[soen321-f04] week 6.2 material (Oct 14)
David K. Probst PROBST at vax2.concordia.ca
Thu Oct 14 14:18:51 EDT 2004

SOEN 321 Week 6.2 Material
__________________________

Def: A sequence of cryptographically-random random numbers is a
sequence of numbers n_1, n_2, n_3, ... such that, for arbitrary k,
knowledge of n_1, n_2, n_3, ..., n_{k-1} is insufficient to predict
n_k.

Def: A sequence of cryptographically-random pseudorandom numbers is a
sequence of numbers n_1, n_2, n_3, ... such that, for arbitrary k,
knowledge of n_1, n_2, n_3, ..., n_{k-1} still leaves it
computationally infeasible to predict n_k, but the sequence is
produced by a (parameterized) algorithm.

Systems that replace reusable passwords with one-time passwords often
work by having a smart card and a host generate the same
cryptographically-random sequence of pseudorandom numbers, so that
each one-time password can be verified.

Firewalls
_________

    System  |  f/w  |  Internet

A firewall regulates incoming traffic as an integrity issue. The rule
is: do not accept messages that would cause (internal) servers to work
incorrectly or crash.

A firewall regulates outgoing traffic as an integrity/confidentiality
issue. The rule is: the first rule, plus the new rules of no
alteration of data and no leakage of confidential data.

This sounds complicated. A simpler example is a firewall that does
_egress filtering_ to ensure that outgoing packets are properly
labelled with source IP addresses of the internal network, to aid in
resolving denial of service attacks.

A firewall is a host that mediates access to a network, allowing and
disallowing certain kinds of access, based on a security policy.

Messages have headers that start .
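Before going on to firewalls, an added worked example of the one-time-password scheme described above; it is not part of the original notes. It uses the HOTP construction of RFC 4226 (HMAC-SHA1 over a shared counter, dynamically truncated to six digits) as the parameterized algorithm that both the token and the host run, so the host can recompute and verify password number k while an observer of n_1 ... n_{k-1} cannot derive n_k without the secret. The shared secret is RFC 4226's published test key, and the Token and Host classes, the look-ahead window of 5 and the demo() function are constructed for this illustration.

```python
"""One-time passwords from a shared cryptographically-strong pseudorandom
sequence: token and host both derive password number k from a shared secret
and a counter, so the host can verify each password and an observer who sees
n_1..n_{k-1} cannot compute n_k without the secret. Added illustration using
the HOTP construction of RFC 4226 (HMAC-SHA1 over a counter); not code from
the course notes. The shared secret below is the RFC's published test key."""
import hashlib
import hmac
import struct

SHARED_SECRET = b"12345678901234567890"  # RFC 4226 test-vector key, not a real secret
DIGITS = 6


def hotp(secret, counter, digits=DIGITS):
    """Password number `counter` of the sequence: HMAC-SHA1 of the 8-byte
    big-endian counter, dynamically truncated to a `digits`-digit integer."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return code % (10 ** digits)


class Token:
    """The smart card: holds the secret and a counter it advances per use."""

    def __init__(self, secret):
        self.secret = secret
        self.counter = 0

    def next_password(self):
        pw = hotp(self.secret, self.counter)
        self.counter += 1
        return pw


class Host:
    """The verifier: recomputes the same sequence. A small look-ahead window
    tolerates passwords the user generated but never submitted; a password
    at or before the last accepted position is rejected, so a replay fails."""

    def __init__(self, secret, window=5):
        self.secret = secret
        self.counter = 0
        self.window = window

    def verify(self, submitted):
        want = f"{submitted:0{DIGITS}d}"
        for k in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(f"{hotp(self.secret, k):0{DIGITS}d}", want):
                self.counter = k + 1  # resynchronise and consume this position
                return True
        return False


def demo():
    """One login, one replay, one skipped password, one resynchronised login."""
    token, host = Token(SHARED_SECRET), Host(SHARED_SECRET)
    first = token.next_password()        # 755224 for the RFC key at counter 0
    accepted_first = host.verify(first)  # True
    replayed = host.verify(first)        # False: position 0 is already consumed
    token.next_password()                # generated but never submitted (lost)
    third = token.next_password()        # counter 2
    accepted_third = host.verify(third)  # True: still inside the look-ahead window
    return first, accepted_first, replayed, accepted_third


if __name__ == "__main__":
    print(demo())
```

The look-ahead window is the practical cost of the "same sequence on both sides" design: the two counters drift whenever a password is generated but not used, so the host must search a few positions ahead and then jump its own counter past the accepted one, which is also what defeats replay of an already-used password.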
Ex: Suppose it is known that a dangerous attack always comes in on
port 1234. In this trivial case, the firewall can simply block any
incoming packet addressed to port 1234 of _any_ host.

Firewalls come in different flavors. A _packet filter_ makes decisions
based only on the information contained in the packet header, such as
destination address, source address, and options. The packet is either
allowed or disallowed. Note that, when a packet is allowed, the remote
host establishes a direct connection with the local host.

In contrast, a _proxy firewall_ (or application-level gateway) does
not allow direct connections. We re-write most of the server as a
proxy intermediate point.

    server  |  i/f  proxy  i/f  |  Internet

The proxy accepts connections from the outside. It then exercises them
to see if they are innocuous. Only if they check out will the proxy
establish a direct connection with the server. Checking may involve
packet headers and packet contents, and may operate at a high semantic
level.

Ex: e-mail virus scanning

    mail agent  |  i/f  proxy mail agent  i/f  |  Internet

The proxy accepts the mail, scans it for viruses, and forwards it to
the real mail agent only if it is virus free.

Ex: nesting

    sensitive hosts  |  f/w  |  public services  |  f/w  |  Internet

The public services are quite exposed behind a permissive firewall
(precisely allowing the public services and nothing else). The
sensitive hosts are protected behind a far more rigorous firewall.
Among packet filters, there is a distinction:

                 packet filter
                  /         \
                 /           \
          stateless         stateful
       (table lookup)   (maintains state)

Ex: ftp uses dynamically assigned ports to return data; the filter
needs to keep track of state to know which port to block.

Ex: ports and services

    11   tcp   systat
    15   tcp   netstat
    21   tcp   ftp
    23   tcp   telnet
    25   tcp   smtp
    69   udp   tftp
    79   tcp   finger
    80   tcp   http

On systems with a system manager distinct from users, the convention
that ports numbered less than 1024 are privileged (and hence
untrustworthy) is often the case.
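An added worked example, not code from the course, covering the firewall rules above in one toy filter: the stateless block of port 1234 on any host, egress filtering of outgoing packets whose source address is not in the internal network, and a stateful table that admits inbound packets only as replies to connections opened from inside, including the FTP data connection the server opens back to the port announced in the client's PORT command (the "which port to block" state the notes mention). The addresses (RFC 5737 documentation ranges), the Packet and StatefulFilter classes and the demo() function are constructed for this illustration.

```python
"""Toy packet filter for the rules in the notes: a stateless block of a
known-bad port, egress filtering of spoofed source addresses, and a
stateful table that admits inbound packets only as replies to connections
the inside opened (including an FTP data connection announced by PORT).
Added illustration, not code from the course; addresses (RFC 5737
documentation ranges), ports and rules are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("192.0.2.0/24")  # constructed: the protected network
BLOCKED_PORTS = {1234}                      # the notes' hypothetical dangerous port
FTP_CONTROL_PORT, FTP_DATA_PORT = 21, 20


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    payload: str = ""


def flow_key(pkt):
    return (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)


def reverse_key(pkt):
    """The same flow as seen from the other direction."""
    return (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)


def stateless_inbound(pkt):
    """Decision from the header alone: drop anything aimed at a blocked
    port, whatever the destination host (the port-1234 example)."""
    return pkt.dport not in BLOCKED_PORTS


def egress_ok(pkt):
    """Egress filtering: an outgoing packet must carry a source address
    from the internal network; anything else is spoofed and is dropped."""
    return ip_address(pkt.src) in INTERNAL_NET


def parse_ftp_port(payload):
    """(ip, port) from an FTP 'PORT h1,h2,h3,h4,p1,p2' command, else None."""
    parts = payload.strip().split(" ", 1)
    if len(parts) != 2 or parts[0].upper() != "PORT":
        return None
    fields = parts[1].split(",")
    if len(fields) != 6 or not all(f.isdigit() for f in fields):
        return None
    h1, h2, h3, h4, p1, p2 = (int(f) for f in fields)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


class StatefulFilter:
    """Stateful packet filter: remembers flows opened from the inside and the
    FTP data callbacks the inside has announced, and lets inbound traffic
    through only for those or for statically published public services."""

    def __init__(self, public_services):
        self.public_services = set(public_services)  # {(host, port)} reachable from outside
        self.flows = set()      # flow keys opened from the inside
        self.expected = set()   # (server_ip, client_ip, client_port) FTP data callbacks

    def outbound(self, pkt):
        if not egress_ok(pkt):
            return False
        self.flows.add(flow_key(pkt))
        if pkt.dport == FTP_CONTROL_PORT:
            announced = parse_ftp_port(pkt.payload)
            # Only honour a PORT command that names the client's own address.
            if announced and announced[0] == pkt.src:
                self.expected.add((pkt.dst, announced[0], announced[1]))
        return True

    def inbound(self, pkt):
        if not stateless_inbound(pkt):
            return False
        if (pkt.dst, pkt.dport) in self.public_services:
            return True
        callback = (pkt.src, pkt.dst, pkt.dport)
        if callback in self.expected and pkt.sport == FTP_DATA_PORT:
            self.expected.discard(callback)
            self.flows.add(reverse_key(pkt))  # the rest of the data connection passes as replies
            return True
        return reverse_key(pkt) in self.flows


def demo():
    """Run the rules over constructed packets; returns each decision."""
    fw = StatefulFilter(public_services={("192.0.2.80", 80)})
    d = {}
    d["port_1234"] = fw.inbound(Packet("198.51.100.9", 40000, "192.0.2.80", 1234))  # stateless block
    d["web"] = fw.inbound(Packet("198.51.100.9", 40001, "192.0.2.80", 80))           # public service
    d["spoof"] = fw.outbound(Packet("203.0.113.7", 5000, "198.51.100.9", 80))        # egress filter
    d["unsolicited"] = fw.inbound(Packet("198.51.100.9", 53, "192.0.2.10", 1025))    # no state for it
    fw.outbound(Packet("192.0.2.10", 50000, "198.51.100.9", 443))
    d["reply"] = fw.inbound(Packet("198.51.100.9", 443, "192.0.2.10", 50000))        # reply to inside
    fw.outbound(Packet("192.0.2.10", 50001, "198.51.100.21", 21, payload="PORT 192,0,2,10,4,1"))
    d["ftp_data"] = fw.inbound(Packet("198.51.100.21", 20, "192.0.2.10", 1025))      # announced callback
    return d


if __name__ == "__main__":
    print(demo())
```

The FTP case is where the stateless/stateful line in the notes matters: port 1025 on the client is closed to everyone until the filter has seen the client's own PORT command on the control channel, so a stateless table lookup would have to either block all such data connections or leave a whole port range open.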