FIT1047
FIT1047 – Week 11
Part 1
Security Protocols + exam information
Introduction to computer systems, networks and security
Abdul Malik Khan
W. Stallings (2016). Network Security Essentials: Applications and Standards, Global Edition (6e). Pearson International.
Ross Anderson. Security Engineering, Second edition, 2008. Wiley. This book is also available for free online: http://www.cl.cam.ac.uk/~rja14/book.html
Overview of today's Lecture: Security Protocols
• Transport Layer Security (TLS)
• Diffie-Hellman key exchange
• Authentication with certificates
• VPN – Virtual Private Network
• Internet Protocol Security (IPSec)
Network Stack with HTTP
HTTP
Transport Layer (TCP)
Internet Layer (IP)
Data Link (Ethernet)
Physical
Security above Transport Layer – TLS
HTTPS (HTTP layered over SSL/TLS):
HTTP
SSL/TLS – Transport Layer Security
Transport Layer (TCP)
Internet Layer (IP)
Data Link (Ethernet)
Physical
Security above Transport Layer – TLS
TLS protects more than just HTTP (HTTPS, Mail, Others):
HTTP / Mail / Others
TLS – Transport Layer Security
Transport Layer (TCP)
Internet Layer (IP)
Data Link (Ethernet)
Physical
SSL/TLS
• Originally developed by Netscape as Secure Socket Layer (SSL)
• SSL Version 2.0 in 1995 was quickly replaced by SSL 3.0 in 1996
• IETF (Internet Engineering Task Force) published the successor Transport Layer Security 1.0 as RFC5246 in 1999
• The first version of TLS is essentially SSLv3.1
• Current version is TLS 1.2 as IETF RFC 5246
• All previous versions should be disabled due to security problems.
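As an added example (not part of the lecture slides), this is how a Python client actually enforces "all previous versions should be disabled" with the standard `ssl` module: the context refuses any protocol version below TLS 1.2, and at the same time requires a valid server certificate whose name matches the host. The TLS 1.2 floor is an assumption of this example; a deployment that only needs modern peers can raise it to TLS 1.3.

```python
import ssl


def make_client_context(min_version=ssl.TLSVersion.TLSv1_2):
    """Build a client-side TLS context with legacy protocol versions disabled.

    create_default_context() loads the trusted CA list shipped with the system
    and enables certificate verification; setting minimum_version makes the
    handshake fail against SSLv3, TLS 1.0 and TLS 1.1 servers.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = min_version      # refuse anything older than this
    ctx.check_hostname = True              # subject name must match the host we dial
    ctx.verify_mode = ssl.CERT_REQUIRED    # the server must present a valid certificate
    return ctx


def legacy_versions_disabled(ctx):
    """True when the context cannot negotiate a version below TLS 1.2."""
    return ctx.minimum_version >= ssl.TLSVersion.TLSv1_2


def audit_context(ctx):
    """The settings a reviewer checks on a client context, as one dict."""
    return {
        "min_version": ctx.minimum_version.name,
        "legacy_disabled": legacy_versions_disabled(ctx),
        "verifies_certificate": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
    }


if __name__ == "__main__":
    print(audit_context(make_client_context()))
```

A server-side context is built the same way with `ssl.Purpose.CLIENT_AUTH`; the `minimum_version` setting is what actually turns the old versions off on both ends.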
SSL Services
The following services are provided by SSL:
• Server authentication: the server's identity is confirmed to the client by demonstrating a valid certificate or public key. Especially important for financial transactions.
• Client authentication: the user's identity is confirmed to the server. Important in internet banking and general contracting, when the server needs to be sure about the client's identity.
• Confidentiality: data items transferred in the session are encrypted to protect against eavesdropping.
• Integrity: a MAC is attached to each message.
SSL/TLS
• Main goal is to establish a shared key to protect messages (confidentiality and integrity/authenticity)
• Main sub-protocols are the TLS handshake, which negotiates parameters, performs optional authentication and establishes the shared key,
• and the SSL/TLS record protocol, which is the actual secure transport protocol
• Uses Diffie-Hellman key exchange to create the shared secret
Diffie-Hellman key exchange
1. Alice and Bob agree on values a and q (these values are exchanged in a secure way)
2. Alice generates a random Private Key XA and a Public Key
3. Bob generates a random Private Key XB and a Public Key
4. They both exchange the public keys.
5. Then Alice calculates the Secret Key
6. Bob also calculates the Secret Key
Why does this work?
1. Alice's Private Key XA is a secret value
2. Bob's Private Key XB is a secret value
3. To obtain Alice's and Bob's Private Keys XA and XB, the attacker would need to compute XA from Alice's public key and XB from Bob's public key
4. This computation is the Discrete Logarithm problem, which is difficult to compute.
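The six exchange steps and the discrete-logarithm argument above, carried through in code as an added example (it is not from the lecture slides). The parameters are constructed toy values, q = 23 and a = 5 (a primitive root mod 23), and are deliberately tiny so that the brute-force discrete logarithm at the end actually finishes; real deployments use groups of 2048 bits or more, where that loop is hopeless, which is the whole point of step 4.

```python
import secrets

# Constructed toy parameters: q is a small prime, a is a primitive root mod q.
# Real-world q is 2048 bits or larger; this size only exists so that the
# brute-force discrete logarithm below terminates instantly.
Q = 23
A = 5


def generate_private_key(q):
    """Steps 2/3: a random private value X in [1, q-2]."""
    return secrets.randbelow(q - 2) + 1


def public_key(x, a=A, q=Q):
    """Steps 2/3: Y = a^X mod q, the value that is sent over the network."""
    return pow(a, x, q)


def shared_secret(their_public, my_private, q=Q):
    """Steps 5/6: K = Y_other^X_mine mod q; both sides arrive at the same K."""
    return pow(their_public, my_private, q)


def discrete_log(y, a=A, q=Q):
    """What an eavesdropper must solve: find X with a^X = y (mod q).

    Exhaustive search costs O(q) steps, so it only works for toy q like ours.
    """
    for x in range(q):
        if pow(a, x, q) == y:
            return x
    return None


def run_exchange(q=Q, a=A):
    """Steps 1-6 end to end; returns the wire values and both computed secrets."""
    xa = generate_private_key(q)        # Alice's private key XA (never sent)
    xb = generate_private_key(q)        # Bob's private key XB (never sent)
    ya = public_key(xa, a, q)           # Alice's public key, sent to Bob
    yb = public_key(xb, a, q)           # Bob's public key, sent to Alice
    return {"XA": xa, "XB": xb, "YA": ya, "YB": yb,
            "K_alice": shared_secret(yb, xa, q),
            "K_bob": shared_secret(ya, xb, q)}


def eavesdropper_recovers_secret(ya, yb, a=A, q=Q):
    """Given only the public values, recover K by solving one discrete log.

    Feasible here purely because q = 23; with a real-size q this is the
    computation step 4 of the slide calls 'difficult to compute'.
    """
    xa = discrete_log(ya, a, q)
    return pow(yb, xa, q)


if __name__ == "__main__":
    ex = run_exchange()
    print(ex)
    print("eavesdropper:", eavesdropper_recovers_secret(ex["YA"], ex["YB"]))
```

With the textbook values XA = 6 and XB = 15 the public keys are 8 and 19 and both sides compute K = 2; the test below checks those fixed values as well as a random run.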
TLS Phases
1. SSL/TLS Handshake
Can authenticate server and client. In HTTPS mostly only the server is authenticated. Results in a shared key and a session ID or session ticket.
2. TLS Record
After the exchange of ChangeCipherSpec messages, all subsequent traffic is encrypted.
3. TLS Alert
Immediately closes a session
A closer look at TLS Handshake
(Handshake diagram; source: Microsoft)
Authentication with certificates
The digital certificate enables entities to share their public key in a way that can be authenticated. Digital certificates are used in public key cryptography functions; they are most commonly used for initializing secure SSL/TLS connections between web browsers and web servers.
• A certificate provides additional information for a public key:
• Owner of the matching private key
• Validity (expiration date and time)
• Subject name
• Issuer name
• other parameters
Trusted certificates
• A certificate authority (CA) is a trusted entity that issues digital trusted certificates, which are data files used to cryptographically link an entity (user, browser, process, device, etc.) with a public key.
• The digital trusted certificate can then be authenticated (for example, by a web browser) using the certificate authority's public key.
• A trusted certificate is digitally signed by a known certification authority.
• Browsers (Chrome, Firefox, IE, Safari, etc.) come with a list of these authorities.
Certificates have problems
• Certificate revocation
• Relation between name and the principal
• Users are used to accepting certificates with errors (an issue for secure communication)
• New policies are stricter (which sometimes is annoying)
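An added example (not from the slides) of what the last three slides amount to on the browser side: a CA signs the certificate fields (serial, subject, issuer, validity, public key), and the verifier checks the signature with the CA key from its trust store, then the validity dates, the subject name against the host it is connecting to, and a revocation list. Everything here is constructed: the CA key is textbook RSA on two small Mersenne primes with no padding (far too weak for real use), the trust store and revoked-serial set are inline stand-ins for a browser root store and a CRL, and the server's own public key is a placeholder pair of integers.

```python
import hashlib
import json

# Toy CA key: textbook RSA from two well-known Mersenne primes (2^31-1, 2^61-1).
# Constructed for illustration only; real CAs use 2048-bit+ keys and padded
# signatures (PKCS#1 v1.5 or PSS), never bare RSA on a hash.
P, Q = 2147483647, 2305843009213693951
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))          # CA private exponent

# What a browser ships with: issuer name -> CA public key (constructed).
TRUST_STORE = {"Example Root CA": (E, N)}
# Serial numbers the CA has revoked (stand-in for a CRL / OCSP answer).
REVOKED_SERIALS = {"0003"}


def digest(fields):
    """Hash the to-be-signed fields into an integer below N."""
    data = json.dumps(fields, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def ca_sign(fields):
    return pow(digest(fields), D, N)


def signature_valid(fields, sig, pub):
    e, n = pub
    return pow(sig, e, n) == digest(fields)


def issue(subject, serial, not_before, not_after, issuer="Example Root CA",
          subject_pubkey=(65537, 99991)):       # placeholder server key
    """The CA's side: bind a subject name to a public key and sign the bundle."""
    tbs = {"serial": serial, "subject": subject, "issuer": issuer,
           "pubkey": list(subject_pubkey),
           "not_before": not_before, "not_after": not_after}   # ISO-8601 dates
    return {"tbs": tbs, "signature": ca_sign(tbs)}


def validate(cert, expected_host, today):
    """The browser's side. Returns "ok" or the name of the first failing check."""
    tbs = cert["tbs"]
    ca_pub = TRUST_STORE.get(tbs["issuer"])
    if ca_pub is None:
        return "issuer not in trust store"
    if not signature_valid(tbs, cert["signature"], ca_pub):
        return "bad signature"                  # fields edited after signing
    if not (tbs["not_before"] <= today <= tbs["not_after"]):
        return "expired or not yet valid"       # ISO-8601 strings compare correctly
    if tbs["subject"] != expected_host:
        return "name mismatch"                  # valid cert, but for another host
    if tbs["serial"] in REVOKED_SERIALS:
        return "revoked"
    return "ok"


if __name__ == "__main__":
    good = issue("www.example.com", "0001", "2021-01-01", "2022-01-01")
    print(validate(good, "www.example.com", "2021-06-01"))
    forged = issue("www.example.com", "0002", "2021-01-01", "2022-01-01")
    forged["tbs"]["subject"] = "bank.example"    # edited after the CA signed it
    print(validate(forged, "bank.example", "2021-06-01"))
```

The order of the checks matters: the signature is verified first, because none of the other fields can be trusted until it is known that the CA vouched for them; revocation is checked last because it needs a network lookup in practice, which is one reason the slide lists it under "problems".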
VPN – Virtual Private Network
• A VPN logically and securely connects a client (or a network) to a network via an encrypted channel.
• A secure VPN tunnel connects one network to another network via a secure encrypted tunnel.
(Diagram source: Microsoft)
VPN – Virtual Private Network
• A VPN routes packets between different networks.
• The tunnel can be established by TLS or IPSec.
• Security only between tunnel endpoints, e.g. VPN client and VPN gateway. Traffic in an internal network is still in the clear!
(Diagram source: Microsoft)
IPSec: IP Security
A protocol suite on the level of IP packets (Network Layer):
• IPSec is a set of protocols to provide high quality, interoperable, cryptography-based security for IP packets
• IPSec provides
  authentication
  confidentiality
  key management
• IPSec is applicable over LANs, across public and private WANs, and for the Internet
• Can authenticate and encrypt data for each IP packet of a communication
Transport mode: The payload of the IP packet is encrypted and the integrity of the header is protected. Used, for example, for end-to-end communication between two devices.
Tunnel mode: Complete IP packets are encrypted and contained in a new IP packet with a new header. Used for VPNs and host-to-host, host-to-network and network-to-network communication.
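An added example (not from the slides) that makes the transport/tunnel distinction, and the earlier "security only between tunnel endpoints" point, concrete on a toy packet. The cipher is a constructed SHA-256 keystream with an HMAC tag standing in for ESP's encryption and ICV, the addresses are documentation ranges, and the packets are dicts rather than real IP headers; what matters is which fields an observer on the path can still read in each mode.

```python
import hashlib
import hmac
import json

# Constructed toy cipher: XOR with a SHA-256 counter keystream plus an HMAC tag.
# It stands in for ESP's cipher and ICV so the example needs only the standard
# library. It reuses the keystream for every packet, which real ESP avoids with
# per-packet IVs and sequence numbers; never use this as an actual cipher.
def keystream(key, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key, plaintext):
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(key, len(plaintext))))
    tag = hmac.new(key, ct, hashlib.sha256).hexdigest()   # integrity check value
    return ct.hex(), tag


def unseal(key, ct_hex, tag):
    ct = bytes.fromhex(ct_hex)
    expected = hmac.new(key, ct, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")        # modified in transit
    return bytes(c ^ k for c, k in zip(ct, keystream(key, len(ct))))


def transport_mode(pkt, key):
    """Keep the original IP header; protect only the payload."""
    ct, tag = seal(key, pkt["payload"].encode())
    return {"src": pkt["src"], "dst": pkt["dst"], "esp": ct, "icv": tag}


def tunnel_mode(pkt, key, gw_src, gw_dst):
    """Encrypt the whole inner packet and wrap it in a new outer header
    carrying only the two gateway addresses."""
    inner = json.dumps(pkt, sort_keys=True).encode()
    ct, tag = seal(key, inner)
    return {"src": gw_src, "dst": gw_dst, "esp": ct, "icv": tag}


def on_the_wire(wire_pkt):
    """What someone between the endpoints can read: the cleartext header only."""
    return {k: v for k, v in wire_pkt.items() if k in ("src", "dst")}


def receive_transport(wire_pkt, key):
    payload = unseal(key, wire_pkt["esp"], wire_pkt["icv"]).decode()
    return {"src": wire_pkt["src"], "dst": wire_pkt["dst"], "payload": payload}


def receive_tunnel(wire_pkt, key):
    return json.loads(unseal(key, wire_pkt["esp"], wire_pkt["icv"]))


if __name__ == "__main__":
    key = b"constructed-demo-key"
    pkt = {"src": "192.168.1.10", "dst": "192.168.2.20", "payload": "GET /payroll"}
    print("transport:", on_the_wire(transport_mode(pkt, key)))   # inner hosts visible
    print("tunnel:   ", on_the_wire(tunnel_mode(pkt, key, "203.0.113.1", "198.51.100.1")))
```

Transport mode leaks which two internal hosts are talking even though the payload is hidden; tunnel mode exposes only the gateway pair, which is why it is the mode used for network-to-network VPNs. The tamper check in `unseal` is what "integrity is protected" means in practice: a modified ciphertext is rejected rather than decrypted to garbage.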
FIT1047 – Week 11 Part 2
Security Protocols
Introduction to computer systems, networks and security
Abdul Malik Khan
Overview of 2nd Part of week-11 Lecture:
• Firewalls
• DMZ demilitarized zone
• Proxies and NAT
• Network view on Firewalls – Perimeter Protection
• Next generation Firewalls
• IDS & IPS
• Virus Scanner
What is a Firewall?
EXTERNAL NETWORK (PUBLIC DOMAIN) | Firewall | INTERNAL NETWORK (PRIVATE NETWORK)
Firewall: a set of hardware and software components located at a network gateway that protects the resources of a private internal network from harmful external networks and users on the Internet (public network).
Firewall
• A firewall is some kind of SECURE barrier
• In computer networks it is a barrier between some (more secure) INTERNAL network and a (less secure) EXTERNAL network (i.e. the Internet)
• A firewall FILTERS traffic
• SECURITY RULES define what can get through and what is blocked (in both directions, in and out)
Packet filter firewall
• Operates on Network Layer (and above)
• Filters based on source and destination IP Addresses, transport layer protocols, ports, current stage of a connection
• Static filtering rule set
• Standard security mechanisms and cost effective
How does a Packet filter firewall work?
Packet filter firewall software inspects the packets passing through the firewall.
• The first few bytes of a packet contain the IP header and the TCP or UDP header
• Finds application protocol and port (e.g. HTTP with port 80 or SMTP with port 25)
• Often, traffic from inside-to-out is allowed (except when explicitly blocked)
• Another example: one would block network management traffic from inside-to-out (SNMP on UDP ports 161, 162)
• Traffic from outside-to-in should be blocked if not explicitly permitted
Which traffic should be permitted?
Packet filter firewall software inspects the packets passing through the firewall, so we can define rules to permit incoming traffic and outgoing traffic!
• Different rules for existing connections and new connections
• Depends on applications/services running behind the firewall
• One needs to define:
  Source IP address (or range)
  Destination IP address (or range)
  Source port (or range)
  Destination port (or range)
Which traffic should be permitted?
• Source IP addresses:
  Any address should be able to connect to a web server.
  Management access should be restricted to specific IP addresses.
• Destination IP addresses:
  IP address of the server running a service that should be accessed.
  Destination address needs to be defined.
  Never allow any IP address
• Destination port:
  Specifies the service accessed via a particular port.
  Example: A web server needs incoming connections on port 80 (http) and port 443 (https).
  Never allow any port
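The rule-writing advice of the last three slides as a working packet filter, added here as an example that is not part of the lecture material. The network (an internal LAN 192.168.1.0/24, a public web server at 203.0.113.10, an admin network 198.51.100.0/24) and the packets are constructed from documentation address ranges; the rule set shows the patterns the slides ask for: return traffic for existing connections, the SNMP outbound block, web access from any source but only to one host and two ports, management access only from specific addresses, and default deny for everything else.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Packet:
    direction: str             # "in" (outside -> inside) or "out"
    proto: str                 # "tcp" or "udp"
    src: str
    dst: str
    dport: int
    established: bool = False  # part of a connection the firewall has already seen


@dataclass
class Rule:
    action: str                # "allow" or "deny"
    direction: str
    proto: Optional[str]       # None = any protocol
    src: str                   # CIDR of permitted sources
    dst: str                   # CIDR of permitted destinations
    dports: Optional[Tuple[int, ...]]  # None = any destination port
    established_only: bool = False

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction
                and (self.proto is None or self.proto == p.proto)
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and (self.dports is None or p.dport in self.dports)
                and (not self.established_only or p.established))


ANY = "0.0.0.0/0"
# Constructed example policy; first matching rule wins.
RULES = [
    # replies to connections opened from inside are let back in
    Rule("allow", "in", None, ANY, ANY, None, established_only=True),
    # network management must never leave the LAN (SNMP, UDP 161/162)
    Rule("deny", "out", "udp", "192.168.1.0/24", ANY, (161, 162)),
    # otherwise inside-to-out is allowed
    Rule("allow", "out", None, "192.168.1.0/24", ANY, None),
    # web server: any source, but only that host and only ports 80/443
    Rule("allow", "in", "tcp", ANY, "203.0.113.10/32", (80, 443)),
    # management (SSH) on the web server only from the admin network
    Rule("allow", "in", "tcp", "198.51.100.0/24", "203.0.113.10/32", (22,)),
]


def decide(packet: Packet, rules=RULES) -> str:
    """Evaluate the rule list top to bottom; unmatched traffic is dropped."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action
    return "deny"                # default deny, as the slide requires for inbound


if __name__ == "__main__":
    print(decide(Packet("in", "tcp", "192.0.2.55", "203.0.113.10", 443)))   # allow
    print(decide(Packet("in", "tcp", "192.0.2.55", "203.0.113.10", 22)))    # deny
```

Note that no rule ever names `ANY` for both destination address and port at once, which is the slide's "never allow any IP address / never allow any port" in rule form; the only rule with both wildcards is the established-connection rule, and it is gated on state rather than on addresses.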
Where to place a firewall?
• PC or host based firewalls:
  Firewall software on PCs is essential, but not sufficient. In a home network, the ISP-provided modem/router usually also acts as a firewall.
• For mid-size to large networks:
  Proper placement of the firewall in a company network is important.
• For small networks:
  Even a very simple company network has resources to be protected: an internal network with PCs, servers, printers, etc.; a mail server, web server, VPN gateway, etc.
  The internal network should not be directly accessible. The web server or mail server need to be accessible.
DMZ – demilitarized zone
Create a zone that is considered to be less secure than the internal network, but still protected from direct access from external networks.
DMZ with two firewalls
(Wikimedia Commons)
Filtering outgoing traffic
Some examples:
• Prevent malicious software from sending out data (outgoing connections)
• Block IP spoofing
• Block outbound traffic from critical network areas or computers
• Only allow outbound HTTP traffic through a proxy
• Logging of denied outbound traffic can help to detect infections
Proxies and NAT
Firewalls also provide
• Network and port address translation (NAT): the internal network uses internal IP addresses that are not visible to the outside
• Proxies (e.g. for HTTP) can hide individual devices in the internal network
• These are not direct security functions, but they hide some information from outside attackers.
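An added example (not from the slides) of the NAT point: a gateway that owns one public address and rewrites internal (address, port) pairs to fresh external ports on the way out, translates replies back on the way in, and drops inbound packets that match no mapping. The public address, port range and hosts are constructed; the behaviour shown is why internal addressing is "not visible to the outside", and also why NAT alone is not a firewall (any reply that matches a mapping is let in).

```python
import itertools


class NatGateway:
    """Port-address translation: many internal hosts behind one public IP.

    Constructed example: the gateway's public address is 203.0.113.1 and it
    allocates external ports from 40000 upwards, one per internal (ip, port).
    """

    def __init__(self, public_ip="203.0.113.1", first_port=40000):
        self.public_ip = public_ip
        self._ports = itertools.count(first_port)
        self.table = {}        # (internal_ip, internal_port) -> external_port
        self.reverse = {}      # external_port -> (internal_ip, internal_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite an outgoing packet; the remote side only ever sees public_ip."""
        key = (src_ip, src_port)
        if key not in self.table:                # first packet of this flow
            ext = next(self._ports)
            self.table[key] = ext
            self.reverse[ext] = key
        return {"src": self.public_ip, "sport": self.table[key],
                "dst": dst_ip, "dport": dst_port}

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate a reply back to the internal host, or drop it (None)
        when nothing inside asked for it: internal hosts stay unreachable."""
        if dst_ip != self.public_ip or dst_port not in self.reverse:
            return None
        int_ip, int_port = self.reverse[dst_port]
        return {"src": src_ip, "sport": src_port, "dst": int_ip, "dport": int_port}


if __name__ == "__main__":
    nat = NatGateway()
    print(nat.outbound("192.168.1.20", 51515, "192.0.2.80", 443))
    print(nat.inbound("192.0.2.80", 443, "203.0.113.1", 40000))
    print(nat.inbound("192.0.2.99", 1234, "203.0.113.1", 22))   # None: no mapping
```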
Why firewalls are not enough
As more and more applications are getting connected from internal networks to the Internet, security requirements need to evolve.
• Social networks
• Remote access (TeamViewer, RDP, etc.)
• Unified messaging (Skype, WeChat, etc.)
• Collaboration tools (Google Docs, OneNote, OneDrive, iCloud, etc.)
More difficulties
It gets even more difficult with the following:
• Port hopping: applications change their ports during a session
• Hiding in TLS encryption: TLS can mask application traffic (e.g. via TCP port 443)
• Applications that don't use standard ports
• Tunnelling in other services: examples are peer-to-peer file-sharing or messengers running over HTTP
Perimeter security has obvious constraints
• Firewalls don't help against internal attackers
• Once an attack was successful, firewalls cannot help
• Internet of Things, mobile networks, etc.
• Cannot control applications
IDS and IPS
IDS – Intrusion Detection System
• Monitors network and/or system activities.
• Alert when potentially malicious activity is found.
• Logs information about activities.
IPS – Intrusion Prevention System
• IDS with additional active functionality.
• Attempts to block or stop malicious activities.
Monitoring actions (examples)
• Detect port scans
• Detect OS fingerprinting attempts
• Look for specific attacks (e.g. buffer overflow)
• Find and block known malware
• Detect Server Message Block (SMB) probes
• Find abnormalities
Reactions (examples)
• Drop malicious packets and send alarm
• Block traffic from some IP addresses
• Correct fragmentation in packet streams
• Raise alerts
Might trigger human intervention by incident response teams.
IDS and IPS
IDS / IPS should use anomaly-based detection as well as signature-based detection.
• Signature-based is fast, generates fewer false positives and does not need a learning phase.
• Anomaly-based can detect unknown attacks
Next-generation firewalls (NGF)
• Promise an integrated security approach
• Proxy for all traffic (even encrypted)
• Might become very powerful security tools
• Look at applications, logical segments, roles, services, users, etc.
Potential NGF problems
• Policy rules get too complex
• Proxy for TLS etc. breaks end-to-end security
• Encapsulated encryption still possible
• Privacy issues
• Single point of attack with full access to decrypted data
There are many ways to attack systems
Nicely shows that not all security issues are technical…
Virus Scanner – Anti Virus Software
• Anti-Virus software can efficiently prevent infections with known malware.
• It is the first thing to be manipulated by malware (malicious software).
• Unable to detect new malware.
Final Exam – 8 June 2021
Final Exam Link: https://eassessment.monash.edu/my/
Final Exam:
THIS EXAM IS FOR STUDENTS STUDYING AT: CLAYTON & MALAYSIA CAMPUSES
This exam is marked out of 100 marks.
It is a closed book exam. (One blank worksheet is permitted for rough calculations.)
No hand-written notes or printed material allowed. No online/electronic access.
There are a total of 1 Matching Question, 42 MCQs worth 45 Marks and 12 Theory & Concepts Short Answer Questions worth 55 Marks.
Students have 130 minutes to complete the exam.
Students must attempt ALL questions.
A scientific calculator is permitted / Use of a PC operating system based calculator is permitted.
There is no requirement for uploading of responses in this exam. All responses can be entered onto the platform.
More details of the final exam in week 12, including the Mock/Sample exam in the eAssessment platform
Sample Exam:
Practice Quizzes Weeks1-6 & Weeks7-12: