
Network Security

Introduction
It's very important to understand that in security, one simply cannot ask "what's the best method?" There are two extremes: absolute security and absolute access. The closest we can get to an absolutely secure machine is one unplugged from the network and the power supply, locked in a safe, and thrown to the bottom of the ocean. Unfortunately, it isn't terribly useful in this state. A machine with absolute access is extremely convenient to use: it's simply there, and will do whatever you tell it, without questions, authorization, passwords, or any other mechanism. Unfortunately, this isn't terribly practical, either. We constantly make decisions about what risks we're willing to accept. Every organization needs to decide for itself where between the two extremes of total security and total access it needs to be.

Authenticating Users

The Authentication Process


The act of identifying users and providing network services to them based on their identity.

Forms:
- Basic authentication
- Centralized authentication service (often uses two-factor authentication)

(Basic Authentication)

Firewalls

How Firewalls Implement the Authentication Process


1. Client makes a request to access a resource
2. Firewall intercepts the request and prompts the user for name and password
3. User submits the information to the firewall
4. User is authenticated
5. Request is checked against the firewall's rule base
6. If the request matches an existing allow rule, the user is granted access
7. User accesses the desired resources


Types of Authentication with Firewalls


- User authentication
- Client authentication

User Authentication
Basic authentication; the user supplies a username and password to access networked resources.
Users who legitimately need to access your internal servers must be added to your Access Control Lists (ACLs).


Client Authentication
Same as user authentication but with additional time limit or usage limit restrictions.
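The seven-step firewall flow above and the user/client authentication distinction, as an added example that is not part of the original slides. The credential store, the ACL entries, the host names and the limit values are all constructed for illustration; the rule base is a plain allow-list with deny as the default, user authentication checks credentials on every request, and client authentication issues a session that carries a time limit and a usage limit.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

# Constructed credential store (not from the slides): salted password hashes, never plaintext.
_SALT = os.urandom(16)

def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)

USERS = {"alice": _hash_password("correct horse"), "bob": _hash_password("battery staple")}

# Access Control List: allow rules as (user, destination host, action); anything else is denied.
ACL = [
    ("alice", "intranet.example", "read"),
    ("alice", "fileserver.example", "read"),
    ("bob", "intranet.example", "read"),
]

def authenticate(user: str, password: str) -> bool:
    """Steps 2-4: the firewall checks the submitted name and password."""
    stored = USERS.get(user)
    if stored is None:
        _hash_password(password)      # same cost for unknown users (hides which names exist)
        return False
    return hmac.compare_digest(stored, _hash_password(password))

def rule_allows(user: str, host: str, action: str) -> bool:
    """Steps 5-6: the request must match an existing allow rule; the default is deny."""
    return (user, host, action) in ACL

def user_auth_request(user, password, host, action) -> str:
    """User authentication: credentials are presented with every request."""
    if not authenticate(user, password):
        return "denied: authentication failed"
    if not rule_allows(user, host, action):
        return "denied: no matching allow rule"
    return "allowed"

@dataclass
class ClientSession:
    """Client authentication state: who, until when, and how many more requests."""
    user: str
    expires_at: float
    remaining_uses: int

def client_auth_login(user, password, lifetime_s=600, max_uses=3, now=None):
    """Client authentication: authenticate once, then issue a limited session."""
    now = time.time() if now is None else now
    if not authenticate(user, password):
        return None
    return ClientSession(user, now + lifetime_s, max_uses)

def client_auth_request(session: ClientSession, host, action, now=None) -> str:
    """Each later request is checked against the session's limits and the rule base."""
    now = time.time() if now is None else now
    if now >= session.expires_at:
        return "denied: session expired"
    if session.remaining_uses <= 0:
        return "denied: usage limit reached"
    if not rule_allows(session.user, host, action):
        return "denied: no matching allow rule"
    session.remaining_uses -= 1      # only successful accesses consume the usage budget
    return "allowed"

if __name__ == "__main__":
    print(user_auth_request("alice", "correct horse", "intranet.example", "read"))
    s = client_auth_login("bob", "battery staple", lifetime_s=60, max_uses=2)
    for _ in range(3):
        print(client_auth_request(s, "intranet.example", "read"))
```

Note that a request denied by the rule base does not consume one of the session's uses: the usage limit bounds what the client actually obtained through the firewall, not how often it asked.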


Centralized Authentication
A centralized server maintains all authorizations for users, regardless of where the user is located and how the user connects to the network. This is the most common method.

Kerberos

Process of Centralized Authentication


Kerberos Authentication
Provides authentication and encryption between clients and servers. Authentication is mediated by a trusted third party on the network: the Key Distribution Center (KDC). The user must identify itself once at the beginning of a workstation session (login session).


Kerberos with TGS


Ticket Granting Service (TGS):
- A Kerberos-authenticated service that allows a user to obtain tickets for other services
- Co-located at the KDC

Ticket Granting Ticket (TGT):
- Ticket used to access the TGS and obtain service tickets
- Comes with a limited-lifetime session key (the TGS session key) shared by the user and the TGS


Advantages
- Password is only typed to the local workstation:
  - It never travels over the network
  - It is never transmitted to a remote server
  - Password guessing is more difficult
- Single sign-on:
  - More convenient: only one password, entered once
  - Users may be less likely to store passwords
- Stolen tickets are hard to reuse: an authenticator is needed as well, which can't be reused
- Much easier to effectively secure a small set of limited-access machines (the KDCs)
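The TGS/TGT exchange and the advantages listed above (password stays local, authenticator can't be reused, stolen tickets hard to reuse), as an added simulation that is not part of the original slides. The `seal`/`unseal` helpers are a toy authenticated-encryption stand-in for Kerberos's real cipher, the string-to-key function is a plain hash, and the user name, password, service name and lifetimes are constructed; everything else follows the two exchanges the slides describe: the AS exchange returns the TGS session key and TGT sealed under the user's long-term key, and the TGS exchange requires the TGT plus a fresh authenticator sealed under that session key, with a replay cache that rejects a reused authenticator.

```python
import hashlib
import hmac
import json
import os

# --- Toy authenticated encryption standing in for Kerberos's real cipher ---
# (XOR with a SHA-256 keystream plus an HMAC tag; illustration only, not for production use)
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, block = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:n]

def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC a JSON object under a symmetric key."""
    nonce = os.urandom(16)
    pt = json.dumps(obj, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> dict:
    """Verify the tag, then decrypt; raises ValueError if the key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad key or tampered message")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    return json.loads(pt)

def key_from_password(password: str) -> bytes:
    """Toy string-to-key: the user's long-term key is derived locally and never sent."""
    return hashlib.sha256(password.encode()).digest()

class KDC:
    """Key Distribution Center: the Authentication Service plus the co-located TGS."""
    def __init__(self, user_keys: dict, service_keys: dict, lifetime: float = 300.0):
        self.user_keys = user_keys          # long-term keys derived from user passwords
        self.service_keys = service_keys    # long-term keys shared with each service
        self.k_tgs = os.urandom(32)         # the TGS's own key, known only to the KDC
        self.lifetime = lifetime
        self.seen_authenticators = set()    # replay cache

    def as_exchange(self, user: str, now: float) -> bytes:
        """Login: the client only names itself; the reply carries the TGS session key and the TGT."""
        session_key = os.urandom(32)
        tgt = seal(self.k_tgs, {"user": user, "key": session_key.hex(), "exp": now + self.lifetime})
        return seal(self.user_keys[user], {"tgs_key": session_key.hex(), "tgt": tgt.hex()})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str, now: float) -> bytes:
        """Ticket request: present the TGT plus a fresh authenticator, receive a service ticket."""
        t = unseal(self.k_tgs, tgt)
        if now > t["exp"]:
            raise PermissionError("TGT expired")
        session_key = bytes.fromhex(t["key"])
        a = unseal(session_key, authenticator)   # only the TGT's rightful owner holds this key
        if a["user"] != t["user"] or abs(now - a["ts"]) > 60:
            raise PermissionError("authenticator does not match ticket or is stale")
        if authenticator in self.seen_authenticators:
            raise PermissionError("replayed authenticator")
        self.seen_authenticators.add(authenticator)
        svc_key = os.urandom(32)
        ticket = seal(self.service_keys[service],
                      {"user": t["user"], "key": svc_key.hex(), "exp": now + self.lifetime})
        return seal(session_key, {"svc_key": svc_key.hex(), "ticket": ticket.hex()})

def client_login(kdc: KDC, user: str, password: str, now: float):
    """Workstation side of login: the password is used only locally to open the AS reply."""
    reply = unseal(key_from_password(password), kdc.as_exchange(user, now))
    return bytes.fromhex(reply["tgs_key"]), bytes.fromhex(reply["tgt"])

def run_demo(now: float = 1_700_000_000.0) -> dict:
    """Login, one successful TGS exchange, then a replayed authenticator and a wrong password."""
    kdc = KDC({"alice": key_from_password("correct horse")}, {"fileserver": os.urandom(32)})
    tgs_key, tgt = client_login(kdc, "alice", "correct horse", now)
    auth = seal(tgs_key, {"user": "alice", "ts": now + 1})
    reply = unseal(tgs_key, kdc.tgs_exchange(tgt, auth, "fileserver", now + 1))
    result = {"service_ticket_issued": "ticket" in reply}
    try:
        kdc.tgs_exchange(tgt, auth, "fileserver", now + 2)   # same authenticator presented again
        result["replay_rejected"] = False
    except PermissionError:
        result["replay_rejected"] = True
    try:
        client_login(kdc, "alice", "wrong password", now)
        result["wrong_password_rejected"] = False
    except ValueError:
        result["wrong_password_rejected"] = True
    return result

if __name__ == "__main__":
    print(run_demo())
```

A stolen TGT alone is useless here: the TGS insists on an authenticator sealed under the session key, and that key was delivered only inside a reply the thief cannot open without the user's password-derived key. The replay cache is what turns "authenticator can't be reused" from a statement into an enforced check.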

Intrusion Detection

Introduction
An intrusion is an unauthorized attempt to access or manipulate information or systems, or to render them unreliable or unusable. Put differently: intrusions are activities that violate the security policy of a system.

Intrusion Detection System


An intrusion detection system is a pattern discovery and pattern recognition system. The pattern (rule) is the most important part of an intrusion detection system.

Types of Intrusion Detection System


Based on the sources of the audit information used by each IDS, IDSs may be classified into:
- Host-based IDSs
- Distributed IDSs
- Network-based IDSs



Host-based IDSs
- Get audit data from host audit trails
- Detect attacks against a single host

Distributed IDSs
- Gather audit data from multiple hosts and possibly the network that connects the hosts
- Detect attacks involving multiple hosts

Network-Based IDSs
- Use network traffic as the audit data source
- Detect attacks from the network

Intrusion Detection Techniques


Misuse detection: catch intrusions in terms of the characteristics of known attacks or system vulnerabilities.

Anomaly detection: detect any action that significantly deviates from normal behavior.

Misuse Detection
Based on known attack actions:
- Features are extracted from known intrusions
- The rules are pre-defined

Disadvantage: cannot detect novel or unknown attacks.

Anomaly Detection
Based on the normal behavior of a subject. Any action that significantly deviates from the normal behavior is considered an intrusion, e.g. flooding a host with lots of packets.

Disadvantage: these systems generate many false alarms and hence compromise the effectiveness of the IDS.

Misuse Detection vs. Anomaly Detection


                    Advantage                                           Disadvantage
Misuse Detection    Accurate, and generates far fewer false alarms      Cannot detect novel or unknown attacks
Anomaly Detection   Able to detect unknown attacks based on audit data  High false-alarm rate, and limited by training data

The Framework for Intrusion Detection

Intrusion Detection Approaches


1. Define and extract the features of behavior in the system
2. Define and extract the rules of intrusion
3. Apply the rules to detect the intrusion

(Figure: training audit data -> (1) features -> (2) rules; audit data -> (3) pattern matching or classification)
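The three-step framework above, run for both techniques from the Misuse Detection and Anomaly Detection slides, as an added example that is not part of the original slides. The log format, the training and monitored log lines, the two signatures and the threshold rule (mean plus three standard deviations of packets per source per second) are all constructed for illustration. The monitored set is built so that misuse detection catches the known pattern but misses the flood and the novel request, while anomaly detection catches the flood but also raises a false alarm on a legitimate bulk transfer, which is exactly the trade-off the comparison table states.

```python
import re
from collections import Counter
from statistics import mean, pstdev

# Constructed log lines (not from the slides): "<second> <src_ip> <dst_ip> <request>".
# Training set: ordinary browsing from two hosts, used to learn the "normal" packet rate.
TRAINING = (
    [f"{t} 10.0.0.{h} 192.168.1.10 GET /page{t % 4}" for t in range(1, 21) for h in (5, 7)]
    + [f"{t} 10.0.0.5 192.168.1.10 GET /img" for t in range(1, 21, 2)]
)
# Monitored set: one known attack pattern, one flood (no signature exists for it),
# one legitimate bulk transfer, and one unknown single-packet attack.
MONITORED = (
    ["31 10.0.0.5 192.168.1.10 GET /index.html",
     "31 10.0.0.9 192.168.1.10 GET /static/../../../private.txt"]
    + ["32 10.0.0.66 192.168.1.10 GET /"] * 5
    + [f"33 10.0.0.12 192.168.1.10 GET /backup/part{i}" for i in range(4)]
    + ["34 10.0.0.9 192.168.1.10 GET /api?q=NOVEL_ATTACK_PATTERN"]
)

# Step 1: define and extract the features of behavior from the audit data.
def extract_features(lines):
    feats = []
    for line in lines:
        t, src, dst, req = line.split(" ", 3)
        feats.append({"t": int(t), "src": src, "dst": dst, "req": req})
    return feats

# Step 2 (misuse): pre-defined rules, i.e. signatures of known attack actions.
SIGNATURES = {
    "directory-traversal": re.compile(r"\.\./"),
    "shell-metachar-in-request": re.compile(r"[;|]\s*(cat|sh|bash)\b"),
}

# Step 2 (anomaly): a rule learned from normal behavior: packets per source per second
# must stay within mean + k standard deviations of what the training data showed.
def train_anomaly_threshold(training_feats, k=3.0):
    counts = Counter((f["src"], f["t"]) for f in training_feats)
    values = list(counts.values())
    return mean(values) + k * pstdev(values)

# Step 3 (misuse): pattern matching of each request against the signature list.
def misuse_detect(feats):
    alerts = []
    for f in feats:
        for name, pat in SIGNATURES.items():
            if pat.search(f["req"]):
                alerts.append((f["t"], f["src"], name))
    return alerts

# Step 3 (anomaly): classify each (source, second) as normal or deviating.
def anomaly_detect(feats, threshold):
    counts = Counter((f["src"], f["t"]) for f in feats)
    return sorted((t, src, n) for (src, t), n in counts.items() if n > threshold)

def run_ids():
    """Train on the normal traffic, then run both detectors over the monitored traffic."""
    threshold = train_anomaly_threshold(extract_features(TRAINING))
    feats = extract_features(MONITORED)
    return misuse_detect(feats), anomaly_detect(feats, threshold)

if __name__ == "__main__":
    misuse, anomaly = run_ids()
    print("misuse alerts :", misuse)    # the traversal only; flood and novel request are missed
    print("anomaly alerts:", anomaly)   # the flood, plus a false alarm on the backup host
```

The single-packet novel request is missed by both detectors: it matches no signature and does not disturb the only feature the anomaly rule watches, which is why the slides' "Future of IDS" direction (integrating sources and detecting novel attacks rather than individual instantiations) matters in practice.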

Future of IDS
- Integrate network-based and host-based IDSs for better detection.
- Develop IDS schemes for detecting novel attacks rather than individual instantiations.

Thank You..
