Everyone wants to be on the Internet and to interconnect networks.
This brings persistent security concerns, and an individual system cannot easily be secured on its own.
Organisations therefore typically use firewalls and IDS to provide perimeter defence as part of a comprehensive security strategy.
A firewall is a hardware or software solution which restricts access between your network and an outside network.
Firewalls restrict access to services you don’t want to make available to the outside.
Firewalls scale well and centralize management.
A firewall cannot protect against everything.
A choke point of control and monitoring.
Interconnects networks with differing trust.
Imposes restrictions on network services.
Only authorized traffic is allowed.
Auditing and controlling access.
Can implement alarms for abnormal behavior.
Provide NAT & usage monitoring.
Implement VPNs using IPsec.
Cannot protect from attacks that bypass it.
E.g., sneaker-net (files carried in on physical media), modems dialling out from inside, links to trusted partner organisations, and trusted encrypted services the firewall cannot inspect (e.g. SSL/SSH tunnels).
Cannot protect against internal threats.
E.g. disgruntled or colluding employees.
Cannot protect against the transfer of every virus-infected program or file.
Because of the huge range of operating systems and file types, scanning every possible format at the perimeter is impractical.
Cannot protect from natural disasters.
Cannot protect from yourself.
Traditional packet filters: filtering is often combined with a router, creating a firewall.
Simplest, fastest firewall component.
Foundation of any firewall system.
Examine each IP packet in isolation (no context) and permit or deny it according to rules.
Hence they restrict access to services (ports).
Possible default policies: default deny (discard anything not explicitly permitted; the conservative choice) or default permit (forward anything not explicitly denied).
Analyzes each datagram going through it; makes the drop/forward decision based on: source and destination IP address, IP protocol field (TCP, UDP, ICMP), TCP/UDP source and destination port numbers, ICMP message type, and TCP flag bits (SYN, ACK).
IP address spoofing: an outside attacker sends packets whose source address is an internal host, hoping to match rules that trust internal addresses. Countermeasure: discard any packet arriving on the external interface with an internal source address.
Source routing attacks: the sender specifies the route the packet should take through the network, hoping to route around security checks. Countermeasure: discard all source-routed packets.
Tiny fragment attacks: the attacker fragments the packet so finely that the TCP header (with its port and flag fields) is split across fragments, leaving the filter too little to match on. Countermeasure: discard TCP packets with fragment offset 1, or require the first fragment to carry the complete transport header.
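A stateless packet filter with a default-deny rule table and the three countermeasures above, as an added example (not code from the course material). The protected prefix 10.0.0.0/24, the rule table and the sample packets are constructed for illustration; a real filter would see these fields parsed from the IP/TCP headers.

```python
from dataclasses import dataclass

INTERNAL_PREFIX = "10.0.0."          # constructed: the protected network
DEFAULT_POLICY = "deny"              # default deny: anything not explicitly permitted is dropped


@dataclass
class Packet:
    iface: str                       # interface the packet arrived on: "ext" or "int"
    src: str
    dst: str
    proto: str                       # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    syn: bool = False
    ack: bool = False
    frag_offset: int = 0             # IP fragment offset (8-byte units); 0 = first/only fragment
    source_routed: bool = False      # loose/strict source-route IP option present


# Constructed rule table, first match wins.
# Columns: direction, proto, destination port (None = any), ACK required, action.
# The "ACK required" column is how a stateless filter lets replies back in: a reply
# to a connection opened from inside always carries the ACK flag.
RULES = [
    ("out", "tcp", 80,   False, "permit"),   # internal clients may open HTTP
    ("out", "tcp", 443,  False, "permit"),   # ... and HTTPS
    ("out", "udp", 53,   False, "permit"),   # ... and send DNS queries
    ("in",  "tcp", 25,   False, "permit"),   # outside may reach the mail server
    ("in",  "tcp", None, True,  "permit"),   # inbound TCP only if ACK is set (a reply)
    # no UDP reply rule: without state there is no way to tie a DNS answer to a query
]


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)


def sanity_checks(p):
    """The three classic attacks on packet filters and their countermeasures."""
    if p.iface == "ext" and is_internal(p.src):
        return "deny: spoofed internal source address on external interface"
    if p.source_routed:
        return "deny: source-routed packet"
    if p.proto == "tcp" and p.frag_offset == 1:
        # An 8-byte first fragment holds only the ports; the fragment at offset 1
        # would carry the flags, so the TCP header was deliberately split.
        return "deny: tiny fragment (offset 1) splits the TCP header"
    return None


def filter_packet(p):
    """Return the action for one packet: a sanity-check reason, a rule action, or the default."""
    reason = sanity_checks(p)
    if reason:
        return reason
    direction = "in" if p.iface == "ext" else "out"
    for d, proto, dport, need_ack, action in RULES:
        if (d == direction and proto == p.proto
                and (dport is None or dport == p.dport)
                and (not need_ack or p.ack)):
            return action
    return DEFAULT_POLICY


if __name__ == "__main__":
    # Constructed sample traffic.
    print(filter_packet(Packet("int", "10.0.0.5", "93.184.216.34", "tcp", 40000, 80, syn=True)))
    print(filter_packet(Packet("ext", "10.0.0.9", "10.0.0.5", "tcp", 5555, 25)))
    print(filter_packet(Packet("ext", "203.0.113.7", "10.0.0.5", "tcp", 5555, 22, ack=True)))
```

The last sample shows the weakness of the ACK trick: any inbound packet with the ACK bit set, even one aimed at port 22, is passed because the filter has no record of which connections were actually opened from inside. That is the gap stateful filters close.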
Traditional packet filters do not examine higher-layer context, i.e., they cannot match return packets with the outgoing flow that triggered them.
Stateful packet filters address this need.
They examine each IP packet in context:
Stateful filter: adds more intelligence to the filter decision-making process.
Stateful = remembers past packets.
They are better able to detect bogus packets out of context.
Log each TCP connection initiated through the firewall (seen as a SYN segment) in a state table.
Time out entries which see no activity for, say, 60 seconds.
If the rule table indicates that the state table must be checked: check whether there is already a matching connection in the state table before permitting the packet.
Stateful filters can also remember outgoing UDP segments, so that the reply datagram can be let back in even though UDP has no SYN or ACK flags to match on.
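A stateful filter implementing the rules just listed (log outbound SYNs, 60-second idle timeout, UDP remembered, inbound only when a matching entry exists), as an added example rather than code from the course material. The inbound service list, the 60-second timeout value and the sample packets are constructed; the state-table key is normalised so a packet and its reply hit the same entry.

```python
from dataclasses import dataclass

IDLE_TIMEOUT = 60                     # seconds of silence before an entry is dropped
INBOUND_SERVICES = {("tcp", 25)}      # constructed: services the outside may initiate to


@dataclass
class Packet:
    iface: str                        # "ext" (arrived from outside) or "int" (from inside)
    src: str
    dst: str
    proto: str                        # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False
    fin: bool = False
    rst: bool = False


class StatefulFilter:
    def __init__(self):
        # key: (proto, inside ip, inside port, outside ip, outside port) -> last activity time
        self.table = {}

    @staticmethod
    def flow_key(p):
        """Normalise so a packet and its reply map to the same entry."""
        if p.iface == "int":
            return (p.proto, p.src, p.sport, p.dst, p.dport)
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def expire(self, now):
        for key in [k for k, t in self.table.items() if now - t > IDLE_TIMEOUT]:
            del self.table[key]

    def process(self, p, now):
        """Return the action for packet p seen at time `now` (seconds)."""
        self.expire(now)
        key = self.flow_key(p)

        # Static rule for a published service; log it so the server's replies get out.
        if p.iface == "ext" and (p.proto, p.dport) in INBOUND_SERVICES:
            self.table[key] = now
            return "permit: static rule (inbound service), flow logged"

        if p.iface == "int":
            # Outbound: a TCP SYN or any UDP datagram opens (or refreshes) an entry.
            if (p.proto == "tcp" and p.syn and not p.ack) or p.proto == "udp":
                self.table[key] = now
                return "permit: flow logged"
            if key in self.table:
                self.table[key] = now
                return "permit"
            return "deny: outbound packet belongs to no known flow"

        # Inbound: only if it matches a flow opened from inside.
        if key not in self.table:
            return "deny: no matching entry in state table"
        if p.proto == "tcp" and p.syn and not p.ack:
            return "deny: bare SYN on an already-open flow is out of context"
        self.table[key] = now
        if p.proto == "tcp" and p.rst:
            del self.table[key]       # aborted; FIN teardown is left to the idle timeout here
        return "permit"


if __name__ == "__main__":
    fw = StatefulFilter()
    print(fw.process(Packet("int", "10.0.0.5", "93.184.216.34", "tcp", 40000, 80, syn=True), now=0))
    print(fw.process(Packet("ext", "93.184.216.34", "10.0.0.5", "tcp", 80, 40000, syn=True, ack=True), now=1))
    print(fw.process(Packet("ext", "203.0.113.7", "10.0.0.5", "tcp", 5555, 22, ack=True), now=2))
```

The third packet, an unsolicited ACK that a stateless ACK-only rule would pass, is now dropped because no outbound SYN created an entry for it. A production implementation would also track TCP state transitions (half-close, sequence windows) rather than relying only on the idle timeout.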
Application gateways: have an application-specific gateway / proxy for each service.
Has full access to the protocol: the user requests the service from the proxy, the proxy checks that the request is legitimate (and can authenticate the user and log the transaction), and only then relays it to the real server.
Need separate proxies for each service: e.g., one each for SMTP, HTTP and FTP; a new service needs a new proxy, and client software must know how to contact the gateway.
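An HTTP application gateway's decision logic, as an added example that is not part of the course material. It parses the request the way a proxy must, then enforces checks a packet filter cannot make (authenticated user, HTTP method, Host header, body length). The user database, the host block-list and the sample requests are constructed; a real gateway would store salted password hashes rather than plaintext passwords.

```python
import base64
import hmac

ALLOWED_METHODS = {"GET", "HEAD", "POST"}          # no CONNECT: tunnels bypass inspection
BLOCKED_HOSTS = {"filesharing.example"}            # constructed outbound policy
USERS = {"alice": "s3cret", "bob": "hunter2"}      # constructed; plaintext for the demo only
WEB_USERS = {"alice"}                              # only these users may browse out


def basic_auth_header(user, password):
    """Header a browser sends after the proxy challenges it (RFC 7617 Basic scheme)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Proxy-Authorization: Basic {token}"


def sample_request(method, host, auth_header=None):
    """Constructed request in the absolute form browsers use when talking to a proxy."""
    lines = [f"{method} http://{host}/index.html HTTP/1.1", f"Host: {host}"]
    if auth_header:
        lines.append(auth_header)
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def parse_request(raw: bytes):
    """Split an HTTP/1.x request into (method, target, headers, body); raises ValueError."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ")          # ValueError if not 3 tokens
    if not version.startswith("HTTP/1."):
        raise ValueError("bad version")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError("bad header line")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def authenticated_user(headers):
    """Return the user named by a valid Proxy-Authorization header, else None."""
    scheme, _, token = headers.get("proxy-authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        user, _, pw = base64.b64decode(token, validate=True).decode().partition(":")
    except ValueError:                      # covers binascii.Error and UnicodeDecodeError
        return None
    expected = USERS.get(user)
    if expected is None or not hmac.compare_digest(expected.encode(), pw.encode()):
        return None
    return user


def gateway_decide(raw: bytes):
    """Decide whether the proxy relays this request; the string is also the audit log line."""
    try:
        method, target, headers, body = parse_request(raw)
    except ValueError as exc:
        return f"deny: malformed request ({exc})"
    user = authenticated_user(headers)
    if user is None:
        return "deny: proxy authentication required"
    if user not in WEB_USERS:
        return f"deny: user {user} not authorised for outbound HTTP"
    if method not in ALLOWED_METHODS:
        return f"deny: method {method} not permitted"
    host = headers.get("host")
    if not host:
        return "deny: missing Host header"
    if host.split(":")[0] in BLOCKED_HOSTS:
        return f"deny: host {host} blocked by policy"
    try:
        declared = int(headers.get("content-length", "0"))
    except ValueError:
        return "deny: bad Content-Length"
    if declared != len(body):
        return "deny: Content-Length does not match body"
    return f"permit: {user} {method} {target}"


if __name__ == "__main__":
    auth = basic_auth_header("alice", "s3cret")
    print(gateway_decide(sample_request("GET", "www.example.com", auth)))
    print(gateway_decide(sample_request("CONNECT", "www.example.com", auth)))
    print(gateway_decide(sample_request("GET", "www.example.com")))
```

Every decision depends on fields a packet filter never sees: the method, the Host header, the credentials. That visibility is the strength of the gateway, and the reason each protocol needs its own.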
Some examples of security mechanisms at other layers (application-layer e-mail security with PGP, transport-layer security with SSL):
PGP: Internet e-mail encryption scheme, de facto standard.
Uses symmetric-key cryptography, public-key cryptography, hash functions and digital signatures as described earlier.
Provides secrecy, sender authentication and integrity.
Inventor: Phil Zimmermann.
PGP combines the best available cryptographic algorithms to achieve secure e-mail communication.
It is assumed that all users are using public key cryptography (with RSA digital signatures) and have generated a private/public key pair.
All users also use a symmetric key system such as triple DES.
This is a digital signature scheme with hashing: Alice hashes the message and signs the hash with her private key; Bob recomputes the hash and checks the signature with Alice's public key.
Bob is sure that the message is correct and that it does come from Alice. Furthermore Alice cannot later deny sending the message since only Alice has access to her private key Ad, which works in conjunction with the public key Ae.
Public and symmetric key cryptosystems are combined in this way to provide security for key exchange and then efficiency for encryption. The session key k is used only to encrypt message m and is not stored for any length of time.
The schemes for authentication and confidentiality can be combined so that Alice can sign a confidential message which is encrypted before transmission. The steps required are as follows:
SSL provides transport-layer security to any TCP-based application that uses SSL services.
Used between Web browsers and servers for e-commerce (https).
Check your browser’s security menu to see its trusted CAs.
Encrypted SSL session:
Browser generates a symmetric session key, encrypts it with the server’s public key, and sends the encrypted key to the server.
Using its private key, the server decrypts the session key.
Browser and server now both know the session key: all data sent into the TCP socket (by client or server) is encrypted with the session key.
SSL is the basis of IETF Transport Layer Security (TLS). Note that this RSA key-transport handshake has no forward secrecy (a later compromise of the server's private key exposes every recorded session); TLS 1.3 replaced it with ephemeral Diffie-Hellman key exchange.
SSL can be used for non-Web applications, e.g., IMAP.
Client authentication can be done with client certificates.
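The two hybrid constructions on this page, PGP's sign-then-encrypt envelope (Alice signs with Ad, encrypts under a one-time session key k, wraps k with Bob's public key) and the SSL session-key transport (browser encrypts k with the server's public key), share the same RSA and symmetric primitives, so one added example covers both. This is illustrative code, not PGP's or SSL's real implementation: the RSA is textbook, unpadded and built on fixed small Mersenne primes, and a SHA-256 XOR keystream stands in for triple DES because the standard library ships neither. Key pairs, message and session keys are constructed; nothing here is secure for real use.

```python
import hashlib
import secrets


# Toy textbook RSA (no padding, tiny fixed primes): demonstration only, NOT secure.
def rsa_keygen(p, q, e=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)                 # private exponent (Python 3.8+)
    return (e, n), (d, n)               # (public key, private key)


def rsa_pub_op(pub, x):                 # encrypt, or recover a signed hash
    e, n = pub
    assert 0 <= x < n
    return pow(x, e, n)


def rsa_priv_op(priv, x):               # decrypt, or sign
    d, n = priv
    return pow(x, d, n)


def digest(message):                    # SHA-256 truncated to 160 bits so it fits below n
    return int.from_bytes(hashlib.sha256(message).digest()[:20], "big")


def sign(priv, message):
    return rsa_priv_op(priv, digest(message))


def verify(pub, message, sig):
    return 0 <= sig < pub[1] and rsa_pub_op(pub, sig) == digest(message)


def symmetric_crypt(key, data):
    """Toy XOR stream cipher keyed by SHA-256(key || counter); one call both encrypts and
    decrypts. Stands in for triple DES, which the standard library does not provide."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + (i // 32).to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


# PGP-style sign-then-encrypt: Alice signs m with Ad, picks a one-time session key k,
# encrypts (m, signature) under k, and encrypts k under Bob's public key.
def pgp_send(alice_priv, bob_pub, m):
    sig = sign(alice_priv, m)
    k = secrets.token_bytes(16)                         # used once, never stored
    payload = len(m).to_bytes(4, "big") + m + sig.to_bytes(32, "big")
    return {"enc_key": rsa_pub_op(bob_pub, int.from_bytes(k, "big")),
            "ciphertext": symmetric_crypt(k, payload)}


def pgp_receive(bob_priv, alice_pub, envelope):
    """Bob recovers k with his private key, decrypts, then checks Alice's signature with Ae."""
    k = rsa_priv_op(bob_priv, envelope["enc_key"]).to_bytes(16, "big")
    payload = symmetric_crypt(k, envelope["ciphertext"])
    mlen = int.from_bytes(payload[:4], "big")
    m, sig = payload[4:4 + mlen], int.from_bytes(payload[4 + mlen:], "big")
    if not verify(alice_pub, m, sig):
        raise ValueError("signature does not verify: message altered or not from Alice")
    return m


def envelope_is_authentic(bob_priv, alice_pub, envelope):
    try:
        pgp_receive(bob_priv, alice_pub, envelope)
        return True
    except ValueError:
        return False


# SSL-style session setup: the browser picks a session key and encrypts it with the
# server's public key; the server recovers it with its private key; both then use it.
def ssl_key_exchange(server_pub, server_priv):
    k_browser = secrets.token_bytes(16)
    on_the_wire = rsa_pub_op(server_pub, int.from_bytes(k_browser, "big"))
    k_server = rsa_priv_op(server_priv, on_the_wire).to_bytes(16, "big")
    return k_browser, k_server


# Constructed key pairs on fixed Mersenne primes so the example is deterministic.
ALICE_PUB, ALICE_PRIV = rsa_keygen((1 << 89) - 1, (1 << 107) - 1)
BOB_PUB, BOB_PRIV = rsa_keygen((1 << 61) - 1, (1 << 127) - 1)

if __name__ == "__main__":
    env = pgp_send(ALICE_PRIV, BOB_PUB, b"Meet at noon; bring the audit logs.")
    print(pgp_receive(BOB_PRIV, ALICE_PUB, env))
    kb, ks = ssl_key_exchange(BOB_PUB, BOB_PRIV)
    print(kb == ks, symmetric_crypt(ks, symmetric_crypt(kb, b"GET / HTTP/1.1")))
```

Two checks worth running against the PGP half: flipping one ciphertext byte makes the signature fail (integrity), and an envelope signed with any key other than Ad is rejected by Ae (sender authentication), which is exactly the non-repudiation argument made above.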
1. Course Introduction: Security basic concepts
2. Access Control models: Authentication and authorization mechanisms
6. Role Based Access Control standard (v3)
7. XACML: extensible Access Control Markup Language
8. Authentication protocols in distributed systems
10. Java Authentication and Authorization Service (JAAS)
11. Network security
12. Network security, security protocols: PGP, SSL
13. Intrusion detection system (IDS)