CSE543 Comp. Security: Lecture 16 - Network Security w/ Prof. Jaeger (Fall 2006), Study notes of Computer Science

A portion of the lecture notes from a computer and network security course (CSE543) taught by Professor Jaeger at Penn State University in the fall of 2006. The notes cover the topic of network security, including various threats, filtering techniques, and firewalls. The document also includes information about midterm exams, project meetings, and practical issues related to network security.

Uploaded on 09/24/2009

CSE543 Computer (and Network) Security - Fall 2006 - Professor Jaeger
CSE 543 - Computer Security
(Fall 2006)
Lecture 16 - Network Security
October 31, 2006
URL: http://www.cse.psu.edu/~tjaeger/cse543-f06

Midterm

Grades

85-100 -- A (4)

76-81 -- B+/A- (8)

66-73 -- B+/B (14)

59-63 -- B/B- (4)

53-56 -- C (2)

45-50 -- D (5)

Impact

15% of grade (less than presentations and homeworks)

Much less than project; much less than final

Need over 50% on one test to get B-

Question 20

Given a trusted authority, use public key crypto to send a key to another party

Just what X needs to send

X is sender; Y is receiver; M is authority

Y needs X’s public key: X+, X, {H(X+, X)}M-

X needs to ensure authenticity, secrecy, and integrity of key

{K, X, {H(K, X)}X-}Y+

How about with a secret group key

Need authenticity, secrecy, and integrity

{K, X}Kg, HMAC(Kg, {K, X})

Project Meetings

Meet with groups

Discuss experiment

Try to propose experiment

Th, Fr, M

Will send an email to schedule

Project slides are not due until 11/

Network security: the high bits

The network is …

… a collection of interconnected computers

… with resources that must be protected

… from unwanted inspection or modification

… while maintaining adequate quality of service.

Another way of seeing network security is

Securing the network infrastructure such that the integrity, confidentiality, and availability of the resources is maintained.

Q: How do we do this?

The network …

[Figure: network diagram showing the Internet and a LAN; labels: (perimeter), (hosts/desktops), (edge), (server), (remote hosts/servers)]

Network security – the tools …

Filtering

Firewalls

Communication Security and Services

DNSsec, IPsec, SSH, ...

Isolation

VPNs, VLANs

Detection and mitigation

intrusion detection

DDOS tools

Filtering: the threats

  • Adversary 1: some external network entity attempting to gain access to internal resources

  • Adversary 2: some internal, but malicious entity (or software) trying to expose sensitive data

  • Adversary 3: some internal or external entity that is preventing access to internal resource (DOS)

Firewall Policy

Specifies what traffic is (not) allowed

Maps attributes to address and ports

Example: HTTP should be allowed to any external host, but inbound only to web-server

xListing

  • Blacklisting - specifying specific connectivity that is explicitly disallowed

E.g., prevent connections from badguys.com

  • Whitelisting - specifying specific connectivity that is explicitly allowed

E.g., allow connections from goodguys.com

These are useful for IP filtering, SPAM mitigation, …

Q: What access control policies do these represent?

DMZ (De-militarized Zone)

[Figure: DMZ diagram; labels: (servers), LAN, Internet, LAN]

Practical Issues and Limitations

Network layer firewalls are dominant

DMZs allow multi-tiered fire-walling

Tools are widely available and mature

Personal firewalls gaining popularity

Issues

Network perimeters not quite as clear as before

E.g., telecommuters, VPNs, wireless, …

Every access point must be protected

E.g., this is why war-dialing is effective

Hard to debug, maintain consistency and correctness

Often seen by non-security personnel as impediment

E.g., Just open port X so I can use my wonder widget …

SOAP - why is this protocol an issue?

Interesting tid-bits from the Wool study

12 error classes

No default policy, automatic broad tools

NetBIOS (the very use of the Win protocol deemed error)

Portmapper protocols

Use of “any wildcards”

Lack of egress rules

Interesting questions:

Is the violation of Wool’s errors really a problem?

“DNS attack” comment?

Why do you think more expensive firewalls had a higher occurrence of errors?

Take away: configurations are bad
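
An added example (not from the lecture or from Wool's study): a small Python linter that checks an ordered, first-match rule list for the error types named on this slide, run on a weak rule set and on one that encodes the earlier "HTTP out to any host, inbound only to web-server" policy. The Rule model, the label names, the addresses, and the reading of "no default policy" as a missing final deny-all rule are assumptions.

```python
from dataclasses import dataclass

ANY = "any"
RISKY = {137: "netbios", 138: "netbios", 139: "netbios", 111: "portmapper"}

@dataclass(frozen=True)
class Rule:
    direction: str  # "in" = Internet to inside, "out" = inside to Internet
    action: str     # "allow" or "deny"
    src: str        # address, prefix, or "any"
    dst: str
    port: object    # int or "any"

def is_default_deny(rule):
    return rule.action == "deny" and (rule.src, rule.dst, rule.port) == (ANY, ANY, ANY)

def lint(rules):
    """Return the set of error labels for an ordered, first-match rule list."""
    findings = set()
    for direction in ("in", "out"):
        chain = [r for r in rules if r.direction == direction]
        if direction == "out" and not chain:
            findings.add("no-egress-rules")
        # Assumption: "no default policy" means the chain lacks a final deny-all.
        if not chain or not is_default_deny(chain[-1]):
            findings.add(f"no-default-deny:{direction}")
    for r in (r for r in rules if r.action == "allow"):
        # Assumption: "any" is an error as a port, or as an inbound destination.
        if r.port == ANY or (r.direction == "in" and r.dst == ANY):
            findings.add("any-wildcard")
        if r.port in RISKY:
            findings.add(f"{RISKY[r.port]}-allowed")
    return findings

# Constructed rule sets; 192.0.2.0/24 is a documentation address range.
WEAK = [
    Rule("in", "allow", ANY, ANY, 80),            # HTTP inbound to every host
    Rule("in", "allow", ANY, "192.0.2.20", 139),  # NetBIOS session service
    Rule("in", "allow", ANY, "192.0.2.20", 111),  # portmapper
]
FIXED = [
    Rule("in", "allow", ANY, "192.0.2.10", 80),     # inbound HTTP only to web server
    Rule("in", "deny", ANY, ANY, ANY),
    Rule("out", "allow", "192.0.2.0/24", ANY, 80),  # HTTP out to any external host
    Rule("out", "deny", ANY, ANY, ANY),
]
if __name__ == "__main__":
    print(sorted(lint(WEAK)))
    print(sorted(lint(FIXED)))
```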

Worms