Download - Network Chapter7 - Internet Security
8/9/2019 Network Chapter7 - Internet Security
Internet Security
Objective
At the end of this chapter, students will be able to appreciate the cost and value of information stored on a network, and will also understand the concept of network security and the various measures/tools that can be used to enhance network security.
Scope
Price for Data Loss
Introduction to Network Security
Basic Network Security Concepts
Security Policy
Authentication
Non-Repudiation
Integrity
Confidentiality and Access Control
Two Approaches to Security
Tools for Different Layers
Risk Management
Internet Security Toolkit
Encryption
Some Elementary Security Tips
Conclusion - What should I do
The Price of Data Loss
Whenever there is a successful malicious attack on a computer system, valuable data is either lost and/or compromised.
Loss of data also occurs during system failures and disk crashes; the precautions to be taken against them have already been covered in an earlier section.
The consequences of lost data are, at best, lost time and, at worst, the disappearance of irrecoverable and valuable mission-critical data.
The consequence of a data loss can be measured in many other ways, including:
Lost Intelligence -- Some key data, such as the data elements and results of an extensive research project, are priceless and the loss is irreplaceable.
Lost Revenue -- The loss of desktop systems supporting on-line transactions can easily translate into lost business revenue, as agents are unable to fulfill customer orders or requests.
Lost Productivity and Worker Inefficiency -- Employees who need to spend frustrating time recovering or recreating lost data are treading old ground in a highly unproductive effort.
Lost Opportunity -- Lost productivity translates into lost opportunity as workers fail to capitalize on business possibilities because they are tied up recovering from system failures.
Unanticipated Expense -- One great frustration on the part of management is incurring unexpected costs due to system failures. These often result in delays to important system upgrades or other sidetracking of important projects put on hold for lack of budget.
Introduction to Network Security
Network security is a contradiction in terms, like the classic references to "jumbo shrimp" and "military intelligence".
True security can only be achieved when the information is isolated, locked in a safe, surrounded by guards, dogs and fences, and rendered inaccessible.
Some would argue that even then, there is no absolute security.
Basic Network Security Concepts
A good place to begin is by defining the basic concepts involved in securing any object. The key words in the security lexicon are vulnerability, threat, attack, and countermeasure.
Vulnerability is the susceptibility of a situation to being compromised. It is a potential, a possibility, a weakness, an opening.
A Threat is an action or tool which can exploit and expose a vulnerability and therefore compromise the integrity of a given system.
An Attack defines the details of how a particular threat could be used to exploit a vulnerability. It is entirely possible that situations could exist where vulnerabilities are known and threats are developed.
Countermeasures are those actions taken to protect systems from attacks which threaten specific vulnerabilities.
Security Policy
Develop security requirements based on an analysis of the organization's mission, the information at risk, the threats to that information and the implications of any successful attacks.
Appoint a security officer and delineate clearly the required job responsibilities and skills.
Define appropriate security services and mechanisms and allocate them to components of the company's IT systems.
Identify different measures of security appropriate for each level.
Remember that security is not only technology; physical security and procedural security are as important as the technology used.
Identify users who should have access to each level of security.
Authentication
A primary tool in securing any computer system is the ability to recognize and verify the identity of users. This security feature is known as authentication.
Traditionally, special names and secret passwords have been used to authenticate users, but as the anecdote above demonstrates, the password is only as good as the users' ability to keep it secret and protect it from being abused by unauthorized users. There are three generally accepted techniques for authenticating users to host machines.
Authentication by something the user knows. This is the password/username concept described above. There are two common approaches to password authentication, known as PAP and CHAP.
Authentication by something the user has. In this technique, the user is given some kind of token, such as a magnetic stripe card or key, or in sophisticated cases the user has a smart card equipped with a computer chip which can generate an encrypted code back to the computer system.
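The difference between PAP and CHAP named above is worth seeing in code. The following is an added example, not part of the course slides: PAP sends the password itself, while CHAP (RFC 1994) sends only an MD5 digest over a server-chosen random challenge, so a captured response is useless against the next challenge. The user database, secret and challenge length are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed user database for the demonstration: username -> shared secret.
USERS = {"alice": b"correct horse battery staple"}


def pap_authenticate(username, password):
    """PAP: the client sends its password across the link and the server
    compares it. Whatever is on the wire IS the secret."""
    secret = USERS.get(username)
    return secret is not None and hmac.compare_digest(secret, password)


def chap_challenge():
    """Server side of CHAP: pick an identifier and a fresh random challenge."""
    return os.urandom(1)[0], os.urandom(16)


def chap_response(identifier, secret, challenge):
    """Client side of CHAP (RFC 1994): MD5 over identifier || secret || challenge.
    Only this digest crosses the link; the secret itself never does."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(username, identifier, challenge, response):
    """Server recomputes the expected response from its own copy of the
    secret and compares it in constant time."""
    secret = USERS.get(username)
    if secret is None:
        return False
    return hmac.compare_digest(chap_response(identifier, secret, challenge), response)


def chap_exchange(username, client_secret):
    """Run one full challenge/response round trip; returns the server's verdict."""
    identifier, challenge = chap_challenge()
    return chap_verify(username, identifier, challenge,
                       chap_response(identifier, client_secret, challenge))


def replayed_response_rejected(username, client_secret):
    """A response captured during one exchange is useless against the next,
    because the server issues a new random challenge every time."""
    ident1, ch1 = chap_challenge()
    captured = chap_response(ident1, client_secret, ch1)
    ident2, ch2 = chap_challenge()
    return not chap_verify(username, ident2, ch2, captured)


if __name__ == "__main__":
    print("PAP ok:", pap_authenticate("alice", b"correct horse battery staple"))
    print("CHAP ok:", chap_exchange("alice", b"correct horse battery staple"))
    print("CHAP wrong secret:", chap_exchange("alice", b"guess"))
    print("replay rejected:", replayed_response_rejected("alice", b"correct horse battery staple"))
```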
Authentication by physical characteristics. Here, the mechanism is to recognize some measure of the individual which ostensibly cannot be duplicated. Biometric techniques such as fingerprint ID, palm print ID, retinal scan, manual and digital signature, or voice recognition are used to validate the identity of the potential user.
Non-Repudiation
This security concept protects against the sender or receiver denying that they sent or received certain communications.
For example, when a person sends a certified or registered letter via the United States Postal Service (USPS), the recipient is supposed to prove his or her identity to the delivery person, and then confirm their receipt by signing a form.
The signed form is then returned to the sender, which proves to the sender that their correspondence was delivered.
This prevents the recipient (for example a debtor) from claiming that they never received the correspondence (for example a demand note) and therefore using that as an excuse for their actions (not paying the debt).
In computer networks, these kinds of services are also available, and are becoming increasingly valuable as commerce on the Internet continues to gain in popularity.
There are three different types of non-repudiation services that are applicable in computer network messaging:
Non-repudiation of Delivery Service,
Non-repudiation of Origin Service, and
Non-repudiation of Submission Service.
Integrity
Integrity refers to the completeness and fidelity of the message as it passes through the network.
The key here is making sure that the data passes from the source to the destination without undetected alteration. Note the use of the word "undetected".
We may not be able to thwart someone from tapping our messages and attempting to modify them as they move through the network.
If the order of transmitted data is also ensured, the service is termed connection-oriented integrity. The term anti-replay refers to a minimal form of connection-oriented integrity designed to detect and reject duplicated or very old data units.
Confidentiality and Access Control
Confidentiality is a security property that ensures that data is disclosed only to those authorized to use it, and that it is not disclosed to unauthorized parties.
The key point behind ensuring the confidentiality of information on the network is to deny information to anyone who is not specifically authorized to see it or use it.
Encryption is a frequently used mechanism for guaranteeing confidentiality, since only those recipients who have access to the decrypting key are able to decode the messages.
Approaches to Security
Over time, two distinct approaches have evolved to applying security countermeasures: network-coupled security and application-coupled security.
As the names imply, the first philosophy favors securing the network infrastructure, while the second builds security into the applications themselves.
Network Coupled Security
In a network-coupled scheme, the focus is to make the network itself a trusted and secure subsystem so that the applications can assume the data being transmitted is safe.
Application Coupled Security
Proponents of this scheme argue that the application knows best what kind of security is required for that application. Therefore, control of the security aspects should rest in the application layer. To these proponents, the need to create security-aware applications is not a disadvantage, but rather a natural and reasonable consequence of the need to apply security at that level.
Similarly, the potential for interoperability issues is seen as a flexibility advantage by the proponents of application-coupled security.
Tools for Different Layers
There is no shortage of technology available to secure an organization's Internet connections. More appropriate questions have to do with which tools to use at which layers to effect secure communications.
Early on, router manufacturers recognized the key role they could play in this endeavor, and have placed filtering capabilities in their products to establish a primary front line of defense. A router with the ability to examine and discriminate network traffic based on the IP packet addresses is known as a "screening router".
Some advanced routers provide the capability to screen packets based upon other criteria such as the type of protocol (http, ftp, udp), the source address, and the destination address fields for a particular type of protocol.
This way, a communications manager can build "profiles" of users who are allowed access to different applications based on the protocols.
Risk Management
Network security is all about managing risks and using this risk management analysis to provide appropriate security at an affordable price.
Assessment of Major Threats to a Network
Risks can be characterized by two criteria: the likelihood that a particular attack will be successful, and the consequences of the results if the attack is successful.
Security costs money, and therefore we must use that money wisely and only spend it where there is a real likelihood of significant damage.
Internet Security Toolkit
Firewalls
A firewall is a device or software application which serves as a flexible barrier between the computers on your internal network and the outside world (i.e. the Internet).
Firewalls apply a set of rules to decide who gets to connect to which machines and what services they are authorized to use.
A firewall, when set up properly, provides an excellent means for protecting your network and the machines connected to it from intrusion.
A firewall's primary purpose is to prevent outside users from accessing machines other than those set up for public access (i.e. your web server, FTP servers, etc.). Firewalls do this using several different tools like packet filtering, client access lists, server access lists, user authentication, address obfuscation, etc.
Packet Filtering
Here the firewall discards data before it ever reaches a particular machine. For example, you might want to deny access to a specific machine from outside your local area network.
Using packet filtering, you tell the firewall to discard all packets destined to a specific machine.
Packet filtering is probably the easiest way to secure your Internet connection. What you do here is to permit certain services to cross your LAN Internet connection (i.e. email, HTTP/worldwide web, IP phone calls, etc.), while blocking connections to services such as FTP, TFTP, Telnet, etc.
The general rule of thumb used is to deny access to everything except for common services such as web access, email, etc., and then allow other types of traffic to pass through upon request.
Client Access Lists
Here the firewall is given a list of client PCs (outside IP addresses) which may access machines on your LAN. This is a useful tool for securing a network. This technique allows you to grant restricted or unrestricted access to all or part of your LAN based on the IP address of the outside party.
Server Access Lists
Here the firewall is given a list of servers which can be accessed from outside your LAN. This is a variation of packet filtering. Here you are defining a list of servers which can be accessed from outside your office.
This makes it relatively easy to declare certain workstations verboten, and even to conceal their existence from the outside network.
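The packet filtering rule of thumb, the client access list and the server access list described in the last three sections combine into one ordered rule set. The following is an added example, not from the slides: a small policy evaluator that blocks FTP, TFTP and Telnet outright, admits outsiders only to the listed public servers, admits a trusted partner network to the rest of the LAN, and otherwise denies by default. The networks, hosts and sample packets are constructed (documentation address ranges).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str     # source IP address
    dst: str     # destination IP address
    proto: str   # "tcp" or "udp"
    dport: int   # destination port


# Constructed policy for the demonstration (addresses are documentation ranges).
INTERNAL_NET = ip_network("192.0.2.0/24")                    # the office LAN
# Server access list: only these internal hosts are reachable from outside,
# and only on the listed services.
PUBLIC_SERVERS = {
    ip_address("192.0.2.10"): {("tcp", 80), ("tcp", 443)},  # web server
    ip_address("192.0.2.25"): {("tcp", 25)},                # mail server
}
# Client access list: outside networks trusted to reach the rest of the LAN.
TRUSTED_CLIENTS = [ip_network("198.51.100.0/24")]            # partner office
# Services the slides single out as blocked at the LAN/Internet boundary.
BLOCKED_SERVICES = {("tcp", 21), ("udp", 69), ("tcp", 23)}  # FTP, TFTP, Telnet
# Common services the LAN may use outbound (web and mail).
ALLOWED_OUTBOUND = {("tcp", 80), ("tcp", 443), ("tcp", 25), ("tcp", 110)}


def decide(pkt):
    """Return (verdict, reason) for one packet crossing the firewall.
    Rule order: explicit blocks first, then the two access lists, then the
    slides' rule of thumb: deny everything not explicitly allowed."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    service = (pkt.proto, pkt.dport)
    if service in BLOCKED_SERVICES:
        return "deny", "blocked service"
    if src in INTERNAL_NET:                      # outbound from the LAN
        if service in ALLOWED_OUTBOUND:
            return "permit", "outbound common service"
        return "deny", "default deny (outbound)"
    if dst in PUBLIC_SERVERS and service in PUBLIC_SERVERS[dst]:
        return "permit", "server access list"
    if dst in INTERNAL_NET and any(src in net for net in TRUSTED_CLIENTS):
        return "permit", "client access list"
    return "deny", "default deny (inbound)"


# Constructed sample traffic.
SAMPLE_PACKETS = [
    Packet("203.0.113.5", "192.0.2.10", "tcp", 443),   # stranger -> public web server
    Packet("203.0.113.5", "192.0.2.10", "tcp", 23),    # stranger -> telnet on web server
    Packet("203.0.113.5", "192.0.2.50", "tcp", 80),    # stranger -> internal workstation
    Packet("198.51.100.7", "192.0.2.50", "tcp", 445),  # partner -> internal workstation
    Packet("198.51.100.7", "192.0.2.50", "tcp", 21),   # partner -> FTP on workstation
    Packet("192.0.2.50", "203.0.113.9", "tcp", 443),   # workstation -> Internet HTTPS
    Packet("192.0.2.50", "203.0.113.9", "udp", 69),    # workstation -> TFTP outbound
]


def screen(packets):
    """Apply the policy to a list of packets and return the verdicts."""
    return [decide(p)[0] for p in packets]


if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(p, "->", decide(p))
```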
User Authentication
Here the firewall prompts outside users for a user name and password, and has an opportunity to grant or deny access to services on your network.
User authentication is a useful tool in environments where it is not practical to globally block access to specific workstations or services.
Address Obfuscation
Here the firewall masks the IP addresses of your internal machines and makes them appear to outside users to be on different IP addresses. This makes it very difficult for hackers to access these machines without knowing what their real IP addresses are. This is a great example of the premise of "security through obscurity." If an intruder has no idea where a particular resource is located, it will be difficult to compromise.
Encryption
Encryption is a technique as old as the Romans. It is simply the scrambling of the transmitted text using a set of rules (algorithms, which in today's world means mathematical manipulations) which is known to the recipient, but hopefully to no one else. The recipient can then use the same set of rules in reverse to unscramble the coded text and read the intended message.
The majority of the data transmitted across the Internet is not encrypted; it is sent as clear text. This means that if somebody is able to monitor the raw data coming in and out of your network, they will be able to see quite a bit.
Some Elementary Security Tips
Besides installing a firewall, there are a number of simple things you can do which will further enhance the security of your network.
Put sensitive data on a machine which cannot be accessed via TCP/IP - most PC operating systems support multiple networking protocols, such as NetBEUI, IPX/SPX, TCP/IP and others.
One technique for sequestering sensitive data is to put it on a machine which has no TCP/IP connectivity, and instead talks to other machines using a local area network protocol such as NetBEUI.
Summary
Any security scheme must identify vulnerabilities and threats, anticipate potential attacks, assess whether they are likely to succeed or not, and assess what the potential damage might be from successful attacks.
A primary tool in securing any computer system is the ability to recognize and verify the identity of users. This security feature is known as authentication. The security concept of Non-Repudiation protects against the sender or receiver denying that they sent or received certain communications.
Integrity refers to the completeness and fidelity of the message as it passes through the network.
Risks can be characterized by two criteria: the likelihood that a particular attack will be successful, and the consequences of the results if the attack is successful.