Introduction to Network Security Matt Curtin* March 1997 Reprinted with the permission of Kent Information Services, Inc. Abstract [Network seomity is a complicated subject histonically only tackled by welltrainad and experienced experts, However, as more and more people became “wired”, an increasing mumber of people nee! ‘to understand the besics of security in a networked world, This document was written with the basic computer user and information systems manager in mind, explaining the canccpts noeded to read through ‘the bype in the marketplace and understand risks and how to deal with them. Some history of networking is included, as well as an introduction to TCP/IP ane internetworking. ‘We gp on to consider risk management, network throats, firewalls, and more special-purpose secure networking devioes, ‘This is not intended to be a Sfreqnently asked questions” reference, nor is it a Shandon” document ctscrbing how to accomplish specific fmctionality ‘Te hoped that the reader will havea wider perpective on security in general, and better understand Iw to rednce and manage risk personally, at home, and in the workplace, This work completed while at Megandft Online, for Kent Infomation Serves 1Contents 1 Introduction to Networking ‘1.1 What isa Network? . 2.2.06 1.2. The ISO/OSI Reference Modal * 13 What are some Popular Networks? 13.1 UUCP... . 13.2 The Internet. 2 TCP/IP: The Language of the Intemet 21 Open Design. 22 DP oveeee 224 “Unlertanding 1? 2.2.2 Attacks Against IP 23 TCP 23.1 "Guaranteed Packet Delivery 24 UDP 24.1 "Lower Overbead than TCP | 3. Risk Management: The Game of Security 4 ‘Types And Sources Of Network Threats 4.1 DeniabofService .. . . . 4.2 Unautharized Aowss . . 42.1 Exeonting Commands Mlicitly 42.2 Confidentiality Breaches « 42.3 Destructive Behavior « « « 43. Whaw Do They Cane Fron 4A Lesons Leamed 44.1. Hope you have backups « 44.2 Don't put data where it docsr’t neod to be’ + 44.3. Avoid systems with single points of failure « 444 Stay current with relevant operating system patches 44.5 Watch for relevant security advisories. : 4.6 Have scmeone on staff be faniliar with Security practices | 5 Firewalls 51 Types of Firewalls... . 5.1L Application Gateways 2 Packet Filtering 5.13 Hybrid Systems. . 5.2 So, what's best for me? . 53 Some Wark of Caution . 53.1 Single Points of Failure 6 Secure Network Devices 6.1 Secure Modems Dial-Back Systems . 6.2. Crypto-Capable Routers . 63. Virtual Private Networks 7 Conclusions 15‘Application Presentation Session Transport Network Data Link Physical Figure 1: The ISO/OSI Reference Model 1 Introduction to Networking A basic undastanding of computer networks is requisite in order to understand the principles of network security. Ih this section, welll cover some of the foundations of computer networking, then move an to an overview of some popular networks, Following that, we'll take a more in-depth look at TCP /IP, the network protocd suite that is used to run the Intemet and many intranets. (Once we've covered this, we'll gp back and discuss some of the threats that managers and administrators of computer networks need to confront, and then some tools that can be used to rechive the exposure to the thks of network computing, 1.1 What is a Network? A “network” has been defined[I] as ‘any’ set of intertinking lines resembling a net, a network of roads [| an interconnected system, @ network of alliances” This definition suits our purpose well: a computer netweark 4s simply a system of interconnected computers. How they"re connected is inelevant, and as we'll sp0n S00, there are a number of ways to do this. 1.2. The ISO/OSI Reference Model ‘The International Standanis Organization (ISO) Open Systems Interconnect (OSI) Reference Model defines seven layers of communications types, and the interfaces among them. (See Figure 1.) Each layer depends on the services provided by the Tayer bdow it, all the way down to the physical network hardware, such 2 the computer's network interface card, and the wires that comect the cards together. An easy way to look at this is to compare this modd with something, we tse daily: the telephone. Tn order for you and T to talk when we're out of earshot, we need a device like a telephone. (In the ISO/OSI moda, this is at the application layer.) The telephones, of oouse, are uscless unless they have the ability to translate the sound into electronic pulses that: can be transferred over wire and back again, (These functions are provided in layers below the application layer.) Finally, we get down to the physical connection: both must. be plugged into an outlet that is connected to a switch that’s part of the telephone system's netweark of switebes. EF Tplace a call to you, I pick up the receiver, and dial your manber, This number specifies which central office to which to send my request, and then which phone from that, central offie to ring, Once you answer the phone, we begin talking, and our session has begun, Canceptually, computer networks funetion exactly the same way J it important for you to manotize the ISO/OSI Reference Models layers; but it's useful to know that they exist, and that each layer cannot. work without the services provided by the layer bow it.