Dr Vicky Liu
Network Security
Part 2
Outline
Network Security Overview and Policies
Security controls
Authentication/authorization/auditing (AAA)
Encryption
Virtual private network (VPN)
Firewall
Intrusion Detection system and Intrusion Prevention system (IDS/IPS)
Network Security Overview and Policies
Security policies provide direction on which a control framework can be built to secure the organization’s data/assets against external and internal threats.
A company that can demonstrate its information systems are secure is more likely to attract customers, partners, and investors.
Network Security Policy
Network security policy
A document that describes the rules governing access to a company’s information resources, enforcement of these rules, and steps taken if rules are breached.
The CIA Triad
Confidentiality
Ensuring that information assets and networks are protected from unauthorized users
Integrity
Ensuring that the modification of information assets is managed in an authorized manner
Availability
Ensuring continuous access to information assets and networks by authorized users
Determining Elements of a Network Security Policy
(1 of 2)
Access control policy
Specifies how and when users are allowed to access network resources
Privacy policy
Describes what staff, customers, and business partners can expect for monitoring and reporting network use
Acceptable use policy
Specifies the purposes for which network resources may be used
Specifies what constitutes proper or improper use of network resources
Determining Elements of a Network Security Policy
(2 of 2)
Auditing policy
Explains the manner in which security compliance or violations can be verified and the consequences for violations
To learn more about security policies and see a list of templates for different types of policies,
refer to the System Administration, Networking, and Security (SANS) Institute Website
https://www.sans.org/information-security-policy/
Types of Security Control
Administrative control
It refers to policies/procedures/guidelines that define personnel or business practices based on the organization’s security goals.
Physical control
It relates to any tangible measure used to prevent or detect unauthorised access to physical areas, systems or assets
Technical control
It includes hardware and software mechanisms used to protect assets
Outline
Network Security Overview and Policies
Security mechanisms
Authentication/authorization/auditing (AAA)
Encryption
Virtual private network (VPN)
Firewall
Intrusion Detection system and Intrusion Prevention system (IDS/IPS)
Authentication
Authentication is a process that verifies that someone is who they claim they are
Multifactor authentication requires a user to supply two or more types of authentication drawn from these credential categories:
Knowledge: what the user knows
e.g. username/password
Possession: what the user has
e.g. smart card or key
Inherence: what the user is
e.g. fingerprint, retina scan, or voice pattern
Authorisation
Authorization determines what users are permitted to do after they have logged on to the system
Access Control = Authentication and Authorisation
Access control refers to a set of rules that specify which users can access which resources, and under what access restrictions.
Operating systems, network control systems, and database management systems (DBMS) can employ a choice of access control mechanisms to allow a user/process to access the protected resources.
Auditing
Auditing consists of logging security-related events.
Auditing maintains evidence of attempts to compromise the security controls.
Auditing can be used to identify abnormal behaviour and potentially detect system or network intrusion attempts.
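The following is an added example (not part of the lecture slides) of how audit logs can be used to spot abnormal behaviour. It parses a few constructed syslog-style authentication lines (the format and addresses are assumptions made for the example), counts failed logons per source inside a sliding time window, and flags sources that then succeed after a burst of failures, which is the kind of event an auditor would want to examine.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (not real data); the line format is an assumption
# modelled on a typical syslog-style authentication log.
SAMPLE_LOG = """\
2024-03-01T09:00:01 sshd: Failed password for admin from 203.0.113.7
2024-03-01T09:00:03 sshd: Failed password for admin from 203.0.113.7
2024-03-01T09:00:04 sshd: Failed password for root from 203.0.113.7
2024-03-01T09:00:06 sshd: Failed password for admin from 203.0.113.7
2024-03-01T09:00:08 sshd: Failed password for admin from 203.0.113.7
2024-03-01T09:00:09 sshd: Accepted password for admin from 203.0.113.7
2024-03-01T09:15:00 sshd: Failed password for alice from 198.51.100.2
2024-03-01T10:30:00 sshd: Accepted password for alice from 198.51.100.2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+)$"
)


def parse_log(text):
    """Turn raw audit lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m.group("ts")),
            "result": m.group("result"),
            "user": m.group("user"),
            "src": m.group("src"),
        })
    return events


def find_bruteforce_sources(events, threshold=5, window=timedelta(minutes=1)):
    """Return {source: failures} for sources with >= threshold failed logons
    inside any sliding window of the given length."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "Failed":
            failures[e["src"]].append(e["ts"])
    flagged = {}
    for src, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # shrink the window from the left until it spans at most `window`
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[src] = count
                break
    return flagged


def find_success_after_failures(events, flagged):
    """Sources that were flagged and later logged on successfully: a burst of
    failures followed by an accepted logon is the pattern worth investigating."""
    return sorted({e["src"] for e in events
                   if e["result"] == "Accepted" and e["src"] in flagged})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    hits = find_bruteforce_sources(evs)
    print("sources exceeding failure threshold:", hits)
    print("flagged sources that later succeeded:", find_success_after_failures(evs, hits))
```

The window and threshold are tunable; the point is that the raw log alone is only evidence, and a simple correlation over it is what turns the evidence into a detection.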
Outline
Network Security Overview and Policies
Network Security controls
Authentication/authorization/auditing (AAA)
Encryption
Virtual private network (VPN)
Firewall
Intrusion Detection system and Intrusion Prevention system (IDS/IPS)
Encryption
Encryption is commonly used to protect data in transit and data at rest.
Encryption is the process of encoding data so that it can be read only by decoding (decrypting) it with the correct key
Encryption mechanisms can be used to achieve data confidentiality and integrity against
Forgery
Repudiation
Eavesdropping
Basic Encryption/Decryption Techniques
Cryptography
study of creating and using encryption and decryption techniques
Plaintext
data before any encryption has been performed
Ciphertext
data after encryption has been performed
Key
The unique piece of information that is used to create ciphertext and decrypt the ciphertext back into plaintext
Securing Data with Encryption
Encryption
Prevents eavesdropping
Digital signature
A digital signature is based on the use of public key cryptography to provide authenticity and data integrity
Cryptography
Symmetric cryptography
Use the same key to encrypt and decrypt the message
Confidentiality
Asymmetric (public key) cryptography
The private key is kept confidential
The public key is published in a public directory.
It is computationally infeasible to deduce one key from the other
Confidentiality, authentication, integrity and non-repudiation
Public Key Encryption/Decryption
To achieve confidentiality, the sender encrypts the messages with the receiver’s public key and then the receiver decrypts the received message with its own private key
Figure: Plaintext → Encryption Algorithm (Receiver’s Public Key, which everybody knows) → Ciphertext → Decryption Algorithm (Receiver’s Private Key, which only the Receiver knows) → Plaintext
Digital Signatures
A digital signature can be used to verify the authenticity and integrity of a message.
A digital signature is achieved by using public key cryptography techniques with cryptographic hash functions.
A hash function is an algorithm that computes a fixed-size bit string value from an input message/file.
A hash output is called a digital fingerprint or message authentication code (MAC).
Digital signature generation
A document (Doc) is passed through a hash function to generate a MAC (M).
The MAC (M) is encrypted with the signer’s private key to produce the digital signature.
The document, the digital signature and the signer’s public key certificate are sent to the recipient (verifier).
Digital signature verification
Upon receipt of the document, the digital signature and the signer’s public key certificate:
The verifier uses the same hash function to generate the MAC (M’) from the received document
The verifier decrypts the digital signature with the signer’s public key to recover the MAC (M)
If M = M’, then the received document has not been altered in transit and it is from the signer.
Generate/Verify Digital Signature
Figure: the signer runs the document through the signing algorithm (hash function) and signs the hash with the signer’s private key (only the signer knows it); the verifier runs the received document through the verifying algorithm (hash function), applies the signer’s public key (everybody knows it, obtained from the public key certificate) to the received signature, and compares the two outputs.
What is sent: {Hash(Document)}sign_pri_signer + document + signer’s public_key_certificate
The verifier uses the signer’s public key to verify the received signature and document.
If Hash(received_Document) = Hash(Document), the message has not been altered in transit and it is from the signer.
Necessity of a PKI
The victim, Alice, sends a signed document to the recipient, Bob.
The attacker, Carol, substitutes her public key for Alice’s public key after intercepting the transmission.
Carol also altered the contents of the document and signed the document with her own private key before sending the signed document to Bob.
When Bob receives the signed document, he uses what he thinks is Alice’s public key to verify Alice’s digital signature.
An independent trusted third party (CA) is needed to attest that each individual public key is associated with a particular party.
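The following is an added example (not part of the lecture slides) that traces both the signature generation/verification steps above and the key-substitution scenario that motivates a PKI. It uses a deliberately tiny textbook RSA (small primes, hash reduced modulo n), so it is not secure and exists only to make the flow visible; the hash output is what the slides call the MAC (M). The party names, primes, certificate format and helper names are all assumptions made for the example.

```python
import hashlib
from math import gcd

# Toy RSA: tiny primes and the hash reduced mod n. NOT secure; the structure
# of sign/verify and certificate checking is the point, not the key size.


def make_keypair(p, q, e=65537):
    """Return (public, private) = ((n, e), (n, d)) for RSA primes p and q."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1
    return (n, e), (n, pow(e, -1, phi))   # pow(e, -1, m) needs Python 3.8+


def digest(data, n):
    """Hash of the document, the slides' MAC (M), reduced mod n so it fits the toy key."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(data, priv):
    n, d = priv
    return pow(digest(data, n), d, n)           # M 'encrypted' with the private key


def verify(data, sig, pub):
    n, e = pub
    return pow(sig, e, n) == digest(data, n)    # recover M, compare with M'


def key_bytes(name, pub):
    """Canonical bytes the CA signs: the binding between a name and a public key."""
    return f"{name}|{pub[0]}|{pub[1]}".encode()


def issue_cert(ca_priv, name, pub):
    """The CA attests the name <-> public key binding with its own signature."""
    return {"subject": name, "pub": pub, "ca_sig": sign(key_bytes(name, pub), ca_priv)}


def check_cert(cert, ca_pub, expected_subject):
    """Accept a certificate only if the CA signature holds AND the subject is who we expect."""
    return (cert["subject"] == expected_subject
            and verify(key_bytes(cert["subject"], cert["pub"]), cert["ca_sig"], ca_pub))


def bob_accepts(doc, sig, cert, ca_pub, expected_subject):
    """Bob's full check: trusted certificate first, then the document signature under its key."""
    return check_cert(cert, ca_pub, expected_subject) and verify(doc, sig, cert["pub"])


# Constructed keys: distinct well-known primes per party (1000th, 10000th, 100000th,
# 1,000,000th and 2,000,000th primes plus 1000003), chosen only for the example.
CA_PUB, CA_PRIV = make_keypair(104729, 1299709)
ALICE_PUB, ALICE_PRIV = make_keypair(7919, 15485863)
CAROL_PUB, CAROL_PRIV = make_keypair(1000003, 32452843)


def run_scenario():
    """Replay the slides' scenario; returns four booleans, all expected True."""
    alice_cert = issue_cert(CA_PRIV, "Alice", ALICE_PUB)
    carol_cert = issue_cert(CA_PRIV, "Carol", CAROL_PUB)   # Carol can get a cert in HER name
    doc = b"Pay 100 to Bob"
    sig = sign(doc, ALICE_PRIV)

    # Carol intercepts, alters the document, re-signs it with her own private key
    # and substitutes her public key for Alice's.
    forged_doc = b"Pay 100 to Carol"
    forged_sig = sign(forged_doc, CAROL_PRIV)

    # Without a PKI Bob only has "a public key": the forged signature verifies fine.
    no_pki_fooled = verify(forged_doc, forged_sig, CAROL_PUB)

    # With a PKI Bob insists on a CA-signed certificate for "Alice":
    #  (a) Carol's genuine certificate names Carol, so it is rejected;
    pki_rejects_carol_cert = not bob_accepts(forged_doc, forged_sig, carol_cert, CA_PUB, "Alice")
    #  (b) a certificate Carol fabricates for "Alice" lacks the CA's signature, so it is rejected.
    forged_cert = {"subject": "Alice", "pub": CAROL_PUB,
                   "ca_sig": sign(key_bytes("Alice", CAROL_PUB), CAROL_PRIV)}
    pki_rejects_forged_cert = not bob_accepts(forged_doc, forged_sig, forged_cert, CA_PUB, "Alice")

    # The genuine document with Alice's real certificate still passes.
    genuine_ok = bob_accepts(doc, sig, alice_cert, CA_PUB, "Alice")
    return no_pki_fooled, pki_rejects_carol_cert, pki_rejects_forged_cert, genuine_ok


if __name__ == "__main__":
    print(run_scenario())   # (True, True, True, True)
```

The design point is in check_cert: verifying the CA’s signature alone is not enough, the subject name in the certificate must also be the party Bob expects, otherwise any legitimately issued certificate could be swapped in.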
Signature Stripping attack
Public Key Infrastructure (PKI)
PKI
The total of the organizations, systems (hardware and software), personnel, processes, policies, and agreements that enable secure, efficient discovery of public keys.
Certification authority (CA)
To issue a digital certificate to attest to the binding between a particular entity and its public key
To digitally sign the certificate with its own private key.
PKI (continued)
A digital certificate
binds a public key with key owner’s identity by the issuing CA
contains
key owner’s identity and public key
information affixed by the CA, such as
issuer, validity, serial number
CA’s signature
Certificate Example
Outline
Network Security Overview and Policies
Network Security mechanisms
Authentication/authorization/auditing (AAA)
Encryption
Virtual private network (VPN)
Firewall
Intrusion Detection system and Intrusion Prevention system (IDS/IPS)
Securing Communication with VPNs
A VPN uses the Internet to give users or branch offices secure access to a company’s network resources
VPNs use encryption technology to provide confidentiality and integrity over the Internet
A “tunnel” is created between the VPN client and VPN server to provide network security, i.e. IP-in-IP
VPN can be configured on a dedicated device to handle VPN connections.
Common VPNs:
IPSec → Network Layer
Transport Layer Security (TLS)/Secure Sockets Layer (SSL) → Transport Layer
VPN communication model
Site-to-site mode
A VPN connection is established between sites with VPN devices
Client-to-site mode
Establishes a VPN connection between a client computer and a VPN device
Client-to-client mode
Provides end-to-end network security when two hosts need to exchange sensitive information over the Internet
IPSec VPN
IPSec can be implemented in:
Transport mode
Host-to-host communications
Only the IP payload is authenticated and protected
Tunnel mode
To protect the entire contents of the IP packet
IP-in-IP, a new IP header is generated
Tunnelling IP-in-IP Encapsulation
Figure: the inner datagram (original IP header + payload) is encrypted and carried as the data area of an outer datagram with a new IP header; R1 at Site 1 encapsulates, the outer datagram crosses the Internet, and R2 at Site 2 decapsulates.
The entire inner datagram, including its header, is encrypted.
Outsiders cannot decode the contents because they do not have the encryption key.
Even the identity of the original source and destination is hidden.
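The following is an added example (not part of the lecture slides) that builds the IP-in-IP encapsulation in the figure with raw IPv4 headers: a datagram between two private site hosts is wrapped by R1 in an outer datagram addressed between the two tunnel routers, and R2 strips it again. The addresses are constructed, and the inner datagram is carried in clear here so the wrapper is visible; in an IPsec tunnel the inner datagram would additionally be encrypted, which this example leaves out.

```python
import socket
import struct

IPPROTO_IPIP = 4   # IANA protocol number for IP-in-IP encapsulation
HDR_FMT = "!BBHHHBBH4s4s"   # 20-byte IPv4 header without options


def checksum(data):
    """One's-complement Internet checksum over data (pads an odd byte with zero)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload, ttl=64, ident=0):
    """Build an IPv4 datagram: 20-byte header with a valid checksum, then payload."""
    total_len = 20 + len(payload)
    hdr = struct.pack(HDR_FMT, 0x45, 0, total_len, ident, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]   # fill checksum field
    return hdr + payload


def parse_ipv4(pkt):
    """Return (header fields, payload); raise ValueError if the header checksum is bad."""
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack(HDR_FMT, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if checksum(pkt[:ihl]) != 0:        # a correct header sums to zero including its checksum
        raise ValueError("bad IPv4 header checksum")
    fields = {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
              "proto": proto, "ttl": ttl, "len": total_len}
    return fields, pkt[ihl:total_len]


def header_ok(pkt):
    """True if the outer header parses with a valid checksum."""
    try:
        parse_ipv4(pkt)
        return True
    except (ValueError, struct.error):
        return False


def encapsulate(inner, tunnel_src, tunnel_dst):
    """R1: the whole inner datagram, header included, becomes the outer payload."""
    return build_ipv4(tunnel_src, tunnel_dst, IPPROTO_IPIP, inner, ident=1)


def decapsulate(outer):
    """R2: check and strip the outer header, returning the original datagram."""
    fields, inner = parse_ipv4(outer)
    if fields["proto"] != IPPROTO_IPIP:
        raise ValueError("not an IP-in-IP datagram")
    return inner


def outsider_view(pkt):
    """What a host on the Internet path can read from the outer header alone."""
    fields, _ = parse_ipv4(pkt)
    return fields["src"], fields["dst"], fields["proto"]


# Constructed addresses: private hosts at Site 1 and Site 2, public tunnel endpoints R1, R2.
INNER = build_ipv4("10.1.0.5", "10.2.0.9", 17, b"hello site 2")   # 17 = UDP, payload is a stand-in
OUTER = encapsulate(INNER, "198.51.100.1", "203.0.113.1")

if __name__ == "__main__":
    print("outsider sees:", outsider_view(OUTER))            # R1 -> R2, protocol 4
    print("R2 recovers:", parse_ipv4(decapsulate(OUTER))[0])   # original 10.x addresses
```

Note that the outer header carries only the routers’ addresses and protocol number 4; the original source and destination sit inside the payload, which is what the slide means by the inner datagram being hidden.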
VPN Benefits
Enable mobile users to connect with corporate networks securely wherever an Internet connection is available
Allow multiple sites to maintain permanent secure connections via the Internet instead of using expensive leased lines
Reduce costs by using the ISP’s support services instead of paying for more expensive leased line support
Outline
Network Security Overview and Policies
Network Security mechanisms
Authentication/authorization/auditing (AAA)
Encryption
Virtual private network (VPN)
Firewall
Intrusion Detection system and Intrusion Prevention system (IDS/IPS)
Firewall
A network security device
to monitor and control incoming and outgoing network traffic
to allow or block specific traffic based on a defined set of security rules.
Firewall Categories
Hardware vs. software
Network-based and host-based
Stateful vs. stateless
Application-layer
Hardware vs. Software Firewalls
A firewall is a hardware device, software or a combination of both
Hardware firewall
A dedicated device
With two or more network interfaces
Placed between a corporate LAN and the WAN connection
Software firewall
Runs on an individual device on top of its operating system
Also called a host-based firewall or personal firewall
Network-based vs. Host-based firewalls
Network-based firewall
Protect an entire private network
Typically a dedicated hardware device
Can be integrated in routers, switches and other network devices
Host-based firewalls
Included in modern operating systems
Only protect an individual device
e.g. Microsoft Windows Defender
Stateless Packet filtering
Also known as packet filtering
Filters on header information carried in each packet:
Source and destination addresses
Protocol type, e.g. TCP, UDP, ICMP, IP tunnel
Source and destination port numbers
Each packet is examined individually regardless of other packets that are part of the same session connection.
e.g. the packets of a TCP 3-way handshake or of an FTP connection are not related to one another
Stateful packet filtering
Operates at the transport layer
Monitors specific network protocol session messages across the network.
A TCP session
The port is open to allow all other packets belonging to that session to pass
The port is closed when the session is terminated.
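The following is an added example (not part of the lecture slides) that puts a stateless and a stateful filter side by side on the same constructed packet sequence. The rules, addresses and flag notation are assumptions for the example: both filters intend to allow only web traffic initiated from inside, but the stateless one can express "reply" only as "source port 80", while the stateful one remembers sessions opened by an outbound SYN and closes them on FIN/RST (simplified to the first FIN, where a real tracker waits for both sides).

```python
import ipaddress
from dataclasses import dataclass

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # the protected LAN (constructed)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "TCP"
    flags: str = ""      # TCP flags as letters: S=SYN, A=ACK, F=FIN, R=RST


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL


def stateless_filter(pkt):
    """Each packet is judged on its own header fields; nothing is remembered."""
    if pkt.proto != "TCP":
        return False
    if is_internal(pkt.src) and pkt.dport == 80:
        return True                  # outbound web request
    if is_internal(pkt.dst) and pkt.sport == 80:
        return True                  # anything that merely LOOKS like a web reply
    return False


class StatefulFilter:
    """Remembers TCP sessions opened from inside; inbound packets pass only for those."""

    def __init__(self):
        self.sessions = set()

    @staticmethod
    def session_key(pkt):
        # normalise to (internal ip, internal port, external ip, external port)
        if is_internal(pkt.src):
            return (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def filter(self, pkt):
        if pkt.proto != "TCP":
            return False
        key = self.session_key(pkt)
        if is_internal(pkt.src) and pkt.dport == 80 and "S" in pkt.flags:
            self.sessions.add(key)       # outbound SYN: "the port is opened" for this session
        allowed = key in self.sessions
        if allowed and ("F" in pkt.flags or "R" in pkt.flags):
            self.sessions.discard(key)   # session ends: "the port is closed" again
        return allowed


def run_trace():
    """Constructed packet sequence; returns [(stateless verdict, stateful verdict), ...]."""
    stateful = StatefulFilter()
    trace = [
        Packet("10.0.0.5", 40000, "93.184.216.34", 80, flags="S"),    # client opens a session
        Packet("93.184.216.34", 80, "10.0.0.5", 40000, flags="SA"),   # genuine SYN-ACK reply
        Packet("198.51.100.9", 80, "10.0.0.5", 4444, flags="S"),      # unsolicited, source port 80
        Packet("10.0.0.5", 40001, "93.184.216.34", 80, flags="A"),    # ACK with no preceding SYN
        Packet("93.184.216.34", 80, "10.0.0.5", 40000, flags="FA"),   # server closes the session
        Packet("93.184.216.34", 80, "10.0.0.5", 40000, flags="A"),    # late packet after close
    ]
    return [(stateless_filter(p), stateful.filter(p)) for p in trace]


if __name__ == "__main__":
    for verdict in run_trace():
        print("stateless=%s stateful=%s" % verdict)
```

Packets 3, 4 and 6 are where the two differ: the stateless filter accepts any packet whose source port is 80 and any outbound packet to port 80, whereas the stateful filter accepts only packets that belong to a session it saw being opened and has not yet seen closed.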
Application-based firewall
Operates at the Application Layer
Inspects the context and content of packets against a set of rules
Learns application behaviour by observing how an application behaves and builds a baseline of normal behaviour
An alarm can be raised if the application deviates from the baseline
Drawback: performance overhead from inspecting packet content
Application Proxy Firewall
Also known as application-layer gateway or application proxy
The connection is established through the proxy firewall
An external host sends a request to the proxy firewall,
if benign, the proxy firewall forwards it to the internal host.
When an internal host requests access to an external site, the proxy forwards the request on behalf of the internal host.
Drawback: performance overhead, since every connection is relayed through the proxy
Next generation firewall
Gartner defines a next generation firewall as:
Next-generation firewalls (NGFWs) are deep-packet inspection firewalls that move beyond port/protocol inspection and blocking to add application-level inspection, intrusion prevention, and bringing intelligence from outside the firewall.
NGFWs
Perform deep packet inspection to examine packet payloads and match them against signatures of harmful activity
Outline
Network Security Overview and Policies
Network Security mechanisms
Authentication/authorization/auditing (AAA)
Encryption
Virtual private network (VPN)
Firewall
Intrusion Detection system and Intrusion Prevention system (IDS/IPS)
Intrusion Detection Systems (IDS)
Monitors network traffic for malicious packets or traffic patterns
Reports identified security breaches
Network-based IDS (NIDS)
Protects an entire network
Is placed on the network perimeter
Host-based IDS (HIDS)
Software-based application
Protects a single device
Intrusion Prevention Systems (IPS)
IPS can take countermeasures if an attack is in progress
Countermeasures:
Reconfiguring the firewall
Resetting the connection
Disabling the link between the internal and external networks
Security solutions
Preventative
To block unauthorised network activity from occurring
E.g. Antivirus software, firewalls, IPSs
Detective
To detect unauthorised activity in progress or after it has occurred.
E.g. Honeypots, IDSs
Corrective
To repair damage or restore resources
E.g. Patching a vulnerable system, quarantining a virus, terminating a process or rebooting a system
Summary
A network security policy is a document that describes the rules governing access to a company’s information resources
Authentication and authorization enable administrators to control who has access to the network and what users can do on the network
Securing access to data includes authentication and authorization, encryption, VPNs, security devices like firewall, IDS/IPS
Firewalls and IDSs/IPSs deployed on the network perimeter protect against threats from external networks
References
Greg Tomsho, Guide to Networking Essentials
Ch9: Introduction to Network Security
Security policies
https://www.sans.org/information-security-policy/