Network Security
by Atul Kahate
ISBN7-302-099677/TP6855
www.gxmu.edu.cn
Objectives: list the types of security threats; explain the purpose, pros, and cons of encryption.

Security
Figure: evolution of threats over time, from boot-sector viruses (1980s) and macro viruses (1990s) through massive worms, LAN-driven denial of service and distributed denial of service (DDoS, around 2000) to blended threats and flash worms; the time needed to do damage shrinks from weeks to days, minutes and seconds, while hacker tools grow from low to high sophistication.
Masquerading
A security mechanism is designed to protect against, detect, react to, and restore from a security attack.

PDRR model of information security: Protection, Detection, Reaction, Restore.

Figure: PDRR flow: attack → Protect (succeed or fail) → Detect (succeed or fail) → React.
Five categories of security services: authentication, access control, data confidentiality, data integrity, availability. Also described as: authenticity, confidentiality, integrality (integrity), and non-repudiation (rendered on the slide as "forbidden deny").
Sample: plaintext "This is a book" and the corresponding ciphertext "!@#$~%^~&~*()".
Caesar cipher: c = m + 3
Plaintext: Caesar was a great soldier
Ciphertext: Fdhvdu zdv d juhdw vroglhu
Polybius square: plaintext POLYBIUS, ciphertext 3534315412244543
Transposition: the plaintext "Can you understand" is written row by row into a 4 x 4 grid and read out column by column:

c a n y
o u u n
d e r s
t a n d

Ciphertext: codtaueanurnynsd
It is a simple symmetric encryption scheme in which one plaintext character is replaced by another character. A secure encryption system should mask the frequency with which letters occur and should also mask the word lengths.
Vigenère
Features:
A set of related monoalphabetic substitution rules is used.
A key determines which rule is used for a transformation.
Figure 17-3 A Vigenère square.
Key: deceptivedeceptivedeceptive
Plaintext: wearediscoveredsaveyourself
Ciphertext: ZICVTWQNGRZGVTWAVZHCQYGLMGJ
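The four classical ciphers the slides illustrate (Caesar, Polybius square, columnar transposition, Vigenère), as an added example that is not part of the lecture material; it is written so the slides' own plaintext/ciphertext pairs can be checked, and the last function shows why a simple substitution does not mask letter frequencies, as the slide on substitution ciphers warns. The 4-column grid for the transposition and the I/J-sharing Polybius square are assumptions read off the slides' examples.

```python
# Added example, not from the lecture slides: the classical ciphers shown there.
import string

ALPHA = string.ascii_lowercase

def caesar(text, shift=3):
    """Caesar shift c = m + shift (mod 26); case is kept, non-letters pass through."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)

# 5x5 Polybius square; I and J share one cell (assumed, as the slide's example needs).
POLYBIUS_SQUARE = "abcdefghiklmnopqrstuvwxyz"

def polybius(text):
    """Replace each letter by its 1-based row and column digits in the square."""
    digits = []
    for ch in text.lower():
        if ch.isalpha():
            idx = POLYBIUS_SQUARE.index("i" if ch == "j" else ch)
            digits.append(f"{idx // 5 + 1}{idx % 5 + 1}")
    return "".join(digits)

def columnar_transposition(text, cols=4):
    """Write the letters row by row into `cols` columns, then read column by column."""
    letters = [ch for ch in text.lower() if ch.isalpha()]
    return "".join("".join(letters[i::cols]) for i in range(cols))

def vigenere(text, key):
    """Polyalphabetic: c_i = (m_i + k_(i mod len(key))) mod 26; output is uppercase."""
    shifts = [ALPHA.index(k) for k in key.lower()]
    letters = [ch for ch in text.lower() if ch.isalpha()]
    return "".join(
        chr((ALPHA.index(ch) + shifts[i % len(shifts)]) % 26 + ord("A"))
        for i, ch in enumerate(letters)
    )

def most_common_letter(text):
    """A monoalphabetic substitution only relabels letters: the histogram peak just moves."""
    letters = [ch for ch in text.lower() if ch.isalpha()]
    return max(set(letters), key=letters.count)
```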
Figure: transposition ("rearrange") example.
C = P XOR K
Figure 17-4 Bit-level encryption using the XOR operation. For simplicity, only a 16-bit substring of text and a 16-bit encryption key are used.
P = C XOR K
Figure 17-5
Figure: DES key schedule: the 64-bit key passes through Permuted Choice 1, then left circular shifts, then Permuted Choice 2.
Triple DES with two keys (k1, k2, k1): m is encrypted with DES under k1, decrypted with DES^-1 under k2, then encrypted again with DES under k1. Key space: 2^112.
Key sharing still represents a weakness in any symmetric encryption system.
Hash function ("scrambler"): a one-way function.
To sign a message with a digital signature, the sender simply invokes a software routine that builds the signature using a private key known only to him.
Figure: a public-key certificate: Serial Number: 29483756; Not Before: 10/18/99; Not After: 10/18/04; CA ID; usage: Secure Email, Client Authentication; Signed: Cg6&^78#@dx; effective date; issued by the CA.

Private key

Digital certificates use the public-key mechanism. The CA provides the program to the user, who then holds a pair of keys: the public key is stored at the CA, and the private key is stored on the user's computer.
Figure: obtaining a certificate: the client submits a certificate application to the RA, the CA issues the certificate into the certificate library, and clients on the Internet/Intranet retrieve it from there.
Figure: where IPsec sits: original message → Application → Transport → IPsec → Internet → Data link → Transmission medium.
Security protocols at different layers: PEM, MOSS, PGP, S/MIME, SHTTP, SSH, Kerberos, SNMPv2 (application layer); SSL (between the application layer and TCP); TCP, UDP (transport layer).
IPsec components: ESP (Encapsulating Security Payload), AH (Authentication Header), DOI (Domain of Interpretation), IKE (Internet Key Exchange), SA (Security Association).
5. Encrypt the session key with the client browser's public key. 7. Encrypt the transmitted data with the session key.
The single best thing an organization or user can do to protect itself against viruses is to install antivirus software on its computers.
Program files that have a virus attached are said to be infected.
True or false: antivirus programs have reduced the overall risk of network security problems in the past few years. (F)
How viruses spread: computer viruses spread much like their biological counterparts, by sharing.
Trojan: a program that, like a computer virus, hides its own instruction set inside a general-purpose host program (parasitically) and secretly carries out destructive operations or steals data.
New questions: How do we know who is at the terminal? Is it a person authorized to access the data? What operations is the user authorized to perform? Are the lines tapped?
Weakness: not replacing passwords on a regular basis. Password-cracking method: brute-force attack.
Attack types: dictionary attacks, violent (brute-force) attacks, combination attacks.
Figure 17-7
A firewall cannot serve as an anti-virus. It imposes restrictions on network services: only authorized traffic is allowed. Firewalls normally log all activity, so that information about network access and its details is available for later analysis.
Firewalls: packet filters; application gateways.
Packet filter: the foundation of any firewall system. It examines each IP packet in isolation (no context) and permits or denies it according to rules, restricting access to services (ports).
Figure: packet filter between outgoing and incoming packets. Addresses 178.29.10.89 and 178.29.10.90 are shown; an incoming packet from 178.29.10.91 is stopped by the packet filter.
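A minimal stateless packet filter of the kind the slides describe, as an added example that is not part of the lecture material: each packet is judged on its own header fields, with no connection context, against an ordered rule list, and anything unmatched is dropped. The addresses come from the slides; their roles, the web server address and the rule set are assumptions.

```python
# Added example, not from the lecture slides: a stateless, first-match, default-deny filter.
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str      # source IP address
    dst: str      # destination IP address
    proto: str    # "tcp" or "udp"
    dport: int    # destination port, i.e. the service being requested

@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    src_net: str = "0.0.0.0/0"      # CIDR; the default matches any source
    dst_net: str = "0.0.0.0/0"      # CIDR; the default matches any destination
    proto: Optional[str] = None     # None matches any protocol
    dport: Optional[int] = None     # None matches any port

    def matches(self, pkt: Packet) -> bool:
        # Only header fields are consulted: the filter has no memory of earlier packets.
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst_net)
                and self.proto in (None, pkt.proto)
                and self.dport in (None, pkt.dport))

def filter_packet(rules, pkt: Packet) -> str:
    """First matching rule wins; with no match the packet is denied (default deny)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"

# Constructed rule set reusing the addresses on the slide; roles are assumed:
# two trusted hosts may reach an internal web server on TCP/80, everything else is dropped.
WEB_SERVER = "192.168.0.10"   # assumed address inside the slide's 192.168.0.x network
RULES = [
    Rule("permit", src_net="178.29.10.89/32", dst_net=WEB_SERVER + "/32", proto="tcp", dport=80),
    Rule("permit", src_net="178.29.10.90/32", dst_net=WEB_SERVER + "/32", proto="tcp", dport=80),
    Rule("deny"),   # explicit catch-all; same effect as the default
]
```

Because the filter keeps no state, a reply to an inside-initiated connection would need its own inbound rule; that is the "no context" limitation the slide names and the reason application gateways and stateful inspection exist.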
Figure: application gateway between an inside connection (192.168.0.x) and an outside connection (202.11.196.16).
Figure: intrusion detection: real-time analysis of the intrusion, real-time response, event database.
IDS
UTM (unified threat management): anti-spam, VPN, content filtering.
A disaster is defined as a long-term outage that cannot be quickly remedied. Five kinds of network paralysis can count as a disaster: fire, flood, hurricane, earthquake, terrorism.
nearby can passively scan all the data flowing in your wireless network using an antenna and some widely available hacking software. Misconception: wireless networks are invulnerable to security breaches because they transmit data at ultra-high frequencies.
e. Encrypting transmissions
often.
Anti-virus, network access control techniques, etc.
Exercises

1. Management's statement of the importance of and their commitment to network security is called the ( C ).
A. network security standard  B. network security strategy

2. A digital signature ( B ).
A. has no place in electronic commerce
C. must be able to be imitated by someone else  D. None of the above

3.
A. altering message contents  B. masquerading  C. denial of service  D. None of the above

4. A firewall ( D ).
A. is usually a combination of hardware and software  B. enforces a boundary between two or more networks  C. normally logs all transactions that pass through it

5. DES ( B ).
C. encrypts blocks of 56 bits using a 64-bit key  D. has been implemented only in software because of its complexity

6. ___________ management must see that appropriate security measures are implemented. (Answer: Network)

7. The network security policy needs to describe in general terms ___________ will be done. (Answer: what)

8. In an asymmetric key system, the ________ key is used for decryption and is kept secret. (Answer: private)

9. The primary advantages of an asymmetric key system over a symmetric key system are that it solves the problem of _____________ and exchange. (Answer: key management)

10. To sign a message with a digital signature, the sender simply invokes a _____ routine that builds the signature using a _____ key known only to him. (Answers: software; private)