
Post on 21-Dec-2015

Networks and Security

A Series of Lectures, Outlining:

How Networks affect Security of a system

Security of System

Security of Network

Security of Organisation

Secure vs Trustworthy

Attack Vulnerabilities

Web references and Bibliography

Eur Ing Brian C Tompsett

University of Hull

Networking Principles Revision

• ISO 7 Layer Model
• Names and function of layers
• Layer interconnect terminology

Internet Basics Revision

IP Addresses (and registrars)
• 150.237.92.11
• 192.168.0.1

Domain Names (and registrars)
• www.dcs.hull.ac.uk
• on.to / i.am / name.is

Services/Sockets
• http port 80

ISO 7 Layer Model

[Diagram: two ISO 7-layer stacks (Application, Presentation, Session, Transport, Network, Datalink, Physical), labelled with interconnect devices (Hub/Repeater, Switch/Bridge, Router, NAT/ICS/Proxy, Proxy/Relay, Gateway), data unit names (PTU, Frame, Datagram, Packet, Segment, Message) and example protocols (10BaseT, ADSL, PPP/SLIP, Ethernet, IP, TCP/UDP, HTTP/FTP, SMTP)]

Internet The Movie

Animation covering salient points

It has some factual errors
• Can you spot them?

First Mention of Firewalls
• Covered later

Summary

Overall Networking Architecture

Role of Layers & Layer Interface

Internet Protocols

Network Interconnections

Any further revision?


What is it for?

What is the purpose of

Trustworthy Computing?

Computer Security?

Information Security?

[Diagram: layers Entities, Environment, Organisation, Infrastructure, Activities, Procedures, Data]

Information Security Model

Entities Protection

Environment Protection

Organisation Protection

Infrastructure Protection

Activity Protection

Procedure level Protection

Data Protection

Security 7 Layer Model

[Diagram: two 7-layer stacks (Entities, Environment, Organisation, Infrastructure, Activity, Procedures, Data), with interconnection labels: Translation, Relationship, Contract, Language, Protocol, Packet, Document, Business, Contact, Information, Connection, Exchange, Gateway, Exchange]

Entities

Objects being manipulated by the system

Entities can be active or passive

Data about entities is being protected

Entities can be People, Organisations or Objects

Entities themselves encompass other entities – Collection or Containment

Security involves:
• Physical Changes – Commissioning
• Operational Procedure – What they do
• Structure – Interrelations

Environment

The restrictions on entities

Can act to limit or constrain security or freedom of action

Legislation, Regulation, Ethics

Technical Capability, Resource Limitation

Compatibility, Standards, Procedures

Physical Limitation

Organisation

The mechanism by which operations are performed

The Organisation within the environment

Infrastructure

That which enables activities

The physical components which may or may not be entities in their own right

Activity

The tasks which process the data

Usually a business activity

Could be a software Application

Procedure

The component steps that enable an activity

Can be software components or human procedures

Data

The actual data about entities

The goal of a security breach

Protected by
• Cryptography
• Integrity

Security Models

ISO 17799
• ISO 27001 – ISO 27000 series

SABSA
• Sherwood Applied Business Security Architecture
• Based on Zachman IS Framework

Financial Security Model

SABSA Model

Financial Security Model

Finance
• Applications for financial users, issuers of digital value, trading and market operations

Value
• Instruments that carry monetary value

Governance
• Protection of the system from non-technical threats

Accounting
• Value within defined places

Rights
• An authentication concept – moving value between identities

Software Engineering
• Tools to move instructions over the net

Cryptography
• Sharing truths between parties

ISO 17799

• Security Policy
• Organisation of Information Security
• Asset Management
• Human Resources Security
• Physical and Environmental Security
• Communications and Operational Management
• Access Control
• Systems Development, Acquisition, Maintenance
• Security Incident Management
• Business Continuity Management
• Compliance


Network Security Model

Personal Protection

Organisation Protection

Network Protection

System Protection

Application Protection

Code level Protection

Data Protection

[Diagram: layers Person, Organisation, Infrastructure, Systems, Applications, Procedures, Data]

Security 7 Layer Model

[Diagram: two 7-layer stacks (Person, Organisation, Infrastructure, Systems, Application, Procedures, Data), with interconnection labels: Translation, Relationship, Contract, Language, Protocol, Packet, Document, Business, Contact, Information, Connection, Exchange, Gateway, Exchange; further labels: Static, Dynamic, Activity, Object]

Personal Protection

Personal Security
• Locking Doors, Staying Safe

Personal Data Protection
• Giving out DOB, Credit Card, Family info

Securing Access to your Computer

Personal Security Policy for all

Protect others' personal security

Organisation Protection

Organisation / Institution / Company
• A Holistic View

Corporate Image

Make public only what is required

Hide internal structure & information

Window & Door into Organisation

Manages Input & Output

Doors and Windows

Decide What Services are available
• Web servers, ftp, email

Which hosts on which networks

Which domains used

On which IP nets

Hosted by whom

What registration information
• Names, addresses, phone numbers

[Diagram: WWW, FTP and SMTP services and a Gateway between Inside and Outside (the Internet)]

Network Protection

Protect Network as entity/resource

Manage permitted traffic flow

Manage authorised use

Architect the Network - zoning

Firewalling

Network Architecture

Proper use of Subnets and domains
• Limit traffic to local segments

Use Bridges/Switches/Routers/Proxies

Prevent data and authority leaks

What to Firewall?

Certain Protocols – NetBIOS

Certain Responses – ping/traceroute

Certain Applications – Real/IRC

Certain Systems/Networks

Control Port/Host combinations
• Email Port/25, HTTP Port/80, FTP Port/21

Rate Limit
• Denial of Service/Scanners
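
The controls on this slide, combined into a first-match packet filter with a default deny and a per-source rate limit. This is an added example, not part of the original lecture; the host addresses (documentation ranges), the rule layout and the rate and burst values are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed policy: first match wins, unmatched traffic is denied.
# 192.0.2.0/24 is a documentation range standing in for the public servers.
RULES = [  # (action, protocol, destination network, ports; None = any)
    ("deny",  "udp",  "0.0.0.0/0",     {137, 138}),  # NetBIOS name/datagram
    ("deny",  "tcp",  "0.0.0.0/0",     {139}),       # NetBIOS session
    ("deny",  "icmp", "0.0.0.0/0",     None),        # ping / traceroute responses
    ("allow", "tcp",  "192.0.2.25/32", {25}),        # mail host: SMTP only
    ("allow", "tcp",  "192.0.2.80/32", {80}),        # web host: HTTP only
    ("allow", "tcp",  "192.0.2.21/32", {21}),        # FTP host: control port only
]

class Firewall:
    def __init__(self, rules, rate=5.0, burst=10):
        self.rules = [(a, p, ipaddress.ip_network(n), ports)
                      for a, p, n, ports in rules]
        self.rate, self.burst = rate, burst  # packets per second, bucket size
        # source address -> (tokens left, time last seen)
        self.buckets = defaultdict(lambda: (float(burst), 0.0))

    def _within_rate(self, src, now):
        """Token bucket per source: throttles floods and port scanners."""
        tokens, last = self.buckets[src]
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        allowed = tokens >= 1
        self.buckets[src] = (tokens - 1 if allowed else tokens, now)
        return allowed

    def decide(self, src, dst, proto, dport=None, now=0.0):
        if not self._within_rate(src, now):
            return "deny:rate"
        dst_ip = ipaddress.ip_address(dst)
        for i, (action, p, net, ports) in enumerate(self.rules):
            if p == proto and dst_ip in net and (ports is None or dport in ports):
                return f"{action}:rule{i}"
        return "deny:default"

def scan_verdicts(fw, src, dst, ports, now):
    """Verdicts for one source probing many ports at the same instant."""
    return [fw.decide(src, dst, "tcp", port, now) for port in ports]

if __name__ == "__main__":
    fw = Firewall(RULES)
    print(fw.decide("198.51.100.7", "192.0.2.80", "tcp", 80))  # HTTP to web host
    print(fw.decide("198.51.100.7", "192.0.2.80", "tcp", 25))  # SMTP to web host
    print(scan_verdicts(fw, "203.0.113.9", "192.0.2.80", range(1, 16), 100.0))
```

Because the port/host rules name both the host and the port, SMTP to the web host falls through to the default deny even though port 25 is open elsewhere.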

System Protection

Protect each system from misuse
• Incoming & Outgoing!

Control Which Services Run
• http://support.microsoft.com/?kbid=832017

Virus checkers

Application Protection

Specific Application Configuration
• Parental Controls of Web Browsers

Domain/IP blockers

Spam filters

Control file/device exports

Code Level Protection

Writing Secure Code
• Even on a secured system

Bad Code compromises security

Hence software updates

Data Protection

Hiding the Data

Cryptography

Data Transience

Data Integrity


Forms of Attack

Denial of Service

Input Data Attack

Spoofing

Sniffing

Social Engineering