
Info Sec Lec 1 (CHP 1)

The document outlines a course on Information Security taught by Dr. Qaisar Javaid, detailing the instructor's qualifications, course schedule, grading policy, and academic honesty expectations. It covers key topics such as cryptography, network security applications, system security, and operating system security, along with required textbooks and course materials. The course aims to provide a comprehensive understanding of security principles, mechanisms, and attacks relevant to information security.

Uploaded by

Lubna Ghalib

Information Security

Dr. Qaisar Javaid

Information Security 1
Course Staff
• Instructor:
– Qaisar Javaid
• Tel: 051-4438762, 0321-5000435
• Email: [email protected]

Instructor’s Introduction
• PhD Computer Science
• MS Computer Science
• MBA-Telecom Management
• BS Computer Science
• Microsoft Certified Trainer (MCT)
• Cisco Certified Academy Instructor (CCAI)

Instructor’s Introduction
Cisco Certifications
• Cisco Certified Internet Expert (CCIE) (Cisco Systems USA)
• Cisco Certified Network Professional (Cisco Systems USA)
• Cisco Certified Design Professional (Cisco Systems USA)
• Cisco Certified Security Specialist (Cisco Systems USA)

Instructor’s Introduction
Microsoft Certifications
• Microsoft Certified System Engineer (MCSE) (Microsoft Systems USA)
• Microsoft Certified Database Administrator (MCDBA) (Microsoft Systems USA)
• Microsoft Certified System Administrator (Microsoft Systems USA)
• Microsoft Certified Solution Developer (Microsoft Systems USA)

Course Schedule
• Lectures
– Wed: 12 to 3 pm
• Assignments
– Four assignments (or best 4 out of 5 assignments)
• Semester Projects
– Three group projects (or best 3 out of 4 projects)
• Midterm exam
– Tentative: Thursday, As per university policy
• Final exam
– In the first week of May (final exam week)

Grading Policy
• Assignments 15-20%
– Late assignments are not accepted
• Semester Projects 20%
– Can be done in groups of 2-3 students
• Midterm exam 25-30%
• Final exam 35%

Academic Honesty
• Your work in this class must be your own
• If students are found to have collaborated excessively or to have cheated (e.g. by copying or sharing answers during an examination), all involved will at a minimum receive grades of 0 for the first infraction
• Further infractions will result in failure in the course.

Course Material
• Reference books
– No single textbook covers the whole course!
• Lots of research papers!
– Many will be made available on the course web site
• RFCs and Internet drafts
– Related to network security protocols
• Web resources
– Tutorials, white papers, reports, etc.

Course Information
• Pre-requisites
– Computer Networks course
• You are assumed to have good knowledge of TCP/IP protocol suite
– Operating Systems
– Basic understanding of programming languages
• Class assessment by four assignments, three projects, a mid-term and a final exam
– May be one extra assignment and/or project

Course Contents
• Introduction to information security
• I. CRYPTOGRAPHY
– Symmetric Encryption and Message Confidentiality
– Public-Key Cryptography and Message Authentication
• II. NETWORK SECURITY APPLICATIONS
– Authentication Applications (Kerberos, X.509)
– Electronic Mail Security (PGP, S/MIME)
– IP Security (IPSec, AH, ESP, IKE)
– Web Security (SSL, TLS, SET)
– Network Management Security (SNMP)

Course Contents
• III. SYSTEM SECURITY
– Intruders and intrusion detection
– Malicious Software (viruses)
– Firewalls and trusted systems
• IV. Operating System and File System Security
– Approximately 4 lectures
– Covered by Mr Farhan Zaidi

Textbooks
• One of the following three books is required for this course:
• William Stallings, Network Security Essentials, 2/E
– One or two chapters from CNS3e
• William Stallings, Cryptography and Network Security: Principles and Practice, 3/E
– Network management security from NSE2e

Textbooks
• C Kaufman, R Perlman, M Speciner, Network Security: Private Communication in a Public World
– Detail of course contents
• Ed Skoudis, Counter Hack: A Step by Step Guide to Computer Attacks and Defenses
– Some Chapters from this book

Expectations

What do you want (or expect) to learn from this class?

Expectations
• This class IS about …
– Network security principles and concepts
– Overview of cryptography, its use, principles and major algorithms
– Message authentication and encryption techniques
– Security of network “system”
– Operating system security
– Security practices and applications

Expectations
• This class IS NOT about …
– Details of cryptographic algorithms
– Survey of existing protocol standards
– Survey of loopholes in current protocols
– How to hack the network of CASE!
– Tools and tips to breach Internet security
– How you can become a good hacker

Expectations

We will learn Why and How networks are made secure

Outline
• Attacks, services and mechanisms
• Security attacks
• Security services
• Methods of Defense
• A model for Internetwork Security
• Internet standards and RFCs

Background
• Information Security requirements have changed in recent times
• Traditionally provided by physical and administrative mechanisms
• Computer use requires automated tools to protect files and other stored information
• Use of networks and communications links requires measures to protect data during transmission

Definitions
• Computer Security - generic name for the collection of tools designed to protect data and to thwart hackers
• Network Security - measures to protect data during their transmission
• Internet Security - measures to protect data during their transmission over a collection of interconnected networks

Aim of this Course
• Our emphasis is on internet security
• Consists of measures to deter, prevent, detect, and correct security violations that involve the transmission of information
• Requirements seem straightforward, but the mechanisms used to meet them can be quite complex

Services, Mechanisms, Attacks
• Need systematic way to define requirements
• Consider three aspects of information security:
– security attack
– security mechanism
– security service
• Consider in reverse order

Security Service
• Is something that enhances the security of the data processing systems and the information transfers of an organization
• Intended to counter security attacks
• Make use of one or more security mechanisms to provide the service
• Replicate functions normally associated with physical documents e.g.
– have signatures or dates
– need protection from disclosure, tampering, or destruction
– be notarized or witnessed
– be recorded or licensed

Security Mechanism
• A mechanism that is designed to detect, prevent, or recover from a security attack
• No single mechanism that will support all functions required
• However one particular element underlies many of the security mechanisms in use: cryptographic techniques
• Hence our review of this area

Security Attack
• Any action that compromises the security of information owned by an organization
• Information security is about how to prevent attacks, or failing that, to detect attacks on information-based systems
• Have a wide range of attacks
• Can focus on generic types of attacks
– Note: often threat & attack mean same

Security Attacks

Security Attacks
• Interruption: This is an attack on availability
• Interception: This is an attack on confidentiality
• Modification: This is an attack on integrity
• Fabrication: This is an attack on authenticity

Security Goals

• Confidentiality
• Integrity
• Availability

Summary: Attacks, Services and Mechanisms
• Security Attack: Any action that compromises the security of information.
• Security Mechanism: A mechanism that is designed to detect, prevent, or recover from a security attack.
• Security Service: A service that enhances the security of data processing systems and information transfers. A security service makes use of one or more security mechanisms.

OSI Security Architecture
• ITU-T X.800 Security Architecture for OSI
• Defines a systematic way of defining and providing security requirements
• For us it provides a useful, if abstract, overview of concepts we will study

Security Services
• Confidentiality (privacy)
• Authentication (who created or sent the data)
• Integrity (has not been altered)
• Non-repudiation (the order is final)
• Access control (prevent misuse of resources)
• Availability (permanence, non-erasure)
– Denial of Service Attacks
– Virus that deletes files

Classify Security Attacks as
• Passive attacks - eavesdropping on, or monitoring of, transmissions to:
– obtain message contents, or
– monitor traffic flows
• Active attacks – modification of data stream to:
– masquerade of one entity as some other
– replay previous messages
– modify messages in transit
– denial of service

Passive Attacks: Release of Message Contents

Passive Attacks: Traffic Analysis

Active Attacks: Masquerade

Active Attacks: Replay

Active Attacks: Modification of Messages

Active Attacks: Denial of Service

Model for Network Security

Model for Network Security
• Using this model requires us to:
1. design a suitable algorithm for the security transformation
2. generate the secret information (keys) used by the algorithm
3. develop methods to distribute and share the secret information
4. specify a protocol enabling the principals to use the transformation and secret information for a security service

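The four tasks above, carried through for one security service (message authentication with replay protection), as an added example that is not part of the original slides. It assumes HMAC-SHA256 as the security transformation, an 8-byte sequence number for freshness, and a key already shared out of band; the function and class names are illustrative, and the example provides no confidentiality.

```python
import hashlib
import hmac
import secrets

TAG_LEN = 32  # HMAC-SHA256 output size in bytes

def generate_key() -> bytes:
    """Task 2: generate the secret information shared by both principals."""
    return secrets.token_bytes(32)

def protect(key: bytes, seq: int, payload: bytes) -> bytes:
    """Task 1, sender side: bind a sequence number to the payload with a MAC."""
    header = seq.to_bytes(8, "big")
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag

class Receiver:
    """Task 4, receiver side: accept a message only if authentic and fresh."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1  # highest sequence number accepted so far

    def accept(self, wire: bytes):
        if len(wire) < 8 + TAG_LEN:
            return "rejected: truncated", None
        body, tag = wire[:-TAG_LEN], wire[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # Constant-time compare; fails for altered data or a sender without the key.
        if not hmac.compare_digest(tag, expected):
            return "rejected: bad MAC (modification or masquerade)", None
        seq = int.from_bytes(body[:8], "big")
        if seq <= self.last_seq:
            return "rejected: replay", None
        self.last_seq = seq
        return "accepted", body[8:]

def demo():
    key = generate_key()  # task 3 (distribution) is assumed done out of band
    rx = Receiver(key)
    msg = protect(key, 1, b"transfer 100 to account 42")  # constructed sample
    tampered = bytearray(msg)
    tampered[12] ^= 0x01  # one payload bit changed in transit
    forged = protect(generate_key(), 2, b"transfer 900 to account 66")
    return [rx.accept(m)[0] for m in (msg, bytes(tampered), msg, forged)]

if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```
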
Model for Network Access Security

Model for Network Access Security
• Using this model requires us to:
1. select appropriate gatekeeper functions to identify users
2. implement security controls to ensure only authorised users access designated information or resources
• Trusted computer systems can be used to implement this model

Methods of Defense
• Encryption
• Software Controls (access limitations in a data base, in operating system protect each user from other users)
• Hardware Controls (smartcard)
• Policies (frequent changes of passwords)
• Physical Controls

Internet standards and RFCs
• The Internet society
– Internet Architecture Board (IAB)
– Internet Engineering Task Force (IETF)
– Internet Engineering Steering Group (IESG)

Summary
• Have considered:
– computer, network, internet security definitions
– security services, mechanisms, attacks
– X.800 standard
– models for network (access) security
