1 Motivation for Network Security
  1.1 Aims of Network Security
    1.1.1 Confidentiality
    1.1.2 Unalterability
    1.1.3 Traceability
    1.1.4 Availability
  1.2 Fundamental Threats
    1.2.1 Spoofing
    1.2.2 Bugging
    1.2.3 Denial of Service
    1.2.4 Source of Information
  1.3 The Basic Protection Manual of the BSI (Federal Office for Information Security)
  1.4 Current Threats
    1.4.1 Attacks on Browsers
    1.4.2 Phishing
    1.4.3 WLANs

2 Weak Points of the IP Protocol Family
  2.1 ARP Spoofing
    2.1.1 ARP Cache Poisoning
    2.1.2 Flooding the Switching Table
  2.2 Attacks on IP
  2.3 Attacks on TCP
    2.3.1 SYN Flooding
    2.3.2 Sequence Number Attack
    2.3.3 Blind Spoofing
  2.4 DNS
    2.4.1 Forged Host File
    2.4.2 Spoofing of DNS Replies
    2.4.3 Attacks on the Servers
  2.5 Routing
    2.5.1 Denial of Service on BGP-4
    2.5.2 Data Rerouting
  2.6 Attacks on Applications
  2.7 Typical Methods and Tools
    2.7.1 Search Engines
    2.7.2 The whois Service
    2.7.3 DNS - nslookup and dig
    2.7.4 Scanning
    2.7.5 Phishing

3 Data Protection via Encryption
  3.1 The Beginnings of Cryptography
  3.2 Symmetrical Encryption
  3.3 Lifetime and Distribution of the Keys
  3.4 Generation of Keys
    3.4.1 Diffie-Hellman
    3.4.2 SPEKE
  3.5 Asymmetrical Encryption
    3.5.1 RSA
    3.5.2 El Gamal

4 Data Integrity and Authentication
  4.1 Data Integrity: Hash Values
    4.1.1 Typical Features
    4.1.2 Keyed Hash
    4.1.3 Replay Attacks
  4.2 Data Origin Authentication
    4.2.1 Pre-Shared Key
    4.2.2 Keyed Hash
    4.2.3 Digital Signature
  4.3 Authentication of the Communication Partner
    4.3.1 Man in the Middle
    4.3.2 Certificates
    4.3.3 PKI and CA
    4.3.4 Single Sign-On and Kerberos
    4.3.5 Smart Token Systems
    4.3.6 Biometrics
    4.3.7 Authentication with RADIUS

5 Application Examples
  5.1 OSI Model and Encryption
  5.2 IPsec VPNs
    5.2.1 IPsec Modes
    5.2.2 IPsec Protocols
    5.2.3 Example: IPsec VPN and VoIP
  5.3 SSL VPNs
    5.3.1 Architecture of SSL VPNs
    5.3.2 The Browser as a Universal Client
    5.3.3 OpenSSL
  5.4 PGP and GNU PG
  5.5 Secure Shell
  5.6 Blackberry
    5.6.1 Blackberry and Security
    5.6.2 Payload Data Transport
  5.7 Encrypted File System

6 Firewalls
  6.1 The Role of the Firewall in the Network
  6.2 Static Packet Filters
    6.2.1 Working Mode of Static Packet Filters
    6.2.2 Static Packet Filters - Weak Points and Limits
  6.3 Dynamic Packet Filters - Stateful Firewalls
    6.3.1 Working Mode of Dynamic Packet Filters
    6.3.2 Dynamic Packet Filters - Strong and Weak Points
  6.4 Proxy Firewalls
    6.4.1 Application Layer Gateways
    6.4.2 Circuit Relays - Generic Proxies
  6.5 Network Design
    6.5.1 Network Address Translation (NAT) and Firewalls
    6.5.2 DMZ Concepts - An Overview
    6.5.3 Firewalls and VPNs
    6.5.4 Redundancy and Load Sharing

7 Behind the Firewall - IDS and IPS
  7.1 What is IDS?
  7.2 Threat Detection via IDS
    7.2.1 Sample Identification
    7.2.2 Detection of Anomalies
    7.2.3 Protocol Evaluation
  7.3 Network-Based IDS
    7.3.1 The Advantages of NIDS
    7.3.2 The Disadvantages of NIDS
  7.4 Host-Based Intrusion-Detection-Systems
    7.4.1 The Advantages of HIDS
    7.4.2 The Disadvantages of HIDS
  7.5 NNIDS - IDS on Network Components
  7.6 Intrusion Prevention Systems
  7.7 The Computer Security Incident Response Team
    7.7.1 Detecting a Burglary
    7.7.2 Limiting the Damage - A Case Study
  7.8 Legal Background
    7.8.1 The Bundesdatenschutzgesetz (BDSG) (Federal Law on Data Protection)
    7.8.2 The Betriebsverfassungsgesetz (BetrVG) (Works Constitution Act)
    7.8.3 Right of Access to Personal Data