Lesson 3 Network Security

Uploaded by

Lloyd Rhod Panoy
CSC8 — NETWORK SECURITY

First Week Course Outline

- Overview of network security
- Network security background
- Definitions
- How security became an issue
- Areas of security
- Security as a process
- Attacks, services and mechanisms
- Security goals
- Network models

What is Security?

Dictionary.com says:
1. Freedom from risk or danger; safety.
2. Freedom from doubt, anxiety, or fear; confidence.
3. Something that gives or assures safety, as:
   1. A group or department of private guards: Call building security if a visitor acts suspicious.
   2. Measures adopted by a government to prevent espionage, sabotage, or attack.
   3. Measures adopted, as by a business or homeowner, to prevent a crime such as burglary or assault: Security was lax at the firm's smaller plant.

Why Do We Need Network Security?

- Protect vital information while still allowing access to those who need it
  - Trade secrets, medical records, etc.
- Provide authentication and access control for resources
- Guarantee availability of resources
  - Ex: 5 9's (99.999% reliability)
- Safeguard the network from threats, which include internal and external threats
  - Internal threats are the most serious. These threats often occur because best practices are not followed. For example, blank or default passwords are used, or in-house developers use insecure programming practices.
  - External threats typically rely on technical methods to attack the network.

Network Security Background

- Information security requirements have changed in recent times.
- Traditionally provided by physical and administrative mechanisms, such as:
  - Locked in a file room
  - Access only for authorized users
- Now, computers require automated tools to protect files and other stored information.
- The use of networks requires measures to protect data during transmission.

Definitions

Network security is the process of taking physical and software preventative measures to protect the underlying networking infrastructure from unauthorized access, misuse, malfunction, modification, destruction, or improper disclosure, thereby creating a secure platform for computers, users and programs to perform their permitted critical functions within a secure environment.

Networking infrastructure:
- Server
- Database/information (files, data, communication media)
- User accounts/passwords
- Configurations/settings
- etc.

How Security Became an Issue

People and businesses depend greatly on computer technology and automation in many different aspects of their lives. Examples: public utilities, military defense systems, financial institutions, medical equipment.

With the increasing exposure to computing and processing, the individuals who used computers learned more about using the technology and getting the most out of it. However, the good things in life often have a darker side. Taking technology down from the pedestal of the mainframe and putting it into so many individuals' hands led to a lot of issues that never had to be dealt with in the mainframe days.
Now there were thousands of people not versed and experienced in computing who had much more access to important data and processes. Barriers and protection mechanisms were not in place to protect employees and systems from mistakes, so important data got corrupted accidentally, and individual mistakes affected many other systems instead of just one.

Network Models

According to IT security terms, there are two network models:
1. Closed network model
2. Open network model

Closed Network Model

Advantages:
- Strong security
- Strict security policy
- Typically implemented in corporate environments
- Easy support and monitoring

Disadvantages:
- Low flexibility (no WLANs, no external connection)
- No external access for business partners
- No connection from public networks

Open Network Model

Advantages:
- External access
- Business advantages
- Flexible for users
- Internet access
- This is the required model for the modern enterprise

Disadvantages:
- Hard to support, secure, and monitor
- Many potential threats
- Requires a strict security policy and disaster recovery plan

Needed Balance

- The need for e-business, mobile commerce, wireless communication and Internet applications continues to grow.
- Finding the balance between being isolated and being open will be critical, along with the ability to distinguish the good guys from the bad guys.

Security Goals

- Confidentiality: prevent unauthorized access
- Integrity: prevent unauthorized modification
- Availability: prevent a loss of access to resources by the authorized user

Security as a Process

A single product cannot provide complete security for an organization. Usually more than one security mechanism is used and integrated in an organization:

1. Every computer system should be capable of restricting access to files based on the ID of the user (authorization).
2. Anti-virus software helps to detect/clean the system from malicious software that wants to gain access to a system.
3. Firewalls are access control devices for a network.
   - They exist between the internal and external networks.
   - However, they will not prevent an attacker using an allowed connection from attacking a system, for example an attacker from the inside.
4. Intrusion detection systems (IDS) could identify when someone is doing something wrong and stop them.
   - However, they will not detect legitimate users who may have access to inappropriate information.
5. Smartcards can be used for authentication, but cannot prevent misuse if lost or stolen.
6. Biometric systems can be used to reduce the risk of someone guessing a password.
   - There are biometric scanners for verifying fingerprints, retina/iris, palm vein, hand geometry, facial geometry, and voice.
   - There are issues with the precision of the devices.
   - Examples of biometric technologies: fingerprint identification, iris recognition, palm vein, retina scan identification, speaker identification (voice recognition), hand geometry identification, face identification.
7. With a policy management system, an organization can be made aware of any system that does not conform to policy.
   - However, policy management may not consider vulnerabilities in systems or misconfigurations of application software.
8. Vulnerability scanning can help identify potential entry points of intruders.
   - However, it will not detect legitimate users with inappropriate access or intruders already in the system.
9. Encryption will protect information in storage and in transit.
   - However, encryption systems will not differentiate between legitimate and illegitimate users if both present the same keys to the encryption algorithm.
10. Physical security will not protect the system from attacks by those using legitimate access or attacks through the network.

Attacks, Services and Mechanisms

Three aspects of information security:
1. Security attack: Any action that compromises the security of information.
2. Security mechanism: A mechanism that is designed to detect, prevent, or recover from a security attack.
3. Security service: A service that enhances the security of data processing systems and information transfers. A security service makes use of one or more security mechanisms.

Security Attack Categories

Interruption
- Attack on availability
- An asset of the system is destroyed or becomes unavailable or unusable
- Examples: the destruction of hardware (disk or wire), the cutting of a communication line, or swamping/flooding a computer communication link with packets
[Figure: information source and information destination; (a) normal flow, interruption]

Interception
- Attack on confidentiality
- This happens when any unauthorized unit gains access to an asset
- Examples: wiretapping to capture data in a network and the unauthorized copying of files or programs
[Figure: information source and information destination; (a) normal flow]

Modification
- Attack on integrity
- An unauthorized party gains access to the asset and makes some changes to it
- Examples: changing data files, altering a program so that it performs differently, modifying the contents of a message
[Figure: (a) normal flow]

Fabrication
- Attack on authenticity
- An unauthorized party gains access to the asset and inserts a counterfeit object into the system
- Examples: the insertion of spurious messages in a network or the insertion of records in data files
[Figure: information source and information destination; (a) normal flow]

Security Attacks

Active and passive security threats

Passive attacks: This is an attack on the network in the nature of eavesdropping or monitoring of transmission of data.
- Aims to learn or make use of information from the system but does not affect system resources
- Difficult to detect; measures are available to prevent their success
Active attacks: This involves modification of the data in transmission or the creation of a false stream.
- Attempts to alter system resources or affect their operation
- Difficult to prevent; measures are available to detect and recover from destruction

[Figure: Active and passive security threats. Passive threats: release of message content, traffic analysis. Active threats: masquerade, replay, modification of message content.]

Passive Attacks

Release of message content: The contents of a message are read.
- A message may be carrying sensitive or confidential data.
- For example: a telephone conversation, email messages, or confidential information.

Traffic analysis: An intruder makes inferences by observing message patterns.
- Can be done even if messages are encrypted
- Inferences: location and identity of hosts

Active Attacks

- Masquerade: An entity pretends to be some other entity. Example: an entity captures an authentication sequence and replays it later to impersonate the original entity.
- Replay: Involves the passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect.
- Modification: A portion of a legitimate message is altered to produce an undesirable effect.
- Denial of service: Inhibits normal use of computer and communications resources and facilities.

Security Mechanisms

- In order to detect, prevent, or recover from these security attacks, we use security mechanisms.
- There is no single mechanism which will provide all the services or perform all the functions mentioned.
- A variety of mechanisms are used to detect and prevent certain attacks, and to provide certain functions and services.

Examples of security mechanisms:
- Encryption
- Software controls (access limitations in a database; in an operating system, protecting each user from other users)
- Hardware controls (smart card)
- Policies (frequent changes of passwords)
- Physical controls
- Information flowing over a secure communications channel, for example a Virtual Private Network (VPN)

[Table 2.3: Security Mechanisms (X.800)]

Security Services

- Enhance security of data processing systems and information transfers of an organization
- Intended to counter security attacks
- Use one or more security mechanisms
- Often replicate functions normally associated with physical documents, for example: signatures, dates, protection from disclosure, tampering, destruction; be notarized or witnessed; be recorded or licensed

A classification of security services:
- Confidentiality (privacy)
- Authentication (who created or sent the data)
- Integrity (has not been altered)
- Non-repudiation (the order is final)
- Access control (prevent misuse of resources)
- Availability (permanence, non-erasure)
  - Denial of service attacks
  - Virus that deletes files

Other Issues: Legal Issues and Privacy Concerns

For many businesses today, one of the biggest reasons to create and follow a security policy is compliance with the law. If a business is running a publicly held e-business and a catastrophic attack seriously impairs the business, a lawsuit is possible.

Other Issues: Wireless Access and Wireless LANs

WiFi connections do not respect firewalls the way wired connections do. Implementation of wireless LANs or other wireless technologies brings additional security threats.
IT Staff Shortage

The IT staffing shortage is especially evident in the security field. To solve this problem, many enterprises are increasingly outsourcing day-to-day security management tasks. Clearly, there is a demand for skilled network security professionals.

Information Security Organizations

- CERT/CC
- US-CERT
- SANS Institute
- (ISC)2
- Common Criteria
- FIPS
- ICSA Labs

References

- Pfleeger, C. Security in Computing. Prentice Hall, 1997.
- Certified Information Systems Security Professional (CISSP), All-in-One Exam Guide, Fifth Edition.
- Network Management. Prof. Dr.-Ing. Alexandru Soceanu.
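
The slides describe active attacks (modification, replay, and fabrication or masquerade) as difficult to prevent but possible to detect. The following is an added example, not part of the original slides, of a receiver that detects all three using an HMAC-SHA256 tag and a sequence number. The key, the message layout and all names are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key-not-for-production"  # constructed sample key (assumption)

def seal(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender: prepend an 8-byte sequence number and append an HMAC-SHA256 tag."""
    header = struct.pack(">Q", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag

class Receiver:
    """Accepts each authentic message once, in increasing sequence order."""
    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1

    def accept(self, message: bytes) -> str:
        if len(message) < 8 + 32:
            return "rejected: malformed"
        header, payload, tag = message[:8], message[8:-32], message[-32:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        # Constant-time comparison; fails for modified or fabricated messages.
        if not hmac.compare_digest(tag, expected):
            return "rejected: bad tag (modification or fabrication)"
        seq = struct.unpack(">Q", header)[0]
        # An authentic message with an already-seen sequence number is a replay.
        if seq <= self.last_seq:
            return "rejected: replay"
        self.last_seq = seq
        return "accepted: " + payload.decode("utf-8", "replace")

def demo() -> list:
    """Run constructed sample messages through the receiver."""
    rx = Receiver(KEY)
    genuine = seal(KEY, 1, b"transfer 100 to account A")
    modified = bytearray(seal(KEY, 2, b"transfer 100 to account A"))
    modified[-33] ^= 0x03  # last payload byte altered in transit
    forged = seal(b"not-the-shared-key", 3, b"transfer 900 to account B")
    return [
        rx.accept(genuine),          # normal flow
        rx.accept(genuine),          # replay of a captured message
        rx.accept(bytes(modified)),  # modification
        rx.accept(forged),           # fabrication by a party without the key
    ]

if __name__ == "__main__":
    for result in demo():
        print(result)
```

As the slides note for encryption, this check cannot tell legitimate from illegitimate users who present the same key, so protecting the key remains a separate requirement.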
