UNIT 5 Password Management Firewall Design Principles NETWORK
- Slides: 52
UNIT -5 Password Management Firewall Design Principles.
NETWORK SECURITY By: Homera Durani PASSWORD MANAGEMENT 2
PASSWORD PROTECTION User ID and password: User authorized to gain access to the system Privileges accorded to the user Discretionary access control NETWORK SECURITY By: Homera Durani 3
PASSWORD PROTECTION Unix system (user ID, cipher text password, plain text salt) � � password 8 printable characters - 56 -bit value (7 -bit ASCII) encryption routine (crypt(3)) based on DES modified DES algorithm with 12 -bit salt value (related to time of password assignment) 25 encryptions with 64 -bit block of zeros input 64 -bit - 11 character sequence NETWORK SECURITY By: Homera Durani � 4
LOADING A NEW PASSWORD NETWORK SECURITY By: Homera Durani 5
PASSWORD PROTECTION Purposes of salt: Prevents duplicate passwords from being visible Effectively increases password length without the user needing to remember additional 2 characters (possible passwords increased by 4096) Prevent use of hardware DES implementation for a brute-force guessing attack NETWORK SECURITY By: Homera Durani 6
OBSERVED PASSWORD LENGTHS IN A PURDUE STUDY NETWORK SECURITY By: Homera Durani 7
PASSWORDS CRACKED FROM A SAMPLE SET NETWORK SECURITY By: Homera Durani easy pickin’s 8
ACCESS CONTROL NETWORK SECURITY By: Homera Durani One Method: Deny access to password file Systems susceptible to unanticipated break-ins An accident in protection may render the password file readable compromising all accounts Users have accounts in other protection domains using the same passwords 9
ACCESS CONTROL Answer: Force users to select passwords that are difficult to guess Goal: Eliminate guessable passwords while allowing the user to select a password that is memorable NETWORK SECURITY By: Homera Durani 10
PASSWORD SELECTION STRATEGIES (BASIC TECHNIQUES) User education � Users may ignore the guidelines Computer-generated passwords � Poor acceptance by users � Difficult to remember passwords NETWORK SECURITY By: Homera Durani 11
PASSWORD SELECTION STRATEGIES Reactive password checking � System Proactive password checking � Password NETWORK SECURITY By: Homera Durani runs its own password cracker � Resource intensive � Existing passwords remain vulnerable until reactive checker finds them selection is guided by the system � Strike a balance between user accessibility and strength � May provide guidance to password crackers (what not to try) � Dictionary of bad passwords (space and time problem) 12
PROACTIVE PASSWORD CHECKER � � Markov Model – search for guessable password Bloom Filter – search in password dictionary NETWORK SECURITY By: Homera Durani There are two techniques currently in use: 13
MARKOV MODEL Probability that b follows a M = {states, alphabet, prob, order} NETWORK SECURITY By: Homera Durani 14
MARKOV MODEL “Is this a bad password? ”…same as… “Was this password generated by this Markov model? ” Passwords that are likely to be generated by the model are rejected Good results for a second-order model NETWORK SECURITY By: Homera Durani 15
BLOOM FILTER NETWORK SECURITY By: Homera Durani A probabilistic algorithm to quickly test membership in a large set using multiple hash functions into a single array of bits Developed in 1970 but not used for about 25 years Used to find words in a dictionary also used for web caching Small probability of false positives which can be reduced for different values of k, # hash funcs 16
BLOOM FILTER A vector v of N bits k independent hash functions. Range 0 to N-1 For each element x, compute hash functions H 1(x), H 2(x)…Hk(x) Set corresponding bits to 1 Note: A bit in the resulting vector may be set to 1 multiple times Bit Vector: v Element: x H 1(x)=P 1 H 2(x)=P 2 H 3(x)=P 3 H 4(x)=P 4 NETWORK SECURITY By: Homera Durani 1 1 17 N bits
BLOOM FILTER NETWORK SECURITY By: Homera Durani To query for existence of an entry x, compute H 1(x), H 2(x)…Hk(x) and check if the bits at the corresponding locations are 1 If not, x is definitely not a member Otherwise there may be a false positive (passwords not in the dictionary but that produce a match in the hash table). The probability of a false positive can be reduced by choosing k and N 18
PERFORMANCE OF BLOOM FILTER We need a hash table of 9. 6 X 106 bits NETWORK SECURITY By: Homera Durani Dictionary of 1 million words with 0. 01 probability of rejecting a password 19
20 NETWORK SECURITY By: Homera Durani FIREWALL
OUTLINE Firewall Design Principles � Firewall NETWORK SECURITY By: Homera Durani Characteristics � Types of Firewalls � Firewall Configurations 21
FIREWALLS NETWORK SECURITY By: Homera Durani Effective means of protection a local system or network of systems from network-based security threats while affording access to the outside world via WAN`s or the Internet 22
FIREWALL DESIGN PRINCIPLES Information systems undergo a steady evolution (from small LAN`s to Internet connectivity) Strong security features for all workstations and servers not established NETWORK SECURITY By: Homera Durani 23
FIREWALL DESIGN PRINCIPLES The firewall is inserted between the premises network and the Internet Aims: a controlled link � Protect the premises network from Internet-based attacks � Provide a single choke point NETWORK SECURITY By: Homera Durani � Establish 24
FIREWALL CHARACTERISTICS Design goals: � All NETWORK SECURITY By: Homera Durani traffic from inside to outside must pass through the firewall (physically blocking all access to the local network except via the firewall) � Only authorized traffic (defined by the local security police) will be allowed to pass 25
FIREWALL CHARACTERISTICS Design goals: � The NETWORK SECURITY By: Homera Durani firewall itself is immune to penetration (use of trusted system with a secure operating system) 26
FIREWALL CHARACTERISTICS Four general techniques: Service control the types of Internet services that can be accessed, inbound or outbound Direction control � Determines the direction in which particular service requests are allowed to flow NETWORK SECURITY By: Homera Durani � Determines 27
FIREWALL CHARACTERISTICS User control � Controls Behavior control � Controls e-mail) how particular services are used (e. g. filter NETWORK SECURITY By: Homera Durani access to a service according to which user is attempting to access it 28
TYPES OF FIREWALLS Three common types of Firewalls: � Packet-filtering NETWORK SECURITY By: Homera Durani routers � Application-level gateways � Circuit-level gateways � (Bastion host) 29
TYPES OF FIREWALLS Packet-filtering Router NETWORK SECURITY By: Homera Durani 30
TYPES OF FIREWALLS Packet-filtering Router � Applies NETWORK SECURITY By: Homera Durani a set of rules to each incoming IP packet and then forwards or discards the packet � Filter packets going in both directions � The packet filter is typically set up as a list of rules based on matches to fields in the IP or TCP header � Two default policies (discard or forward) 31
TYPES OF FIREWALLS Advantages: � Simplicity � High speed Disadvantages: � Difficulty to users of setting up packet filter rules � Lack of Authentication NETWORK SECURITY By: Homera Durani � Transparency 32
TYPES OF FIREWALLS Possible attacks and appropriate countermeasures address spoofing � Source routing attacks � Tiny fragment attacks NETWORK SECURITY By: Homera Durani � IP 33
TYPES OF FIREWALLS Application-level Gateway NETWORK SECURITY By: Homera Durani 34
TYPES OF FIREWALLS Application-level Gateway � Also NETWORK SECURITY By: Homera Durani called proxy server � Acts as a relay of application-level traffic 35
TYPES OF FIREWALLS Advantages: � Higher Disadvantages: � Additional processing overhead on each connection (gateway as splice point) NETWORK SECURITY By: Homera Durani security than packet filters � Only need to scrutinize a few allowable applications � Easy to log and audit all incoming traffic 36
TYPES OF FIREWALLS Circuit-level Gateway NETWORK SECURITY By: Homera Durani 37
TYPES OF FIREWALLS Circuit-level Gateway � Stand-alone NETWORK SECURITY By: Homera Durani system or � Specialized function performed by an Applicationlevel Gateway � Sets up two TCP connections � The gateway typically relays TCP segments from one connection to the other without examining the contents 38
TYPES OF FIREWALLS Circuit-level Gateway � The NETWORK SECURITY By: Homera Durani security function consists of determining which connections will be allowed � Typically use is a situation in which the system administrator trusts the internal users � An example is the SOCKS package 39
TYPES OF FIREWALLS Bastion Host �A NETWORK SECURITY By: Homera Durani system identified by the firewall administrator as a critical strong point in the network´s security � The bastion host serves as a platform for an application-level or circuit-level gateway 40
FIREWALL CONFIGURATIONS In addition to the use of simple configuration of a single system (single packet filtering router or single gateway), more complex configurations are possible Three common configurations NETWORK SECURITY By: Homera Durani 41
FIREWALL CONFIGURATIONS Screened host firewall system (single-homed bastion host) NETWORK SECURITY By: Homera Durani 42
FIREWALL CONFIGURATIONS Screened host firewall, single-homed bastion configuration Firewall consists of two systems: packet-filtering router � A bastion host NETWORK SECURITY By: Homera Durani �A 43
FIREWALL CONFIGURATIONS Configuration for the packet-filtering router: � Only The bastion host performs authentication and proxy functions NETWORK SECURITY By: Homera Durani packets from and to the bastion host are allowed to pass through the router 44
FIREWALL CONFIGURATIONS Greater security than single configurations because of two reasons: configuration implements both packet-level and application-level filtering (allowing for flexibility in defining security policy) � An intruder must generally penetrate two separate systems NETWORK SECURITY By: Homera Durani � This 45
FIREWALL CONFIGURATIONS NETWORK SECURITY By: Homera Durani This configuration also affords flexibility in providing direct Internet access (public information server, e. g. Web server) 46
FIREWALL CONFIGURATIONS Screened host firewall system (dual-homed bastion host) NETWORK SECURITY By: Homera Durani 47
FIREWALL CONFIGURATIONS Screened host firewall, dual-homed bastion configuration packet-filtering router is not completely compromised � Traffic between the Internet and other hosts on the private network has to flow through the bastion host NETWORK SECURITY By: Homera Durani � The 48
FIREWALL CONFIGURATIONS Screened-subnet firewall system NETWORK SECURITY By: Homera Durani 49
FIREWALL CONFIGURATIONS Screened subnet firewall configuration � Most NETWORK SECURITY By: Homera Durani secure configuration of the three � Two packet-filtering routers are used � Creation of an isolated sub-network 50
FIREWALL CONFIGURATIONS Advantages: � Three NETWORK SECURITY By: Homera Durani levels of defense to thwart intruders � The outside router advertises only the existence of the screened subnet to the Internet (internal network is invisible to the Internet) 51
FIREWALL CONFIGURATIONS Advantages: � The NETWORK SECURITY By: Homera Durani inside router advertises only the existence of the screened subnet to the internal network (the systems on the inside network cannot construct direct routes to the Internet) 52
Firewall design principles
Mac layer firewalls
What is personal firewall and distributed firewall.
Different firewall design principles
Firewall design principles
What is firewall design
Firewall design principles
Aws network firewall multi az
Firewall in cryptography and network security
At&t network based firewall
Cisco rv220w network security firewall price
Ece 526
Network design principles
Network management principles
Telecommunication network management lecture notes
Network management principles and practice
Principles of design in interior design ppt
Microsoft identity management self service password reset
Unit 6: principles of management powerpoint
Principles of performance evaluation
Unit 6 review questions
Network design and management
Supply chain management network design
Network performance management functions
Network accounting management
Managing entity network management
Network management definition
Principles of project cost management
Difference between virtual circuit and datagram
What is topology in computer
Features of peer to peer network and client server network
Network centric computing
Packet switched network vs circuit switched
Principles of network applications in computer networks
Principles of network applications
Network leadership principles
Letoutr
Top management and middle management
Management pyramid
Top management and middle management
Wafec
Firewall analysis tools
Sophos utm web application firewall
Stateful firewall iptables
Qu firewall
Cisco packet tracer firewall icon
Commvault firewall ports
Auditing firewall security
Stateful and stateless firewall
Mc firewall
Juniper firewall icon
Linux bastille
Ace web application firewall
