Chapter 37 Network Security (Access Control, Encryption, Firewalls)

Secure Networks

Secure network is not an absolute term
Need to define security policy for organization
Network security policy cannot be separated from security policy for attached computers
Costs and benefits of security policies must be assessed

Network Security Policy

Devising a network security policy can be complex because a rational policy requires an organization to assess the value of information. The policy must apply to information stored in computers as well as to information traversing a network.

Aspects of Security

Data integrity
Data availability
Data confidentiality
Privacy

Responsibility and Control

Accountability: how an audit trail is kept
Authorization: who is responsible for each item and how is responsibility delegated to others

Integrity Mechanisms

Techniques to ensure integrity:
Parity bits
Checksums
CRCs
These cannot guarantee data integrity (e.g., against intentional change)
Use of message authentication code (MAC) that cannot be broken or forged
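The point of this slide, shown in code as an added example that is not part of the original slides: a CRC can be recomputed by whoever alters the message, so it only catches accidental corruption, while an HMAC keyed with a secret shared by sender and receiver cannot be recomputed by an intermediary, so the altered message arrives with a stale tag and is rejected. The message, the altered copy, the key and the function names are constructed for this demo.

```python
import hashlib
import hmac
import zlib

# Constructed sample values for the demo (not from the slides).
ORIGINAL = b"PAY 100.00 TO ACCT 1234"
TAMPERED = b"PAY 900.00 TO ACCT 9999"
SHARED_KEY = b"constructed-demo-key"   # known only to sender and receiver


def crc_tag(message: bytes) -> int:
    """CRC-32 over the message: an integrity check that needs no secret."""
    return zlib.crc32(message) & 0xFFFFFFFF


def crc_verify(message: bytes, tag: int) -> bool:
    return crc_tag(message) == tag


def mac_tag(key: bytes, message: bytes) -> bytes:
    """Message authentication code: HMAC-SHA256 under the shared secret."""
    return hmac.new(key, message, hashlib.sha256).digest()


def mac_verify(key: bytes, message: bytes, tag: bytes) -> bool:
    # Constant-time comparison so the verifier does not leak how many tag bytes matched.
    return hmac.compare_digest(mac_tag(key, message), tag)


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Simulate accidental corruption on the wire: flip one bit."""
    out = bytearray(data)
    out[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(out)


def demo() -> dict:
    """Transmit ORIGINAL with a CRC and with a MAC; compare what each check catches."""
    crc = crc_tag(ORIGINAL)
    mac = mac_tag(SHARED_KEY, ORIGINAL)

    # Accidental damage: a single flipped bit. CRC-32 detects every single-bit error.
    corrupted = flip_bit(ORIGINAL, 5)

    # Intentional change: an intermediary rewrites the message. Recomputing the
    # CRC needs no secret, so the altered message arrives with a matching CRC.
    # Recomputing the MAC needs SHARED_KEY, so the stale tag is all that can be sent.
    return {
        "crc_accepts_original": crc_verify(ORIGINAL, crc),
        "crc_detects_corruption": not crc_verify(corrupted, crc),
        "crc_accepts_tampered": crc_verify(TAMPERED, crc_tag(TAMPERED)),
        "mac_accepts_original": mac_verify(SHARED_KEY, ORIGINAL, mac),
        "mac_detects_corruption": not mac_verify(SHARED_KEY, corrupted, mac),
        "mac_accepts_tampered": mac_verify(SHARED_KEY, TAMPERED, mac),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Parity bits and checksums behave like the CRC here: they are computed from the data alone, so anyone who changes the data can recompute them. Only the keyed tag ties the message to a party holding the secret.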

Access Control and Passwords

Passwords used to control access
Over a network, passwords susceptible to snooping

Encryption and Confidentiality

To ensure confidentiality of a transmitted message, use encryption
Secret key or public key schemes

Figure: message m, encryption with secret key S, decryption with secret key S, message m

Public Key Cryptosystem

Each processor has private key S and public key P
S is kept secret, and cannot be deduced from P
P is made available to all processors
Encryption and decryption with S and P are inverse functions: P(S(m)) = m and S(P(m)) = m

Figure: message m encrypted with one of the two keys (private key S or public key P) and decrypted with the other to recover message m

Message Digest

Digest function maps arbitrary length message m to fixed length digest d(m)
One-way function: given d(m), can't find m
Collision-free: infeasible to generate m and m' such that d(m) = d(m')

Figure: message, digest function, digest

Digital Signature

To sign message m, sender computes digest d(m)
Sender computes S(d(m)) and sends along with m
Receiver computes P(S(d(m))) = d(m)
Receiver computes digest of m and compares with result above; if match, signature is verified

Digital Signature

Figure: sender Alice computes the digest of the message and computes the signature with Alice's private key; receiver Bob computes the digest of the received message and verifies the signature with Alice's public key
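An added example, not part of the original slides, tying together the public key, message digest and digital signature slides with the textbook RSA relationship. The key parameters are toy values constructed for the demo: the primes are the Mersenne primes 2^31-1 and 2^61-1, giving a modulus of about 92 bits that is trivially factorable, so in practice it does not satisfy "S cannot be deduced from P"; it serves only to show that P(S(m)) = m and S(P(m)) = m and how the signature check uses them. The digest is SHA-256 reduced mod N so it fits the toy modulus; real signature schemes pad the digest to the modulus size rather than reducing it. All function names are this example's own.

```python
import hashlib

# Toy key parameters constructed for the demo: the Mersenne primes 2^31-1 and
# 2^61-1 give a ~92-bit modulus that is trivially factorable. Real RSA keys use
# primes of 1024+ bits; only the algebra is the same.
P_PRIME = 2**31 - 1
Q_PRIME = 2**61 - 1
N = P_PRIME * Q_PRIME
PHI = (P_PRIME - 1) * (Q_PRIME - 1)
PUBLIC_E = 65537                     # public key P = (PUBLIC_E, N)
PRIVATE_D = pow(PUBLIC_E, -1, PHI)   # private key S = (PRIVATE_D, N); needs Python 3.8+


def apply_public(m: int) -> int:
    """P(m): anyone can compute this, since P is published."""
    return pow(m, PUBLIC_E, N)


def apply_private(m: int) -> int:
    """S(m): only the holder of the private key can compute this."""
    return pow(m, PRIVATE_D, N)


def inverse_check(m: int) -> bool:
    """The slide's claim: P(S(m)) = m and S(P(m)) = m, for any m < N."""
    return apply_public(apply_private(m)) == m and apply_private(apply_public(m)) == m


def digest(message: bytes) -> int:
    """d(m): SHA-256 of the message, reduced mod N so it fits the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message: bytes) -> int:
    """Sender (Alice): compute d(m), then S(d(m)); the signature travels alongside m."""
    return apply_private(digest(message))


def verify(message: bytes, signature: int) -> bool:
    """Receiver (Bob): compute P(S(d(m))) = d(m) and compare with a fresh digest of the received m."""
    return apply_public(signature) == digest(message)


if __name__ == "__main__":
    msg = b"transfer 10 units to bob"
    sig = sign(msg)
    print("inverse functions:", inverse_check(65))
    print("signature verifies:", verify(msg, sig))
    print("altered message verifies:", verify(b"transfer 99 units to bob", sig))
```

For confidentiality the same pair is used the other way round: a sender applies P to the message and only the holder of S can recover it. Signing the digest rather than the whole message keeps the signature a fixed size and relies on the digest being collision-free, as the message digest slide requires.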

Internet Firewall

Protect an organization’s computers from internet problems (firewall between two structures to prevent spread of fire)

Internet Firewall

All traffic entering the organization passes through the firewall

All traffic leaving the organization passes through the firewall

The firewall implements the security policy and rejects any traffic that doesn’t adhere

The firewall must be immune to security attacks

Packet Filtering

Packet filter is embedded in router
Specify which packets can pass through and which should be blocked

Using Packet Filters to Create a Firewall

Three components in a firewall
Packet filter for incoming packets
Packet filter for outgoing packets
Secure computer system to run application-layer gateways or proxies
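An added example, not part of the original slides, of the stateless packet filter the previous two slides describe: one rule list covering both the incoming and the outgoing filter, evaluated first-match, with everything the policy does not mention denied. The addresses, ports and rules are constructed (RFC 5737 documentation ranges), and Packet, Rule, filter_packet and decide are this example's own names.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    direction: str          # "in" = entering the organization, "out" = leaving it
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str              # protocol name or "any"
    src: str                # CIDR prefix or "any"
    dst: str                # CIDR prefix or "any"
    dport: Optional[int]    # None matches every port
    action: str             # "allow" or "deny"

    def matches(self, pkt: Packet) -> bool:
        def in_net(spec: str, addr: str) -> bool:
            return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)
        return (self.direction == pkt.direction
                and self.proto in ("any", pkt.proto)
                and in_net(self.src, pkt.src)
                and in_net(self.dst, pkt.dst)
                and (self.dport is None or self.dport == pkt.dport))


def filter_packet(rules: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """First matching rule decides; anything the policy does not mention gets the default (deny)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# Constructed policy: the organization uses 192.0.2.0/24 internally and runs one
# public web server and one resolver (all RFC 5737 documentation addresses).
INTERNAL = "192.0.2.0/24"
RULES = [
    # Incoming filter (packets arriving from the Internet)
    Rule("in", "any", INTERNAL, "any", None, "deny"),             # internal source address from outside: spoofed
    Rule("in", "tcp", "any", "192.0.2.10", 443, "allow"),          # HTTPS to the public web server
    # Outgoing filter (packets leaving the organization)
    Rule("out", "tcp", INTERNAL, "any", 80, "allow"),
    Rule("out", "tcp", INTERNAL, "any", 443, "allow"),
    Rule("out", "udp", INTERNAL, "203.0.113.53", 53, "allow"),     # DNS only to the organization's resolver
]


def decide(direction: str, proto: str, src: str, dst: str, dport: Optional[int] = None) -> str:
    """Apply the organization's policy to one packet and return "allow" or "deny"."""
    return filter_packet(RULES, Packet(direction, proto, src, dst, dport))


if __name__ == "__main__":
    print(decide("in", "tcp", "198.51.100.7", "192.0.2.10", 443))   # allow
    print(decide("in", "tcp", "198.51.100.7", "192.0.2.10", 22))    # deny (default)
    print(decide("in", "tcp", "192.0.2.5", "192.0.2.10", 443))      # deny (spoofed source)
```

Rule order matters: the anti-spoofing rule sits before the web-server rule so that a packet claiming an internal source address is dropped even when it is aimed at the allowed port. A filter this simple is stateless; admitting the replies to outbound connections without opening broad inbound rules requires a filter that tracks connection state, which is one reason firewalls also include the application-layer gateways the slide mentions.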

Virtual Private Networks

Two approaches to building corporate intranet for an organization with multiple sites:
Private network connections (confidential)
Public internet connections (low cost)
Virtual Private Network
Achieve both confidentiality and low cost
Implemented in software

Virtual Private Network

VPN software in router at each site gives appearance of a private network

Virtual Private Network

Obtain internet connection for each site
Choose router at each site to run VPN software
Configure VPN software in each router to know about the VPN routers at other sites
VPN software acts as a packet filter; next hop for outgoing datagram is another VPN router
Each outgoing datagram is encrypted

Tunneling

Desire to encrypt entire datagram so source and destination addresses are not visible on Internet
How can internet routers do proper forwarding?
Solution: VPN software encrypts entire datagram and places inside another for transmission
Called IP-in-IP tunneling (encapsulation)

Tunneling

Datagram from computer x at site 1 to computer y at site 2
Router R1 on site 1 encrypts, encapsulates in new datagram for transmission to router R2 on site 2
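An added example, not part of the original slides, of the VPN configuration and IP-in-IP tunneling described on the last three slides: R1 consults its table of VPN routers at other sites, encrypts the whole datagram from x to y (header included), and carries it as the payload of an outer datagram addressed from R1 to R2 with IP protocol number 4, so Internet routers forward on R1 and R2's public addresses and never see x or y. The site prefixes, router addresses, key and payload are constructed; the XOR keystream derived from SHA-256 is a stand-in for a real VPN cipher and provides no authentication; and the VPN_PEERS table and all function names are this example's own.

```python
import hashlib
import ipaddress
import os
import struct

IPPROTO_IPIP = 4             # IANA protocol number for IP-in-IP encapsulation
IPPROTO_TCP = 6
IPV4_HDR = "!BBHHHBBH4s4s"   # 20-byte IPv4 header without options

# Constructed VPN configuration at router R1 (site 1): remote site prefix -> that site's VPN router.
R1_PUBLIC = "198.51.100.1"
VPN_PEERS = {"10.2.0.0/16": "203.0.113.1"}   # site 2 is reached through R2


def inet_checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071): one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal IPv4 datagram: version 4, IHL 5, no fragmentation, valid header checksum."""
    s, d = ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0, s, d)
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(dgram: bytes) -> dict:
    """Read the fields a router needs; a damaged header is rejected."""
    if inet_checksum(dgram[:20]) != 0:
        raise ValueError("bad IPv4 header checksum")
    f = struct.unpack(IPV4_HDR, dgram[:20])
    return {"src": str(ipaddress.IPv4Address(f[8])), "dst": str(ipaddress.IPv4Address(f[9])),
            "proto": f[6], "payload": dgram[20:f[2]]}


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for the VPN cipher: XOR with a SHA-256-derived keystream (demo only, no authentication)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def vpn_next_hop(dst: str):
    """R1 acting as a packet filter: a datagram for another VPN site goes to that site's VPN router."""
    addr = ipaddress.ip_address(dst)
    for prefix, router in VPN_PEERS.items():
        if addr in ipaddress.ip_network(prefix):
            return router
    return None    # not a VPN destination; ordinary forwarding applies


def encapsulate(key: bytes, inner: bytes, tunnel_src: str, tunnel_dst: str, nonce: bytes = None) -> bytes:
    """R1: encrypt the whole inner datagram, header included, and wrap it in an outer datagram R1 -> R2."""
    if nonce is None:
        nonce = os.urandom(16)
    return build_ipv4(tunnel_src, tunnel_dst, IPPROTO_IPIP, nonce + keystream_xor(key, nonce, inner))


def decapsulate(key: bytes, outer: bytes) -> bytes:
    """R2: strip the outer header, decrypt, and hand back the original inner datagram for delivery to y."""
    o = parse_ipv4(outer)
    if o["proto"] != IPPROTO_IPIP:
        raise ValueError("not an IP-in-IP datagram")
    nonce, body = o["payload"][:16], o["payload"][16:]
    return keystream_xor(key, nonce, body)


def tunnel_demo() -> dict:
    """x (10.1.0.5, site 1) sends to y (10.2.0.7, site 2) through the R1 -> R2 tunnel."""
    key = b"constructed-vpn-key"
    inner = build_ipv4("10.1.0.5", "10.2.0.7", IPPROTO_TCP, b"hello from x")
    peer = vpn_next_hop(parse_ipv4(inner)["dst"])          # R1 picks R2 as the next hop
    outer = encapsulate(key, inner, R1_PUBLIC, peer)
    on_wire = parse_ipv4(outer)                             # all that Internet routers see
    recovered = decapsulate(key, outer)                     # what R2 forwards into site 2
    return {"peer": peer, "wire_src": on_wire["src"], "wire_dst": on_wire["dst"],
            "wire_proto": on_wire["proto"], "outer": outer, "inner": inner,
            "recovered": recovered, "inner_hdr": parse_ipv4(recovered)}


if __name__ == "__main__":
    r = tunnel_demo()
    print("on the wire:", r["wire_src"], "->", r["wire_dst"], "proto", r["wire_proto"])
    print("inside site 2:", r["inner_hdr"]["src"], "->", r["inner_hdr"]["dst"], r["inner_hdr"]["payload"])
```

The outer datagram answers the slide's question about forwarding: routers between the sites need only the outer header, which names R1 and R2. Because the inner header is part of the encrypted payload, x's and y's addresses are not visible in transit, which is the whole reason for encapsulating rather than encrypting the payload alone. A deployed VPN also authenticates each datagram (the MAC from the integrity slide) so that R2 can detect tampering before forwarding.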

Summary

Security is desirable but must be defined by an organization

Assess value of information and define a security policy

Aspects to consider include privacy and data integrity, availability, and confidentiality

Summary (continued)

Mechanisms to provide aspects of security
Encryption: secret and public key cryptosystems
Firewalls: packet filtering
Virtual private networks: use Internet to transfer data among organization’s sites but ensure that data cannot be read by others