LANs, WANs, WLANs are known as edge networks
May be contained within businesses or homes
Needs to be protected from the rest of the Internet!
Cannot stop malicious packets from getting into an edge network
Can determine whether an incoming IP packet comes from a trusted user
However, not all host computers have resources to run authentication algorithms
Host computers managed by different users with different skill levels.
Any message written over a fixed set of symbols can be represented as a binary string (a sequence of 0's and 1's)
Binary digits 0 and 1 are called bits
To reduce computation overhead, encryption algorithms should only use operations that are easy to implement
For a binary string X:
The length of X, denoted by |X|, is the number of bits in X
If |X| = l, X is an l-bit binary string
Let a be a binary bit and k a non-negative integer. Denote by ak a binary string consisting of k copies of a
Denote the concatenation of X and Y by XY or...
Often a security tool does exactly what you want, right out of the box. More frequently, you need to customize the tool to fit the needs of your network structure. Network Security Tools shows experienced administrators how to modify, customize, and extend popular open source security tools such as Nikto, Ettercap, and Nessus.
to defend company resources: not only
passively by using firewalls, virtual private
networks (VPNs), encryption techniques, and
whatever other tricks, but also by deploying
proactive tools and devices throughout the
network = IDS.
Intrusion detection is not for the faint at heart. But, if you are a network administrator chances are you're under increasing pressure to ensure that mission-critical systems are safe--in fact impenetrable--from malicious code, buffer overflows, stealth port scans, SMB probes, OS fingerprinting attempts, CGI attacks, and other network intruders.
Threat Discovery Services provides corporatewide traffic threat detection and
analysis capabilities via a threat discovery appliance or any VMware-based system. It
is deployed out of band at the network layer on the core switch, where it can monitor
the stealth techniques being used by modern malware to provide 24 x 7 network
monitoring and detection of hidden malware infections.
The threat discovery technology detects day-zero infections by leveraging Trend
Micro Smart Protection Network and multiple threat analysis engines.
Web now widely used by business, government, individuals
but Internet & Web are vulnerable
have a variety of threats
denial of service
need added security mechanisms
As our society grows ever more reliant on computers, so it also becomes more vulnerable to computer crime. Cyber attacks have been plaguing computer users since the 1980s, and computer security experts are predicting that smart telephones and other mobile devices will also become the targets of cyber security threats in the future.
A rush solution to the security problems of WEP
Based on 802.11i (official version)
Encrypt and authenticate MSDUs: counter mode-CBC MAC protocol with AES-128
Authenticate STAs: 802.1X
Initialization vectors transmitted in plaintext are no longer needed to generate per-frame keys
But most of the existing Wi-Fi WPA cards cannot be upgraded to support 802.11i
Password Selection Strategies
Viruses and Related Threats
The Nature of Viruses
Advanced Antivirus Techniques
Recommended Reading and WEB Sites
In the last lecture we looked at some high-level descriptions of key distribution and agreement schemes.
These protocols cannot be used as they were stated.
In implementation of the actual protocol, there are many situations one should be careful of.
In this lecture, we will look at some common protocol failures that arise when trying to implement security protocols
We will then look at some specific examples of security protocols
Advanced Encryption Standard competition began in 1997
Rijndael was selected to be the new AES in 2001
AES basic structures:
block cipher, but not Feistel cipher
encryption and decryption are similar, but not symmetrical
basic unit: byte, not bit
block size: 16-bytes (128 bits)
three different key lengths: 128, 192, 256 bits
AES-128, AES-192, AES-256
each 16-byte block is represented as a 4 x 4 square matrix, called the state matrix
the number of rounds depends on key lengths
4 simple operations on the state matrix every round (except the last round)
To use data encryption algorithms in network communications, all parities must first agree on using the same secret keys
Rely on couriers
Set up a meeting to determine a secret key
Use postal service, email service, phone service
However, these conventional methods are inflexible for network communication applications
Public-key cryptography (PKC)
Invented in the 1970’s
Without the need of sharing prior secrets to distribute secret keys securely
Can also be used for authentication
Encryption and authentication algorithms are building blocks of secure network protocols
Deploying cryptographic algorithms at different layers have different security effects
Where should we put the security protocol in the network architecture?
Radio based communication, open air
The attacker, having a radio transmitter and receiver with the same radio frequency of the underlying wireless network, can easily:
Intercept wireless data
Connect his computing devices to a nearby wireless network
Inject new packets to an existing wireless network
Jam a particular wireless channel using a jamming device
Implement encryption algorithms, authentication algorithms, and integrity-check algorithms at the data-link layer
Provide network access with wired equivalent privacy
Higher-layer protocols and applications can be used ...
have a range of application specific security mechanisms
eg. S/MIME, PGP, Kerberos, SSL/HTTPS
however there are security concerns that cut across protocol layers
would like security implemented by the network for all applications
In CERTs 2001 annual report it listed 52,000 security incidents
the most serious involving:
intruders creating packets with false address then taking advantages of OS exploits
eavesdropping and sniffing
attackers listen for userids and passwords and then just walk into target systems
as a result the IAB included authentication and encryption in the next generation IP (IPv6)