3. Objectives
The student should be able to:
Define attacks: script kiddy, social engineering, logic bomb, Trojan horse, phishing, pharming, war driving, war dialing, man-in-the-middle attack, SQL injection, virus, worm, rootkit, dictionary attack, brute force attack, DOS, DDOS, botnet, spoofing, packet replay.
Describe defenses: defense in depth, bastion host, content filter, packet filter, stateful inspection, circuit-level firewall, application-level firewall, de-militarized zone, multi-homed firewall, IDS, IPS, NIDS, HIDS, signature-based IDS, statistical-based IDS, neural network, VPN, network access server (RADIUS/TACACS), honeypot, honeynet, hash, secret key encryption, public key encryption, digital signature, PKI, vulnerability assessment.
Identify techniques (what they do): SHA1/SHA2, MD2/MD4/MD5, DES, AES, RSA, ECC.
Describe and define security goals: confidentiality, authenticity, integrity, non-repudiation.
Place each service's and server's data in the correct sensitivity class, and define the roles with access.
Define services that can enter and leave a network.
Draw a network diagram with proper zones and security equipment.
4. The Problem of Network Security
The Internet allows an attacker to attack from anywhere in the world from their home desk. They need to find only one vulnerability; a security analyst needs to close every vulnerability.
5. Hacking Networks
Phase 1: Reconnaissance
Physical Break-In
Dumpster Diving
Google, Newsgroups, Web sites
Social Engineering
Phishing: fake email
Pharming: fake web pages
WhoIs Database & arin.net
Domain Name Server Interrogations
Registrant:
Microsoft Corporation
One Microsoft Way
Redmond, WA 98052
US
Domain name: MICROSOFT.COM
Administrative Contact:
Administrator, Domain domains@microsoft.com
One Microsoft Way
Redmond, WA 98052
US
+1.4258828080
Technical Contact:
Hostmaster, MSN msnhst@microsoft.com
One Microsoft Way
Redmond, WA 98052 US
+1.4258828080
Registration Service Provider:
DBMS VeriSign, dbms-support@verisign.com
800-579-2848 x4
Please contact DBMS VeriSign for domain updates,
DNS/Nameserver
changes, and general domain support questions.
Registrar of Record: TUCOWS, INC.
Record last updated on 27-Aug-2006.
Record expires on 03-May-2014.
Record created on 02-May-1991.
Domain servers in listed order:
NS3.MSFT.NET 213.199.144.151
NS1.MSFT.NET 207.68.160.190
NS4.MSFT.NET 207.46.66.126
NS2.MSFT.NET 65.54.240.126
NS5.MSFT.NET 65.55.238.126
6. Hacking Networks
Phase 2: Scanning
War Driving: Can I find a wireless network?
War Dialing: Can I find a modem to connect to?
Network Mapping: What IP addresses exist, and what ports are open on them?
Vulnerability-Scanning Tools: What versions of software are implemented on devices?
7. Passive Attacks
Eavesdropping: Listen to packets from other parties = Sniffing
Traffic Analysis: Learn about network from observing traffic patterns
Footprinting: Test to determine software installed on system = Network Mapping
[Figure: packets A, B and C exchanged among Bob, Jennie and Carl]
8. Hacking Networks:
Phase 3: Gaining Access
Network Attacks:
Sniffing (Eavesdropping)
IP Address Spoofing
Session Hijacking
System Attacks:
Buffer Overflow
Password Cracking
SQL Injection
Web Protocol Abuse
Denial of Service
Trap Door
Virus, Worm, Trojan horse
[Figure: a sniffer capturing "Login: Ginger Password: Snap"]
9. Some Active Attacks
Denial of Service: Message did not make it; or service could not run
Masquerading or Spoofing: The actual sender is not the claimed sender
Message Modification: The message was modified in transmission
Packet Replay: A past packet is transmitted again in order to gain access or otherwise cause damage
[Figure: four panels (Denial of Service, Spoofing, Message Modification, Packet Replay) showing Joe, Ann and Bill; in the Spoofing panel "Joe" is actually Bill]
11. SQL Injection
Java Original: "SELECT * FROM users_table WHERE username=" + "'" + username + "'" + " AND password = " + "'" + password + "'";
Inserted Password: Aa' OR ''='
Java Result: SELECT * FROM users_table WHERE username='anyname' AND password = 'Aa' OR ''='';
Inserted Password: foo';DELETE FROM users_table WHERE username LIKE '%
Java Result: SELECT * FROM users_table WHERE username='anyname' AND password = 'foo'; DELETE FROM users_table WHERE username LIKE '%'
Inserted entry: '|shell("cmd /c echo " & char(124) & "format c:")|'
[Figure: a login form (Login, Password) and the resulting "Welcome to My System" page]
12. NIST SP 800-118 Draft
Password Cracking: Dictionary Attack & Brute Force
Pattern                             | Calculation | Result  | Time to Guess (2.6x10^18/month)
Personal Info: interests, relatives | 20          | Manual  | 5 minutes
Social Engineering                  | 1           | Manual  | 2 minutes
American Dictionary                 | 80,000      |         | < 1 second
4 chars: lower case alpha           | 26^4        | 5x10^5  |
8 chars: lower case alpha           | 26^8        | 2x10^11 |
8 chars: alpha                      | 52^8        | 5x10^13 |
8 chars: alphanumeric               | 62^8        | 2x10^14 | 3.4 min.
8 chars: alphanumeric + 10          | 72^8        | 7x10^14 | 12 min.
8 chars: all keyboard               | 95^8        | 7x10^15 | 2 hours
12 chars: alphanumeric              | 62^12       | 3x10^21 | 96 years
12 chars: alphanumeric + 10         | 72^12       | 2x10^22 | 500 years
12 chars: all keyboard              | 95^12       | 5x10^23 |
16 chars: alphanumeric              | 62^16       | 5x10^28 |
13. Hacking Networks:
Phase 4: Exploit/Maintain Access
Backdoor: Control system: system commands, log keystrokes, pswd
Trojan Horse: Useful utility actually creates a backdoor.
Spyware/Adware: Spyware: Collect info: keystroke logger, collect credit card #s. AdWare: insert ads, filter search results
Bots: Slave forwards/performs commands; spreads, list email addrs, DOS attacks
User-Level Rootkit: Replaces system executables: e.g. Login, ls, du
Kernel-Level Rootkit: Replaces OS kernel: e.g. process or file control to hide
15. Distributed Denial of Service
Zombies can barrage a victim server with requests, causing the network to fail to respond to anyone
[Figure: Attacker -> Handler -> Zombies (in Russia, Bulgaria and the United States) -> Victim]
16. Question
An attack where multiple computers send connection packets to a server simultaneously to slow the firewall is known as:
1. Spoofing
2. DDOS
3. Worm
4. Rootkit
17. Question
A man in the middle attack is implementing which additional type of attack:
1. Spoofing
2. DoS
3. Phishing
4. Pharming
21. Attacking the Network
What ways do you see of getting in?
[Figure: network diagram with The Internet, Border Router/Firewall, De-Militarized Zone, Private Network, Commercial Network, a second Private Network and a WLAN]
22. Filters
Route Filter: Verifies sources and destination of IP addresses
Packet Filter: Scans headers of packets and discards if ruleset failed (e.g., Firewall or router)
Content Filter: Scans contents of packets and discards if ruleset failed (e.g., Intrusion Prevention System or firewall)
[Figure: "The good, the bad & the ugly..." arrive at the Filter; "The bad & the ugly" are dropped, "The Good" passes]
23. Packet Filter Firewall
[Figure: packets presented to a packet filter firewall: Web Request, Ping Request, FTP request, Email Connect Request, Web Response, Telnet Request, Email Response, SSH Connect Request, DNS Request, Email Response, Illegal Source IP Address, Illegal Dest IP Address, Microsoft NetBIOS Name Service; shown passing through: Email Response, Web Response]
24. Firewall Configurations
Router Packet Filtering:
Packet header is inspected
Single packet attacks caught
Very little overhead in firewall: very quick
High volume filter
Stateful Inspection:
State retained in firewall memory
Most multi-packet attacks caught
More fields in packet header inspected
Little overhead in firewall: quick
[Figure: terminal A - firewall - host A; the stateful firewall keeps an "A" state entry for the connection]
25. Firewall Configurations
Circuit-Level Firewall:
Packet session terminated and recreated via a Proxy Server
All multi-packet attacks caught
Packet header completely inspected
High overhead in firewall: slow
Application-Level Firewall:
Packet session terminated and recreated via a Proxy Server
Packet header completely inspected
Most or all of application inspected
Highest overhead: slow & low volume
[Figure: terminal A - firewall - host B; the proxy holds separate connections A and B]
28. Services and Servers Workbook
Service   | Sensitivity  | Roles                                                                         | Server
Grades    | Confidential | For Graduates: Transcripts; For Current Students: Advising, Students, Faculty | StudentScholastic
Billing   | Confidential | For Current Students: Registration, Accounting, Advising; Payment: Students    | StudentBilling
Web Pages | Public       | Students, Employees, Public                                                   | Web services
29. Path of Logical Access
How would access control be improved?
[Figure: The Internet - Border Router/Firewall - De-Militarized Zone - Router/Firewall - Private Network, with a WLAN attached]
30. Protecting the Network
[Figure: The Internet - Border Router: Packet Filter - De-Militarized Zone (Bastion Hosts) - Proxy server firewall - Private Network, with a WLAN attached]
31. Serviced Applications Workbook
Applications              | Sources of Entry                       | Servers             | Required Controls (e.g., Encryption)
Grades - Graduates        | University Registration                | Graduate Scholastic | Confidentiality, Integrity, Authentication
Grades – Current Students | United States                          | Student Scholastic  | Confidentiality, Integrity, Authentication
Billing                   | Payment: International; Reports: Univ. | Student Scholastic  | Confidentiality, Authentication, Integrity, Non-repudiation
Web Pages                 | International                          | DMZ: PublicFace     |
33. Intrusion Detection Systems (IDS) / Intrusion Prevention Systems (IPS)
Network IDS = NIDS
Examines packets for attacks
Can find worms, viruses, org-defined attacks
Warns administrator of attack
IPS = Packets are routed through IPS
Host IDS = HIDS
Examines actions or resources for attacks
Recognize unusual or inappropriate behavior
E.g., Detect modification or deletion of special files
[Figure: Router - Firewall - IDS placement]
34. IDS Intelligence Systems
Signature-Based: Specific patterns are recognized as attacks
Statistical-Based: The expected behavior of the system is understood. If variations occur, they may be attacks (or maybe not)
Neural Networks: Statistical-Based with self-learning (or artificial intelligence). Recognizes patterns
[Figure: signature matching: attacks NastyVirus, BlastWorm, NastyVirus reach the NIDS, which raises "ALARM!!!"]
[Figure: statistical baseline: traffic chart (0-90) for Sales, Personnel and Factory against Normal over Mon., Tues., Wed., Thurs.]
35. Honeypot & Honeynet
Honeypot: A system with a special software application which appears easy to break into
Honeynet: A network which appears easy to break into
Purpose: Catch attackers
All traffic going to honeypot/net is suspicious
If successfully penetrated, can launch further attacks
Must be carefully monitored
[Figure: Firewall, IDS, External DNS, Web Server, E-Commerce Server, VPN and a Honey Pot]
36. Data Privacy
Confidentiality: Unauthorized parties cannot access information (-> Secret Key Encryption)
Authenticity: Ensuring that the actual sender is the claimed sender. (-> Public Key Encryption)
Integrity: Ensuring that the message was not modified in transmission. (-> Hashing)
Nonrepudiation: Ensuring that sender cannot deny sending a message at a later time. (-> Digital Signature)
[Figure: four panels (Confidentiality, Authenticity, Integrity, Non-Repudiation) showing Joe, Ann and Bill; in the Authenticity panel "Joe" is actually Bill]
37. Encryption – Secret Key
Examples: DES, AES
[Figure: plaintext -> Encrypt (Ksecret) -> ciphertext -> Decrypt (Ksecret) -> plaintext]
P = D(Ksecret, E(Ksecret, P))
NIST Recommended: 3DES w. CBC, AES 128 Bit
38. Public Key Encryption
Examples: RSA, ECC, Quantum
[Figure, top: Encryption (e.g., RSA): Encrypt with Kpublic -> Decrypt with Kprivate; key owner Joe]
[Figure, bottom: Digital Signature: message and private key -> Encrypt with Kprivate -> Decrypt with Kpublic; key owner Joe; gives Authentication, Non-repudiation]
P = D(kPRIV, E(kPUB, P))
P = D(kPUB, E(kPRIV, P))
NIST Recommended: RSA 1024 bit
2011: RSA 2048 bit
39. Remote Access Security
Virtual Private Network (VPN) often implemented with IPSec
Can authenticate and encrypt data through Internet (red line)
Easy to use and inexpensive
Difficult to troubleshoot, less reliable than dedicated lines
Susceptible to malicious software and unauthorized actions
Often router or firewall is the VPN endpoint
[Figure: The Internet - Firewall - VPN Concentrator]
40. Secure Hash Functions
Examples: SHA1, SHA2, MD2, MD4, MD5
[Figure, Message Authentication Code: sender hashes the Message with key K -> H; receiver hashes the Message with K and compares the two H values]
[Figure, One Way Hash: sender hashes the Message -> H and encrypts H with K (E); receiver decrypts (D) with K, hashes the Message and compares]
Ensures the message was not modified during transmission
NIST Recommended: SHA-1, SHA-2
2011: SHA-2
42. Public Key Infrastructure (PKI)
[Figure: Digital Certificate (User: Sue, Public Key: 2456); Certificate Authority (CA) with Register(Owner, Public Key); Sue; Tom]
1. Sue registers with CA through RA
2. Registration Authority (RA) verifies owners
3. Send approved Digital Certificates
4. Sue sends Tom message signed with Digital Signature
5. Tom requests Sue's DC
6. CA sends Sue's DC
7. Tom confirms Sue's DS
43. Network Access Server
NAS: Network Access Server
Handles user authentication, access control and accounting
Calls back to pre-stored number based on user ID
Prone to hackers, DOS, misconfigured or insecure devices
RADIUS: Remote Access Dial-in User Service
TACACS: Terminal Access Controller Access-Control System
[Figure: 1. Dial up and authenticate; 2. Call back; 3. Connect; the NAS consults RADIUS or TACACS]
44. Web Page Security
SQL Filtering: Filtering of web input for SQL Injection
Encryption/Authentication: Ensuring Confidentiality, Integrity, Authenticity, Non-repudiation
Web Protocol Protection: Protection of State
45. Vulnerability Assessment
Scan servers, work stations, and control devices for vulnerabilities
Open services, patching, configuration weaknesses
Testing controls for effectiveness
Adherence to policy & standards
Penetration testing
46. Serviced Applications Workbook
Applications              | Sources of Entry                       | Servers            | Required Controls (e.g., Encryption)
Grades – Current Students | United States                          | Student Scholastic | Confidentiality: Encryption; Integrity: Hashing, IDS; Authentication: VPN/IPsec, secure passwords
Billing                   | Payment: International; Reports: Univ. | Student Scholastic | Confidentiality: Encryption, HTTPS; Authentication: VPN/IPsec; Integrity: Hashing, IDS; Non-repudiation: Digital Signature
47. Summary of Network Controls
Network Security Techniques:
Encryption: Public and Private key, Wireless WPA2
Virtual Private Network (VPN): Secure communications tunnel
Secure Hashing
Digital Signature
Bastion Host Configuration
Certificate Authority: PKI
Network Protection Devices:
Firewall: Packet, Stateful, Circuit, Application-Level
Proxy server
Demilitarized Zone (DMZ)
Intrusion Detection System
Intrusion Prevention System
Network access server (RADIUS or TACACS)
Honeypot, honeynet
Secure Protocols:
SSL: Secure web
SSH: Secure telnet/rlogin or file transfer
S/MIME: Secure email
Secure Information Mgmt: Log mgmt
48. Question
A map of the network that shows where service requests enter and are processed
1. Is called the Path of Physical Access
2. Is primarily used in developing security policies
3. Can be used to determine whether sufficient Defense in Depth is implemented
4. Helps to determine where antivirus software should be installed
49. Question
The filter with the most extensive filtering capability is the
1. Packet filter
2. Application-level firewall
3. Circuit-level firewall
4. State Inspection
50. Question
The technique which implements non-repudiation is:
1. Hash
2. Secret Key Encryption
3. Digital Signature
4. IDS
51. Question
Anti-virus software typically implements which type of defensive software:
1. Neural Network
2. Statistical-based
3. Signature-based
4. Packet filter
52. Question
MD5 is an example of what type of software:
1. Public Key Encryption
2. Secret Key Encryption
3. Message Authentication
4. PKI
53. Question
A personal firewall implemented as part of the OS or antivirus software qualifies as a:
1. Dual-homed firewall
2. Packet filter
3. Screened host
4. Bastion host
54. HEALTH FIRST CASE STUDY
Designing Network Security
Jamie Ramon MD, Doctor
Chris Ramon RD, Dietician
Terry, Licensed Practicing Nurse
Pat, Software Consultant
55. Define Services & Servers
Which data can be grouped together by role and sensitivity/criticality?
Service Name | Sensitivity Class. | Roles with Access | Server Name
Sensitivity classes: Confidential – Management; Public – Web Pages; Privileged – Contracts
56. Defining Services which can Enter and Leave the Network
Service | Source (e.g., home, world, local computer) | Destination (local server, home, world, etc.)
57. Defining Zones and Controls
Compartmentalization: Zone = Region (E.g., DMZ, wireless, internet)
Servers can be physical or virtual
Zone | Service | Server | Required Controls (Conf., Integrity, Auth., Nonrepud., with tools: e.g., Encryption/VPN)
Text on the right is an example of a ‘whois’ query. It is not a good idea to name the administrative contact.
News/web sites are useful for learning about different subsidiaries, staff names or positions, and new mergers (potentially with less security). Dumpster diving can sometimes produce internal documentation – use a shredder.
After the cracker knows something about the company, often the second stage would be to learn the network and computer configurations.
War Driving: Listening with a high-powered receiver for wireless LAN signals. Tools indicate the power level, encryption type, and protocol details.
War Dialing: Dials numbers within a range looking for a modem to answer.
Network Mapping: Polls computers for which services they support.
Vulnerability Scanning Tools: Polls computers to learn services, service versions, configurations
Network Mapping = Footprinting, same as on previous page.
Traffic Analysis: Does a lot of traffic go between Point A and Point B, or Point C? Is it encrypted? This might be a concern if you are the military.
Once a cracker knows the configuration of the network, it is possible to launch an attack to get in.
The dog is ‘sniffing’ the login and password identification.
These attacks will be defined on further slides. Note that they are of two varieties: attacks to the network, and attacks to the system.
Denial of service (DOS): Prevent service. E.g. flood a network with traffic so legitimate traffic can’t get through
Spoofing: cracker alters the ‘from’ address in the packet header to look like a trusted entity
Packet replay: common method of gaining unauthorized access – e.g. sniffer observes a remote logon, repeats it
Message Modification: Bill changes Joe’s original message, which was intended for Ann.
10.1.1.1, 10.1.1.2 and 10.1.1.3 are IP addresses.
The red computer here is pretending to be 10.1.1.1, and forwards the confidential information it receives to the real 10.1.1.1.
This example shows that people can fool your generated programmed SQL statement by inserting unexpected logins and passwords. This may be done by adding conditions, additional SQL statements, or by accessing the OS command line.
Always sanitize your input.
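As an added example (not code from the slides), the slide's concatenated login query is transcribed into Python with SQLite and run beside the parameterized form that "always sanitize your input" calls for, together with a small input filter of the kind the "SQL Filtering" control on slide 44 describes; the users_table rows are constructed for the demo.

```python
import sqlite3

# Constructed sample accounts for the demo; not from the slides.
SAMPLE_USERS = [("anyname", "s3cret"), ("admin", "hunter2")]


def make_db():
    """In-memory users_table seeded with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users_table (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users_table VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_concat(conn, username, password):
    """Vulnerable: the slide's Java concatenation transcribed to Python. Whatever
    the user types becomes part of the SQL text, so a quote ends the literal."""
    sql = ("SELECT * FROM users_table WHERE username='" + username +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchall()


def login_param(conn, username, password):
    """Hardened: the same query with bound parameters. The driver passes the
    values separately from the SQL text, so quotes in the input are just data."""
    sql = "SELECT * FROM users_table WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchall()


def looks_injected(value):
    """Input filter for the 'SQL Filtering' control of slide 44, useful for
    logging and alerting; it is not a substitute for parameterization."""
    return any(token in value for token in ("'", ";", "--", "/*"))


def demo():
    """Run the slide's first inserted password against both login paths."""
    conn = make_db()
    bypass = "Aa' OR ''='"   # turns the WHERE clause into ... OR ''='' (always true)
    return {
        "concat_rows": len(login_concat(conn, "anyname", bypass)),  # every user
        "param_rows": len(login_param(conn, "anyname", bypass)),    # no match
        "legit_rows": len(login_param(conn, "anyname", "s3cret")),  # the one user
        "flagged": looks_injected(bypass),
    }
```
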
Calculation = <number of possible characters> to the <password length> power
Result is maximum number of guesses needed to find the right password.
This is taken from NIST, and assumes many computers are used in parallel to crack a password. Think criminal effort potentially using bots.
Once the cracker has entered, they can expand their access and hide their break-in.
A RootKit hides itself in the OS. For example, when you list processes, the malware is not listed. The RootKit may delete specific logs, or open a backdoor, to enable the attacker to enter easily.
A Trojan Horse is software that is useful, but hides its malware intentions. For example, a game may be passed all around the internet, but may include spyware or adware (or other malware) within it.
Bots are computers that have been taken over, and are now being used by the attacker for whatever purpose they would like.
Because these networks span the world, it is very difficult for law enforcement to backtrack, find and prosecute the attacker. Multiple layers and countries can help to hide the attacker. In fact, laws vary in different countries, and law enforcement often has different priorities.
The terms ‘bot’ and ‘zombie’ are apparently interchangeable. A ‘botnet’ is a large number of bots (or zombies) used for DDOS attacks.
2 – Distributed Denial of Service
1 – Spoofing
Defense in depth is like layers of an onion – to get in you must go through multiple defenses. Think of the effectiveness of multiple layers of defense years ago with the castle shown. Then consider the defenses shown for a computer on the right.
A bastion host is just a computer, server or system that is locked down against intruders. It is configured to have maximized security (strict firewall rules, well-patched) and minimized potential avenues of attack (minimal applications).
What is the easiest way to get into this network? It may not be through the firewalls. It may be through the dial-up access, CDs or DVD drives, or WLANs.
Also notice that a good network will be divided into sections. The De-Militarized Zone here is for public access. The Private Network is for internal access, and requires going through 2 firewalls, each with filtering.
(From CISM)
The Packet Filter may scan for source or destination IP addresses (computer IDs) and port addresses (service IDs).
A Packet Filter firewall looks at the incoming packets. Some of them may be requests for connections, or responses to our connections. Normally PCs only initiate connections, such as web or email. Therefore, web and email requests we would expect to travel in the other direction (from PC to Internet). Most of these requests are illegal. Most likely a cracker is attempting to break into a server, or a PC which is willing to act as one.
Other attacks include uses of invalid IP addresses, such as an IP address representing the internal network (pretending to originate from the inside of the network).
In this case, the only packets that should make it through are replies to our web requests and email requests to a mail server.
Here the red is the packet header being inspected, and the green is the part of the packet which is not inspected.
When an A is displayed in the firewall, this means that the firewall has state information about each connection and can detect more anomalies. For example, connection-oriented protocols require you to connect before sending data. If data is received before the connection is established, then obviously the data is bad. In the Stateful Inspection, the state of Disconnected, Connected is maintained. In some cases, many states are possible.
Here the firewalls create separate connections with the two endpoints, thus maintaining extensive state information about each. Notice that the amount of the packet inspected (red) is a larger portion of the packet than with previous firewalls.
Obviously, the best firewall would inspect all of the packet. However, the more it inspects, the more processing power the filtering requires. Thus, very good firewalls handle smaller packet volumes.
A screened host means a firewall with a border router that screens obvious attacks, such as network mapping.
Multi-homed means that it has multiple zones to filter for. In this case there are 3 zones: Internet, DMZ and internal network.
Notice the color scheme:
Black/Brown: network security servers
Green: Public services
Yellow/orange: More security
Red: Most secure – confidential information
‘Rules’ means the settings on your defenses; what will the firewall allow past, what will cause the intrusion detection system (IDS) to react, etc. Rules are going to depend on the capabilities of your equipment and the goals and/or risk appetite of the organization, as reflected in policy.
This shows 3 services provided by a university, as well as the sensitivity and roles that normally access this information. We would not want to put the public web pages in the same network zone with Grades, for example.
The Path of Logical Access shows where requests enter and are processed.
Two paths of logical access are shown, via brown arrows through WLAN and to server, and red arrows through laptop and server.
Visitors from the internet must get through a firewall, then either the logical access controls (LAC) in the database servers in the demilitarized zone (DMZ), or through a second firewall and the LAC in the internal network’s servers. Entering via the wireless LAN bypasses all that (except for the internal LAC), as does using a disk or flash drive. The latter (wireless/portable media access) shows that this organization depends on physical controls and internal access control mechanisms (including employee trustworthiness) to prevent unauthorized use by those means. This leaves the private network server and the printer vulnerable.
Here the WLAN and dial-up interface must go through a firewall before accessing the private network – good idea!!!
Here are 4 services. The Required Controls are not fully specified yet, but will be towards the end of the presentation. Currently only security services are shown.
Notice the color coding and the zones:
Green: Public
Yellow: Some confidentiality concern. Often located on a separate server from other colors and other functions. Internal rating.
Orange: More security required. Private.
Red: Most security required. Confidential.
Sometimes two processes with different roles are placed on separate servers or VMs, so that a break-in to one does not also become a break-in to the other.
The difference between an IDS and an IPS is that the IDS reports on something but does not filter it. The IPS filters and prevents attacks. An IDS may react to an attack by sending disconnect packets for a connection. While IPS definitely sounds better, the implementation may be difficult. Not all things that look like attacks are attacks – therefore, optimizing an IDS/IPS is necessary to get rid of false positives and false negatives – normal events looking like attacks, and vice versa.
A HIDS is always on one computer, scanning that one computer. The NIDS monitors traffic in a network.
Anti-virus software is an example of Signature-based Software.
Above you can see that for the graph, on Wed, we had some unusual traffic that needs looking into.
A Honeypot or Honeynet has no useful purpose other than to catch attackers. It may be used as a form of an IDS. While it sounds fun and interesting, they need to be maintained and monitored: if an attacker does gain entry, they now can attack from within the network.
The tools in parenthesis provide the features specified.
Symmetric encryption: each participant uses the same (shared secret) key.
In the equation, P=Plaintext, E=Encryption, D=Decryption
NIST = National Institute of Standards and Technology, a US government agency that publishes standards and recommendations.
Asymmetric encryption: each user has a public key and a private key. Although the two are mathematically related, having the public key does not enable someone to calculate the private key. However, a message encrypted with one can be decrypted with the other. The private key can also be used as a digital signature (next slide).
This encryption technique can be used to send encrypted information or to authenticate a packet as originating from the sender, as shown above in the top and bottom examples, respectively.
Public key encryption is a wonderful technique. However, it is processor-intensive, and not useful for long-term data communications sessions. Therefore, it is often used to provide a Secret key between two endpoints, and then the Secret key is used thereafter.
A VPN creates an encrypted point-to-point path between two computers. Here the line in red is encrypted.
Often it uses Public Key Encryption to communicate a Secret Key, then uses Secret Key encryption to encrypt the session data.
Hashes implement Integrity.
A message is hashed and the hash (H) is sent along with the message. When received, the message is hashed again and the two hashes are compared. Small changes to a message will result in large changes to the hash, so if the message was altered this method will detect it, although it won’t identify what those changes were.
In the first case (MAC), the Hash is calculated using an associated secret key (K). In the second case (One-way hash), a standard-calculated hash is encrypted (E) using a secret key (K).
Note that the message itself is not encrypted – it only gets a sophisticated checksum.
MD = Message Digest SHA = Secure Hash Algorithm
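Added example (not from the slides): the unkeyed hash and the keyed MAC from the hash slide, run against a constructed message that "Bill" alters in transit, with the "small change, large change" effect measured directly. The message, the key K and the choice of HMAC-SHA256 for the keyed hash are assumptions.

```python
import hashlib
import hmac

# Constructed sample message and shared secret key K (not from the slides).
MESSAGE = b"Joe to Ann: pay Bill 100.00"
SHARED_KEY = b"constructed-demo-key-K"


def send_with_hash(message):
    """Plain scheme: ship the message with an unkeyed SHA-256 hash H."""
    return message, hashlib.sha256(message).digest()


def send_with_mac(message, key):
    """MAC scheme of slide 40: H is computed with the secret key K (HMAC-SHA256)."""
    return message, hmac.new(key, message, hashlib.sha256).digest()


def verify_hash(message, digest):
    """Receiver rehashes and compares (constant-time compare)."""
    return hmac.compare_digest(hashlib.sha256(message).digest(), digest)


def verify_mac(message, tag, key):
    """Receiver recomputes the keyed hash with its own copy of K and compares."""
    return hmac.compare_digest(hmac.new(key, message, hashlib.sha256).digest(), tag)


def bits_changed(digest_a, digest_b):
    """Hamming distance between two digests: the 'small change, big change' effect."""
    return sum(bin(x ^ y).count("1") for x, y in zip(digest_a, digest_b))


def bill_tampers(message, checksum, can_recompute):
    """Bill (slide 9, Message Modification) edits the amount in transit. With a
    plain hash he simply recomputes H; without K he must leave the MAC as is."""
    altered = message.replace(b"100.00", b"900.00")
    if can_recompute:
        return altered, hashlib.sha256(altered).digest()
    return altered, checksum


def demo():
    # Plain hash: Bill recomputes H, so Ann's check passes and the edit is missed.
    msg, h = send_with_hash(MESSAGE)
    plain_caught = not verify_hash(*bill_tampers(msg, h, can_recompute=True))

    # MAC: Bill lacks K, so the old tag no longer matches the altered message.
    msg, tag = send_with_mac(MESSAGE, SHARED_KEY)
    altered, old_tag = bill_tampers(msg, tag, can_recompute=False)
    mac_caught = not verify_mac(altered, old_tag, SHARED_KEY)

    # Avalanche: flipping one bit of the message changes about half the hash bits.
    flipped = bytes([MESSAGE[0] ^ 0x01]) + MESSAGE[1:]
    avalanche = bits_changed(hashlib.sha256(MESSAGE).digest(),
                             hashlib.sha256(flipped).digest())
    return {"plain_hash_caught": plain_caught, "mac_caught": mac_caught,
            "avalanche_bits": avalanche}
```

The plain hash only catches accidental corruption; against an attacker who can rewrite the checksum, only the keyed construction (or the encrypted-hash variant on the slide) holds up.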
A Digital Signature is used for authentication, integrity, and non-repudiation.
It serves the same purpose as signing a contract with ink – but digitally.
The private key is used to encrypt (sign) a hash of the message, which provides both integrity and non-repudiation.
3rd party authentication is used for authentication and non-repudiation.
Steps 1-3 establish the Digital Certificate (DC).
Steps 4-7 send a message which is verified using the Digital Certificate
CA=Certificate Authority
RA=Registration Authority
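Added example (not from the slides): both equations from the public key slide and steps 1-7 of the PKI slide, using textbook RSA with the small primes 61 and 53 (a toy, far too small for real use) and a dictionary standing in for the CA's certificate registry; the RA's verification of the owner is assumed to have passed.

```python
import hashlib

# Toy RSA parameters: the textbook p=61, q=53 example. Constructed for
# illustration only; real keys are 2048-bit (slide 38) and come from a library.
P_PRIME, Q_PRIME = 61, 53


def make_keypair():
    """Return a keypair as (exponent, modulus) tuples: Kpublic and Kprivate."""
    n = P_PRIME * Q_PRIME                 # 3233
    phi = (P_PRIME - 1) * (Q_PRIME - 1)   # 3120
    e = 17                                # public exponent, coprime to phi
    d = pow(e, -1, phi)                   # private exponent, 2753 (Python 3.8+)
    return {"public": (e, n), "private": (d, n)}


def apply_key(key, value):
    """E(k, P) and D(k, C) are the same operation: value^exponent mod n."""
    exponent, n = key
    return pow(value, exponent, n)


def confidentiality_roundtrip(keys, plaintext):
    """P = D(kPRIV, E(kPUB, P)): anyone can encrypt, only the key owner decrypts."""
    return apply_key(keys["private"], apply_key(keys["public"], plaintext))


def authenticity_roundtrip(keys, plaintext):
    """P = D(kPUB, E(kPRIV, P)): only the key owner can 'encrypt', anyone checks."""
    return apply_key(keys["public"], apply_key(keys["private"], plaintext))


def digest_mod_n(message, n):
    """Hash the message (SHA-256) and reduce it so it fits the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private_key, message):
    """Digital signature: the hash encrypted with Kprivate (bottom path of slide 38)."""
    return apply_key(private_key, digest_mod_n(message, private_key[1]))


def verify(public_key, message, signature):
    """Decrypt the signature with Kpublic and compare with a fresh hash."""
    return apply_key(public_key, signature) == digest_mod_n(message, public_key[1])


class CertificateAuthority:
    """The CA of slide 42: stores Register(Owner, Public Key) and hands out DCs."""

    def __init__(self):
        self._certs = {}

    def register(self, owner, public_key):
        # Steps 1-3: the RA's verification of the owner is assumed to have passed.
        self._certs[owner] = {"user": owner, "public_key": public_key}

    def certificate_for(self, owner):
        # Steps 5-6: Tom requests and receives the owner's Digital Certificate.
        return self._certs.get(owner)


def pki_exchange(message):
    """Steps 1-7: Sue registers and signs a message; Tom fetches her DC and checks."""
    ca = CertificateAuthority()
    sue = make_keypair()
    ca.register("Sue", sue["public"])                 # steps 1-3
    signature = sign(sue["private"], message)         # step 4
    cert = ca.certificate_for("Sue")                  # steps 5-6
    return {
        "verified": verify(cert["public_key"], message, signature),   # step 7
        # a message altered after signing no longer matches the signature
        "tampered_verified": verify(cert["public_key"], message + b"!", signature),
    }
```
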
Someone dials up and wants to access our network. Should we trust him/her? No! Let’s call back to the location he/she lives and allow them access only from there.
RADIUS and TACACS are well-known NAS products.
Network Access Server implements an authentication security service.
HTTP is stateless. That is, information about the connection and data transactions has to be held by the endpoint computers. This can be exploited by a skilled hacker. Cookies and client-side scripts are two examples.
In some cases, servers do not retain state but instead send information in a request which can be manipulated by the client before being returned. This is another form of attack.
Penetration testing can test from outside the network to determine what vulnerabilities remain.
Here the different security services have been translated into specific tools for the red services.
3 is correct.
1: It is actually called the Path of Logical Access
2 – Application-level firewall
3 – Digital Signature
3 – Signature-based
3 – Message Authentication
Bastion host would have other requirements: up-to-date patches, applications turned off.
A dual-homed firewall requires access to two networks.
A screened host refers to a firewall with an external router screening it.
The Firewall will let certain locations and services enter and leave the network.