
NETWORKING and SECURITY

ALHAD G APTE
BARC

SACET09 October 28, 2009

PRESENTATION OUTLINE

• Information Security – Overview & Definitions

• Information Security Technologies

• Approach to Information Security

• ISO Standards

• Security Issues in Computing Grids


Information asset:
Information of value to organization, which is owned by the organization, and equipment, devices and other hardware and software used to process, store and communicate the information.

Information security:
preservation of confidentiality, integrity and availability attributes of information assets.

In addition, attributes such as authenticity, non-repudiation, accountability and reliability are also to be assured.

Information assurance

Confidentiality: ensuring that information is accessible only to those authorized to have access

Integrity: the accuracy and completeness of assets

Availability: accessibility and usability upon demand by an authorized entity.

Authentication: A process that establishes the origin of information, or validates an entity's identity.

Non-repudiation: A service that provides protection against false denial of involvement in a communication

Information Security Components

Vulnerability:
An exploitable capability or weakness that could result in a successful attack causing damage to the asset.

Threat:
An event which could have an undesirable impact on an asset.

Risk:
The potential that a given threat will exploit vulnerabilities and cause harm to the asset.


[Figure: Attack Sophistication and Intruder Knowledge (Reqd.) plotted against time, 1980 to 2010, with labelled attack types: Password Cracking, Viruses, Backdoors, Packet Spoofing/Sniffing, Autoscans, WWW attacks, DOS/DDOS, Malicious codes, BOTs/Zombies]

Security Concepts and Relationships
[Figure: relationship diagram. Nodes: Owners, Countermeasures, Vulnerabilities, Attacker, Threats, Risk, Assets. Edge labels: value, wish to minimise, impose, to reduce, that may possess, that may be reduced by, may be aware of, leading to, that exploit, give rise to, that increase, wish to abuse and/or may damage]
Information Security Life Cycle
[Figure: PDCA Model (PLAN, DO, CHECK, ACT) with the labels POLICY, PLAN, EXECUTION; Secure network and application setup; Monitoring and Security Audit; knowledge update]

The McCumber Cube
[Figure: cube with its faces labelled Where, What and How]


Firewall:
A set of security measures, located at a network gateway, to prevent unauthorized electronic access to a networked computer system.
It is configured to permit, deny, encrypt, decrypt, or proxy all computer traffic between different security domains based upon a set of rules and other criteria.


Firewalls – Defence-in-depth
[Figure: layered firewalls between the Internet, a DMZ (Email GW, WWW and DNS servers), Extranet Servers and the Intranet (Email server, Intranet servers, Intranet Server Segment, Intranet Client Segment)]
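
The firewall definition and the Internet/DMZ/Intranet layering above, as an added example that is not part of the original slides: a first-match rule evaluator with default deny between security domains, plus a check for rules that would let the Internet reach the intranet without passing the DMZ. The address ranges, the rule base and the function names are constructed for illustration.

```python
import ipaddress

# Constructed zone map for the three domains on the slide (example address ranges)
ZONES = {
    "intranet": ipaddress.ip_network("10.0.0.0/8"),
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
    "internet": ipaddress.ip_network("0.0.0.0/0"),
}

# Constructed rule base: (source zone, destination zone, protocol, port, action).
# None matches any protocol or port; actions are taken from the slide's list.
RULES = [
    ("internet", "dmz", "tcp", 25, "permit"),      # mail to the email gateway
    ("internet", "dmz", "tcp", 80, "permit"),      # WWW server
    ("internet", "dmz", "udp", 53, "permit"),      # DNS server
    ("dmz", "intranet", "tcp", 25, "permit"),      # gateway relays to the email server
    ("intranet", "internet", "tcp", 80, "proxy"),  # outbound web goes through a proxy
    ("internet", "intranet", None, None, "deny"),  # never straight into the intranet
]

def zone_of(addr):
    """Return the most specific zone containing addr (longest prefix wins)."""
    ip = ipaddress.ip_address(addr)
    return max((net.prefixlen, name) for name, net in ZONES.items() if ip in net)[1]

def decide(src, dst, proto, port, rules=RULES):
    """First matching rule wins; traffic that matches no rule is denied."""
    sz, dz = zone_of(src), zone_of(dst)
    if sz == dz:
        return "permit"  # same security domain: does not cross the firewall
    for r_src, r_dst, r_proto, r_port, action in rules:
        if (r_src, r_dst) == (sz, dz) and r_proto in (None, proto) and r_port in (None, port):
            return action
    return "deny"

def layer_skipping_rules(rules=RULES):
    """Audit: rules that let the Internet reach the intranet without the DMZ."""
    return [r for r in rules
            if (r[0], r[1]) == ("internet", "intranet") and r[4] != "deny"]
```
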


Information Security Systems


• Firewall

• Intrusion Detection & Prevention

• Server hardening

• Access Control

• Client Security

• Network Security

• Communication Security

• Storage Security
Technological Solutions

Encryption
Symmetric Encryption

Asymmetric Encryption – Public Key Infrastructure

Virtual Private Networking (VPN)


Network Level VPN

Application Level VPN

Client Security
Secure Network Access System

Graded approach:

A process or method in which the stringency of the control measures and conditions to be applied is commensurate, to the extent practicable, with the likelihood and possible consequences of, and the level of risk associated with, a loss of control.

EXAMPLE ZONE MODEL
[Figure: zones INTRANET, SECURE and PUBLIC, with boxes C&I ASSETS, CLASSIFIED ASSETS, INTRANET SERVERS, INTERNET SERVERS and INTERNET CLIENT SEGMENT; arrows marked Data flow and Access]


Security Issues

External Cyber-attacks
Denial of Service attacks
Security of client PCs:
Attacks through viruses/ malware
Possible network bridging by users
PC sharing over network
Official Data on PC used for Internet
Conformance to Security Guidelines of MHA
Limited services on separate networks

Balancing security extreme views

"I want tight security. I don't bother what users get."
Excessive constraints
Denial of service just by presence of threat

"I want all services freely. Security is your responsibility."
Open environment
Increase in vulnerability
Approach to provision of Secure Services

Use of technological solutions

Strengthening the monitoring and reporting process

Classified/sensitive information kept physically isolated

Isolated intranet and Internet except for secure channels for cross network transfer

Defense-in-depth philosophy

Defense in depth implementation

Defense-in-depth

Multi layered network design - Firewalls,
Host & Network intrusion detection system,
Host hardening & Secure application configuration,
Firewalling around the applications,
only one application per server,
Centralized antivirus/ antispyware system,
Advanced authentication system,
Client End Point Security and
ISMS (Information Security Monitoring System).
[Figure: three-level firewall architecture between Public Networks and the Enterprise WAN. Labels: Firewall Level 1, DMZ-I-1, DMZ-A-1, Firewall Level 2, DMZ-I-2, Internet Server Segment, Secure Controlled services*, Firewall Level 3, INTERNET USER SEGMENT (USER PCs), Secure Intranet Services, INTRANET USER SEGMENT (USER PCs)]

ISO 27001:
Information security Management systems — Requirements

• Establishment and Management ISMS
• Document and Records Control
• Management Responsibilities and Support
• ISMS Internal Audit
• ISMS Review
• ISMS Improvement

ISO 27000 Series Standards

ISO 27001: Specification for an information security management system (an ISMS)

ISO 27002: Renumbered ISO 17799 standard. ISMS Code of Practice.

ISO 27003: Intended to offer guidance for the implementation of an ISMS (IS Management System).

ISO 27004: Information security system management measurement and metrics.

ISO 27005: Methodology independent ISO standard for information security risk management.

ISO 27006: Guidelines for the accreditation of organizations offering ISMS certification.
Information Security Policy
Based on ISO 27002 Standard Best Practices

Controls
• Policy Versions and approvals
• Security Management Set-up
• Classification of Information Assets
• Network Security and Access Control
• Digital Media Security
• Information Exchange e.g. email
• User Awareness and responsibilities
• Third Party Access/ Outsourcing
• Personnel Security
• Physical and Environmental Security
• Business Continuity
• Policy Conformance/ Auditing
GRID SECURITY REQUIREMENTS

1. Security is one of the most important issues in Grid Environment.
   • Privacy
   • Integrity
   • Authentication (& Authorization)
2. Overcome the security challenges posed by grid applications through the Grid Security Infrastructure (or GSI). It uses public key cryptography (asymmetric cryptography) as the basis for its functionality.
• The need for secure communication (authenticated and perhaps confidential) between elements of a computational Grid.
• The need to support security across organizational boundaries, thus prohibiting a centrally-managed security system.
• The need to support "single sign-on" for users of the Grid, including delegation of credentials for computations that involve multiple resources and/or sites.

Access to Resources
[Figure labels: User, Proxy Credentials, Virtual Organisation, Physical Domain 1, Physical Domain 2]

Proxy Certificate (PC)

Motivation:

1. Dynamic (Credential) Delegation: In Grid, there is need for one entity wishing to grant another entity some of its privileges.
E.g.: A job submitted to the grid by the user goes to the Grid Scheduler (Resource Broker) and so this Grid Scheduler needs to be granted the user credentials, in order to further redirect the job to the actual compute machine on behalf of user.

2. Repeated Authentication: Private keys are encrypted with passphrase. This means that the user would have to sign on (provide the password) to access the key and perform authentication.


Thanks



[Figure: Private Network Zone I and Private Network Zone II, each with a VPN Adaptor, connected by a VPN Tunnel over the Shared Network Infrastructure; the Original Data Packet is encrypted and tunneled by adding a new header]

Packets of data exchanged between two zones of a private network are tunneled through the untrusted network by encrypting and encapsulating the original packet into another packet pertaining to the untrusted network.

New Technologies to be used: VPN Tunneling


[Figure labels: Users with SNAS Web Client, INTRANET, Firewall, SNAS authorization Servers, SNAS Monitoring, Network devices, TARGET NETWORK]

Secure Network Access System (SNAS) developed by BARC

New Technologies to be used: Endpoint Security


PUBLIC KEY INFRASTRUCTURE

Generate Key Pairs
User A: PB = Public key A, PR = Private key A
User B: PB = Public key B, PR = Private key B
User C: PB = Public key C, PR = Private key C

Distribution Key
User A holds: Public key B, Public key C
User B holds: Public key A, Public key C
User C holds: Public key A, Public key B

User A wants to communicate with User B
User A: Encrypt with PR(A) & PB(B), then send
User B: Decrypt with PR(B) & PB(A)


A simple digital signature
[Figure: a sample employee record (name, employee id, email) is transformed with the Private Key into a Signature; the Signature is transformed back into the record with the Public Key]

How to maintain variable length signatures ?
[Figure: message, then Hash function (mix), then Message digest, then Private key, then Digital signature; shown for two sample messages]

Achieves Integrity and Verification


Sending Messages using PKI

Get Message M

Compute a session key S(N)

P: PB(B) [ PR(A) (S(N)) ]   Encrypt session key with private/public keys.

Q: MD(M)   Compute Message Digest.

R: PR(A) [MD(M)]   Encrypt Message Digest with own private key.

T: S(N) [ M + R ]   Encrypt message and encrypted Digest with session key.

Transmit P & T
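
The P, Q, R, T steps above, together with the hash-then-sign scheme from the digital signature slides, as an added example that is not part of the original slides; it also shows the receiver's side, which the slide leaves out. It assumes textbook RSA without padding, toy keys built from Mersenne primes, SHA-256 as MD and a SHA-256 keystream XOR standing in for the session cipher, all chosen so the example runs with the standard library only; the function names are hypothetical.

```python
import hashlib
import secrets

E = 65537  # common RSA public exponent

def keypair(p, q):
    """Textbook RSA key pair from two primes: returns (public, private)."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def rsa(key, x):
    """Raw RSA operation x^exp mod n (no padding, for illustration only)."""
    n, exp = key
    return pow(x, exp, n)

def md(m):
    """Q: message digest MD(M), as an integer."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big")

def session_cipher(s, data):
    """Stand-in for S(N)[...]: XOR with a SHA-256 counter keystream."""
    stream = b"".join(hashlib.sha256(s + i.to_bytes(8, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def send(m, pr_a, pb_b):
    rlen = (pr_a[0].bit_length() + 7) // 8               # bytes needed to hold R
    s = secrets.token_bytes(16)                          # session key S(N)
    p = rsa(pb_b, rsa(pr_a, int.from_bytes(s, "big")))   # P: PB(B)[PR(A)(S(N))]
    r = rsa(pr_a, md(m))                                 # R: PR(A)[MD(M)]
    t = session_cipher(s, m + r.to_bytes(rlen, "big"))   # T: S(N)[M + R]
    return p, t                                          # transmit P & T

def receive(p, t, pr_b, pb_a):
    rlen = (pb_a[0].bit_length() + 7) // 8
    s = rsa(pb_a, rsa(pr_b, p)).to_bytes(16, "big")      # undo P: PR(B), then PB(A)
    plain = session_cipher(s, t)
    m, r = plain[:-rlen], int.from_bytes(plain[-rlen:], "big")
    if rsa(pb_a, r) != md(m):                            # PB(A)[R] must equal MD(M)
        raise ValueError("digest mismatch: altered, or not signed by A")
    return m

# Constructed toy keys (Mersenne primes). A's modulus must be smaller than B's
# so that PR(A)(S(N)) fits under B's modulus in step P.
PB_A, PR_A = keypair(2**521 - 1, 2**607 - 1)
PB_B, PR_B = keypair(2**1279 - 1, 2**2203 - 1)

if __name__ == "__main__":
    print(receive(*send(b"job request", PR_A, PB_B), PR_B, PB_A))
```

The digest check in `receive` is what gives the integrity and verification properties named on the signature slide: the keystream cipher alone would accept a modified T.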

Certificates

A digital certificate is a digital document that certifies that a certain public key is owned by a particular user. This document is signed by a third party called the certificate authority (or CA).

It's all about trust - Having a certificate to prove to everyone else that your public key is really, truly, honestly yours allows us to conquer the third pillar of a secure conversation: authentication.
