1 / 39

Final Exam Review

Final Exam Review. IT443 – Network Security Administration. Fundamental Tenet of Cryptography. What is it? If lots of smart people have failed to solve a problem, then it probably wont be solved (soon). Network Basics. Network Layers Application layer Transport layer IP layer

leif
Download Presentation

Final Exam Review

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Final Exam Review IT443 – Network Security Administration

  2. Fundamental Tenet of Cryptography What is it? If lots of smart people have failed to solve a problem, then it probably wont be solved (soon).

  3. Network Basics • Network Layers • Application layer • Transport layer • IP layer • Data link layer • TCP, UDP, IP, SSH, HTTP • IP address, MAC address, TCP address? • Port number

  4. Layer Encapsulation User A User B Get index.html Connection ID Source/Destination Link Address 4

  5. Network Basics • Headers • [ether net header [IP header [TCP header [Payload]]]] • TCP / UDP • TCP is reliable • Acknowledgement, retransmission, discard duplicates, … • TCP 3-way handshake • SYN, ACK, FIN

  6. Establishing a TCP Connection SYN • Three-way handshake to establish connection • Host A sends a SYN (open) to the host B • Host B returns a SYN acknowledgment (SYN ACK) • Host A sends anACK to acknowledge the SYN ACK Each host tells its ISN to the other host. SYN ACK ACK Data Data

  7. Unreliable Message Delivery Service • User Datagram Protocol (UDP) • IP plus port numbers • Optional error checking on the packet contents • Lightweight communication between processes • Avoid overhead and delays of ordered, reliable delivery • For example: VoIP, video conferencing, gaming SRC port DST port checksum length DATA

  8. TCP Header Source port Destination port Sequence number Flags: SYN FIN RST PSH URG ACK Acknowledgment Advertised window HdrLen Flags 0 Checksum Urgent pointer Options (variable) Data

  9. Network Basics • IP layer • Routing (different paths) • IP prefix, e.g., 12.34.158.0/24 • ClassfulAddressing (Class A, B, C) • Classless Inter-Domain Routing (CIDR) • Private networks • 10.0.0.0/8 (255.0.0.0) • 172.16.0.0/12 (255.240.0.0) • 192.168.0.0/16 (255.255.0.0)

  10. IP Packet 4-bit Header Length 8-bit Type of Service (TOS) 4-bit Version 16-bit Total Length (Bytes) 3-bit Flags 16-bit Identification 13-bit Fragment Offset 20-byte header 8-bit Time to Live (TTL) 8-bit Protocol 16-bit Header Checksum 32-bit Source IP Address 32-bit Destination IP Address Options (if any) Payload

  11. Network Basics • DNS • Hierarchical name space • Local DNS server / caching • dig / dig -x • Data link layer • MAC address • ARP messages / ARP table

  12. Network Basics • Potential Questions Topics Is 192.168.x.x globally accessible? Which of the following header contain destination information: A. TCP header B. IP header C. Ethernet header Compare and contrast TCP and UDP and briefly describe their similarities and differences.

  13. Recon & Info Gathering • Social Engineering: “the weakest link”, • Physical or automated (e.g., phishing) • Defenses: user awareness • Physical Security • Physical access, theft, dumpster diving • Defenses: locks, policies (access, screen savers, etc.), encrypted file systems, paper shredders http://www.guardian.co.uk/politics/2008/sep/30/terrorism.ebay • Web Searching and Online Recon • Check company website, get contact names, look for comments in html, etc. • Use Search Engines: Google!, Usenet to discover technologies in use, employee names, etc. • Defenses: “Security Through Obscurity”, Policies

  14. Crypto Basics • Encryption/Decryption • Plaintext, ciphertext, key • Secret key/symmetric key crypto • What are some of the symmetric key encryption algorithms? • Public key/asymmetric key crypto • What are some of the asymmetric key encryption algorithms? • Hash function • What are some of the hash algorithms?

  15. Secret Key Cryptography • Stream cipher • Block cipher • Converts one input plaintext block of fixed size k bits to an output ciphertext block of k bits • DES, IDEA, AES, … • AES • Selected from an open competition, organized by NSA • Joan Daemen and Vincent Rijmen (Belgium) • Block size=128 bits, Key Size= 128/192/256 bits

  16. Plaintext M1 M2 M3 M4 46 + padding 128 128 128 Key E E E E 128 128 128 128 Ciphertext C1 C2C3 C4 Electronic Code Book (ECB)

  17. Initialization Vector Key E E E E 128 128 128 128 C1 C2 C3 C4 Cipher Block Chaining (CBC) M1 M2 M3 M4 46 + padding 128 128 128

  18. Public Key Cryptography • Public key crypto • Public/private key pair • Encryption/decryption (different keys) • Sign/verify (digital signature) • Much slower than secret key operations • Algorithms • DSA, RSA

  19. Diffie-Hellman • Predates RSA • Does neither encryption nor signatures • What is it good for then? • How does it work?

  20. Crypto Basics • Hash function • One way transformation • Collision resistance • Applications • Message digest/checksum • File integrity • Password • …

  21. Modern Hash Functions • MD5 (128 bits) • Previous versions (i.e., MD2, MD4) have weaknesses. • Broken; collisions published in August 2004 • Too weak to be used for serious applications • SHA (Secure Hash Algorithm) • Weaknesses were found • SHA-1 (160 bits) • Broken, but not yet cracked • Collisions in 269 hash operations, much less than the brute-force attack of 280 operations • Results were circulated in February 2005, and published in CRYPTO ’05 in August 2005 • SHA-256, SHA-384, …

  22. Crypto Basics • Potential Question Topics In secret key encryption, can the encrypted file’s size be smaller than the original file’s? Are the following desired properties of hash functions? • a. One-way property, that is, it’s easy to reverse the hash computation, but computationally infeasible to compute the hash function itself. • b. Collision free, that is, it’s computationally infeasible to find two messages that have the same hash value. • c. Only authorized parties can perform hash functions.

  23. Authentication • What’s authentication • User authentication • Allow a user to prove his/her identity to another entity (e.g., a system, a device). • Message authentication • Verify that a message has not been altered without proper authorization.

  24. Authentication • Threat • Eavesdropping • Password guessing • Server database reading (compromised)

  25. Authentication • Challenge/response I’m Alice Alice Bob a challenge R H(KAlice-Bob, R) I’m Alice Alice Bob R SigAlice{R}

  26. Eavesdropping & Server Database Reading • If public key crypto is not available, protection against both eavesdropping and server database reading is difficult: • Hash => subject to eavesdropping • Challenge requires Bob to store Alice’s secret in a database I’m Alice, H(KAlice-Bob) Alice Bob I’m Alice Alice Bob A challenge R H(KAlice-Bob, R)

  27. I’m Alice, R2 Trudy Bob R1,f(KAlice-Bob, R2) f(KAlice-Bob, R1) I’m Alice, R1 Trudy Bob R3,f(KAlice-Bob, R1) Mutual Authentication • Reflection Attack

  28. I’m Alice, R2 Alice Bob R1,f(KAlice-Bob, R2) f(KAlice-Bob, R1) Countermeasure I’m Alice Alice Bob R1 f(KAlice-Bob, R1), R2 f(KAlice-Bob, R2) Mutual Authentication • Reflection Attack

  29. Authentication • Key Distribution Center • If node A wants to communicate with node B • A sends a request to the KDC • The KDC securely sends to A: EKA(RAB) and EKB(RAB, A) • Certificate • How do you know the public key of a node? • Certification Authorities (CA) • Everybody needs to know the CA public key • The CA generates certificates: Signed(A, public-key, validity information) [Alice’s public key is 876234]carol [Carol’s public key is 676554]Ted & [Alice’s public key is 876234]carol

  30. Authentication • Password guessing • Online vs. offline • Dictionary attack • Password salt

  31. Authentication • Potential Question Topics Assume Alice and Bob share a secret KAlice-Bob, what is the security flaw when they use the following protocol for Bob to authenticate Alice? I’m Alice, H(KAlice-Bob) Alice Bob

  32. Some Issues for Password Systems • A password should be easy to remember but hard to guess • that’s difficult to achieve! • Some questions • what makes a good password? • where is the password stored, and in what form? • how is knowledge of the password verified?

  33. IPsec • Which layer • Why we need it • IP spoofing • Payload modification • Eavesdropping

  34. SSL • Which layer • Why we need it • Think about https • Main processes • Negotiate cipher suites • Authenticate servers • Verify certificates

  35. Firewall / IDS • What are their roles • Prevent vs. detect • Firewall • Packet filtering (stateless) vs. session filtering (stateful) • iptables

  36. Survive/ Response:Recovery, Forensics Prevent:Firewall, IPsec, SSL Detect:Intrusion Detection Internet Security Mechanisms • Goal: prevent if possible; detect quickly otherwise; and confine the damage

  37. Firewall / IDS • IDS • Accuracy, e.g., false alarm • Misuse detection (signatures) • Anomaly detection • Host-based (e.g., aide) • Network-based (e.g., snort)

  38. Firewall • Potential Question Topics A stateless firewall on a server cannot limit the number of TCP connections per client. Describe the goal of the following firewall rule: iptables -A INPUT -p icmp -j DROP Compose a firewall rule to block access to a SSL connection.

  39. IDS • Questions • Explain the following snort rule and describe how to trigger the alert: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:“Test attack"; content:"test_attack"; … … ) • Compare host-based and network-based IDS, and briefly describe the difference.

More Related