
Network Chapter7 - Internet Security

May 30, 2018

phannarith
8/9/2019 Network Chapter7 - Internet Security

Internet Security

Objective

At the end of this chapter, students will be able to appreciate the cost and value of information stored on a network, and will also understand the concept of network security and the various measures/tools that can be used to enhance network security.

Scope

Price for Data Loss
Introduction to Network Security
Basic Network Security Concepts
Security Policy
Authentication
Non-Repudiation
Integrity
Confidentiality and Access Control
Two Approaches to Security

Scope (continued)

Tools for Different Layers
Risk Management
Internet Security Toolkit
Encryption
Some Elementary Security Tips
Conclusion - What Should I Do

The Price of Data Loss

Whenever there is a successful malicious attack on a computer system, valuable data is lost and/or compromised.

Loss of data also occurs during system failures and disk crashes; the precautions to be taken against them have already been covered in an earlier section.

The consequences of lost data are, at best, lost time and, at worst, the disappearance of irrecoverable and valuable mission-critical data.

The Price of Data Loss

The consequence of a data loss can be measured in many other ways, including:

Lost Intelligence -- Some key data, such as the data elements and results of an extensive research project, are priceless and the loss is irreplaceable.

Lost Revenue -- The loss of desktop systems supporting online transactions can easily translate into lost business revenue, as agents are unable to fulfill customer orders or requests.

Lost Productivity and Worker Inefficiency -- Employees who need to spend frustrating time recovering or recreating lost data are treading old ground in a highly unproductive effort.

The Price of Data Loss

Lost Opportunity -- Lost productivity translates into lost opportunity as workers fail to capitalize on business possibilities because they are tied up recovering from system failures.

Unanticipated Expense -- One great frustration on the part of management is incurring unexpected costs due to system failures. These often result in delays to important system upgrades, or in other important projects being sidetracked and put on hold for lack of budget.

Introduction to Network Security

Network security is a contradiction in terms, like the classic references to Jumbo Shrimp and Military Intelligence.

True security can only be achieved when the information is isolated, locked in a safe, surrounded by guards, dogs and fences, and rendered inaccessible. Some would argue that even then there is no absolute security.

Basic Network Security Concepts

A good place to begin is by defining the basic concepts involved in securing any object. The key words in the security lexicon are vulnerability, threat, attack, and countermeasure.

Vulnerability is the susceptibility of a situation to being compromised. It is a potential, a possibility, a weakness, an opening.

A Threat is an action or tool which can exploit and expose a vulnerability and therefore compromise the integrity of a given system.

Basic Network Security Concepts

An Attack defines the details of how a particular threat could be used to exploit a vulnerability. It is entirely possible that situations could exist where vulnerabilities are known and threats are developed.

Countermeasures are the actions taken to protect systems from attacks which threaten specific vulnerabilities.

Security Policy

Develop security requirements based on an analysis of the organization's mission, the information at risk, the threats to that information and the implications of any successful attacks.

Appoint a security officer and delineate clearly the required job responsibilities and skills.

Define appropriate security services and mechanisms and allocate them to components of the company's IT systems.

Security Policy

Identify different measures of security appropriate for each level.

Remember that security is not only technology; physical security and procedural security are as important as the technology used.

Identify users who should have access to each level of security.

Authentication

A primary tool in securing any computer system is the ability to recognize and verify the identity of users. This security feature is known as authentication.

Traditionally, special names and secret passwords have been used to authenticate users, but as the anecdote above demonstrates, the password is only as good as the users' ability to keep it secret and protect it from being abused by unauthorized users.

There are three generally accepted techniques for authenticating users to host machines.

Authentication

Authentication by something the user knows. This is the password/username concept described above. There are two common approaches to password authentication, known as PAP and CHAP.

Authentication by something the user has. In this technique, the user is given some kind of token, such as a magnetic stripe card or key, or in sophisticated cases the user has a smart card equipped with a computer chip which can generate an encrypted code back to the computer system.
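The slide names PAP and CHAP without showing what distinguishes them. The following is an added example, not material from the slides, that models both exchanges in Python so the difference can be observed on the "wire": PAP (RFC 1334) places the password itself in the request, while CHAP (RFC 1994) answers a random challenge with MD5(Identifier || secret || Challenge), so the secret never leaves the peer and a captured response is useless against a later challenge. The credential store, user name, and the dictionary "packets" are constructed for the demo; PPP framing is omitted.

```python
"""PAP versus CHAP: what crosses the link when a user proves a password.

Added illustration, not material from the slides. PAP (RFC 1334) sends the
password itself; CHAP (RFC 1994) sends a one-way hash over
Identifier || secret || Challenge, so the secret never appears on the wire.
The credential store, user name and packet dictionaries are constructed.
"""
import hashlib
import hmac
import os

# Constructed credential store on the authenticating host. Caveat CHAP imposes:
# the host must keep the secret in recoverable form to recompute the hash,
# whereas a PAP host could store only a slow password hash.
CREDENTIALS = {"alice": b"correct horse battery staple"}


def pap_request(username: str, password: bytes) -> dict:
    """Peer -> authenticator under PAP: the password travels as-is."""
    return {"proto": "PAP", "user": username, "password": password}


def pap_verify(request: dict) -> bool:
    """Authenticator under PAP: straight comparison against the stored secret."""
    stored = CREDENTIALS.get(request["user"])
    return stored is not None and hmac.compare_digest(stored, request["password"])


def chap_challenge(identifier: int, length: int = 16) -> dict:
    """Authenticator -> peer under CHAP: an 8-bit identifier and a fresh random challenge."""
    return {"proto": "CHAP", "id": identifier & 0xFF, "challenge": os.urandom(length)}


def _chap_hash(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    # RFC 1994: Response Value = MD5(Identifier || secret || Challenge Value)
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_response(challenge_pkt: dict, username: str, secret: bytes) -> dict:
    """Peer -> authenticator under CHAP: only the hash and the user name are sent."""
    value = _chap_hash(challenge_pkt["id"], secret, challenge_pkt["challenge"])
    return {"proto": "CHAP", "id": challenge_pkt["id"], "user": username, "value": value}


def chap_verify(challenge_pkt: dict, response_pkt: dict) -> bool:
    """Authenticator under CHAP: recompute from its own copy of the secret and compare.

    The identifier must match the outstanding challenge; because the challenge
    is random per exchange, a captured response does not verify later."""
    secret = CREDENTIALS.get(response_pkt["user"])
    if secret is None or response_pkt["id"] != challenge_pkt["id"]:
        return False
    expected = _chap_hash(challenge_pkt["id"], secret, challenge_pkt["challenge"])
    return hmac.compare_digest(expected, response_pkt["value"])


def secret_on_wire(packet: dict, secret: bytes) -> bool:
    """What a passive observer of the link learns: is the secret carried verbatim?"""
    return any(isinstance(v, bytes) and secret in v for v in packet.values())
```

Running `secret_on_wire` over a PAP request returns True and over a CHAP response returns False, which is the whole point of the challenge-response design; the trade-off, visible in the comment on `CREDENTIALS`, is that the CHAP authenticator must hold the secret in recoverable form.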

Authentication

Authentication by physical characteristics. Here, the mechanism is to recognize some measure of the individual which ostensibly cannot be duplicated. Biometric techniques such as fingerprint ID, palm print ID, retinal scan, manual and digital signature, or voice recognition are used to validate the identity of the potential user.

Non-Repudiation

This security concept protects against the sender or receiver denying that they sent or received certain communications.

For example, when a person sends a certified or registered letter via the United States Postal Service (USPS), the recipient is supposed to prove his or her identity to the delivery person, and then confirm receipt by signing a form. The signed form is then returned to the sender, which proves to the sender that their correspondence was delivered.

Non-Repudiation

This prevents the recipient (for example a debtor) from claiming that they never received the correspondence (for example a demand note) and therefore using that as an excuse for their actions (not paying the debt).

In computer networks, these kinds of services are also available, and are becoming increasingly valuable as commerce on the Internet continues to gain in popularity.

Non-Repudiation

There are three different types of non-repudiation services that are applicable in computer network messaging:

Non-repudiation of Delivery Service,
Non-repudiation of Origin Service, and
Non-repudiation of Submission Service.

Integrity

Integrity refers to the completeness and fidelity of the message as it passes through the network.

The key here is making sure that the data passes from the source to the destination without undetected alteration. Note the use of the word "undetected". We may not be able to thwart someone from tapping our messages and attempting to modify them as they move through the network.

Integrity

If the order of transmitted data is also ensured, the service is termed connection-oriented integrity. The term anti-replay refers to a minimal form of connection-oriented integrity designed to detect and reject duplicated or very old data units.
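The two Integrity slides above describe a receiver that detects (rather than prevents) alteration and, in the anti-replay case, rejects duplicated or very old data units. The following is an added example, not part of the slides, that implements both in Python: each data unit carries a sequence number and an HMAC-SHA256 tag, so any modification is detected, and the receiver keeps a sliding window over sequence numbers in the style of the IPsec anti-replay window to reject duplicates and units that have fallen behind the window. The key, the window size and the sample traffic in `run_sample` are constructed.

```python
"""Integrity tag plus anti-replay window over a stream of data units.

Added illustration, not part of the slides. Sender: unit = seq || payload || tag,
tag = HMAC-SHA256(key, seq || payload). Receiver: verify the tag first, then
check the sequence number against a sliding window (IPsec style). Key, window
size and sample traffic are constructed.
"""
import hashlib
import hmac
import struct

KEY = b"constructed-shared-key"   # constructed; in practice negotiated per session
TAG_LEN = 32


def protect(seq: int, payload: bytes, key: bytes = KEY) -> bytes:
    """Sender side: 4-byte big-endian sequence number, payload, then the tag."""
    header = struct.pack("!I", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class ReplayWindow:
    """Receiver state: highest sequence accepted plus a bitmap of the last `size` numbers."""

    def __init__(self, size: int = 64):
        self.size = size
        self.highest = -1   # nothing accepted yet
        self.seen = 0       # bit i set <=> sequence (highest - i) was accepted

    def check_and_update(self, seq: int) -> bool:
        if seq > self.highest:                       # newer than anything seen: slide the window
            shift = seq - self.highest
            self.seen = ((self.seen << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:                      # very old: fell off the window
            return False
        if (self.seen >> offset) & 1:                # duplicate
            return False
        self.seen |= 1 << offset                     # late but within the window: accept once
        return True


def receive(unit: bytes, window: ReplayWindow, key: bytes = KEY):
    """Returns (verdict, payload). The tag is verified before the window is touched,
    so a forged unit cannot advance the window and knock out legitimate traffic."""
    if len(unit) < 4 + TAG_LEN:
        return "malformed", None
    header, payload, tag = unit[:4], unit[4:-TAG_LEN], unit[-TAG_LEN:]
    expected = hmac.new(key, header + payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return "altered", None
    (seq,) = struct.unpack("!I", header)
    if not window.check_and_update(seq):
        return "replayed", None
    return "ok", payload


def run_sample() -> list:
    """Constructed traffic: two good units, a duplicate, a modified payload,
    nine more good units, then a unit that is now too old for the window."""
    window = ReplayWindow(size=8)
    u1 = protect(1, b"transfer 10")
    u2 = protect(2, b"transfer 20")
    tampered = u2[:4] + b"transfer 99" + u2[-TAG_LEN:]   # same seq and tag, changed payload
    verdicts = [receive(u, window)[0] for u in (u1, u2, u1, tampered)]
    for seq in range(3, 12):
        verdicts.append(receive(protect(seq, b"x"), window)[0])
    verdicts.append(receive(protect(2, b"transfer 20"), window)[0])  # seq 2 is 9 behind 11
    return verdicts
```

The order inside `receive` is the practical point: authenticate before updating any state, otherwise an attacker who can inject unauthenticated units could advance the window and cause genuine in-flight units to be dropped as "old".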

Confidentiality and Access Control

Confidentiality is a security property that ensures that data is disclosed only to those authorized to use it, and that it is not disclosed to unauthorized parties.

The key point behind ensuring the confidentiality of information on the network is to deny information to anyone who is not specifically authorized to see it or use it.

Encryption is a frequently used mechanism for guaranteeing confidentiality, since only those recipients who have access to the decrypting key are able to decode the messages.

Approaches to Security

Over time, two distinct approaches have evolved to applying security countermeasures: network coupled security and application coupled security. As the names imply, the first philosophy favors securing the network infrastructure, while the second builds security into the applications themselves.

Network Coupled Security

In a network coupled scheme, the focus is to make the network itself a trusted and secure subsystem so that the applications can assume the data being transmitted is safe.

Approaches to Security

Application Coupled Security

Proponents of this scheme argue that the application knows best what kind of security is required for that application. Therefore, control of the security aspects should rest in the application layer. To these proponents, the need to create security-aware applications is not a disadvantage, but rather a natural and reasonable consequence of the need to apply security at that level.

Similarly, the potential for interoperability issues is seen as a flexibility advantage by the proponents of application-coupled security.

Tools for Different Layers

There is no shortage of technology available to secure an organization's Internet connections. More appropriate questions have to do with which tools to use at which layers to effect secure communications.

Early on, router manufacturers recognized the key role they could play in this endeavor, and have placed filtering capabilities in their products to establish a primary front line of defense. A router that can examine and discriminate network traffic based on the IP packet addresses is known as a "screening router".

Tools for Different Layers

Some advanced routers provide the capability to screen packets based upon other criteria, such as the type of protocol (http, ftp, udp), the source address, and the destination address fields for a particular type of protocol.

This way, a communications manager can build "profiles" of users who are allowed access to different applications based on the protocols.

Risk Management

Network security is all about managing risks and using this risk management analysis to provide appropriate security at an affordable price.

Assessment of Major Threats to a Network

Risks can be characterized by two criteria: the likelihood that a particular attack will be successful, and the consequences of the results if the attack is successful.

Security costs money, and therefore we must use that money wisely and only spend it where there is a real likelihood of significant damage.
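The slide characterizes risk by two criteria (likelihood of a successful attack, consequence if it succeeds) and says money should go only where significant damage is really likely. The following is an added example, not from the slides, that turns that into a small Python decision procedure: each threat's expected annual loss is likelihood times consequence, threats are ranked by it, and a countermeasure is worth funding only when the loss it avoids exceeds its own cost. It goes slightly beyond the slide by attaching a countermeasure cost and a residual likelihood to each threat, which the spending rule needs; the threat list and all figures are constructed.

```python
"""Ranking threats by likelihood x consequence and deciding where to spend.

Added illustration, not from the slides. Expected loss = likelihood x
consequence (the slide's two criteria); a control is funded only when the loss
it avoids exceeds its cost (the slide's "spend wisely" rule). Every figure in
SAMPLE_THREATS is constructed.
"""
from dataclasses import dataclass


@dataclass
class Threat:
    name: str
    likelihood: float            # probability of a successful attack per year (0..1)
    consequence: float           # loss if the attack succeeds, in currency units
    countermeasure_cost: float   # annual cost of the control under consideration
    residual_likelihood: float   # likelihood remaining once the control is in place

    @property
    def expected_loss(self) -> float:
        return self.likelihood * self.consequence

    @property
    def loss_avoided(self) -> float:
        return (self.likelihood - self.residual_likelihood) * self.consequence

    def worth_funding(self) -> bool:
        """Spend only where the control prevents more loss than it costs."""
        return self.loss_avoided > self.countermeasure_cost


def rank_by_risk(threats):
    """Highest expected annual loss first."""
    return sorted(threats, key=lambda t: t.expected_loss, reverse=True)


def funding_plan(threats, budget: float):
    """Greedy allocation: take worthwhile controls in order of net benefit until the budget is spent."""
    chosen, spent = [], 0.0
    candidates = [t for t in threats if t.worth_funding()]
    candidates.sort(key=lambda t: t.loss_avoided - t.countermeasure_cost, reverse=True)
    for t in candidates:
        if spent + t.countermeasure_cost <= budget:
            chosen.append(t.name)
            spent += t.countermeasure_cost
    return chosen, spent


# Constructed figures: name, likelihood, consequence, control cost, residual likelihood.
SAMPLE_THREATS = [
    Threat("disk crash loses research data", 0.20, 500_000, 15_000, 0.02),
    Threat("web server defacement", 0.50, 20_000, 12_000, 0.10),
    Threat("insider copies customer list", 0.05, 300_000, 40_000, 0.04),
    Threat("office printer denial of service", 0.90, 500, 3_000, 0.10),
]


def report(threats=SAMPLE_THREATS) -> list:
    """One line per threat, ranked, with the funding verdict."""
    return [(t.name, round(t.expected_loss), t.worth_funding()) for t in rank_by_risk(threats)]
```

Note how the printer, the most likely attack in the sample, ranks last because its consequence is trivial, and how the insider threat ranks second by expected loss yet is not funded because the proposed control barely changes its likelihood; ranking and spending are two different questions, which is what the slide's last sentence is getting at.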

Internet Security Toolkit

Firewalls

A firewall is a device or software application which serves as a flexible barrier between the computers on your internal network and the outside world (i.e. the Internet).

Firewalls apply a set of rules to decide who gets to connect to which machines and what services they are authorized to use.

A firewall, when set up properly, provides an excellent means for protecting your network and the machines connected to it from intrusion.

Internet Security Toolkit

A firewall's primary purpose is to prevent outside users from accessing machines other than those set up for public access (i.e. your web server, FTP servers, etc.). Firewalls do this using several different tools, such as packet filtering, client access lists, server access lists, user authentication, address obfuscation, etc.

Internet Security Toolkit

Packet Filtering

Here the firewall discards data before it ever reaches a particular machine. For example, you might want to deny access to a specific machine from outside your local area network. Using packet filtering, you tell the firewall to discard all packets destined to that machine.

Internet Security Toolkit

Packet filtering is probably the easiest way to secure your Internet connection. What you do here is to permit certain services to cross your LAN's Internet connection (i.e. email, HTTP/World Wide Web, IP phone calls, etc.), while blocking connections to services such as FTP, TFTP, Telnet, etc.

The general rule of thumb is to deny access to everything except for common services such as web access, email, etc., and then allow other types of traffic to pass through upon request.

Internet Security Toolkit

Client Access Lists

Here the firewall is given a list of client PCs (outside IP addresses) which may access machines on your LAN. This is a useful tool for securing a network: it allows you to grant restricted or unrestricted access to all or part of your LAN based on the IP address of the outside party.

Internet Security Toolkit

Server Access Lists

Here the firewall is given a list of servers which can be accessed from outside your LAN. This is a variation of packet filtering: you are defining a list of servers which can be accessed from outside your office.

This makes it relatively easy to declare certain workstations verboten, and even to conceal their existence from the outside network.
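The Packet Filtering, Client Access List and Server Access List slides above describe the same firewall from three angles: discard everything destined to a protected machine, admit only listed outside addresses to certain hosts, expose only listed servers, and deny everything else by default. The following is an added example, not the slides' own material, that combines those controls into one rule evaluator in Python for packets arriving on the outside interface. The network ranges, host roles, port numbers and sample packets are constructed (the addresses come from the documentation ranges); the evaluation order is the slides' rule of thumb made explicit: explicit denies, then explicit permits, then default deny.

```python
"""A rule-based inbound packet filter combining the slides' firewall controls.

Added illustration, not from the slides. Controls modelled: packet filtering on
destination (PAYROLL), a blocked-service list, a server access list
(SERVER_ACL), a client access list (CLIENT_ACL) and default deny. All
addresses, roles and sample packets are constructed.
"""
import ipaddress
from dataclasses import dataclass

LAN = ipaddress.ip_network("192.0.2.0/24")               # constructed internal range
PUBLIC_WEB = ipaddress.ip_address("192.0.2.10")
MAIL = ipaddress.ip_address("192.0.2.25")
MGMT = ipaddress.ip_address("192.0.2.250")
PAYROLL = ipaddress.ip_address("192.0.2.99")             # never reachable from outside


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str    # "tcp" or "udp"
    dport: int


# Server access list: which internal servers expose which services.
SERVER_ACL = {
    (PUBLIC_WEB, "tcp", 80): "http",
    (PUBLIC_WEB, "tcp", 443): "https",
    (MAIL, "tcp", 25): "smtp",
}
# Client access list: outside networks allowed to reach the management host on any service.
CLIENT_ACL = {MGMT: [ipaddress.ip_network("198.51.100.0/24")]}
# Services the profile blocks outright, whatever the destination (ftp, tftp, telnet).
BLOCKED_SERVICES = {("tcp", 21), ("udp", 69), ("tcp", 23)}


def filter_packet(pkt: Packet) -> tuple:
    """Evaluate one packet seen on the outside interface. Returns (verdict, reason)."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    if src in LAN:
        # An internal source address cannot legitimately arrive from outside.
        return "deny", "spoofed: LAN source on outside interface"
    if dst not in LAN:
        return "deny", "not destined to LAN"
    if dst == PAYROLL:
        return "deny", "protected host: all packets discarded"
    if (pkt.proto, pkt.dport) in BLOCKED_SERVICES:
        return "deny", "service blocked by policy"
    service = SERVER_ACL.get((dst, pkt.proto, pkt.dport))
    if service:
        return "permit", f"published service {service}"
    for net in CLIENT_ACL.get(dst, []):
        if src in net:
            return "permit", "client on access list"
    return "deny", "default deny"


# Constructed inbound traffic exercising each rule in turn.
SAMPLE_PACKETS = [
    Packet("203.0.113.5", "192.0.2.10", "tcp", 80),     # public web: permit
    Packet("203.0.113.5", "192.0.2.10", "tcp", 22),     # unpublished service: default deny
    Packet("203.0.113.5", "192.0.2.99", "tcp", 80),     # protected host: deny
    Packet("203.0.113.5", "192.0.2.250", "tcp", 22),    # not on client list: deny
    Packet("198.51.100.7", "192.0.2.250", "tcp", 22),   # on client list: permit
    Packet("198.51.100.7", "192.0.2.25", "tcp", 21),    # ftp blocked by policy: deny
    Packet("192.0.2.33", "192.0.2.10", "tcp", 80),      # spoofed source: deny
]


def run_sample() -> list:
    return [filter_packet(p)[0] for p in SAMPLE_PACKETS]
```

The spoof check is the one addition a practitioner would insist on: a client access list keyed on source address is only as good as the interface's refusal to accept internal addresses from the outside.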

Internet Security Toolkit

User Authentication

Here the firewall prompts outside users for a user name and password, and has an opportunity to grant or deny access to services on your network.

User authentication is a useful tool in environments where it is not practical to globally block access to specific workstations or services.

Internet Security Toolkit

Address Obfuscation

Here the firewall masks the IP addresses of your internal machines and makes them appear to outside users to be on different IP addresses. This makes it very difficult for hackers to access these machines without knowing what their real IP addresses are. This is a great example of the premise of "security through obscurity": if an intruder has no idea where a particular resource is located, it will be difficult to compromise.

Encryption

Encryption is a technique as old as the Romans. It is simply the scrambling of the transmitted text using a set of rules (algorithms, which in today's world means mathematical manipulations) which is known to the recipient, but hopefully to no one else. The recipient can then use the same set of rules in reverse to unscramble the coded text and read the intended message.

The majority of the data transmitted across the Internet is not encrypted; it is sent as clear text. This means that if somebody is able to monitor the raw data coming in and out of your network, they will be able to see quite a bit.
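The slide describes encryption as scrambling with a rule known to the recipient, who applies the same rule in reverse, and contrasts it with clear text that anyone monitoring raw traffic can read. The following is an added example, not from the slides, that makes that contrast observable in Python: the "rule" is a shared key, the scrambling XORs the text with a keystream expanded from the key and a per-message nonce through SHA-256 in counter mode, and unscrambling is the identical operation. The keystream construction is a teaching stand-in chosen so the example runs with the standard library only; a real deployment would use an authenticated cipher such as AES-GCM or ChaCha20-Poly1305. The key, nonce and message are constructed.

```python
"""Clear text on the wire versus a scrambled transmission.

Added illustration, not from the slides. scramble/unscramble share one rule
(XOR with a keystream derived from key || nonce || counter via SHA-256). This
is a teaching stand-in for a real cipher, not one to deploy; it carries no
integrity tag, so alteration would go undetected. Key, nonce, message constructed.
"""
import hashlib
import os

NONCE_LEN = 16


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Expand key || nonce || counter through SHA-256 until `length` bytes exist."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def scramble(key: bytes, plaintext: bytes, nonce: bytes = None) -> bytes:
    """Sender: nonce || (plaintext XOR keystream). A fresh nonce per message keeps
    keystreams from repeating, which is what makes XOR reuse fatal otherwise."""
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    ks = keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def unscramble(key: bytes, wire: bytes) -> bytes:
    """Recipient: the same rule in reverse; XOR is its own inverse."""
    nonce, body = wire[:NONCE_LEN], wire[NONCE_LEN:]
    ks = keystream(key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))


def monitor_sees(wire: bytes, needle: bytes) -> bool:
    """What someone watching the raw traffic learns: is the sensitive string visible?"""
    return needle in wire


def demo() -> dict:
    """Constructed message sent once in the clear and once scrambled."""
    key = hashlib.sha256(b"constructed shared secret").digest()
    msg = b"salary_report: total=123456"
    sealed = scramble(key, msg, nonce=b"\x00" * NONCE_LEN)   # fixed nonce only to keep the demo repeatable
    return {
        "clear_visible": monitor_sees(msg, b"total=123456"),
        "sealed_visible": monitor_sees(sealed, b"total=123456"),
        "recovered": unscramble(key, sealed),
        "wrong_key_recovers": unscramble(b"some other key", sealed) == msg,
    }
```

The docstring caveat ties back to the Integrity slides: scrambling alone hides content but does not detect alteration, which is why production protocols pair a cipher with an authentication tag.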

Some Elementary Security Tips

Besides installing a firewall, there are a number of simple things you can do which will further enhance the security of your network.

Put sensitive data on a machine which cannot be accessed via TCP/IP. Most PC operating systems support multiple networking protocols, such as NetBEUI, IPX/SPX, TCP/IP and others. One technique for sequestering sensitive data is to put it on a machine which has no TCP/IP connectivity, and instead talks to other machines using a local area network protocol such as NetBEUI.

Summary

Any security scheme must identify vulnerabilities and threats, anticipate potential attacks, assess whether they are likely to succeed or not, and assess what the potential damage might be from successful attacks.

A primary tool in securing any computer system is the ability to recognize and verify the identity of users. This security feature is known as authentication. The security concept of non-repudiation protects against the sender or receiver denying that they sent or received certain communications.

Summary

Integrity refers to the completeness and fidelity of the message as it passes through the network.

Risks can be characterized by two criteria: the likelihood that a particular attack will be successful, and the consequences of the results if the attack is successful.