E gov security_tut_session_12
- 1. أكاديمية الحكومة الإلكترونية الفلسطينية
The Palestinian eGovernment Academy
www.egovacademy.ps
Security Tutorial
Sessions 12
PalGov © 2011 1
- 2. About
This tutorial is part of the PalGov project, funded by the TEMPUS IV program of the Commission of the European Communities, grant agreement 511159-TEMPUS-1-2010-1-PS-TEMPUS-JPHES. The project website: www.egovacademy.ps
Project Consortium:
Birzeit University, Palestine (Coordinator)
University of Trento, Italy
Palestine Polytechnic University, Palestine
Vrije Universiteit Brussel, Belgium
Palestine Technical University, Palestine
Université de Savoie, France
Ministry of Telecom and IT, Palestine
University of Namur, Belgium
Ministry of Interior, Palestine
TrueTrust, UK
Ministry of Local Government, Palestine
Coordinator:
Dr. Mustafa Jarrar
Birzeit University, P.O.Box 14- Birzeit, Palestine
Telfax: +972 2 2982935, mjarrar@birzeit.edu
- 3. © Copyright Notes
Everyone is encouraged to use this material, or part of it, but should properly
cite the project (logo and website), and the author of that part.
No part of this tutorial may be reproduced or modified in any form or by any
means, without prior written permission from the project, who have the full
copyrights on the material.
Attribution-NonCommercial-ShareAlike
CC-BY-NC-SA
This license lets others remix, tweak, and build upon your work non-
commercially, as long as they credit you and license their new creations
under the identical terms.
- 4. Tutorial 5:
Information Security
Session 12: Auditing and Wireless
Security
Session 12 Outline:
• Security Auditing
• Break
• Wireless Security Protocols
- 5. Tutorial 5:
Session 12: Auditing
This session will contribute to the following
ILOs:
• A: Knowledge and Understanding
a2: Defines security standards and policies.
• B: Intellectual Skills
b3: Design end-to-end secure and available systems.
• D: General and Transferable Skills
d2: Systems configurations.
d3: Analysis and identification skills.
- 6. Security Audit
• Auditing applied to the security of an organization's information system (IS) assets.
• Definition
– “An independent review and examination of a system's records and
activities to determine the adequacy of system controls, ensure
compliance with established security policy and procedures, detect
breaches in security services, and recommend any changes that
are indicated for countermeasures. The basic audit objective is to
establish accountability for system entities that initiate or participate
in security-relevant events and actions. Thus, means are needed to
generate and record a security audit trail and to review and analyze
the audit trail to discover and investigate attacks and security
compromises.” [from RFC2828.]
- 7. Security Audit Trail
• Definition
– “A chronological record of system activities that
is sufficient to enable the reconstruction and
examination of the sequence of environments
and activities surrounding or leading to an
operation, procedure, or event in a security-
relevant transaction from inception to final
results” [from RFC2828].
- 11. Definition of Events
• Must define which events are auditable
• The Common Criteria suggest:
– Introduction of objects
– Deletion of objects
– Distribution or revocation of access rights or capabilities
– Changes to subject or object security attributes
– Policy checks performed by the security software
– Use of access rights to bypass a policy check
– Use of identification and authentication functions
– Security-related actions taken by an operator/user
– Import/export of data from/to removable media
- 12. Implementation Requirements
• Decide how the audit requirements are managed
• The scope of the checks is agreed and controlled
• Checks are limited to read-only access to software and data
• Resources for performing the checks are identified
• Special requirements are identified
• Monitor and log all access
• Use documented procedures
- 13. Collected Information
• Decide on amount of generated data
– Size vs quality
• Data items captured may include:
– Operating system access (system calls)
– Use of system security mechanisms
– Auditing software use
– Remote access
– Events from IDS and firewall systems
– System management / operation events
– Access to selected applications
– Others…
- 14. Audit Trails on System Level
• Useful to categorize audit trails
• System-level audit trails
– See the Windows Event Viewer, System log.
- 15. Application-Level Audit Trails
• To detect security violations within an application
• To detect flaws in the application's interaction with the system
• For critical / sensitive applications, e.g. email, databases
– See the Windows Event Viewer, Application log.
- 16. User-Level Audit Trails
• Trace activity of individual users over time
– To hold user accountable for actions taken
– As input to an analysis program that attempts
to define normal versus anomalous behavior
– See the Windows Event Viewer, System and Security logs.
- 17. Physical-Level Audit Trails
• Generated by physical access controls
– E.G. Card-key systems, alarm systems
• Sent to central host for analysis /
storage
• Used in many ministries and
organizations in Palestine
- 18. Example 1: Windows Event Log
• Each event is an entity that describes some interesting occurrence.
– Each event record contains:
• A numeric ID, a set of attributes, and optional user data
– Presented as XML or binary data
• Three main event logs:
– System: system-related applications and drivers
– Application: user-level applications
– Security: events from the Windows Local Security Authority (LSA)
- 19. Windows Event Categories
• Account logon events
• Account management
• Directory service access
• Logon events
• Object access
• Policy changes
• Privilege use
• Process tracking
• System events
- 21. Example 2: UNIX Syslog
• UNIX's general-purpose logging mechanism
– found on all UNIX / Linux variants
– but with variations in the facilities supported and in the log format
- 22. Syslog Service
• Basic service provides:
– A means of capturing relevant events
– A storage facility
– A protocol for transmitting syslog messages
from other hosts to a central syslog server
• Extra add-on features may include:
– Robust filtering, log analysis, event response,
alternative message formats, log file
encryption, database storage, rate limiting
- 23. Syslog Protocol
• A transport allowing hosts to send event notification messages over IP to syslog servers
– Provides a very general message format: a priority value encoding facility and severity, a header (timestamp, hostname), and free-text content
– Allowing processes / apps to use suitable conventions for their logged events
– Can be plain (UDP port 514, with no confidentiality or integrity protection) or protected (e.g. syslog over TLS)
- 24. Unix Syslog Examples
Mar 1 06:25:43 server1 sshd[23170]: Accepted publickey for server2 from 172.30.128.115 port 21011 ssh2
Mar 1 07:16:42 server1 sshd[9326]: Accepted password for murugiah from 10.20.30.108 port 1070 ssh2
Mar 1 07:16:53 server1 sshd[22938]: reverse mapping checking getaddrinfo for ip10.165.nist.gov failed - POSSIBLE BREAK-IN ATTEMPT!
Mar 1 07:26:28 server1 sshd[22572]: Accepted publickey for server2 from 172.30.128.115 port 30606 ssh2
Mar 1 07:28:33 server1 su: BAD SU kPPU to root on /dev/ttyp2
Mar 1 07:28:41 server1 su: kPPU to root on /dev/ttyp2
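As an added example (not part of the original tutorial), the following Python script parses syslog lines of the kind shown above, classifies them as auditable events, and applies a few detection rules over them. The sample lines are the ones from the slide, rejoined onto single lines; the policy rules (no password SSH logins, report reverse-DNS mismatches, flag a successful su shortly after a failed one) are illustrative assumptions, and the PRI value used when forwarding follows the syslog convention PRI = facility * 8 + severity.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: the lines from the slide above, each rejoined onto one line.
# Classic BSD syslog as written to a local file carries no <PRI> and no year.
SAMPLE_LOG = """\
Mar  1 06:25:43 server1 sshd[23170]: Accepted publickey for server2 from 172.30.128.115 port 21011 ssh2
Mar  1 07:16:42 server1 sshd[9326]: Accepted password for murugiah from 10.20.30.108 port 1070 ssh2
Mar  1 07:16:53 server1 sshd[22938]: reverse mapping checking getaddrinfo for ip10.165.nist.gov failed - POSSIBLE BREAK-IN ATTEMPT!
Mar  1 07:26:28 server1 sshd[22572]: Accepted publickey for server2 from 172.30.128.115 port 30606 ssh2
Mar  1 07:28:33 server1 su: BAD SU kPPU to root on /dev/ttyp2
Mar  1 07:28:41 server1 su: kPPU to root on /dev/ttyp2
"""

# "Mmm dd HH:MM:SS host prog[pid]: message" -- the pid part is optional (su has none)
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
SSH_ACCEPT_RE = re.compile(
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)
SU_RE = re.compile(r"^(?P<bad>BAD SU )?(?P<user>\S+) to (?P<target>\S+) on (?P<tty>\S+)")


def parse_line(line):
    """Split one BSD-syslog line into header fields and the free-text message."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"]) if rec["pid"] else None
    # No year in the timestamp: strptime defaults to 1900, fine for time differences.
    rec["time"] = datetime.strptime(" ".join(rec["ts"].split()), "%b %d %H:%M:%S")
    return rec


def classify(rec):
    """Map a parsed record to an auditable event type plus the fields it carries."""
    prog, msg = rec["prog"], rec["msg"]
    if prog == "sshd":
        m = SSH_ACCEPT_RE.search(msg)
        if m:
            return "ssh_login", m.groupdict()
        if "POSSIBLE BREAK-IN" in msg:
            return "ssh_reverse_dns_mismatch", {}
    elif prog == "su":
        m = SU_RE.match(msg)
        if m:
            kind = "su_failure" if m.group("bad") else "su_success"
            return kind, {k: m.group(k) for k in ("user", "target", "tty")}
    return "other", {}


def syslog_pri(facility, severity):
    """Syslog PRI value as carried in the "<PRI>" prefix on the wire (RFC 3164/5424)."""
    return facility * 8 + severity


def analyze(text, su_window_s=60):
    """Return (event counts, alert strings) for a block of syslog text.
    Assumed local policy: password SSH logins are not allowed, reverse-DNS mismatches
    are reported, and a successful su within su_window_s of a failed su is flagged."""
    events = [(rec, *classify(rec)) for rec in map(parse_line, text.splitlines()) if rec]
    counts = Counter(kind for _, kind, _ in events)
    alerts, last_failed_su = [], {}
    for rec, kind, f in events:
        if kind == "ssh_login" and f["method"] == "password":
            alerts.append(f"{rec['ts']} {rec['host']}: password login for {f['user']} "
                          f"from {f['src']} (policy requires publickey)")
        elif kind == "ssh_reverse_dns_mismatch":
            alerts.append(f"{rec['ts']} {rec['host']}: sshd reverse DNS mismatch")
        elif kind == "su_failure":
            last_failed_su[(f["user"], f["target"])] = rec["time"]
        elif kind == "su_success":
            t0 = last_failed_su.get((f["user"], f["target"]))
            if t0 is not None and (rec["time"] - t0).total_seconds() <= su_window_s:
                secs = int((rec["time"] - t0).total_seconds())
                alerts.append(f"{rec['ts']} {rec['host']}: su {f['user']} -> {f['target']} "
                              f"succeeded {secs}s after a failure")
    return counts, alerts


if __name__ == "__main__":
    counts, alerts = analyze(SAMPLE_LOG)
    print(dict(counts))
    for a in alerts:
        # facility 10 = authpriv, severity 4 = warning, as when forwarding to a central server
        print(f"<{syslog_pri(10, 4)}>{a}")
```

The same structure (parse into fields, classify into the auditable event types defined earlier in this session, then apply rules) is what a central syslog server or SIEM does at scale; the su rule shows why the audit trail must keep the chronological order of events, since the failed su alone and the successful su alone are both unremarkable.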
- 25. Logging at Application Level
• Privileged applications have security issues
– which system-level or user-level audit data may not reveal
– a large percentage of reported vulnerabilities are at the application level
– e.g. failure to adequately validate input data, application logic errors
• Hence the need to capture detailed application behavior
• Applications can be written to create their own audit data
- 26. Tutorial 5:
Information Security
Session 12: Auditing and Wireless
Security
- 27. Introduction to Wireless Security Protocols
• Introduction to wireless networking and wireless standards
• Authentication and association
• WEP and WPA security protocols
• Other wireless network security issues
- 28. Different Wireless Standards
• Radio frequencies used:
– 2.4 GHz (802.11b, g, n)
– 5 GHz (802.11a, n)
• Wi-Fi, wireless LAN and IEEE 802.11
– Wi-Fi:
• Industry certification by the Wi-Fi Alliance for products that implement the (drafts of, slightly modified) IEEE 802.11 standards
– Wireless LAN:
• A general term used for short-range, high-speed wireless radio networks
– IEEE 802.11:
• The standard defining this type of wireless connection
- 29. Wireless LAN Standards
• IEEE 802.11
– Original wireless LAN standard
– Up to 2 Mbps in the 2.4 GHz band
– Security: WEP & WPA
• IEEE 802.11a
– Up to 54 Mbps in the 5 GHz band
– Security: WEP & WPA
– "Wi-Fi Certified"
• IEEE 802.11b
– Up to 11 Mbps in the 2.4 GHz band
– Security: WEP & WPA
– "Wi-Fi Certified"
• IEEE 802.11g
– Up to 54 Mbps in the 2.4 GHz band
– Security: WEP & WPA
– "Wi-Fi Certified"
- 30. Service Set Identifier
• SSID
– A sequence of up to 32 bytes that names a WLAN (not guaranteed to be unique)
– Case sensitive
– Transmitted in plaintext (in beacons, probe responses and association requests), so it is neither a secret nor an access control
- 31. Beacons
• Beacons
– Information frame sent by an AP.
– Approximately 50-bytes:
• Timestamp
• Beacon interval
• Capability info
• Service set identifier
- 32. Wireless Authentication and Association
• Wireless authentication
– A means to establish or prove identity to wireless
access points
– Verifying eligibility of users, devices, or
applications.
– Only authorized clients are allowed to gain access
to the wireless network.
• Wireless Association
– The binding of a wireless network client to an
access point before starting data transfer.
- 33. Wireless Connection Steps and States
• Connection Process
– First: Authentication Phase
• Open System Authentication
• Shared Key Authentication
– Second: Association Phase
• The Connection Process has 3 States:
– Authenticated and Associated
– Authenticated and Unassociated
– Unauthenticated and Unassociated
- 34. System Authentication
• Open System Authentication
– Default
– A null authentication: the station sends an authentication request carrying no credentials
– The receiving station (AP) replies with an acknowledgment that accepts it
– Proves nothing about the client; real authentication has to come from a shared WEP key, 802.1X or WPA
• Closed System (closed network)
– The AP does not broadcast its SSID; the client must already know it and send the correct SSID
– The receiving station (AP) acknowledges only when the SSID matches
– Not real authentication either: the SSID is sent in plaintext and can be sniffed
- 35. Shared Key Authentication
• Shared Key
– Uses IEEE 802.11 Wired Equivalent Privacy (WEP).
– Authentication is based on a challenge text and the WEP key.
– Challenge-response scheme: the AP sends a plaintext challenge, the station returns it WEP-encrypted, and the AP checks that it decrypts correctly.
– Caveat: an eavesdropper who sees both frames obtains the RC4 keystream for that IV and can answer later challenges without the key.
- 36. 802.1X and EAP
• 802.1X:
– a port-based network access control standard,
– provides an authentication framework for IEEE 802 networks,
– including Ethernet and wireless LANs.
• EAP - Extensible Authentication Protocol:
– originally defined as an authentication protocol for PPP links (RFC 2284),
– provides a framework that carries many authentication methods.
- 37. Wired Equivalent Privacy (WEP)
• Defined in the original IEEE 802.11 standard and carried over to 802.11b.
• A secret key is shared between the stations and an access point.
• The secret key is used to encrypt data packets (RC4 stream cipher).
• Uses an integrity check value (ICV, CRC-32).
• The logical service is located within the MAC layer.
• Provided are:
– Confidentiality;
– Authentication;
– Access control in conjunction with layer management.
- 38. WEP Properties
• Intended to be reasonably strong (RC4), but breakable in practice: keystream reuse and weak IV/key combinations let an attacker recover the key from captured traffic
• Self-synchronizing, efficient and (with 40-bit keys) exportable
• Optional
- 39. WEP IV and Secret Keys
• 802.11b
– 64-bit shared RC4 key: a 24-bit IV plus a 40-bit secret key.
– The RC4 PRNG seed is the concatenation IV (24 bits) || secret key (40 bits); the IV is sent in the clear in the frame, so the per-packet seed differs only in those 24 bits.
– 128-bit shared RC4 key: 24-bit IV plus a 104-bit secret key.
– 152-bit shared RC4 key: 24-bit IV plus a 128-bit secret key (vendor-specific, not in the standard).
- 40. WEP Key Servers
• Advantages of key servers
– Centralized key generation
– Centralized key distribution
– Ongoing key rotation
– Reduced key management overhead
- 41. WEP Key Weaknesses
• Small key size (40 bit)
• Simplistic (static, manual) key management
• IV too small: 24 bits gives only 16,777,216 different cipher streams per key, so IVs repeat on a busy network, and a repeated IV means the same RC4 keystream is reused
• Weak ICV algorithm (CRC-32): it is linear, so an attacker can flip ciphertext bits and repair the ICV without knowing the key
• Authentication messages can be easily faked: the shared-key challenge/response exposes keystream
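As an added example, not from the original slides, the Python below implements the WEP framing described on slides 39 and 41 (RC4 seeded with IV || key, CRC-32 ICV) just far enough to demonstrate three of the listed weaknesses without ever using the key as an attacker: plaintext recovery from an IV collision, a bit-flipping forgery that passes the CRC-32 check, and forging a shared-key authentication response from one sniffed exchange. The 40-bit key, the IV and the plaintexts are constructed values; the RC4 and CRC-32 handling is the standard one, and the birthday-bound estimate is a plain calculation on the 24-bit IV space.

```python
import math
import zlib


def rc4(key, n):
    """Return n bytes of RC4 keystream for key (key scheduling + generation)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data):
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return zlib.crc32(data).to_bytes(4, "little")


def wep_encrypt(secret, iv, plaintext):
    """Frame body = IV (3 bytes, in clear) || RC4(IV || secret) XOR (plaintext || ICV)."""
    assert len(iv) == 3 and len(secret) in (5, 13)   # 40-bit or 104-bit secret key
    body = plaintext + icv(plaintext)
    return iv + xor(body, rc4(iv + secret, len(body)))


def wep_decrypt(secret, frame):
    """Return (plaintext, icv_ok) exactly as a receiving station would."""
    iv, ct = frame[:3], frame[3:]
    body = xor(ct, rc4(iv + secret, len(ct)))
    data, tag = body[:-4], body[-4:]
    return data, tag == icv(data)


# Weakness 1: IV reuse means keystream reuse (none of the attacks below needs the key).
def iv_reuse_leak(frame_a, frame_b):
    """Two frames under the same IV: XOR of the ciphertexts equals XOR of the plaintexts."""
    assert frame_a[:3] == frame_b[:3], "attack needs a repeated IV"
    return xor(frame_a[3:], frame_b[3:])


def expected_frames_until_iv_repeat(iv_bits=24):
    """Birthday bound: about sqrt(pi/2 * 2^24), roughly 5,100 frames, before some IV repeats
    even if IVs were chosen at random (sequential IVs repeat after 2^24 frames at the latest)."""
    return math.sqrt(math.pi / 2 * 2 ** iv_bits)


# Weakness 2: the CRC-32 ICV is linear, so ciphertext bit flips can be made to pass the check.
def forge_bitflip(frame, delta):
    """Flip the plaintext bits selected by delta and repair the (encrypted) ICV using
    crc(P ^ D) = crc(P) ^ crc(D) ^ crc(0...0) for equal-length inputs."""
    iv, ct = frame[:3], frame[3:]
    n = len(ct) - 4
    assert len(delta) == n
    icv_delta = (zlib.crc32(delta) ^ zlib.crc32(bytes(n))).to_bytes(4, "little")
    return iv + xor(ct, delta + icv_delta)


# Weakness 3: shared-key authentication reveals the keystream for the IV it used.
def forge_shared_key_auth(challenge, response_frame, new_challenge):
    """Having sniffed one (plaintext challenge, encrypted response) pair, answer a new
    challenge of the same length under the same IV without knowing the WEP key."""
    iv, ct = response_frame[:3], response_frame[3:]
    keystream = xor(ct, challenge + icv(challenge))
    body = new_challenge + icv(new_challenge)
    return iv + xor(body, keystream)


def demo():
    secret = bytes.fromhex("0102030405")          # constructed 40-bit WEP key
    iv = b"\x00\x00\x01"                          # constructed IV, reused on purpose
    p1, p2 = b"GET /index.html ", b"POST /login.cgi "
    f1, f2 = wep_encrypt(secret, iv, p1), wep_encrypt(secret, iv, p2)
    leak = iv_reuse_leak(f1, f2)[:len(p1)]        # == p1 XOR p2, so knowing p1 yields p2
    wanted = b"GET /admin.html "
    forged = forge_bitflip(f1, xor(p1, wanted))   # attacker knows/guesses p1, never the key
    chal, chal2 = bytes(range(128)), bytes(reversed(range(128)))
    auth = forge_shared_key_auth(chal, wep_encrypt(secret, iv, chal), chal2)
    return {
        "iv_reuse_recovers_p2": xor(leak, p1) == p2,
        "bitflip_forgery": wep_decrypt(secret, forged),   # (b"GET /admin.html ", True)
        "auth_forgery": wep_decrypt(secret, auth),        # (chal2, True)
    }
```

The CRC repair line is the whole point of the "weak ICV" bullet: a keyed MAC (as in TKIP's Michael or CCMP's CBC-MAC) cannot be adjusted this way, whereas a CRC can. The keystream-reuse and authentication forgeries are why the later slide advises open-system authentication plus 802.1X over shared-key authentication.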
- 42. IEEE 802.11i and WPA
• Overview
• IEEE 802.11 task group i:
• Specification for robust security
– Robust security network (RSN):
– implements only the new mechanisms defined by 802.11i
– Transitional security network (TSN):
– allows RSN and WEP devices to coexist during migration
– Generally 802.11i is used to designate both of them
• Wi-Fi Alliance
– Wi-Fi Protected Access (WPA)
– Adopts a subset of the 802.11i specification (based on a draft, with TKIP), shipped before 802.11i was ratified
– Extensions added
- 43. IEEE 802.11i Features
• Separation of security services
– Each service (authentication, key management, confidentiality, integrity) uses its own mechanism and does not depend on the others
• Use of session keys
– The master key is never used for encryption; short-lived temporal keys are derived from it
• Use of existing standards (802.1X, EAP, AES)
– Already tested, more robust
- 44. Key usage for IEEE 802.11i
• Uses master and temporal keys
• Master keys are established during authentication (from the pre-shared key in personal mode, from the EAP exchange in enterprise mode)
• Temporal keys are derived from the master key once the STA is authenticated
• Temporal keys are short-lived keys
- 45. IEEE 802.11i: Security Services
A. Authentication: mutual authentication between the
STA and the network
– Personal: pre-shared keys (WPA-PSK , passwords)
– Enterprise: IEEE802.1X (EAP, RADIUS)
B. Confidentiality and Data Integrity
– Key distribution using EAPOL, 802.1X
– TKIP: Temporal Key Integrity Protocol
– CCMP: Counter-Mode CBC-MAC Protocol
C. Access Control: ensures that only legitimate
users access the network
– Entirely based on the authentication result
– Implemented at the AP
» This slide is taken from “Hani Ragab Hassen Lecture Notes,
Kent University.”
- 46. Enterprise Authentication
• WPA-PSK is not suitable for an enterprise: every user shares the same secret, which cannot be revoked per user
• Enterprise suite:
– 802.1x: allows limiting the access to the network to EAP
traffic until the authentication is done
– EAP: carries authentication exchanges
• EAPOL-Key packets are used to distribute the session keys
after successful authentication
• Originally designed for dial-up connections
– Runs over 802.1x inside a LAN
– Runs over RADIUS outside the LAN
– RADIUS: the RADIUS server holds the users’
credentials
» This slide is taken from “Hani Ragab Hassen Lecture Notes,
Kent University.”
- 47. IEEE802.1X, EAP and RADIUS
[Figure: Supplicant (STA) <-> Authenticator (AP) <-> Authentication Server (RADIUS); EAP is carried in EAPOL on the wireless leg and in RADIUS on the wired leg]
This slide is taken from "Hani Ragab Hassen Lecture Notes, Kent University."
- 48. Extensible Authentication Protocol (EAP)
• Extensible Authentication Protocol (RFC 2284, since replaced by RFC 3748)
• Runs end to end between the authentication server (AS) and the supplicant; the authenticator only forwards the EAP messages
• The method-specific messages in the middle of the exchange are defined per authentication method:
– EAP-TLS (Transport Layer Security)
– EAP-TTLS (Tunneled TLS)
– Kerberos
• Mutual authentication is possible (e.g. with EAP-TLS, where both sides present certificates)
- 49. IEEE802.1X for IEEE802.11
• Three involved entities:
1.Supplicant: the STA which needs to have
access, initiates the authentication
2.Authenticator: gate controller (AP)
3.Authentication Server (AS): decides whether
to grant the supplicant the access or not
according to the information transmitted by the
authenticator
- 50. EAP and 802.1X
• EAP was designed originally for dial-up (PPP) authentication
– Not usable on a LAN as is
• 802.1X defines EAP over LAN (EAPOL)
– EAPOL-Packet: encapsulates EAP packets
– EAPOL-Start: lets the supplicant announce itself and trigger the local authenticator
– EAPOL-Key: transports keys after successful authentication
– EAPOL-Logoff: sent by the supplicant to disconnect
- 51. RADIUS: Why?
• EAPOL cannot transport EAP packets across an IP network (it is a link-layer encapsulation)
• A secure channel between the authenticator and the AS is needed
• EAP over RADIUS (RFC 2869: RADIUS Extensions)
• Remote Authentication Dial-In User Service (RFC 2865)
• A central authentication server + local authenticators
– As in IEEE 802.11
– Designed first for use by Internet Service Providers (ISPs)
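As an added example, not from the original slides or from any real 802.1X implementation, the following Python simulates the three roles of slides 49 to 51 and the port rule of slide 46: the authenticator lets only EAPOL frames (EtherType 0x888E) through from a station that is not yet authenticated, relays the EAP payload to the authentication server, and on EAP-Success opens the controlled port and hands the session key to the supplicant in an EAPOL-Key. The challenge/response inside EAP is a toy HMAC-SHA256 method standing in for a real EAP method (EAP-TLS, EAP-TTLS), the RADIUS leg is a direct method call, and the user table, MAC addresses and passwords are constructed.

```python
import hashlib
import hmac
import os

EAPOL = 0x888E   # EtherType of EAP over LAN (IEEE 802.1X)
IPV4 = 0x0800    # ordinary data traffic; must wait until the controlled port is authorized


class AuthServer:
    """Authentication Server role (the box RADIUS fronts): holds credentials, decides."""
    def __init__(self, users):
        self.users = users            # constructed user -> password table
        self.pending = {}             # session id -> (identity, challenge)

    def handle(self, session, eap):
        if eap["type"] == "identity":
            challenge = os.urandom(16)
            self.pending[session] = (eap["identity"], challenge)
            return {"code": "request", "type": "challenge", "challenge": challenge}
        if eap["type"] == "challenge-response":
            user, challenge = self.pending.pop(session, (None, b""))
            pw = self.users.get(user)
            if pw is None:
                return {"code": "failure"}
            # Toy method (assumption, not a standard EAP method): HMAC-SHA256(password, challenge)
            expected = hmac.new(pw.encode(), challenge, hashlib.sha256).digest()
            if not hmac.compare_digest(expected, eap["response"]):
                return {"code": "failure"}
            key = hmac.new(pw.encode(), b"session-key" + challenge, hashlib.sha256).digest()
            return {"code": "success", "key": key}
        return {"code": "failure"}


class Authenticator:
    """Authenticator role (the AP): the controlled port stays closed until the AS says success."""
    def __init__(self, server):
        self.server = server
        self.authorized = set()       # station MACs whose controlled port is open
        self.forwarded = []           # data frames passed on to the LAN
        self.dropped = 0

    def receive(self, frame):
        src = frame["src"]
        if frame["ethertype"] != EAPOL:
            if src in self.authorized:
                self.forwarded.append(frame)
            else:
                self.dropped += 1     # the uncontrolled port passes EAPOL only
            return None
        eapol = frame["payload"]
        if eapol["kind"] == "start":                     # EAPOL-Start
            return {"code": "request", "type": "identity"}
        if eapol["kind"] == "logoff":                    # EAPOL-Logoff closes the port
            self.authorized.discard(src)
            return None
        # EAPOL-Packet: relay the EAP payload to the AS (carried in RADIUS on a real network)
        reply = self.server.handle(src, eapol["eap"])
        if reply["code"] == "success":
            self.authorized.add(src)
            return {"code": "success", "eapol_key": reply["key"]}   # EAPOL-Key
        return reply


class Supplicant:
    """Supplicant role (the STA)."""
    def __init__(self, mac, user, password):
        self.mac, self.user, self.password, self.session_key = mac, user, password, None

    def frame(self, kind, eap=None):
        return {"src": self.mac, "ethertype": EAPOL, "payload": {"kind": kind, "eap": eap}}

    def data(self, payload):
        return {"src": self.mac, "ethertype": IPV4, "payload": payload}

    def authenticate(self, ap):
        r = ap.receive(self.frame("start"))
        if r.get("type") != "identity":
            return False
        r = ap.receive(self.frame("packet", {"type": "identity", "identity": self.user}))
        if r["code"] != "request":
            return False
        resp = hmac.new(self.password.encode(), r["challenge"], hashlib.sha256).digest()
        r = ap.receive(self.frame("packet", {"type": "challenge-response", "response": resp}))
        if r["code"] == "success":
            self.session_key = r["eapol_key"]
            return True
        return False


def run_demo():
    ap = Authenticator(AuthServer({"alice": "correct horse"}))       # constructed credentials
    alice = Supplicant("00:11:22:33:44:55", "alice", "correct horse")
    mallory = Supplicant("66:77:88:99:aa:bb", "alice", "guess")       # wrong password
    ap.receive(alice.data(b"ping"))                 # before authentication: dropped
    dropped_before = ap.dropped
    ok_alice = alice.authenticate(ap)
    ap.receive(alice.data(b"ping"))                 # after EAP-Success: forwarded
    ok_mallory = mallory.authenticate(ap)
    ap.receive(mallory.data(b"ping"))               # still dropped
    ap.receive(alice.frame("logoff"))               # EAPOL-Logoff closes alice's port again
    ap.receive(alice.data(b"ping"))
    return {"dropped_before": dropped_before, "alice": ok_alice, "mallory": ok_mallory,
            "forwarded": len(ap.forwarded), "dropped": ap.dropped,
            "key_set": alice.session_key is not None}
```

Note what the authenticator does not do: it never sees the password or verifies the response itself, it only relays EAP and acts on the AS verdict, which is exactly why credentials can live on one central RADIUS server while many access points enforce the port rule locally.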
- 54. 802.11 Security Protocols
Security protocol    802.11 (WEP)   WPA Personal   WPA Enterprise       WPA2 Personal    WPA2 Enterprise      802.11i
Authentication       PSK            PSK            802.1X/EAP/RADIUS    PSK              802.1X/EAP/RADIUS    802.1X/EAP/RADIUS (O)
Data encryption      WEP            TKIP           TKIP                 CCMP / TKIP (O)  CCMP / TKIP (O)      CCMP / TKIP
(O) = optional
- 55. Wireless Packet / Data Filtering
• Blocking unwanted traffic.
• Three basic types of filtering:
– SSID Filtering
– MAC Address Filtering
– Protocol Filtering
- 56. Attacks on WLANs
• Some attack methods:
– Passive Attacks (Eavesdropping)
– Active Attacks
• Jamming Attacks
• Man-in-the-middle Attacks
- 57. Emerging Security Solutions
• WEP Key Management
• Wireless VPNs
• TKIP
• AES
• Wireless Gateways
• 802.1X and EAP
• Policies
• Etc…
- 58. Wireless VPN
• VPN
– Virtual private network.
– Private network link carried on a public
network
– Uses tunnelling
– Utilizes encryption techniques
- 59. Roaming
• Roaming
– ability for a user to function when the serving
network is different from their home network.
– The process of a client moving from one area
or AP to another while maintaining a data link.
• Mobile IP
– allows users with mobile devices whose IP
addresses are associated with one network to
stay connected when moving to another
network with a different IP.
- 61. VPN Use in Roaming
• Wireless VPN implemented by two
methods:
– A centralized VPN server (Hardware/ software)
– A distributed set of VPN servers
• Can be located in the AP with RADIUS support
- 62. Corporate Security Policy
• Develop a wireless security policy
– define what is and what is not allowed with
wireless technology.
• Measure the basic field coverage of the
wireless network.
• Know the technologies and the users that
use the network.
• Physical Security
- 63. Corporate Security Policy
• Set base lines and perform
audits/monitoring of the network.
• Harden AP’s, servers, and gateways.
• Determine level of security protocols
and standards.
• Consider using switches, DMZ, RADIUS
servers, and VPN.
• Update firmware and software.
- 64. Securing WLAN Policies
• If possible, put the wireless network behind its own routed interface so you can shut it off if necessary.
• Pick a random SSID that gives nothing away about your network.
• Set your AP to 'Closed Network' (SSID not broadcast); treat this as obscurity, not as authentication.
• Set the 802.11 authentication method to 'Open': shared-key authentication leaks RC4 keystream to an eavesdropper and is weaker than doing no 802.11-level authentication and relying on 802.1X.
• Have your broadcast keys rotate every few minutes.
• Use 802.1X for key management and authentication
– Look over the available EAP methods and decide which is right for your environment.
– Set the session to time out every few minutes.
- 65. References
1. William Stallings and Lawrie Brown, Computer Security: Principles and Practice. Pearson/Prentice Hall, 2008. ISBN 0-13-600424-5.
2. Cisco CWNA Course.
3. Dr. Hani Ragab Hassen, Lecture Notes, Kent University.
- 66. Summary
• In this session we discussed the following:
– Introduced need for security auditing
– Audit model, functions, requirements
– Security audit trails
– Implementing logging and analysis.
– Overview of wireless networking and
standards
– Wireless security protocols and policies
- 67. Thanks
Radwan Tahboub