Developing Network Security Strategies Network Security D ESIGN Network Security M ECHANISMS.
Network security Network security. Look at the surroundings before you leap.
-
Upload
roxanne-harvey -
Category
Documents
-
view
221 -
download
3
Transcript of Network security Network security. Look at the surroundings before you leap.
Network Network securitysecurity
Look at the Look at the surroundings surroundings
before you leapbefore you leap
LecturersLecturers
PRAVIN SHETTY – 990 31945,B3.35 PRAVIN SHETTY – 990 31945,B3.35 [email protected]@infotech.monash.edu.auau
TopicsTopics Basic principles (Access Control /Authentication/Models of threat Basic principles (Access Control /Authentication/Models of threat
& Practical Countermeasures).& Practical Countermeasures). Security issues over LANS & WANS[Earlier Models & Current Security issues over LANS & WANS[Earlier Models & Current
Solutions].Solutions]. Public key encryptions/ PKI/Digital signatures/KerberosPublic key encryptions/ PKI/Digital signatures/Kerberos Unix security [Internet=TCP/IP Security—VPNs/Firewalls.Unix security [Internet=TCP/IP Security—VPNs/Firewalls. Intrusion detection systems.Intrusion detection systems. Security in E-Commerce and banking, Including WWW, EDI , Security in E-Commerce and banking, Including WWW, EDI ,
EFT,ATM.EFT,ATM.
References:References: Computer Security—Dieter GollmanComputer Security—Dieter Gollman Network and Internetwork Security---William Stallings.Network and Internetwork Security---William Stallings. Open Systems Networking—David M Piscitello/ A Lyman Chapin.Open Systems Networking—David M Piscitello/ A Lyman Chapin.
Today’s lecture isToday’s lecture is
Domain of network securityDomain of network security Taxonomy of security attacksTaxonomy of security attacks Aims or services of securityAims or services of security Model of internetwork securityModel of internetwork security Methods of defenceMethods of defence
SecuritySecurity
Human natureHuman nature physical, financial, mental,…, data and physical, financial, mental,…, data and
information securityinformation security
Information SecurityInformation Security
1. Shift from the physical security to 1. Shift from the physical security to the protection of data and to thwart the protection of data and to thwart hackers (by means of automated hackers (by means of automated software tools) – calledsoftware tools) – called computer securitycomputer security
Network SecurityNetwork Security
2. With the widespread use of 2. With the widespread use of distributed systems and the use of distributed systems and the use of networks and communications networks and communications require protection of data during require protection of data during transmission – calledtransmission – called network securitynetwork security
Internetwork securityInternetwork security
The term The term Network SecurityNetwork Security may be may be misleading, because virtually all misleading, because virtually all business, govt, and academic business, govt, and academic organisations interconnect their organisations interconnect their data processing equipment with a data processing equipment with a collection of interconnected collection of interconnected networks – probably we should call it networks – probably we should call it as as internetwork securityinternetwork security
Aspects of information Aspects of information securitysecurity
Security attack – any action that Security attack – any action that compromises the security of compromises the security of information.information.
Security mechanism – to detect, Security mechanism – to detect, prevent, or recover from a security prevent, or recover from a security attack.attack.
Security service – service that Security service – service that enhances and counters security enhances and counters security attacks.attacks.
Security mechanismsSecurity mechanisms
No single mechanism that can provide No single mechanism that can provide the services mentioned in the previous the services mentioned in the previous slide. However one particular aspect that slide. However one particular aspect that underlines most (if not all) of the security underlines most (if not all) of the security mechanism is the mechanism is the cryptographic cryptographic techniquestechniques..
Encryption or encryption-like Encryption or encryption-like transformation of information are the transformation of information are the most common means of providing most common means of providing security.security.
Why Internetwork Why Internetwork Security?Security?
Internetwork security is not simple as it might Internetwork security is not simple as it might first appear.first appear.
In developing a particular security measure In developing a particular security measure one has to consider potential one has to consider potential countermeasures.countermeasures.
Because of the countermeasures the problem Because of the countermeasures the problem itself becomes complex.itself becomes complex.
Once you have designed the security Once you have designed the security measure, it is necessary to decide where to measure, it is necessary to decide where to use them.use them.
Security mechanisms usually involve more Security mechanisms usually involve more than a particular algorithm or protocol.than a particular algorithm or protocol.
Security Attacks - Security Attacks - TaxonomyTaxonomy
Interruption – attack on Interruption – attack on availabilityavailability Interception – attack on Interception – attack on
confidentialityconfidentiality Modification – attack on Modification – attack on integrityintegrity Fabrication – attack on Fabrication – attack on authenticityauthenticity
Propertythat is
compromised
InterruptionInterruption
also known as also known as denial of servicesdenial of services.. Information resources Information resources (hardware, (hardware,
software and data) are deliberately software and data) are deliberately made unavailable, lost or unusable, made unavailable, lost or unusable, usually through malicious usually through malicious destruction.destruction.
e.g: cutting a communication line, e.g: cutting a communication line, disabling a file management system, disabling a file management system, etc.etc.
InterceptionInterception
also known as also known as un-authorised accessun-authorised access.. Difficult to trace as no traces of Difficult to trace as no traces of
intrusion might be left.intrusion might be left. E.g: illegal eavesdropping or E.g: illegal eavesdropping or
wiretapping or sniffing, illegal wiretapping or sniffing, illegal copying.copying.
ModificationModification
also known as also known as tampering a tampering a resourceresource..
Resources can be data, programs, Resources can be data, programs, hardware devices, etc.hardware devices, etc.
FabricationFabrication
also known as also known as counterfeitingcounterfeiting.. Allows to by pass the authenticity Allows to by pass the authenticity
checks.checks. e.g: insertion of spurious messages e.g: insertion of spurious messages
in a network, adding a record to a in a network, adding a record to a file, counterfeit bank notes, fake file, counterfeit bank notes, fake cheques,…cheques,…
Security Attacks - Security Attacks - TaxonomyTaxonomy
InformationSource
InformationDestination
Normal
InformationSource
InformationDestination
Interruption
InformationSource
InformationDestination
Interception
InformationSource
InformationDestination
Modification
InformationSource
InformationDestination
Fabrication
Attacks – Passive typesAttacks – Passive types
Passive (Passive (interceptioninterception) – ) – eavesdropping on, monitoring of, eavesdropping on, monitoring of, transmissions.transmissions.
The goal is to obtain information The goal is to obtain information that is being transmitted.that is being transmitted.
Types here are: release of message Types here are: release of message contents and traffic analysis.contents and traffic analysis.
Attacks – Active typesAttacks – Active types
Involve modification of the data Involve modification of the data stream or creation of a false stream stream or creation of a false stream and can be subdivided into – and can be subdivided into – masquerade, replay, modification of masquerade, replay, modification of messages and denial of service.messages and denial of service.
AttacksAttacks
Passive
Interception(confidentiality)
Release ofMessage contents
Trafficanalysis
Active
Modification(integrity)
Fabrication(integrity)
Interruption(availability)
Security servicesSecurity services
ConfidentialityConfidentiality AuthenticationAuthentication IntegrityIntegrity Non-repudiationNon-repudiation Access controlAccess control AvailabilityAvailability
Model for internetwork Model for internetwork securitysecurity
Information channel
Message Message
SecretinformationSecret
information
PrincipalPrincipal
Opponent
Trusted Third party
Gate Keeper
Methods of defence (1)Methods of defence (1)
Modern cryptologyModern cryptology Encryption, authentication code, digital Encryption, authentication code, digital
signature,etc.signature,etc. Software controlsSoftware controls
Standard development tools (design, Standard development tools (design, code, test, maintain,etc)code, test, maintain,etc)
Operating systems controlsOperating systems controls Internal program controls (e.g: access Internal program controls (e.g: access
controls to data in a database)controls to data in a database) Fire wallsFire walls
Methods of defence (2)Methods of defence (2)
Hardware controlsHardware controls Security devices, smart cards, …Security devices, smart cards, …
Physical controlsPhysical controls Lock, guards, backup of data and Lock, guards, backup of data and
software, thick walls, ….software, thick walls, …. Security polices and proceduresSecurity polices and procedures User educationUser education LawLaw