Dr Diane Gan
Overview
What is network security?
Passwords
Firewalls
IDSs
What is network security?
Confidentiality: protect data content/access
• only sender and intended receiver should “understand” message contents
  sender encrypts message
  receiver decrypts message
Authentication: sender and receiver want to confirm identity of each other
Message integrity: sender and receiver want to ensure message not altered (in transit, or afterwards) without detection
Access and availability: services must be accessible and available to users
First line of defence - Passwords
Weakest link
front line defence against intruders
Most common passwords (two lists: rank, list A, list B):
 1  123456      123456
 2  123456789   password
 3  qwerty      12345678
 4  12345678    qwerty
 5  111111      12345
 6  1234567890  123456789
 7  1234567     football
 8  password    1234
 9  123123      1234567
10  987654321   baseball
11  qwertyuiop  welcome
22  1q2w3e4r5t
Morris worm gained entry via weak passwords
Default passwords can be found on Shodan
https://www.youtube.com/watch?v=opRMrEfAIiI
Hacked French network exposed its own passwords during TV interview
Salted password hashing (figure: SALT + PASSWORD → hash digest)
Apply BASE64 encoding and store the digest
Could also use hexadecimal strings
Store the hash + salt
Value of the salt
  Identical passwords will have different hashes
  Hides small passwords – all are the same length
  A large salt value prevents precomputation attacks, including rainbow tables
  older Unix passwords used a 12-bit salt
  SHA2-crypt and bcrypt methods – salt = 128 bits, used in Linux, BSD Unixes and Solaris
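The salted scheme described above, as an added example that is not from the slides: a random 128-bit salt, a PBKDF2-SHA256 digest (an assumed stand-in for the SHA2-crypt/bcrypt methods the slide names), both base64-encoded and stored together, and a constant-time comparison at login. The helper names and the iteration count are the example's own choices.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

SALT_BYTES = 16       # 128-bit salt, the size the slide gives for SHA2-crypt and bcrypt
ITERATIONS = 100_000  # PBKDF2 work factor; assumed value, not from the slide

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return the stored record 'base64(salt)$base64(digest)'.

    A fresh random salt is drawn per password unless one is supplied,
    so two users with the same password get different records.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return (base64.b64encode(salt).decode("ascii") + "$"
            + base64.b64encode(digest).decode("ascii"))

def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    salt_b64, digest_b64 = record.split("$", 1)
    salt = base64.b64decode(salt_b64)
    stored = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored)

def identical_passwords_differ(password: str) -> bool:
    """Slide property: the same password hashed twice gives two different records."""
    return hash_password(password) != hash_password(password)

def records_have_fixed_length(*passwords: str) -> bool:
    """Slide property: short and long passwords produce records of equal length."""
    lengths = {len(hash_password(p)) for p in passwords}
    return len(lengths) == 1

if __name__ == "__main__":
    # Constructed sample input: the top entry from the common-password list above.
    rec = hash_password("123456")
    print(rec)
    print("login ok:", verify_password("123456", rec))
    print("wrong password rejected:", not verify_password("password", rec))
```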
What if it is stolen!
Your password can be easily changed
Apple's Touch ID system was found vulnerable within one day
Hackers photographed a print and broke in with it
Second line of defence - Firewalls
system or group of systems that enforces an access control policy between two networks
two mechanisms:
  one that blocks traffic
  one which permits traffic
[figure: firewall between the Internet and a public FTP server]
Firewalls have the following design goals:-
[figure labels: Transport Layer, Internet]
Example policies and the firewall settings that implement them:
Policy: No incoming TCP connections, except those for the institution’s public Web server only.
Firewall setting: Drop all incoming TCP SYN packets to any IP except 130.207.244.203 and port 80
Policy: Prevent Web-radios from eating up the available bandwidth.
Firewall setting: Drop all incoming UDP packets - except DNS and router broadcasts.
Policy: Prevent your network from being used for a Smurf DoS attack.
Firewall setting: Drop all ICMP packets going to a “broadcast” address (eg 130.207.255.255).
Policy: Prevent your network from being tracerouted
Firewall setting: Drop all outgoing ICMP TTL expired traffic
Stateful packet filtering
stateless packet filter: heavy handed tool
Allows packets that “make no sense,” e.g., dest port = 80, ACK bit set, even though no TCP connection established
[figure: packet-filter rule table with a row for dest port 80 and the SYN/ACK flag bits, and a final rule denying anything else]
Policy rules
stateful inspection
Use with any protocol that runs over IP
generally packet filtering firewalls can handle more traffic
do not have the overhead of setting up extra connections
Problem
if an attack is launched against a server on an open service that is allowed by the firewall policy rule, then the firewall will permit it
internal addresses are not hidden
Packet filtering firewalls
Usually hardware based
Advantages
simple – fast – transparent to users
Weaknesses
limited information available to the firewall when logging
does not support user authentication
generally vulnerable to attacks that exploit problems within the TCP/IP protocol stack
Common attacks
IP spoofing, source routing attacks, tiny fragment attacks
A Bastion host - a critical strong point
Firewall Configurations
Simple configuration – single firewall
[figure: Internet – packet-filtering router – internal network with mail server and Web server]
[figure: Internet – packet-filtering router – information server, with packet-level and application-level filtering]
Screened subnet firewall
creates an isolated subnetwork
[figure: Internet – outside router – screened subnet (Bastion host, information server) – inside router – private network]
IDS alert outcomes:
  Alert was generated, intrusion present: True Positive
  Alert was generated, no intrusion: False Positive
  No alert generated, intrusion present: False Negative
  No alert generated, no intrusion: True Negative
[figure: Internet – demilitarized zone with Web server, DNS server and FTP server; Network IDS sensors on the links, Host IDS sensors on the servers]
IDS vs IPS
IDS
Some latency involved when malicious packet is detected
Needs real time detection
Works on preconfigured rules