WIRELESS SECURITY
WLANs allow greater flexibility and portabulity than do tranditional wired local are network (LAN). Unlike a tranditioanl LAN, which requires a wire to connect a user computer to the network, a WLAN connect computer and other components to the network using an access point device.
An access point communicates with devices eqquipped with wireless network adaptrs. it connect to a wired Ethernet LAN via an RJ-45 port. Access point devices typically have coverage areas of up to 300 feet (approximately 100 meter). This coverage area is called a cell or range. Users move freely within the cell with their laptop or other network device. Access point cells can be linked together to allow users to even 'roam' within a building or between buildings.
- IEEE ratified 802.11 in 1997.
~Also known as Wi-Fi.
- Wireless LAN at 1 Mbps & 2 Mbps.
- WECA (Wireless Ethernet Compatibility Alliance) promoted Interoperability.
~Now Wi-Fi Alliance
- 802.11 focuses on Layer 1 & Layer 2 of OSI model.
~Physical layer
~Data link layer
802.11 Components
- Two pieces of equipment defined:
~Wireless station
-A desktop or laptop PC or PDA with a wireless NIC.
~ Access point
- A bridge between wireless and wired networks
- Composed of
- Radio
- Wired network interface (usually 802.3)
- Bridging software
- Aggregates access for multiple wireless stations to wired network
802.11 modes
- Infrastructure mode
- Basic Service Set (BSS)
- One access point
- Extended Service Set
-Two or more BSSs forming a single subnet.
- Most corporate LANs in this mode.
-Ad-hoc mode
-Also called peer-to-peer.
- Independent Basic Service Set
- Set of 802.11 wireless stations that communicate directly without an access point.
- Useful for quick & easy wireless networks.
Infrastructure mode
Ad-hoc mode
802.11 Physical Layer
1. Originally three alternative physical layers
~ Two incompatible spread-spectrum radio in 2.4Ghz ISM band
-Frequency Hopping Spread Spectrum (FHSS)
- 75 channels
- Direct Sequence Spread Spectrum (DSSS)
- 14 channels (11 channels in US)
~ One diffuse infrared layer
~ 802.11 speed
- 1 Mbps or 2 Mbps.
802.11 Data Link Layer
~Layer 2 split into:
~Logical Link Control (LLC).
~Media Access Control (MAC).
~LLC - same 48-bit addresses as 802.3.
~MAC - CSMA/CD not possible.
~Can’t listen for collision while transmitting.
~CSMA/CA – Collision Avoidance.
-Sender waits for clear air, waits random time, then sends data.
-Receiver sends explicit ACK when data arrives intact.
-Also handles interference.
-But adds overhead.
~802.11 always slower than equivalent 802.3
RTS / CTS
1. To handle hidden nodes
2. Sending station sends
- “Request to Send”
3. Access point responds with
- “Clear to Send”
-All other stations hear this and delay any transmissions.
4. Only used for larger pieces of data.
- When retransmission may waste significant time.
802.11b
1. 802.11b ratified in 1999 adding 5.5 Mbps and 11 Mbps.
2. DSSS as physical layer.
- 11 channels (3 non-overlapping)
3. Dynamic rate shifting.
- Transparent to higher layers
- Ideally 11 Mbps.
- Shifts down through 5.5 Mbps, 2 Mbps to 1 Mbps.
- Higher ranges.
- Interference.
- Shifts back up when possible.
4. Maximum specified range 100 meters
5. Average throughput of 4Mbps
Joining a BSS
~ When 802.11 client enters range of one or more APs
- APs send beacons.
- AP beacon can include SSID.
- AP chosen on signal strength and observed error rates.
- After AP accepts client.
-Client tunes to AP channel.
~Periodically, all channels surveyed.
-To check for stronger or more reliable APs.
-If found, re-associates with new AP.
Roaming and Channels
~Re-association with APs
-Moving out of range.
-High error rates.
-High network traffic.
-Allows load balancing.
~Each AP has a channel.
-14 partially overlapping channels.
-Only three channels that have no overlap.
-Best for multi cell coverage.
802.11a
~802.11a ratified in 2001
~Supports up to 54Mbps in 5 Ghz range.
-Higher frequency limits the range
-Regulated frequency reduces interference from other devices
~12 non-overlapping channels
~Usable range of 30 metres
~Average throughput of 30 Mbps
~Not backwards compatible
802.11g
• 802.11g ratified in 2002
• Supports up to 54Mbps in 2.4Ghz range.
- Backwards compatible with 802.11b
• 3 non-overlapping channels
• Range similar to 802.11b
• Average throughput of 30 Mbps
• 802.11n due for November 2006
- Aiming for maximum 200Mbps with average 100Mbps
Open System Authentication
• Service Set Identifier (SSID)
• Station must specify SSID to Access Point when requesting association.
• Multiple APs with same SSID form Extended Service Set.
• APs can broadcast their SSID.
• Some clients allow * as SSID.
- Associates with strongest AP regardless of SSID.
MAC ACLs and SSID hiding
• Access points have Access Control Lists (ACL).
• ACL is list of allowed MAC addresses.
- E.g. Allow access to:
~ 00:01:42:0E:12:1F
~ 00:01:42:F1:72:AE
~ 00:01:42:4F:E2:01
• But MAC addresses are sniffable and spoofable.
• AP Beacons without SSID
- Essid_jack
~ sends deauthenticate frames to client
~ SSID then displayed when client sends reauthenticate frames
Interception
• Wireless LAN uses radio signal.
• Not limited to physical building.
• Signal is weakened by:
-Walls
-Floors
-Interference
• Directional antenna allows interception over longer distances.
• Directional antenna provides focused reception.
802.11 Wireless LAN
- Three basic security services defined by IEEE for the WLAN environment
~ Authentication
-provide a security service to verify the identity of communicating client stations
~ntegrity
- to ensure that messages are not modified in transit between the wireless clients and the access point in an active attack
~ Confidentiality
- to provide “privacy achieved by a wired network”
802.11 Authentication
The IEEE 802.11 specification defines two means to validate wireless users attemping to gain access to a wired network, open system authentication and shares key authentication. One means, shared key authentication, is based on cryptography, and the other is not. The open-system authentication technique is not truly authentication, the access point accepts the mobile station without verifying the identity of the station. It should be notes also that the authentication is only one-way; only the mobile station is authentication. The mobile station must trust that it is communicating to a real AP. Taxonom of the tavhniques for 802.11 is depicted in above figure:-
802.11b Security Services
• Two security services provided:
- Authentication
- Shared Key Authentication
- Encryption
- Wired Equivalence Privacy
Wired Equivalence Privacy
• Shared key between
-Stations.
-An Access Point.
• Extended Service Set
-All Access Points will have same shared key.
• No key management
-Shared key entered manually into
-Stations
-Access points
-Key management nightmare in large wireless LANs
RC4
• Ron’s Code number 4
-Symmetric key encryption
-RSA Security Inc.
-Designed in 1987.
-Trade secret until leak in 1994.
• RC4 can use key sizes from 1 bit to 2048 bits.
• RC4 generates a stream of pseudo random bits
-XORed with plaintext to create ciphertext.
WEP – Sending
• Compute Integrity Check Vector (ICV).
-Provides integrity
-32 bit Cyclic Redundancy Check.
-Appended to message to create plaintext.
• Plaintext encrypted via RC4
-Provides confidentiality.
-Plaintext XORed with long key stream of pseudo random bits.
-Key stream is function of
-40-bit secret key
-24 bit initialisation vector
• Ciphertext is transmitted.
WEP – Receiving
• Ciphertext is received.
• Ciphertext decrypted via RC4
-Ciphertext XORed with long key stream of pseudo random bits.
-Key stream is function of
-40-bit secret key
-24 bit initialisation vector (IV)
• Check ICV
-Separate ICV from message.
-Compute ICV for message
-Compare with received ICV
Shared Key Authentication
• When station requests association with Access Point
-AP sends random number to station
-Station encrypts random number
-Uses RC4, 40 bit shared secret key & 24 bit IV
-Encrypted random number sent to AP
-AP decrypts received message
-Uses RC4, 40 bit shared secret key & 24 bit IV
-AP compares decrypted random number to transmitted random number
• If numbers match, station has shared secret key.
Web Safeguards
- Shares secret key required for associating with an access point, sending data and receving data.
- Message are encrypted for confidentiality.
- Message have checksum for integrity.
- Management static still broadcast in clear containing SSID.
Initialization Vector
• IV must be different for every message transmitted.
• 802.11 standard doesn’t specify how IV is calculated.
• Wireless cards use several methods
- Some use a simple ascending counter for each message.
- Some switch between alternate ascending and descending counters.
- Some use a pseudo random IV generator.
802.11 safeguards
• Security Policy & Architecture Design
• Treat as untrusted LAN
• Discover unauthorised use
• Access point audits
• Station protection
• Access point location
• Antenna design
Security Policy & Architecture
• Define use of wireless network
- What is allowed
- What is not allowed
• Holistic architecture and implementation
-Consider all threats.
-Design entire architecture
~To minimize risk.
Wireless as untrusted LAN
• Treat wireless as untrusted.
- Similar to Internet.
• Firewall between WLAN and Backbone.
• Extra authentication required.
• Intrusion Detection
- at WLAN / Backbone junction.
• Vulnerability assessments
Discover unauthorized use
• Search for unauthorised access points, ad-hoc networks or clients.
• Port scanning
- For unknown SNMP agents.
- For unknown web or telnet interfaces.
• Warwalking!
- Sniff 802.11 packets
- Identify IP addresses
- Detect signal strength
- But may sniff your neighbours…
• Wireless Intrusion Detection
- AirMagnet, AirDefense, Trapeze, Aruba.
Access point audits
• Review security of access points.
• Are passwords and community strings secure?
• Use Firewalls & router ACLs
- Limit use of access point administration interfaces.
• Standard access point config:
-SSID
-WEP keys
-Community string & password policy
Thursday, September 24, 2009
Tuesday, September 15, 2009
#7 Security in Application
Electronic Mail (E-mail) Security
Electronic mail is one of the most heavily used network-based applications. With the explosively growing reliance on e-mail,there grows a demand for security e-mail systems. In an e-mail system, there are a sender and a receiver. However, usually the receiver is not on-line. So in an e-mail system, usually there is no massage interchange when the sender sends an e-mail. On the order hand, some e-mail system (a.g SMTP) only can deliver ASCll codes.
Security provided in E-mail
• Confidentiality
• Data origin authentication
• Message integrity
• Non-repudiation of origin.
• Key management
MIME
MIME = Mutlipurpose Internet Mail Extension.
• Extends the capabilities of RFC 822 to allow e-mail to carry non-textual content, non-ASCII character sets, long message.
• Uses extra header fields in RFC 822 e-mail to specify form and content of extensions.
• Supports a variety of content types, but e-mail still ASCII-coded for compatibility.
• Specified in RFCs 2045-2049.
How e-mail transported?
MUA = Mail user agent (mail client)
MTA = Mail transport agent (mail server)
E-mail Security Threats
Two main group:
• Threats to the security of e-mail itself.
• Threats to an organisation that are enable by the use of e-mail.
Loss of confidentially
• Email are sent it clear over open network.
• Email stored on potentially insecure clients and mail servers.
• Ensuring confidentiality may be important for email sent withi an organisation.
Loss of integrity
• No integrity protection on email, body can be altered in transit or on maul server.
Lack of data origin authentication
• Email could also be altered in transit.
• Sharing of email password common.
Lack of non-repudiation
• Can i rely and act on the content?(integrity)
• If so, can the sender later deny having sent it?Who is liable if i have acted?
• Example of stock-trading via email.
Threats enables by email
• Its easier to distribute information by email than it is by paper and snail mail.
• Disclosure may be deliberate (and malicious) or unintentional.
• Disclosure may be internal or external (email crosses LANs as well as the internet)
• Disclosure may be of personal, inappropriate, commercially sensitive or proprietary information.
• Can lead to loss of reputation and ultimately dismissal of staff.
S/MIME
SEcure/Multipurpose Internet Mail Extension (S/MIME) is another enchaced email system. Similar to PGP which uses sidnature scheme, session key and secret key encryption. S/MIME version 3 message specification is given in RFC2633.
It appears likely that S/MIME will emerge as the industry standard for commercial and organization use, while PGP will remain the choice for personal use.
PGP
Pretty good privary or PGP was developed by Phil Zimmermman. PGP uses public key encryption, signature scheme,hash function, secret key enryption, compression fuction and email compatibility. Functionality similar to S/MIME is an encryption for confidentiality and signature for non-repudiation/ authenticity.
One level of processing only, so less flexible than S/MIME. Sign before encrypt, so signature on unencrypted data. PGP processed data is base64 encoded and carried inside RFC822 message body.
Web Security
Web security included 3 parts:
1. Security of server.
2. Security of client
3. Network traffic security between a browser and a server.
Security pf server and security of client are problems of computer security. Network security can considered at different level , for examples network level: use IPSec, Transport level:Use SSL (Secure socket layer) or TLS (Transport layer security) and Application level: Use PGP,S/MIME,SET(Secure Electronic Transaction).
Secure Socket Layer (SSL)
SSL is develop by Netscape. The main part of SSL contains several protocol:SSL Handshake protocol, SSL change cipher spec protocl,SSL alert protocol, and SSL record protocol.
Secure Shell (SSH)
1. Initially designed to replace insecure SSH, telnel utilities.
2. Secure remote administration (mostly of Unix system).
3. Extended to support secure file transfer and email.
4. Latterly, provide a general secure channel for network application.
5. SSH-1 flawed, SSH-2 better secure security (and different architecture).
Secure Electronic Transaction (SET)
SET is an open encryption and security specification designed to protect credit card transaction on the internet . SSL secures communications between a client and a server.
Set secure issues
Two pairs of PKs parentity
1. One pair for signing.
2. One pair for exchanging keys.
How the web Works-HTTP - Hypertext transfer protocol (HTTP)
- Clients request 'document' through URL
- Server Respons with 'document'
- Document are not interpreted by http
- Stateless protocol, request are indepent.
How the Web works: other elements
-Hyper-text markup language (html).
-Other application specific document.
-E.G., MIME, graphics, video/audio, postscript, Java applets, etc.
-Browsers.
-Display html documents and embedded graphics.
-Run Java program.
-Start helper applications.
How to secure the web
~Athentication
1. Basic (username,password)
- Can be used along with cookie.
2. Digest
~ Access control via address
~Multi layered:
1- S-http(secure http), just for http
- Proposed by CommerceNet,pretty much dead.
2. SSL(TLS),generic for TCP
- https;http over SSl
3. IPsec
HTTP Authentication - Client doesnt know which method
- Client attempts access (GET,PUT) normally
- Server returns
~401 unauthorized
~Realm protection space
- Client tries again with
From Basic Authentication to Forms and Cookies
• Not all sites use basic authentication
• Many instead ask the user to type username/password into a HTML form
• Server looks up the user and sends back a cookie
• The browser (client) resends the cookie on subsequent requests
HTTP Access Control - Digest
1. Server sends www-authenticate parameters:
~ Realm
~ Domain
~ Nonce, new for each 401 response
- E.G. H(client-IP:timestamp:server-secret)
~ Algorithm
- E.G., MD5
2. Client sends authorization response:
~ Same nonce
~ H(A1), where a1=user:realm:password, and other information
~ Steal H(A1)
- Only good for realm
HTTPS
• HTTPS = Secure Hypertext Transfer Protocol
• HTTPS is a communications protocol designed to transfer encrypted information between computers over the World Wide Web (WWW)
• Essentially an implementation of HTTP
• Commonly used Internet protocol using an SSL
• Used to enable online purchasing or the exchange of private information and resources over insecure networks
Why HTTPS combines with SSL and How?
• HTTPS combines with SSL to enable secure communication between a client and a server
• Steps:
- Client requests a secure transaction and informs the encryption algorithms and key sizes that it support (by assessing a URL with HTTPS)
- Server sends the requested server certificate (encrypted server’s public key, list of supported ciphers and key sizes in order of priority)
- Client then generates a new secret symmetric session key basedon the priority list sent by the server. Client compares the certificate issued by CA and confirmed that certificate is belongs to the server intended for communication
• Steps:
- If valid and certificate confirmed, client encrypts a copy of the new session key it generated with the server public key obtained from the certificate. Then, client sends the new encrypted key to server
- Server decrypts the new session key with its own private key.
- Upon completed, both client and server have the same secret session key and use to secure communication and data transport.
Secure File Transfer Protocol (S/FTP)
• S/FTP is an interactive file transfer program
• Similar to ftp
• Performs all operations over an encrypted ssh transport
• Use many features of ssh such as public key authentication and compression
• S/FTP connects and logs into the specified host, then enters an interactive command mode
Electronic mail is one of the most heavily used network-based applications. With the explosively growing reliance on e-mail,there grows a demand for security e-mail systems. In an e-mail system, there are a sender and a receiver. However, usually the receiver is not on-line. So in an e-mail system, usually there is no massage interchange when the sender sends an e-mail. On the order hand, some e-mail system (a.g SMTP) only can deliver ASCll codes.
Security provided in E-mail
• Confidentiality
• Data origin authentication
• Message integrity
• Non-repudiation of origin.
• Key management
MIME
MIME = Mutlipurpose Internet Mail Extension.
• Extends the capabilities of RFC 822 to allow e-mail to carry non-textual content, non-ASCII character sets, long message.
• Uses extra header fields in RFC 822 e-mail to specify form and content of extensions.
• Supports a variety of content types, but e-mail still ASCII-coded for compatibility.
• Specified in RFCs 2045-2049.
How e-mail transported?
MUA = Mail user agent (mail client)
MTA = Mail transport agent (mail server)
E-mail Security Threats
Two main group:
• Threats to the security of e-mail itself.
• Threats to an organisation that are enable by the use of e-mail.
Loss of confidentially
• Email are sent it clear over open network.
• Email stored on potentially insecure clients and mail servers.
• Ensuring confidentiality may be important for email sent withi an organisation.
Loss of integrity
• No integrity protection on email, body can be altered in transit or on maul server.
Lack of data origin authentication
• Email could also be altered in transit.
• Sharing of email password common.
Lack of non-repudiation
• Can i rely and act on the content?(integrity)
• If so, can the sender later deny having sent it?Who is liable if i have acted?
• Example of stock-trading via email.
Threats enables by email
• Its easier to distribute information by email than it is by paper and snail mail.
• Disclosure may be deliberate (and malicious) or unintentional.
• Disclosure may be internal or external (email crosses LANs as well as the internet)
• Disclosure may be of personal, inappropriate, commercially sensitive or proprietary information.
• Can lead to loss of reputation and ultimately dismissal of staff.
S/MIME
SEcure/Multipurpose Internet Mail Extension (S/MIME) is another enchaced email system. Similar to PGP which uses sidnature scheme, session key and secret key encryption. S/MIME version 3 message specification is given in RFC2633.
It appears likely that S/MIME will emerge as the industry standard for commercial and organization use, while PGP will remain the choice for personal use.
PGP
Pretty good privary or PGP was developed by Phil Zimmermman. PGP uses public key encryption, signature scheme,hash function, secret key enryption, compression fuction and email compatibility. Functionality similar to S/MIME is an encryption for confidentiality and signature for non-repudiation/ authenticity.
One level of processing only, so less flexible than S/MIME. Sign before encrypt, so signature on unencrypted data. PGP processed data is base64 encoded and carried inside RFC822 message body.
Web Security
Web security included 3 parts:
1. Security of server.
2. Security of client
3. Network traffic security between a browser and a server.
Security pf server and security of client are problems of computer security. Network security can considered at different level , for examples network level: use IPSec, Transport level:Use SSL (Secure socket layer) or TLS (Transport layer security) and Application level: Use PGP,S/MIME,SET(Secure Electronic Transaction).
Secure Socket Layer (SSL)
SSL is develop by Netscape. The main part of SSL contains several protocol:SSL Handshake protocol, SSL change cipher spec protocl,SSL alert protocol, and SSL record protocol.
Secure Shell (SSH)
1. Initially designed to replace insecure SSH, telnel utilities.
2. Secure remote administration (mostly of Unix system).
3. Extended to support secure file transfer and email.
4. Latterly, provide a general secure channel for network application.
5. SSH-1 flawed, SSH-2 better secure security (and different architecture).
Secure Electronic Transaction (SET)
SET is an open encryption and security specification designed to protect credit card transaction on the internet . SSL secures communications between a client and a server.
Set secure issues
Two pairs of PKs parentity
1. One pair for signing.
2. One pair for exchanging keys.
How the web Works-HTTP - Hypertext transfer protocol (HTTP)
- Clients request 'document' through URL
- Server Respons with 'document'
- Document are not interpreted by http
- Stateless protocol, request are indepent.
How the Web works: other elements
-Hyper-text markup language (html).
-Other application specific document.
-E.G., MIME, graphics, video/audio, postscript, Java applets, etc.
-Browsers.
-Display html documents and embedded graphics.
-Run Java program.
-Start helper applications.
How to secure the web
~Athentication
1. Basic (username,password)
- Can be used along with cookie.
2. Digest
~ Access control via address
~Multi layered:
1- S-http(secure http), just for http
- Proposed by CommerceNet,pretty much dead.
2. SSL(TLS),generic for TCP
- https;http over SSl
3. IPsec
HTTP Authentication - Client doesnt know which method
- Client attempts access (GET,PUT) normally
- Server returns
~401 unauthorized
~Realm protection space
- Client tries again with
From Basic Authentication to Forms and Cookies
• Not all sites use basic authentication
• Many instead ask the user to type username/password into a HTML form
• Server looks up the user and sends back a cookie
• The browser (client) resends the cookie on subsequent requests
HTTP Access Control - Digest
1. Server sends www-authenticate parameters:
~ Realm
~ Domain
~ Nonce, new for each 401 response
- E.G. H(client-IP:timestamp:server-secret)
~ Algorithm
- E.G., MD5
2. Client sends authorization response:
~ Same nonce
~ H(A1), where a1=user:realm:password, and other information
~ Steal H(A1)
- Only good for realm
HTTPS
• HTTPS = Secure Hypertext Transfer Protocol
• HTTPS is a communications protocol designed to transfer encrypted information between computers over the World Wide Web (WWW)
• Essentially an implementation of HTTP
• Commonly used Internet protocol using an SSL
• Used to enable online purchasing or the exchange of private information and resources over insecure networks
Why HTTPS combines with SSL and How?
• HTTPS combines with SSL to enable secure communication between a client and a server
• Steps:
- Client requests a secure transaction and informs the encryption algorithms and key sizes that it support (by assessing a URL with HTTPS)
- Server sends the requested server certificate (encrypted server’s public key, list of supported ciphers and key sizes in order of priority)
- Client then generates a new secret symmetric session key basedon the priority list sent by the server. Client compares the certificate issued by CA and confirmed that certificate is belongs to the server intended for communication
• Steps:
- If valid and certificate confirmed, client encrypts a copy of the new session key it generated with the server public key obtained from the certificate. Then, client sends the new encrypted key to server
- Server decrypts the new session key with its own private key.
- Upon completed, both client and server have the same secret session key and use to secure communication and data transport.
Secure File Transfer Protocol (S/FTP)
• S/FTP is an interactive file transfer program
• Similar to ftp
• Performs all operations over an encrypted ssh transport
• Use many features of ssh such as public key authentication and compression
• S/FTP connects and logs into the specified host, then enters an interactive command mode
Sunday, September 6, 2009
#6 NETWORK in SECURITY
Computer Network
A computer network is a system in which computers are connected to share information and resources. The connection can be done as peer-to-peer or client/server. This web site reviews the techniques you can use to set up and possibly manage a network for home or a small business.
What is a network can provide?
Logical interface function:
• sending messages
• receiving messages
• executing program
• obtaining status information
• obtaining status information on other network users and their status
• Node
Single computing system in a network.
• Host
A single computing system's processor.
• Link
A connection between two hosts.
• Topology
The pattern of links in a network.
Network Topology
Bus Topology
Bus networks (not to be confused with the system bus of a computer) use a common backbone to connect all devices. A single cable, the backbone functions as a shared communication medium that devices attach or tap into with an interface connector. A device wanting to communicate with another device on the network sends a broadcast message onto the wire that all other devices see, but only the intended recipient actually accepts and processes the message.
Ethernet bus topologies are relatively easy to install and don't require much cabling compared to the alternatives. 10Base-2 ("ThinNet") and 10Base-5 ("ThickNet") both were popular Ethernet cabling options many years ago for bus topologies. However, bus networks work best with a limited number of devices. If more than a few dozen computers are added to a network bus, performance problems will likely result. In addition, if the backbone cable fails, the entire network effectively becomes unusable.
Ring Topology
In a ring network, every device has exactly two neighbors for communication purposes. All messages travel through a ring in the same direction (either "clockwise" or "counterclockwise"). A failure in any cable or device breaks the loop and can take down the entire network.
To implement a ring network, one typically uses FDDI, SONET, or Token Ring technology. Ring topologies are found in some office buildings or school campuses.
Star Topology
Many home networks use the star topology. A star network features a central connection point called a "hub" that may be a hub, switch or router. Devices typically connect to the hub with Unshielded Twisted Pair (UTP) Ethernet.
Compared to the bus topology, a star network generally requires more cable, but a failure in any star network cable will only take down one computer's network access and not the entire LAN. (If the hub fails, however, the entire network also fails.)
Mesh Topology
Mesh topologies involve the concept of routes. Unlike each of the previous topologies, messages sent on a mesh network can take any of several possible paths from source to destination. (Recall that even in a ring, although two cable paths exist, messages can only travel in one direction.) Some WANs, most notably the Internet, employ mesh routing.
A mesh network in which every device connects to every other is called a full mesh. As shown in the illustration below, partial mesh networks also exist in which some devices connect only indirectly to others.
Open Systems Interconnection (OSI)
• Describes computer network communications.
• Developed by the International Standards Organization (ISO).
• Consists of Seven Layers.
• Model describes peer-to-peer correspondence, relationship between corresponding layers of sender and receiver.
• Each layer represents a different activity performed in the actual transmission of a message.
• Each layer serves a separate function.
• Equivalent layers perform similar functions for sender and receiver.
Who can cause security problem?
1. Hacker
2. Spy
3. Student
4. Businessman
5. Ex-employee
6. Stockbroker
7. Terrorist
Network security problem area:
1. Authentication - hacker want to be an autheriza user, so they am this first.
2. Secrecy - In the midle between sender and receiver.
3. Non- repudiation - deal with digital signature.
4. Integrity - Ensure that only authorize user allow to change the data.
Disadvantages of computing network
1. Sharing.
2. Complexity.
3. Unknown paramenter - alot of point on the network that possible to exploite to capture packet.
4. Ananomity - For a big network,we dont even know who at the other point. eg: some one may hack the DNS server before take over the website.
5. Sequrity exposure - Privacy, data integrity, authenticity, convert channel, impersonaty and evesdropping.
Threaten Network
1. Denial Of Service - DOS, DDOS
2. Packet replay - Capture packet that being sent to the AP that using WEP, but it use a lot of time so we use packet replay to dacoy the AP while sniffing the packet without change that packet's content.
3. Packet notification - capture and change the packet's content.
Firewall
A firewall is a part of a computer system or network that is designed to block unauthorized access while permitting authorized communications. It is a device or set of devices configured to permit, deny, encrypt, decrypt, or proxy all (in and out) computer traffic between different security domains based upon a set of rules and other criteria.
Firewalls can be implemented in either hardware or software, or a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria.
There are several types of firewall techniques:
1. Packet filter: Packet filtering inspects each packet passing through the network and accepts or rejects it based on user-defined rules. Although difficult to configure, it is fairly effective and mostly transparent to its users. In addition, it is susceptible to IP spoofing.
2. Application gateway: Applies security mechanisms to specific applications, such as FTP and Telnet servers. This is very effective, but can impose a performance degradation.
3. Circuit-level gateway: Applies security mechanisms when a TCP or UDP connection is established. Once the connection has been made, packets can flow between the hosts without further checking.
4. Proxy server: Intercepts all messages entering and leaving the network. The proxy server effectively hides the true network addresses.
Function
A firewall is a dedicated appliance, or software running on a computer, which inspects network traffic passing through it, and denies or permits passage based on a set of rules.
It is a software or hardware that is normally placed between a protected network and an unprotected network and acts like a gate to protect assets to ensure that nothing private goes out and nothing malicious comes in.
A firewall's basic task is to regulate some of the flow of traffic between computer networks of different trust levels. Typical examples are the Internet which is a zone with no trust and an internal network which is a zone of higher trust. A zone with an intermediate trust level, situated between the Internet and a trusted internal network, is often referred to as a "perimeter network" or Demilitarized zone (DMZ).
A firewall's function within a network is similar to physical firewalls with fire doors in building construction. In the former case, it is used to prevent network intrusion to the private network.
In the latter case, it is intended to contain and delay structural fire from spreading to adjacent structures.
Without proper configuration, a firewall can often become worthless. Standard security practices dictate a "default-deny" firewall ruleset, in which the only network connections which are allowed are the ones that have been explicitly allowed.
KERBEROS
Kerberos is a computer network authentication protocol, which allows nodes communicating over a non-secure network to prove their identity to one another in a secure manner. It is also a suite of free software published by Massachusetts Institute of Technology (MIT) that implements this protocol.
Its designers aimed primarily at a client-server model, and it provides mutual authentication both the user and the server verify each other's identity. Kerberos protocol messages are protected against eavesdropping and replay attacks.
Kerberos builds on symmetric key cryptography and requires a trusted third party. Extensions to Kerberos can provide for the use of public-key cryptography during certain phases of authentication.
DRAWBACK
Single point of failure: It requires continuous availability of a central server. When the Kerberos server is down, no one can log in. This can be mitigated by using multiple Kerberos servers and fallback authentication mechanisms.
Kerberos requires the clocks of the involved hosts to be synchronized. The tickets have a time availability period and if the host clock is not synchronized with the Kerberos server clock, the authentication will fail. The default configuration requires that clock times are no more than 10 minutes apart.
In practice Network Time Protocol daemons are usually used to keep the host clocks synchronized.
The administration protocol is not standardized and differs between server implementations. Password changes are described.
Since all authentications is controlled by a centralized KDC, compromise of this authentication infrastructure will allow an attacker to impersonate any user.
Subscribe to:
Comments (Atom)
