarms)
◼ False alarms annoy sysadmins, users, ...
◼ Avoid false negatives (not recognizing attacks)
2) Little overhead / performance impacts
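Added illustration (not from these slides) of the misuse-detection idea in h) and of the false-positive/false-negative trade-off in the IDS goals above: a threshold rule that flags port-scan reconnaissance in firewall deny logs. The log format, hosts, ports and thresholds are constructed assumptions; a too-low threshold raises false alarms, a too-short window misses a slow scan.

```python
import re
from collections import defaultdict

# Constructed firewall "deny" log lines (sample data, not from any real system).
# Assumed format: "<epoch seconds> DENY src=<ip> dst=<ip> dport=<port>"
LOG_LINES = """
1000 DENY src=10.0.0.5 dst=10.0.1.20 dport=21
1001 DENY src=10.0.0.5 dst=10.0.1.20 dport=22
1002 DENY src=10.0.0.5 dst=10.0.1.20 dport=23
1003 DENY src=10.0.0.5 dst=10.0.1.20 dport=25
1004 DENY src=10.0.0.5 dst=10.0.1.20 dport=80
1005 DENY src=10.0.0.5 dst=10.0.1.20 dport=110
1010 DENY src=10.0.0.9 dst=10.0.1.20 dport=443
1011 DENY src=10.0.0.9 dst=10.0.1.20 dport=8443
1100 DENY src=10.0.0.7 dst=10.0.1.20 dport=135
1400 DENY src=10.0.0.7 dst=10.0.1.20 dport=139
1700 DENY src=10.0.0.7 dst=10.0.1.20 dport=445
2000 DENY src=10.0.0.7 dst=10.0.1.20 dport=3389
2300 DENY src=10.0.0.7 dst=10.0.1.20 dport=8080
""".strip().splitlines()

LINE_RE = re.compile(r"^(\d+) DENY src=(\S+) dst=(\S+) dport=(\d+)$")

def parse(lines):
    """Yield (ts, src, dst, dport) for each well-formed line; ignore the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, dport = m.groups()
            yield int(ts), src, dst, int(dport)

def detect_scans(lines, min_ports=5, window=60):
    """Misuse rule: a source touching >= min_ports distinct ports on one
    destination within `window` seconds is flagged. Returns {src: ports seen}."""
    hits = defaultdict(list)                      # (src, dst) -> [(ts, dport)]
    for ts, src, dst, dport in parse(lines):
        hits[(src, dst)].append((ts, dport))
    alerts = {}
    for (src, dst), evs in hits.items():
        evs.sort()                                # slide a window over time order
        for i, (t0, _) in enumerate(evs):
            ports = {p for t, p in evs[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                alerts[src] = max(alerts.get(src, 0), len(ports))
    return alerts

if __name__ == "__main__":
    print(detect_scans(LOG_LINES))                # fast scan from 10.0.0.5 only
    print(detect_scans(LOG_LINES, min_ports=2))   # low threshold: false alarm on 10.0.0.9
    print(detect_scans(LOG_LINES, window=2000))   # wide window: catches slow scan by 10.0.0.7
```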
B.3. Secure E-Mail
a. Introduction
▪ E-mail is the most heavily used network-based application
▪ Yet, ordinary e-mail is very public, exposed
▪ It has no C / I (confidentiality / integrity)
◼ Unencrypted message contents can be peeked at either in transit or by privileged users at the destination host
Security for e-mail (2)