Security Service

Network Security
Marco Carli
Roadmap
- Introduction
- Security services
  - X.800
  - RFC 2828
- Players
- Conclusions
Once ...
- Centralized information
- Centralized processing
- Remote terminal access
... now:
- Distributed information
- Distributed processing
- Remote smart systems access
Network security
- Networks are composed of interconnected hosts
- Hosts provide services and store information
- Users access services and exchange/store information
Network security
- In a distributed setting it is important to assure:
  - privacy/confidentiality
  - integrity/consistency
  - availability
  - etc.
Security Service
Definition:
- it enhances the security of the data processing systems and the information transfers of an organization;
- it is intended to counter security attacks;
- it makes use of one or more security mechanisms to provide the service.
Security Service - 2
- Security services replicate functions normally associated with physical documents, which for example:
  - have signatures and dates;
  - need protection from disclosure, tampering, or destruction;
  - may be notarized or witnessed;
  - may be recorded or licensed;
  - ...
Security Services (X.800 and RFC 2828)
- ITU-T Recommendation X.800 (Security Architecture for OSI):
  - defines a systematic way of defining and providing security requirements;
  - gives a useful abstract overview of security concepts.
- X.800 defines a Security Service as:
  - a service provided by a protocol layer of communicating open systems, which ensures adequate security of the systems or of data transfers.
Security Services (X.800 and RFC 2828)
- IETF RFC 2828 (Internet Security Glossary) defines a Security Service as:
  - a processing or communication service provided by a system to give a specific kind of protection to system resources;
  - security services implement security policies, and are implemented by security mechanisms.
Security Services (X.800)
1. Authentication - the communicating entity is the one claimed
2. Access Control - prevention of the unauthorized use of a resource
3. Data Confidentiality - protection of data from unauthorized disclosure
4. Data Integrity - assurance that data received is as sent by an authorized entity
5. Non-Repudiation - protection against denial by one of the parties in a communication
Authentication - simple
(Figure: Jane: "Hi, I am Jane". Mary: "Prove it".)

Authentication - mutual
(Figure: Jane phones Trust Company: "Hi, I am Jane. Is Trust there?" Trust Company: "Hi Jane. Trust is speaking!" Each side then asks the other for PROOF of who is speaking; a further label in the figure reads "Is Linda there?". A second figure repeats the exchange Jane: "Hi, I am Jane", Mary: "Prove it", now with both sides having to prove their identity.)
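The "Hi, I am Jane / Prove it" exchange above is a challenge-response protocol. The following is an added example (not code from the slides) of mutual authentication between Jane and Mary with a shared key, using Python's standard library only. The key value, the names and the message order are assumptions for the illustration; what it shows is why each side must issue a fresh challenge, why a recorded answer cannot be replayed, and why the responder's identity is bound into the answer so that a challenge bounced back at its issuer cannot be turned into a "proof".

```python
import hashlib
import hmac
import secrets

# Constructed shared secret for this example; in practice it is provisioned
# out of band (hypothetical value, not from the slides).
SHARED_KEY = b"example-shared-key-jane-mary"


def make_challenge() -> bytes:
    """Fresh unpredictable nonce. A predictable or reused challenge lets an
    eavesdropper replay a recorded answer."""
    return secrets.token_bytes(16)


def respond(key: bytes, responder: str, challenge: bytes) -> bytes:
    """Answer a challenge by proving knowledge of the key. The responder's
    own name is bound into the MAC so that a challenge reflected back at its
    issuer cannot be answered on the attacker's behalf."""
    return hmac.new(key, responder.encode() + b"|" + challenge,
                    hashlib.sha256).digest()


def verify(key: bytes, responder: str, challenge: bytes, response: bytes) -> bool:
    """Check a response; compare_digest avoids a timing side channel."""
    return hmac.compare_digest(respond(key, responder, challenge), response)


def mutual_authentication(jane_key: bytes, mary_key: bytes):
    """The four-message exchange of the slide. Each side issues its own
    challenge and checks the other's answer; returns what each side
    concluded. Passing different keys models a party that does not hold the
    real secret."""
    # 1. Jane -> Mary: "Hi, I am Jane", here is my challenge
    c_jane = make_challenge()
    # 2. Mary -> Jane: "Prove it": her answer plus her own challenge
    r_mary = respond(mary_key, "Mary", c_jane)
    c_mary = make_challenge()
    # 3. Jane -> Mary: her answer to Mary's challenge
    r_jane = respond(jane_key, "Jane", c_mary)
    # 4. Both sides decide
    jane_accepts_mary = verify(jane_key, "Mary", c_jane, r_mary)
    mary_accepts_jane = verify(mary_key, "Jane", c_mary, r_jane)
    return jane_accepts_mary, mary_accepts_jane


def replay_is_rejected(key: bytes) -> bool:
    """A recorded answer to an old challenge does not satisfy a new one."""
    old_c = make_challenge()
    old_r = respond(key, "Jane", old_c)
    new_c = make_challenge()
    return verify(key, "Jane", old_c, old_r) and not verify(key, "Jane", new_c, old_r)


def reflection_is_rejected(key: bytes) -> bool:
    """An attacker opens a second session to Mary, sends her own challenge
    back to her, and tries to pass her answer off as Jane's. The name
    binding makes Mary's answer unusable as 'Jane'."""
    c_mary = make_challenge()
    mary_answer_to_own_challenge = respond(key, "Mary", c_mary)
    return not verify(key, "Jane", c_mary, mary_answer_to_own_challenge)


if __name__ == "__main__":
    print("both hold the key:", mutual_authentication(SHARED_KEY, SHARED_KEY))
    print("Mary is an impostor:", mutual_authentication(SHARED_KEY, b"wrong-key"))
    print("replay rejected:", replay_is_rejected(SHARED_KEY))
    print("reflection rejected:", reflection_is_rejected(SHARED_KEY))
```

With a shared key this is peer entity authentication in the RFC 2828 sense: it confirms, for the duration of this association, that the peer holds the key. It says nothing about later messages unless they are bound to the session (for instance by deriving a session key from the exchange), and it cannot convince a third party, because either party could have produced any of the answers.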
Authorization
(Figure: "Give me Alice's car". Mary: "Did she authorize you?")
Integrity
- Data has not been changed, destroyed, or lost in an unauthorized or accidental manner
- Maintaining demonstrable data integrity is one of the cardinal aims of data security
Privacy, secrecy
- 'Privacy' and 'secrecy' are easily confused.
  - Secrecy is something you might seek.
  - Privacy is something you should have.
- You might, for example, wish to keep some communications secret.
- You should have the right to expect that the communications remain private.
- However, neither is easily attainable in the modern world.
- Strong encryption can render data communications secret and private, but only depending on where you live in the world.
Non repudiation
- Attribute of communications that seeks to prevent future false denial of involvement by either party.
  - With proof of origin: provides the recipient of data with evidence that proves the origin of the data.
  - With proof of receipt: provides the originator of data with evidence that proves the data was received as addressed.
- Non-repudiation is consequently an essential element of trust in e-business.
Non repudiation
Problems:
- The signature is a forgery;
- The signature is not a forgery, but was obtained via:
  - unconscionable conduct by a party to the transaction;
  - fraud instigated by a third party;
  - undue influence exerted by a third party.
- When did you sign it?
- Where did you sign it?
Security services (RFC 2828): overview
- Access control
- Audit
- Data origin authentication
- Peer entity authentication
- Availability
- Data confidentiality
- Data integrity
- System integrity
- Non-repudiation
Security Services (RFC 2828)
- Access control service:
  - protection of system resources against unauthorized access
- Audit service:
  - records information needed to establish accountability for system events and for the actions of system entities that cause them
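An audit service is only useful for accountability if the record itself cannot be quietly rewritten by the entity it is supposed to hold accountable. The following added example (not code from the slides) shows one common way to make a security audit trail tamper-evident: each record carries the hash of the previous one, so altering or removing an earlier event breaks the chain. The event fields, actors, host names and timestamps are constructed for the illustration.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value for the first record


def _record_hash(prev: str, fields: dict) -> str:
    """Hash of the canonical record body, bound to the previous record's hash."""
    body = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev.encode() + body).hexdigest()


def append_event(log: list, actor: str, action: str, target: str, ts: str) -> dict:
    """Append one accountability record: who did what, to what, when."""
    prev = log[-1]["hash"] if log else GENESIS
    fields = {"seq": len(log), "ts": ts, "actor": actor,
              "action": action, "target": target, "prev": prev}
    record = dict(fields, hash=_record_hash(prev, fields))
    log.append(record)
    return record


def verify_chain(log: list):
    """Walk the chain; return (True, -1) or (False, index of first bad record)."""
    prev = GENESIS
    for i, rec in enumerate(log):
        fields = {k: v for k, v in rec.items() if k != "hash"}
        if rec.get("seq") != i or rec.get("prev") != prev:
            return False, i
        if _record_hash(prev, fields) != rec["hash"]:
            return False, i
        prev = rec["hash"]
    return True, -1


def build_sample_log() -> list:
    """Constructed sample events (hypothetical actors, hosts and times)."""
    log = []
    append_event(log, "jane", "login", "host-1", "2002-05-01T09:00:00Z")
    append_event(log, "jane", "read", "/etc/shadow", "2002-05-01T09:01:10Z")
    append_event(log, "mary", "login", "host-1", "2002-05-01T09:05:00Z")
    return log


def tamper_demo():
    """Two ways an insider might try to escape accountability."""
    edited = copy.deepcopy(build_sample_log())
    edited[1]["actor"] = "mary"          # blame someone else for the read
    truncated = build_sample_log()
    del truncated[1]                     # drop the embarrassing record
    return verify_chain(edited), verify_chain(truncated)


if __name__ == "__main__":
    print("intact:", verify_chain(build_sample_log()))
    print("edited, truncated:", tamper_demo())
```

Two caveats a practitioner should keep in mind. First, the chain only makes changes detectable after the fact; it does not prevent them, which is exactly the limitation the slides note for the data integrity service. Second, cutting off the newest records is not detected by the chain alone: the current head hash has to be regularly anchored somewhere the logging host cannot alter (a separate log collector, a signed checkpoint, or a notary), otherwise whoever controls the logger can simply rebuild a shorter, internally consistent chain.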
Security Services (RFC 2828)
- Authentication service:
  - a security service that verifies an identity claimed by or for an entity
  - in a network, there are two general forms of authentication service:
    (i) data origin authentication service,
    (ii) peer entity authentication service
Security Services (RFC 2828)
(i) data origin authentication service:
- verifies the identity of an entity that is claimed to be the original source of received data
- provided to any entity that receives or holds the data
Security Services (RFC 2828)
(ii) peer entity authentication service:
- verifies an identity claimed by or for a system entity in an association
- used to confirm the identity of one entity to another, thus protecting against a masquerade by the first entity
- this service requires an association to exist between the two entities
Security Services (RFC 2828)
- Availability service:
  - protects a system to ensure its availability
  - counters denial-of-service attacks
- Data confidentiality service:
  - information is not made available or disclosed to unauthorized individuals, entities, or processes (i.e., to any unauthorized system entity)
  - protects data against unauthorized disclosure
Security Services (RFC 2828)
- Data integrity service:
  - data has not been changed, destroyed, or lost in an unauthorized or accidental manner
  - deals with constancy of and confidence in data values, not with the information that the values represent
  - protects against unauthorized changes to data (intentional or not) by ensuring that changes to data are detectable
Security Services (RFC 2828)
- The data integrity service can only detect a change and report it to an appropriate system entity; changes cannot be prevented unless the system is perfect (error-free) and no malicious user has access
- However, a system that offers a data integrity service might also attempt to correct and recover from changes
- Although the data integrity service is defined separately from the data origin authentication service and the peer entity authentication service, it is closely related to them
Security Services (RFC 2828)
- System integrity service:
  - system integrity is the quality that a system has when it can perform its intended function
  - protects system resources in a verifiable manner against unauthorized or accidental change, loss, or destruction
Security Services (RFC 2828)
- Non-repudiation service:
  - a security service that provides protection against false denial of involvement in a communication
  - does not prevent an entity from repudiating; it provides evidence that can be stored and later presented to a third party
Security Services (RFC 2828)
- There are two basic kinds of non-repudiation service:
  1. "non-repudiation with proof of origin": this service can be viewed as a stronger version of a data origin authentication service, in that it proves authenticity to a third party
  2. "non-repudiation with proof of receipt": protects the originator against an attempt by the recipient to falsely deny receiving the data
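The three services defined above (data integrity, data origin authentication, and non-repudiation with proof of origin) are easy to confuse because each one "checks a tag on the data". The following added example (not code from the slides) puts them side by side with Python's standard library only: an unkeyed digest for integrity, an HMAC under a shared key for data origin authentication, and a Lamport one-time signature, built from nothing but the hash function, for non-repudiation. The messages and keys are constructed for the illustration. The point it makes that the text alone does not show is why the shared-key MAC is not proof of origin: the recipient holds the same key, so she could have produced the tag herself, and a third party cannot tell the difference; the signature, whose verification key is public and whose signing key is private, removes that ambiguity.

```python
import hashlib
import hmac
import secrets


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# --- data integrity: detects change, cannot prevent it --------------------
def integrity_tag(msg: bytes) -> bytes:
    """Unkeyed digest. Anyone can recompute it, so it only catches accidental
    or careless modification; an attacker who alters the data can also
    replace the tag."""
    return H(msg)


def integrity_ok(msg: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(integrity_tag(msg), tag)


# --- data origin authentication: keyed MAC under a shared key --------------
def origin_tag(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def origin_ok(key: bytes, msg: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(origin_tag(key, msg), tag)


# --- non-repudiation with proof of origin: a digital signature -------------
# Lamport one-time signature: the private key is 256 pairs of random
# preimages, the public key their hashes. Signing reveals one preimage per
# bit of the message digest. A verifier needs only the public key and cannot
# forge, so a third party can be convinced. Each key signs ONE message only.
def lamport_keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def _digest_bits(msg: bytes):
    d = int.from_bytes(H(msg), "big")
    return [(d >> i) & 1 for i in range(256)]


def lamport_sign(sk, msg: bytes):
    return [sk[i][bit] for i, bit in enumerate(_digest_bits(msg))]


def lamport_verify(pk, msg: bytes, sig) -> bool:
    if len(sig) != 256:
        return False
    return all(H(s) == pk[i][bit]
               for i, (s, bit) in enumerate(zip(sig, _digest_bits(msg))))


def demo():
    """Constructed messages and keys; returns the outcomes the text predicts."""
    key = b"shared-key-between-jane-and-mary"     # hypothetical shared key
    msg = b"Jane: transfer 100 to account 42"     # constructed message
    altered = b"Jane: transfer 900 to account 42"
    results = {}
    # integrity: the change is detected, but a forger can simply re-tag the altered data
    results["integrity_detects_change"] = not integrity_ok(altered, integrity_tag(msg))
    results["integrity_retag_by_forger"] = integrity_ok(altered, integrity_tag(altered))
    # origin authentication: Mary (recipient) is convinced the tag came from a key holder
    results["origin_accepts_genuine"] = origin_ok(key, msg, origin_tag(key, msg))
    # ...but Mary holds the same key, so she can tag a message Jane never sent;
    # a judge cannot distinguish the two cases: authentication, not proof of origin
    results["recipient_can_forge_mac"] = origin_ok(key, altered, origin_tag(key, altered))
    # non-repudiation: only Jane's private key signs; anyone with the public key
    # (Mary or a third party) verifies, and altering the data or the signature fails
    sk, pk = lamport_keygen()
    sig = lamport_sign(sk, msg)
    results["signature_verifies"] = lamport_verify(pk, msg, sig)
    results["signature_rejects_altered"] = lamport_verify(pk, altered, sig)
    results["forgery_without_private_key"] = lamport_verify(
        pk, altered, [secrets.token_bytes(32) for _ in range(256)])
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Two practical notes. A signature gives non-repudiation only if the public key is reliably bound to Jane (which is what the X.800 notarization mechanism and certificates are for) and the private key never leaves her control; the "problems" listed on the earlier non-repudiation slide (forgery, coercion, when and where it was signed) are exactly the gaps that a bare signature does not close. And a Lamport key must not be reused: signing a second message reveals further preimages, after which an attacker can sign messages of his own choosing.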
Security Mechanisms (X.800)
- Specific security mechanisms (can be included in the appropriate communication layer):
  - encipherment
  - digital signatures
  - access controls
  - data integrity
  - authentication exchange
  - traffic padding
  - routing control
  - notarization (third-party authentication)
Security Mechanisms (X.800)
- Pervasive security mechanisms (general):
  - trusted functionality
  - security labels
  - event detection
  - security audit trails
  - security recovery
Relationship Between Security Services and Mechanisms
(Table from X.800 mapping each service to the mechanisms that provide it; not reproduced in the text.)
The enemy
Where is the enemy?
- Outside the boundary: defend it! Firewall
- Inside: protect the LAN/Intranet
- Among the partners: protect the Extranet (VPN)
- Everywhere: protect the applications
From...
- internal systems (33%)
- remote dial-up (12%)
- Internet (74%)
(Computer Security Institute/FBI 2002 report)
Effects
- Denial of service (40%)
- Viruses (85%)
- Unauthorized access (40%)
- Theft of secrets (20%)
- Fraud (12%)
- Sabotage (8%)
- Unauthorized network use (78%)
2002 CSI/FBI Computer Crime & Security Survey
- 89% are protected by a firewall
- 60% use an IDS (Intrusion Detection System)
- 40% of intrusions come from outside!
- 90% are protected by antivirus software
- 85% were affected by viruses, worms, trojans, etc.
Attackers
- Script kiddies download malicious software (from hacker web sites)
- Hackers' game: prove to their peers that they can compromise a specific system
- Insiders access data that they have no right to access
- Organizational-level attackers use the full resources of an organization to attack
System insecurity
- "Attack technology is developing in an open source environment and is evolving rapidly"
- "Thousands - perhaps millions - of systems with weak security are connected to the Internet"
System insecurity
- "The explosion in use of the Internet is straining our poor technical talent. The average level of system administrators ... has decreased dramatically in the last 5 years"
- "Increasingly complex software is being written by programmers who have no training in writing secure code"
System insecurity
- "Attacks and attack tools transcend geography and national boundaries"
- "The difficulty of criminal investigation of cybercrime coupled with the complexity of international law means that ... prosecution of computer crime is unlikely"
Problems
- Networks were created with a different purpose: no encryption
- User authentication is weak: passwords
- No mutual authentication
- LAN: broadcast
- MAN: shared networks, third-party equipment
- Software bugs
- Viruses...
Problems
- Networks have uncertain boundaries (WLAN, tunneling, mobility, UMTS, ...)
- More bandwidth, more services (UMTS!!)
- Increasing complexity:
  - Internet
  - Operating systems:
    - Windows 3.1 ~ 3 million lines of code
    - Windows 95 ~ 15 million
    - Windows 2000 ~ 60 million
Security
- The protection of resources (including data and programs) from accidental or malicious modification, destruction, or disclosure
References
- W. Stallings, "Cryptography and Network Security: Principles and Practice", 3rd Edition, Prentice Hall
- C. Kaufman, R. Perlman, M. Speciner, "Network Security: Private Communication in a Public World", 2nd Edition, Prentice Hall