
5/3/2012 ms

SEMINAR ON NETWORK SECURITY

Sachin Padiyar 07-538, Hemant Jain 07-522, Harshad Kamble 07-527

Presentation Content
- Introduction
- What is the Internet?
- What do we need to protect?
- Threat Motivation
- Attack Types
- Security Objectives
- Security Mechanisms

INTRODUCTION
Network Security refers to any activities designed to protect your network. Specifically, these activities protect the:
- Usability
- Reliability
- Integrity
- Safety
of your network and data.

What is the Internet?
The Internet is a worldwide IP network that links a collection of different networks from various sources: governmental, educational and commercial.

What do we need to protect?
- Data
- Resources
- Reputation

Threat Motivation
- Spy
- Joyride
- Ignorance
- Revenge
- Greed
- Terrorist

TYPES OF NETWORK SECURITY

CLIENT-SERVER SECURITY
Uses various authorization methods to make sure that only valid users and programs have access to information resources.

DATA & TRANSACTION SECURITY
Ensures privacy and confidentiality of electronic messages and data packets, including the authentication of remote users in network transactions.

PROBLEMS OF CLIENT-SERVER SECURITY NETWORKS
- Physical security holes
- Software security holes
- Inconsistent security holes

ITS PROTECTION METHODS
- Trust-based security
- Password schemes
- Biometric systems

EMERGING CLIENT-SERVER THREATS
- Software agents and malicious code: viruses, Trojan horses, worms
- Hackers

Types of hackers
- Passive
- Active

PASSIVE hackers
A passive intruder attempts to learn or make use of information from the system but does not affect system resources.

ACTIVE hackers
An active intruder attempts to change system resources, which can affect their operation.

Security Objectives
- Identification
- Authentication
- Authorization
- Access Control
- Data Integrity
- Confidentiality
- Non-repudiation

Identification
Something which uniquely identifies a user, called the UserID. Sometimes users can select their own ID, as long as it is not already given to another user. A UserID can be one or a combination of the following:
- User name
- User student number

Authentication
The process of verifying the identity of a user. Typically based on:
- Something the user knows: a password
- Something the user has: a key, smart card, disk, or other device
- Something the user is: fingerprint, voice, or retinal scan

Authentication procedure
- Two-Party Authentication
  - One-Way Authentication
  - Two-Way Authentication
- Third-Party Authentication
  - Kerberos, X.509
- Single Sign On
  - The user can access several network resources by logging on once to a security system.

Two-Party Authentication (figure, reconstructed as text)
- One-way authentication: the client sends its UserID & password to the server; the server replies "authenticated".
- Two-way authentication: in addition, the server sends its ServerID & password to the client, and the client replies "authenticated".
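The two-party exchange above, as an added example that is not part of the original slides: a challenge-response version in Python in which the client proves knowledge of a shared secret (one-way) and, optionally, the server proves it as well (two-way). The user name, server name, secret, nonce handling and the HMAC-SHA256 construction are assumptions made for this example; the slides show the password itself being sent, which this design deliberately avoids because the proof is bound to fresh nonces and reveals nothing reusable. The impostor server shows why one-way authentication is not enough: it accepts the client but cannot produce the server-side proof.

```python
import hashlib
import hmac
import secrets

# Constructed sample credential store shared by client and server:
# one secret per (UserID, ServerID) pair, provisioned out of band (assumption).
SHARED_SECRETS = {
    ("alice", "fileserver"): b"correct horse battery staple",
}


def _mac(secret, role, user_id, server_id, nonce_s, nonce_c):
    """HMAC-SHA256 over the role tag, both identities and both nonces.
    Length-prefixing each field prevents ambiguous concatenations; the role
    tag stops a client proof from being replayed back as a server proof."""
    h = hmac.new(secret, digestmod=hashlib.sha256)
    for field in (role, user_id.encode(), server_id.encode(), nonce_s, nonce_c):
        h.update(len(field).to_bytes(2, "big") + field)
    return h.hexdigest()


class Server:
    """Legitimate server: holds the shared secrets and verifies before proving."""

    def __init__(self, server_id, secrets_db):
        self.server_id = server_id
        self.secrets_db = secrets_db

    def handle(self, user_id, nonce_s, nonce_c, client_proof):
        """Return the server's own proof if the client is accepted, else None."""
        secret = self.secrets_db.get((user_id, self.server_id))
        if secret is None:
            return None
        expected = _mac(secret, b"client", user_id, self.server_id, nonce_s, nonce_c)
        if not hmac.compare_digest(expected, client_proof):   # constant-time compare
            return None
        return _mac(secret, b"server", user_id, self.server_id, nonce_s, nonce_c)


class ImpostorServer(Server):
    """Claims the legitimate ServerID but does not know the secret: it accepts
    any client proof and has to guess its own proof (constructed attacker)."""

    def handle(self, user_id, nonce_s, nonce_c, client_proof):
        return _mac(b"guess", b"server", user_id, self.server_id, nonce_s, nonce_c)


def authenticate(user_id, server_id, client_secret, server, mutual=True,
                 rng=secrets.token_bytes):
    """Run the exchange and return (server_accepted, client_accepted).

    Messages: server -> client: nonce_s (challenge)
              client -> server: nonce_c, client_proof
              server -> client: server_proof (two-way only)
    Both nonces are drawn here for brevity; in a real protocol each party
    generates its own."""
    nonce_s = rng(16)
    nonce_c = rng(16)
    client_proof = _mac(client_secret, b"client", user_id, server_id, nonce_s, nonce_c)
    server_proof = server.handle(user_id, nonce_s, nonce_c, client_proof)
    server_accepted = server_proof is not None
    if not mutual:
        return server_accepted, None          # one-way: client never checks the server
    expected = _mac(client_secret, b"server", user_id, server_id, nonce_s, nonce_c)
    client_accepted = server_accepted and hmac.compare_digest(expected, server_proof)
    return server_accepted, client_accepted
```

Run `authenticate("alice", "fileserver", SHARED_SECRETS[("alice", "fileserver")], Server("fileserver", SHARED_SECRETS))` to see `(True, True)`; the same call against `ImpostorServer("fileserver", {})` gives `(True, False)`, and with `mutual=False` the impostor goes undetected.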

Third-Party Authentication (figure, reconstructed as text)
- The client sends its ID and password to the security server and is authenticated.
- The server sends its ID and password to the security server and is authenticated.
- Client and server then exchange keys, and finally exchange data.

Authorization
The process of assigning access rights to users.

Access Control
The process of enforcing access rights; it is based on the following three entities:
- Subject: an entity that can access an object
- Object: an entity to which access can be controlled
- Access Right: defines the ways in which a subject can access an object

Access Control is divided into two:
- Discretionary Access Control (DAC): the owner of the object is responsible for setting the access rights.
- Mandatory Access Control (MAC): the system defines the access rights based on how the subject and object are classified.
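The subject/object/access-right model and the DAC versus MAC split above, as an added example not taken from the slides. DAC is an owner-maintained access control list; MAC is modelled with Bell-LaPadula style labels ("no read up", "no write down"), which is one common MAC policy and an assumption of this example, as are the level names, users and document. The last function shows how a system that runs both treats MAC as a floor that DAC can only tighten.

```python
from dataclasses import dataclass, field

# Classification / clearance levels, lowest to highest (constructed for the example).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


@dataclass
class Subject:
    name: str
    level: str                                 # clearance, used by MAC only


@dataclass
class Object:
    name: str
    owner: str
    level: str                                 # classification, used by MAC
    acl: dict = field(default_factory=dict)    # DAC: subject name -> set of rights


def dac_grant(obj, granter, subject_name, rights):
    """DAC: only the owner may set access rights on the object.
    Returns True if the grant was applied."""
    if granter != obj.owner:
        return False
    obj.acl.setdefault(subject_name, set()).update(rights)
    return True


def dac_check(subject, obj, right):
    """DAC enforcement: the owner has every right; others need an ACL entry."""
    if subject.name == obj.owner:
        return True
    return right in obj.acl.get(subject.name, set())


def mac_check(subject, obj, right):
    """MAC enforcement (Bell-LaPadula simple security and *-property):
    read needs clearance >= classification ('no read up'),
    write needs clearance <= classification ('no write down').
    Neither the owner nor the subject can change these rules."""
    s, o = LEVELS[subject.level], LEVELS[obj.level]
    if right == "read":
        return s >= o
    if right == "write":
        return s <= o
    raise ValueError(f"unknown access right {right!r}")


def check(subject, obj, right):
    """Combined decision: MAC is the floor, DAC can only restrict further."""
    return mac_check(subject, obj, right) and dac_check(subject, obj, right)
```

Note how `bob` is granted read on `plan.txt` by its owner under DAC, yet `check` still denies it because his clearance is below the document's classification.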

Data Integrity
Assurance that the data that arrives is the same as when it was sent.

Confidentiality
Assurance that sensitive information is not visible to an eavesdropper. This is usually achieved using encryption.


Non-repudiation
Assurance that any transaction that takes place can subsequently be proved to have taken place. Both the sender and the receiver agree that the exchange took place.


Security Mechanisms
- Web Security
- Cryptographic techniques
- Digital Signature
- Internet Firewalls

Web Security
- Basic Authentication
- Secure Sockets Layer (SSL)

Basic Authentication
A simple user ID and password-based authentication scheme that provides the following:
- Identify which user is accessing the server
- Limit users to specific pages (identified by Uniform Resource Locators, URLs)
Caveat: the credentials are sent base64-encoded, not encrypted, so Basic Authentication should only be used over an SSL/TLS connection.
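A server-side handler for the scheme above, added here as an example and not taken from the slides. It parses the `Authorization: Basic` header as defined in RFC 7617, verifies the password against a salted PBKDF2 hash with a constant-time comparison, and then applies a per-URL list of allowed users, so both points on the slide (identify the user, limit users to specific pages) are covered. The realm, the user store, the page list and the 100,000 PBKDF2 iterations are assumptions of the example; `make_header` is the client side and makes visible that the header is only base64.

```python
import base64
import hashlib
import hmac


def _hash_pw(password, salt):
    """Salted PBKDF2-HMAC-SHA256; iteration count is an assumption of the example."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store: (salt, password hash), never the plaintext password.
_SALT = b"constructed-salt"
USERS = {
    "alice": (_SALT, _hash_pw("s3cret", _SALT)),
    "bob": (_SALT, _hash_pw("hunter2", _SALT)),
}

# Constructed per-URL authorization: URL prefix -> users allowed to see it.
PAGE_ACL = {
    "/admin/": {"alice"},
    "/reports/": {"alice", "bob"},
}


def parse_basic_auth(header):
    """Return (user, password) from 'Basic <base64(user:password)>' or None.
    The user-id may not contain ':', so only the first ':' separates the fields."""
    if header is None:
        return None
    scheme, _, param = header.partition(" ")
    if scheme.lower() != "basic" or not param:
        return None
    try:
        raw = base64.b64decode(param.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):      # binascii.Error is a ValueError
        return None
    user, sep, password = raw.partition(":")
    if not sep:
        return None
    return user, password


def check_password(user, password):
    """Verify against the store; hash even for unknown users so the timing
    does not reveal which user names exist."""
    record = USERS.get(user)
    salt, stored = record if record else (_SALT, b"\0" * 32)
    return hmac.compare_digest(_hash_pw(password, salt), stored) and record is not None


def handle_request(path, auth_header):
    """Return (status, body): 401 asks for credentials, 403 denies a known user
    who is not allowed on this page, 200 serves it."""
    creds = parse_basic_auth(auth_header)
    if creds is None or not check_password(*creds):
        return 401, 'WWW-Authenticate: Basic realm="seminar"'
    user = creds[0]
    for prefix, allowed in PAGE_ACL.items():
        if path.startswith(prefix):
            return (200, f"hello {user}") if user in allowed else (403, "forbidden")
    return 200, f"hello {user}"          # pages without an ACL entry: any valid user


def make_header(user, password):
    """Client side: build the header. Base64 is reversible, hence the need for TLS."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
```

`handle_request("/admin/", make_header("bob", "hunter2"))` returns 403: bob authenticated successfully but is not on the page's list, which is the difference between identifying a user and limiting which pages they may access.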

Secure Sockets Layer (SSL)

Netscape Inc. originally created the SSL protocol, but it is now implemented in World Wide Web browsers and servers from many vendors (its standardised successor is TLS). SSL provides the following:
- Confidentiality through an encrypted connection based on symmetric keys
- Authentication using public key identification and verification
- Connection reliability through integrity checking

There are two parts to the SSL standard:
- The SSL Handshake protocol performs the initial authentication and the transfer of encryption keys.
- The SSL Record protocol transfers the encrypted data.

CRYPTOGRAPHY
Cryptography refers to the science and art of transforming messages to make them secure and immune to attacks.


Digital Signature
Digital signatures are cryptographic mechanisms that perform a similar function to a written signature. They are used to verify the originator and the contents of a message.

Internet Firewall
A firewall controls the traffic flow between networks. Firewalls use the following techniques:
- Packet Filters
- Application Proxy
- Secure Tunnel
- Screened Subnet Architecture

Packet Filtering
- Most commonly used firewall technique
- Operates at the IP level
- Checks each IP packet against the filter rules before passing (or not passing) it on to its destination
- Faster than other firewall techniques
- Hard to configure
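A minimal stateless packet filter for the technique above, added as an example and not part of the slides. It checks each packet against an ordered rule list (first match wins, default deny) on the fields such a filter sees: addresses, protocol, destination port and the TCP SYN flag. The addresses, the policy and the use of "not a bare SYN" as a stand-in for an established connection are assumptions of the example; that last rule is also a good illustration of the "hard to configure" bullet, since a stateless filter cannot tell a genuine reply from an ACK packet an attacker sends to probe the inside.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    syn_only: bool = False     # TCP SYN without ACK: a new inbound connection attempt


@dataclass(frozen=True)
class Rule:
    action: str                # "allow" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: tuple = (0, 65535)  # inclusive destination port range (tcp/udp only)
    new_conn: Optional[bool] = None   # None: any; True: only SYN; False: only non-SYN


def _match(rule, pkt):
    """True if every field of the rule matches the packet."""
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    lo, hi = rule.dport
    if pkt.proto in ("tcp", "udp") and not lo <= pkt.dport <= hi:
        return False
    if rule.new_conn is not None and rule.new_conn != pkt.syn_only:
        return False
    return True


def filter_packet(rules, pkt):
    """First matching rule decides; a packet no rule matches is denied."""
    for rule in rules:
        if _match(rule, pkt):
            return rule.action
    return "deny"


# Constructed policy for inbound traffic from the non-secure network into
# the secure network 192.0.2.0/24 (documentation addresses).
INSIDE = "192.0.2.0/24"
RULES = [
    # Anti-spoofing: a packet arriving from outside must not claim an inside source.
    Rule("deny", src=INSIDE),
    # Public web server: new connections to 80 and 443 only.
    Rule("allow", dst="192.0.2.10/32", proto="tcp", dport=(80, 80)),
    Rule("allow", dst="192.0.2.10/32", proto="tcp", dport=(443, 443)),
    # Mail relay on SMTP.
    Rule("allow", dst="192.0.2.25/32", proto="tcp", dport=(25, 25)),
    # Replies to connections opened from inside: stateless approximation
    # (non-SYN TCP), which is exactly what makes such filters hard to get right.
    Rule("allow", dst=INSIDE, proto="tcp", new_conn=False),
    # Everything else falls through to the implicit default deny.
]
```

Feeding `Packet("203.0.113.5", "192.0.2.44", "tcp", 443, 51000, syn_only=False)` through `filter_packet(RULES, ...)` is allowed as a presumed reply, while the same packet with `syn_only=True` is denied; swapping the source for an inside address hits the anti-spoofing rule regardless of port.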

Figure (reconstructed as text): a packet filtering server sits between the non-secure network and the secure network.

Application Proxy
Also called an Application Level Gateway. The communication steps are as follows:
- The user connects to the proxy server
- From the proxy server, the user connects to the destination server

The proxy server can provide:
- Content screening
- Logging
- Authentication

Figure (reconstructed as text): a Telnet application proxy. The proxy server sits between the non-secure and the secure network, so a Telnet session crosses it in two hops: telnet to the proxy's telnetd, then the proxy's telnet to the destination's telnetd.

Secure IP Tunnel
- A secure channel between the secure network and an external trusted server across a non-secure network (e.g., the Internet)
- Encrypts the data between the firewall and the external trusted host
- Also verifies the identities of the session partners and the authenticity of the messages

Screened Subnet Architecture
- The DMZ (perimeter network) is set up between the secure and non-secure networks
- It is accessible from both networks and contains machines that act as gateways for specific applications

Firewall Conclusion
- Not the complete answer
  - "The fox is inside the henhouse": a firewall does nothing against an insider, so host security and user education are still needed
- Cannot control back-door traffic
  - any dial-in access bypasses it; management problems
- Cannot fully protect against new viruses
  - antivirus is needed on each host machine
- Needs to be correctly configured; the security policy must be enforced