## page was renamed from Reti e sicurezza informatica
#acl AlessandraMartello,GiovambattistaIanni,ClaudioPanetta,DavideFusca:read,write,revert,delete,admin All:read

= Network & Computer Security (Reti e Sicurezza Informatica) =

'''Professor''': Giovambattista Ianni - http://www.gibbi.com

'''Office hours and Exams registration''': Monday 15:00-17:00
 
'''Teaching assistant''': Davide Fuscà
'''Office hours''': by appointment


[[https://www.facebook.com/groups/223968634368349/|Facebook]] Group. 

{{{#!wiki caution
Starting from the academic year 2015-16, this course is no more active and has been split in the separate courses of [[https://www.mat.unical.it/informatica/NetworkAndSecurity|Network And Security]] and [[https://www.mat.unical.it/informatica/SecureSoftwareDesign|Secure Software Design]]
}}}

{{{#!wiki caution
For students following an old study curriculum (people enrolled to the Master in Computer Science up to and no later than academic year 2014-15): the exam (to be taken on the old course topics) can be taken up to exhaustion of students which require that. DON'T WORRY! 
 
You missed the course or you want to follow the course again? Then I suggest you to follow the two new courses of "Network and Security (1st year)" and "Secure Software Design (2nd year)"
}}}

----
<<TableOfContents>>
----

{{{#!wiki alert
 
 This course is given in English. Material in italian is available but it can be slightly or severely outdated

}}}

== General information ==

 * Detailed course description sheet [[http://www.mat.unical.it/ianni/storage/SCHEDA-RSI-2013.pdf|here/qui]] {it} {en} 


== News ==

 * None, at the moment.
 
=== Projects assignments ===
  * <<newicon>>[[RetiESicurezzaInformatica/AssegnazioneProgetti2015|Project assignments 2015]]
  * [[RetiESicurezzaInformatica/AssegnazioneProgetti2014|Project assignments 2014]]
  * [[RetiESicurezzaInformatica/AssegnazioneProgetti2013|Project assignments 2013]]
  * [[RetiESicurezzaInformatica/AssegnazioneProgetti2012|Project assignments 2012]]
  * [[RetiESicurezzaInformatica/AssegnazioneProgetti2011|Project assignments 2011]]
  * [[AssegnazioneSeminari2010|Project assignments 2010]]


== Teaching Material ==

   * <<FancyURL(url="https://www.mat.unical.it/ianni/RSI-Web/slides/Intro.ppt", text="Introductory lecture", expire=864000)>> 

=== Cryptography and Digital signature ===
 
 * All slide sets from the book "Criptography and Network Security" [[http://goo.gl/QVMFS3#downlaoddiv|download]]

 * <<FancyURL(url="https://www.mat.unical.it/ianni/RSI-Web/slides/ch02-SimmetricCryptography.ppt", text="Symmetric Cryptography", expire=864000)>>
  * <<FancyURL(url="https://www.mat.unical.it/ianni/RSI-Web/laboratorio/STEGHIDE+CRYPTOCAT/Cryptocat.pdf", text="Laboratory Session 1 (symmmetric cryptography)", expire=864000)>> 
  * <<FancyURL(url="https://www.mat.unical.it/ianni/RSI-Web/laboratorio/STEGHIDE+CRYPTOCAT/Steghide.pdf", text="Laboratory Session 2 (steganography)", expire=864000)>>

 * <<FancyURL(url="https://www.mat.unical.it/ianni/RSI-Web/slides/ch03-DES.ppt", text="DES Encryption", expire=864000)>>
 * <<FancyURL(url="https://www.mat.unical.it/ianni/RSI-Web/slides/ch05-AES.ppt", text="AES Encryption", expire=864000)>>
 * <<FancyURL(url="https://www.mat.unical.it/ianni/RSI-Web/slides/ch06-BlockCipherModes.ppt", text="Block Cipher Modes", expire=864000)>>
 * <<FancyURL(url="https://www.mat.unical.it/ianni/RSI-Web/slides/ch07-RandomNumbersAndRC4.ppt", text="Random Numbers and stream ciphers", expire=864000)>>
 * <<FancyURL(url="https://www.mat.unical.it/ianni/RSI-Web/slides/ch09-Critt.Asimettrica.ppt", text="Asymmetric Encryption", expire=864000)>>
 * <<FancyURL(url="https://www.mat.unical.it/ianni/RSI-Web/slides/ch10-schemi.asimm-DH.ppt", text="Diffie-Helmann like key exchange", expire=864000)>>
 * <<FancyURL(url="https://www.mat.unical.it/ianni/RSI-Web/slides/ch11-Hash.Functions.ppt", text="Cryptographic Hash Functions", expire=864000)>>
 * <<FancyURL(url="https://www.mat.unical.it/ianni/RSI-Web/slides/ch14-Key.Distribution.ppt", text="Key Distribution and PKI", expire=864000)>>
 * [[http://www.symantec.com/connect/articles/apache-2-ssltls-step-step-part-1|SSL+TLS]] infrastructure
 
=== Layer 2 Security ===

 * <<FancyURL(url="https://www.mat.unical.it/ianni/RSI-Web/slides/LAYER2-ISSUES.pptx", text="Security of Layer 2 Links", expire=864000)>> 
 * [[attachment:layer2security.pptx|IT]] (old version 2012 in Italian)
 * [[http://www.hsc.fr/ressources/articles/hakin9_wifi/hakin9_wifi_EN.pdf|WLAN]] technologies and security 
 * Most popular  [[http://www.security.iitk.ac.in/contents/events/workshops/iitkhack04/keynotes/ppt06.ppt|MITM attacks]] on layer 2

=== Layer 2 & 3: Virtual Private Networks ===

  * <<FancyURL(url="https://www.mat.unical.it/ianni/RSI-Web/slides/VPN.ppt", text="Principles and goals of a VPN", expire=864000)>>
 * VPN with [[https://help.ubuntu.com/community/SSH_VPN|SSH Tunneling]]
 * Linux VPN [[http://blogs.technet.com/cfs-filesystemfile.ashx/__key/CommunityServer-Blogs-Components-WeblogFiles/00-00-00-86-46-PDFs/4370.Linux_2D00_VPN_2D00_Analysis_2D00_Howto_5F00_final.pdf|Technical Analysis]]
 * How to setup a  [[http://poptop.sourceforge.net/dox/debian-howto.phtml|PPTP/GRE]] server on Linux
 * How to setup a [[http://www.jacco2.dds.nl/networking/freeswan-l2tp.html|L2TP/IPSec]] server on Linux - 
  * IPV6 - [[http://www2.garr.it/ws5/pdf/TutorialIPv6.pdf|here]] and [[http://www.sanog.org/resources/sanog5-pfs-ipv6-tutorial.pdf|here]]
  * IPSec - [[http://www.mat.unical.it/ianni/storage/ipsec.pptx|IT]] - [[http://www.mat.unical.it/ianni/storage/ipsec2013.pptx|EN]]
  
  * [[https://www.tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.ipsec.html|IPSec HOWTO]]
 * Common VPN security [[http://www.nta-monitor.com/posts/2005/01/VPN-Flaws-Whitepaper.pdf|flaws]]

=== Layer 4 & 5 Security ===

 * HTTP authentication, Cookies & Privacy - [[attachment:cookies.ppt|IT]] - [[http://www.mat.unical.it/ianni/storage/CookiesPrivacy2013.ppt|EN]]
 * [[http://www.symantec.com/connect/articles/apache-2-ssltls-step-step-part-1|SSL+TLS]] infrastructure
 <<FancyURL(url="https://www.mat.unical.it/ianni/RSI-Web/laboratorio/SSLSERVER/SSL.pdf", text="Laboratory: OpenSSL in practice", expire=864000)>> 
 * How to configure an Apache server with a SSL certificate - [[attachment:openssl.pdf|Download]] 
 * Firewall [[http://www.mat.unical.it/ianni/storage/firewalltranversal2012.ppt|IT]] - [[http://www.mat.unical.it/ianni/storage/firewalltranversal2013.ppt|EN]]

=== Laboratory sessions ===


 * Laboratory session 1 - [[attachment:primaParte.pdf]] [[attachment:secondaParte.pdf]]
 * Solution of laboratory session 1 - [[attachment:labRSI_soluzione_routing.zip|1]] [[attachment:istruzioni_avvio_lab.txt|2]]

 * Laboratory session of 24 March 2011 -[[attachment:esercizio1.pdf]] [[attachment:esercizio2.pdf]]

 * Laboratory session of April 3d 2013 - [[http://www.mat.unical.it/ianni/storage/SSL.pdf|PKI and SSL]]

 * Laboratory session of April 16th, 2013, Aircrack - WEP [[http://www.mat.unical.it/ianni/storage/Notes.txt|EN]] - [[attachment:appunti_esercitazione_20_4_2011.txt|IT]]
 * <<FancyURL(url="https://www.mat.unical.it/ianni/RSI-Web/laboratorio/Aircrack-WPA/WPA-Lab.txt", text="Aircrack - WPA", expire=864000)>>
 * <<FancyURL(url="https://www.mat.unical.it/ianni/RSI-Web/laboratorio/Ettercap/Ettercap-Lab.txt", text="Ettercap MITM", expire=864000)>>
 * <<FancyURL(url="https://www.mat.unical.it/ianni/RSI-Web/laboratorio/SSLSERVER/HeartBleed-Lab.txt", text="SSL-Attack (HeartBleed)", expire=864000)>>
 * <<FancyURL(url="https://www.mat.unical.it/ianni/RSI-Web/laboratorio/SSLSERVER/SSLStrip-LAB.txt", text="SSL Attack (SSLStrip)", expire=864000)>>
 * Netkit [[http://www.mat.unical.it/ianni/storage/LAN-building.pdf|EN]] - [[attachment:primaParte.pdf|ITA]]. 
   * <<FancyURL(url="https://www.mat.unical.it/ianni/RSI-Web/laboratorio/NETKIT-VPN/LAN-building-solution.pdf", text="Ip-Address", expire=864000)>>
   * Partial solution <<FancyURL(url="https://www.mat.unical.it/ianni/RSI-Web/laboratorio/NETKIT-VPN/RsiLab.rar", text="HERE", expire=864000)>>  
 * Instructions on how to build a SSH VPN on the above lab
  * <<FancyURL(url="https://www.mat.unical.it/ianni/RSI-Web/laboratorio/NETKIT-VPN/exercise_SSHVPN/sshvpn.clientside.txt", text="Client", expire=864000)>>  
  * <<FancyURL(url="https://www.mat.unical.it/ianni/RSI-Web/laboratorio/NETKIT-VPN/exercise_SSHVPN/sshvpn.serverside.txt", text="Server", expire=864000)>> 
 * Laboratory IPsec <<FancyURL(url="https://www.mat.unical.it/ianni/RSI-Web/laboratorio/NETKIT-VPN/ipsec/ipsec.txt", text="here", expire=864000)>> - <<FancyURL(url="https://www.mat.unical.it/ianni/RSI-Web/laboratorio/NETKIT-VPN/ipsec/ipsec-fullconf.txt", text="solution", expire=864000)>>
 * <<FancyURL(url="https://www.mat.unical.it/ianni/RSI-Web/laboratorio/exploit-exercise/exploit-exercise.rar", text="Laboratory buffer overflow ", expire=864000)>>
 * Laboratory session of 12 April 2011 -[[attachment:esercitazione_12_aprile_2011.zip]]
 * Laboratory session of 20 April 2011 -[[attachment:appunti_esercitazione_20_4_2011.txt]]
 * Laboratory session of 3 May 2011 - [[attachment:labRSIclean.tar.gz]]
 * Laboratory session of 18 May 2011 - [[attachment:esercitazione_18_maggio_2011_new.tar.gz]]

## Laboratory session of 4 May 2011(VPN SSH-Based) - [[attachment:esercSSHVPN.tar.gz]]
=== Host security and other selected topics ===

  * DB Security - [[attachment:sicurezza_db.ppt|IT]] - [[http://www.mat.unical.it/ianni/storage/DatabaseSecurity2013.ppt|EN]]
  * Physical Security - [[attachment:sicurezza_app_fisica.ppt|download]] 
  * Software integrity, buffer overflow, SQL injection - [[http://www.mat.unical.it/ianni/storage/SoftSecSQLInj.ppt]] 
  * Windows Internals and its security - [[attachment:SicurezzaCosenza.pptx|download]]
  * Rule-based IDSs: [[http://searchfiletype.com/nsd/redirect.php?redir=http%3A%2F%2Fwww.cse.scu.edu%2F%7Etschwarz%2FCOEN252_09%2FPPtPre%2FSnort.ppt|Snort]]
  * <<newicon>> A [[http://cwe.mitre.org/top25/index.html#CWE-22|CWE-22]] simple exploit [[http://www.mat.unical.it/ianni/storage/hover.pl|script]]


  * Kerberos - [[http://www.mat.unical.it/ianni/storage/kerberos.pptx|IT]] - [[http://www.mat.unical.it/ianni/storage/kerberos_2013.pptx|EN]]
  * Malware analysis - [[https://www.mat.unical.it/informatica/Sistemi%20Operativi?action=AttachFile&do=view&target=security.zip|here]]
  * Demo of Functions for accessing the registry & Software integrity - [[https://www.mat.unical.it/informatica/Sistemi%20Operativi?action=AttachFile&do=view&target=registrydemo.zip|here]]
  * <<FancyURL(url="https://www.mat.unical.it/ianni/RSI-Web/slides/PasswordStorage.pptx", text="Password storage, MSChap-v2, SRP", expire=864000)>> 

=== How to install Netkit ===

 * Netkit consists of three files that are [[http://wiki.netkit.org/index.php/Download_Official|here]].
 * Then apply the patch 2 as described [[ElencoFaq|here]]
 * Netkit web site - http://www.netkit.org/

=== WebGoat Solution ===
 *Access Control Flaws:
  * [[http://www.mat.unical.it/~phd_nik/RSI/WebGoatSolution/UsingAccessControlMatrix.html|Using an Access Control Matrix]]
  * [[http://www.mat.unical.it/~phd_nik/RSI/WebGoatSolution/BypassPathBasedAccessControl.html|Bypass a Path Based Access Control Scheme]]
  * [[http://www.mat.unical.it/~phd_nik/RSI/WebGoatSolution/BypassBusinessLayerAccessControl.html|Bypass Business Layer Access Control]]
  * [[http://www.mat.unical.it/~phd_nik/RSI/WebGoatSolution/BypassDataLayerAccessControl.html|Bypass Data Layer Access Control]]

 *Injection Flaws:
  * [[http://www.mat.unical.it/~phd_nik/RSI/WebGoatSolution/CommandInjection.html|Command Injection]]
  * [[http://www.mat.unical.it/~phd_nik/RSI/WebGoatSolution/NumericSQLInjection.html|Numeric SQL Injection]]
  * [[http://www.mat.unical.it/~phd_nik/RSI/WebGoatSolution/LogSpoofing.html|Log Spoofing]]
  * [[http://www.mat.unical.it/~phd_nik/RSI/WebGoatSolution/StringSqlInjection.html|String SQL Injection]]
  * [[http://www.mat.unical.it/~phd_nik/RSI/WebGoatSolution/ModifyDataSQLInjection.html|Modify Data with SQL Injection]]
  * [[http://www.mat.unical.it/~phd_nik/RSI/WebGoatSolution/AddDataSqlInjection.html|Add Data with SQL Injection]]
  * [[http://www.mat.unical.it/~phd_nik/RSI/WebGoatSolution/DatabaseBackDoors.html|Database Backdoors]]
  * [[http://www.mat.unical.it/~phd_nik/RSI/WebGoatSolution/BlindNumericSqlInjection.html|Blind Numeric SQL Injection]]
  * [[http://www.mat.unical.it/~phd_nik/RSI/WebGoatSolution/BlindStringSqlInjection.html|Blind String SQL Injection]]
  

 * XSS:
  * [[http://www.mat.unical.it/~phd_nik/RSI/WebGoatSolution/Phishing.html|Phishing with XSS]]
  * [[http://www.mat.unical.it/~phd_nik/RSI/WebGoatSolution/Lab_Stored_XSS.html|LAB: Cross Site Scripting]]
  * [[http://www.mat.unical.it/~phd_nik/RSI/WebGoatSolution/HttpOnly.html|HTTPOnly Test]]
 * Parameter Tampering:
  * [[http://www.mat.unical.it/~phd_nik/RSI/WebGoatSolution/BypassHtmlFieldRestrictions.html|Bypass HTML Field Restrictions]]
  * [[http://www.mat.unical.it/~phd_nik/RSI/WebGoatSolution/ExploitHiddenFieldTampering.html|Exploit Hidden Fields]]
  * [[http://www.mat.unical.it/~phd_nik/RSI/WebGoatSolution/ExploitUncheckedEmail.html|Exploit Unchecked Email]]
  * [[http://www.mat.unical.it/~phd_nik/RSI/WebGoatSolution/BypassClientSideJavaScriptValidation.html|Bypass Client Side JavaScript Validation]]