T318 Applied Network Security: Dr. Mahmoud Attalah
T318
APPLIED NETWORK SECURITY
Chapter 1
Introduction to Security
Cryptographic algorithms and protocols
❖ Cryptographic algorithms and protocols can be grouped
into four main areas:
Symmetric encryption
Asymmetric encryption
Authentication protocols
What Is Security?
❖ Computer Security
▪ The protection afforded to an automated information system in
order to attain the applicable objectives of preserving the integrity,
availability, and confidentiality of information system resources [NIST
Computer Security Handbook].
Computer Security
1. Confidentiality
Computer Security Objectives(cont.)
2. Integrity
▪ Data integrity: Assures that information and programs are
changed only in a specified and authorized manner
3. Availability
▪ Assures that systems work promptly and service is not denied
to authorized users
Computer Security Objectives(cont.)
Others: Authenticity, Accountability
Breach of Security Levels of Impact
Impact of Security Breaches
▪ Financial loss
▪ Damage to assets
▪ Harm to individuals
Computer Security Challenges
OSI Security Architecture
❖ Security attack
▪ Any action that compromises the security of information owned by an
organization
❖ Security mechanism
▪ A process (or a device incorporating such a process) that is designed to
detect, prevent, or recover from a security attack
❖ Security service
▪ A processing or communication service that enhances the security of the
data processing systems and the information transfers of an organization
▪ Intended to counter security attacks, and they make use of one or more
security mechanisms to provide the service
Threats and Attacks (RFC 4949)
Types of Attacks
❖ Passive Attack
▪ Makes use of information but does not affect system resources, e.g.
• Release of message contents
• Traffic analysis
▪ Relatively hard to detect, but easier to prevent
❖ Active Attack
▪ Alters system resources or operation, e.g.
• Masquerade
• Replay
• Modification
• Denial of service (DoS)
▪ Relatively hard to prevent, but easier to detect
Types of Attacks
[Diagram: attacks classified as active or passive]
Passive Attacks
Active Attacks
Release Message Contents
Traffic Analysis
Masquerade Attack
Replay Attack
Modification Attack
Denial of Service Attack
Defining a Security Service
Table 1.2: Security Services (X.800)
Defining a Security Service(Cont.)
❖ Authentication
▪ Concerned with assuring that a communication is authentic
▪ In the case of a single message, assures the recipient that the
message is from the source that it claims to be from
▪ In the case of ongoing interaction, assures the two entities are
authentic and that the connection is not interfered with in such a
way that a third party can masquerade as one of the two legitimate
parties
Defining a Security Service(Cont.)
❖ Access Control
▪ The ability to limit and control the access to host systems
and applications via communications links
Defining a Security Service(Cont.)
❖ Data Confidentiality
▪ The protection of transmitted data from passive attack
• Broadest service protects all user data transmitted between two
users over a period of time
Defining a Security Service(Cont.)
❖ Data Integrity
▪ Can apply to a stream of messages, a single message, or selected
fields within a message
▪ Connection-oriented integrity service, one that deals with a
stream of messages, assures that messages are received as sent
with no duplication, insertion, modification, reordering, or
replays
▪ A connectionless integrity service, one that deals with individual
messages without regard to any larger context, generally
provides protection against message modification only
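The difference between the two integrity services, as an added example that is not part of the original slides. HMAC-SHA256 and the sequence-number scheme are assumptions chosen for illustration; the key and messages are constructed.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"  # constructed sample key, assumed pre-shared

def tag(data):
    return hmac.new(KEY, data, hashlib.sha256).digest()

def protect_connectionless(msg):
    # Connectionless: the MAC covers this one message and nothing else.
    return msg, tag(msg)

def accept_connectionless(frame):
    msg, mac = frame
    return hmac.compare_digest(mac, tag(msg))

class Sender:
    # Connection-oriented: the MAC also binds a per-connection sequence number.
    def __init__(self):
        self.seq = 0

    def protect(self, msg):
        frame = (self.seq, msg, tag(struct.pack(">Q", self.seq) + msg))
        self.seq += 1
        return frame

class Receiver:
    def __init__(self):
        self.expected = 0

    def accept(self, frame):
        seq, msg, mac = frame
        if not hmac.compare_digest(mac, tag(struct.pack(">Q", seq) + msg)):
            return "rejected: modified or inserted"
        if seq < self.expected:
            return "rejected: replay or duplicate"
        if seq > self.expected:
            return "rejected: out of order"
        self.expected += 1
        return "accepted"

def demo():
    cl = protect_connectionless(b"PAY 100 TO BOB")       # constructed traffic
    s, r = Sender(), Receiver()
    f0, f1 = s.protect(b"PAY 100 TO BOB"), s.protect(b"CLOSE ACCOUNT")
    return {
        "cl_replay": accept_connectionless(cl) and accept_connectionless(cl),
        "cl_modified": accept_connectionless((b"PAY 900 TO BOB", cl[1])),
        "co": [r.accept(f1), r.accept(f0), r.accept(f0),
               r.accept((1, b"PAY 900 TO BOB", f1[2])), r.accept(f1)],
    }
```

The connectionless check accepts the same frame twice, while the connection-oriented receiver rejects the reordered, replayed and altered frames and accepts only the in-order originals.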
Defining a Security Service(Cont.)
❖ Nonrepudiation
▪ Prevents either sender or receiver from denying a transmitted
message
▪ When a message is sent, the receiver can prove that the alleged
sender in fact sent the message
Defining a Security Service(Cont.)
❖ Availability Service
▪ Protects a system to ensure its availability
Security Mechanisms
Security Mechanisms (X.800)
Fundamental Security Design Principles
Isolation
❖ Applies in three contexts:
▪ Public access systems should be isolated from critical resources to prevent disclosure or tampering
▪ Processes and files of individual users should be isolated from one another except where it is explicitly desired
▪ Security mechanisms should be isolated in the sense of preventing access to those mechanisms
Encapsulation
❖ Can be viewed as a specific form of isolation based on object-oriented functionality
❖ Protection is provided by encapsulating a collection of procedures and data objects in a domain of its own so that the internal structure of a data object is accessible only to the procedures of the protected subsystem, and the procedures may be called only at designated domain entry points
Fundamental Security Design Principles
Modularity
❖ Refers both to the development of security functions as separate, protected modules and to the use of a modular architecture for mechanism design and implementation
Layering
❖ Refers to the use of multiple, overlapping protection approaches addressing the people, technology, and operational aspects of information systems
❖ The failure or circumvention of any individual protection approach will not leave the system unprotected
Fundamental Security Design Principles
❖ Least astonishment
▪ Means that a program or user interface should always respond in the way that is least likely to astonish the user
▪ The mechanism for authorization should be transparent enough to a user that the user has a good intuitive understanding of how the security goals map to the provided security mechanism
Attack Surfaces
Defense in Depth and Attack Surface
Network Access Security Model
Unwanted Access
❖ Placement in a computer system of logic that
exploits vulnerabilities in the system and that
can affect application programs as well as utility
programs such as editors and compilers
Standards
Internet Society
• ISOC is a professional membership society with world-wide organizational and individual membership
• Provides leadership in addressing issues that confront the future of the Internet and is the organization home for the groups responsible for Internet infrastructure standards
ITU-T
• The International Telecommunication Union (ITU) is an international organization within the United Nations System in which governments and the private sector coordinate global telecom networks and services
• The ITU Telecommunication Standardization Sector (ITU-T) is one of the three sectors of the ITU; its mission is the development of technical standards covering all fields of telecommunications
ISO
• The International Organization for Standardization is a world-wide federation of national standards bodies from more than 140 countries
• ISO is a nongovernmental organization that promotes the development of standardization and related activities with a view to facilitating the international exchange of goods and services and to developing cooperation in the spheres of intellectual, scientific, technological, and economic activity
Security Services and Mechanisms
Summary
❖ Computer security concepts
▪ Definition
▪ Examples
▪ Challenges
❖ The OSI security architecture
❖ Security attacks
▪ Passive attacks
▪ Active attacks
❖ Security services
▪ Authentication
▪ Access control
▪ Data confidentiality
▪ Data integrity
▪ Nonrepudiation
▪ Availability service
❖ Security mechanisms
❖ Fundamental security design principles
▪ Attack surfaces and attack trees
❖ Network security model
❖ Standards