Network Network securitysecurity

Look at the Look at the surroundings surroundings

before you leapbefore you leap

LecturersLecturers

PRAVIN SHETTY – 990 31945,B3.35 PRAVIN SHETTY – 990 31945,B3.35 pravin.shetty@infotech.monash.edu.pravin.shetty@infotech.monash.edu.auau

TopicsTopics Basic principles (Access Control /Authentication/Models of threat Basic principles (Access Control /Authentication/Models of threat

& Practical Countermeasures).& Practical Countermeasures). Security issues over LANS & WANS[Earlier Models & Current Security issues over LANS & WANS[Earlier Models & Current

Solutions].Solutions]. Public key encryptions/ PKI/Digital signatures/KerberosPublic key encryptions/ PKI/Digital signatures/Kerberos Unix security [Internet=TCP/IP Security—VPNs/Firewalls.Unix security [Internet=TCP/IP Security—VPNs/Firewalls. Intrusion detection systems.Intrusion detection systems. Security in E-Commerce and banking, Including WWW, EDI , Security in E-Commerce and banking, Including WWW, EDI ,

EFT,ATM.EFT,ATM.

References:References: Computer Security—Dieter GollmanComputer Security—Dieter Gollman Network and Internetwork Security---William Stallings.Network and Internetwork Security---William Stallings. Open Systems Networking—David M Piscitello/ A Lyman Chapin.Open Systems Networking—David M Piscitello/ A Lyman Chapin.

Today’s lecture isToday’s lecture is

Domain of network securityDomain of network security Taxonomy of security attacksTaxonomy of security attacks Aims or services of securityAims or services of security Model of internetwork securityModel of internetwork security Methods of defenceMethods of defence

SecuritySecurity

Human natureHuman nature physical, financial, mental,…, data and physical, financial, mental,…, data and

information securityinformation security

Information SecurityInformation Security

1. Shift from the physical security to 1. Shift from the physical security to the protection of data and to thwart the protection of data and to thwart hackers (by means of automated hackers (by means of automated software tools) – calledsoftware tools) – called computer securitycomputer security

Network SecurityNetwork Security

2. With the widespread use of 2. With the widespread use of distributed systems and the use of distributed systems and the use of networks and communications networks and communications require protection of data during require protection of data during transmission – calledtransmission – called network securitynetwork security

Internetwork securityInternetwork security

The term The term Network SecurityNetwork Security may be may be misleading, because virtually all misleading, because virtually all business, govt, and academic business, govt, and academic organisations interconnect their organisations interconnect their data processing equipment with a data processing equipment with a collection of interconnected collection of interconnected networks – probably we should call it networks – probably we should call it as as internetwork securityinternetwork security

Aspects of information Aspects of information securitysecurity

Security attack – any action that Security attack – any action that compromises the security of compromises the security of information.information.

Security mechanism – to detect, Security mechanism – to detect, prevent, or recover from a security prevent, or recover from a security attack.attack.

Security service – service that Security service – service that enhances and counters security enhances and counters security attacks.attacks.

Security mechanismsSecurity mechanisms

No single mechanism that can provide No single mechanism that can provide the services mentioned in the previous the services mentioned in the previous slide. However one particular aspect that slide. However one particular aspect that underlines most (if not all) of the security underlines most (if not all) of the security mechanism is the mechanism is the cryptographic cryptographic techniquestechniques..

Encryption or encryption-like Encryption or encryption-like transformation of information are the transformation of information are the most common means of providing most common means of providing security.security.

Why Internetwork Why Internetwork Security?Security?

Internetwork security is not simple as it might Internetwork security is not simple as it might first appear.first appear.

In developing a particular security measure In developing a particular security measure one has to consider potential one has to consider potential countermeasures.countermeasures.

Because of the countermeasures the problem Because of the countermeasures the problem itself becomes complex.itself becomes complex.

Once you have designed the security Once you have designed the security measure, it is necessary to decide where to measure, it is necessary to decide where to use them.use them.

Security mechanisms usually involve more Security mechanisms usually involve more than a particular algorithm or protocol.than a particular algorithm or protocol.

Security Attacks - Security Attacks - TaxonomyTaxonomy

Interruption – attack on Interruption – attack on availabilityavailability Interception – attack on Interception – attack on

confidentialityconfidentiality Modification – attack on Modification – attack on integrityintegrity Fabrication – attack on Fabrication – attack on authenticityauthenticity

Propertythat is

compromised

InterruptionInterruption

also known as also known as denial of servicesdenial of services.. Information resources Information resources (hardware, (hardware,

software and data) are deliberately software and data) are deliberately made unavailable, lost or unusable, made unavailable, lost or unusable, usually through malicious usually through malicious destruction.destruction.

e.g: cutting a communication line, e.g: cutting a communication line, disabling a file management system, disabling a file management system, etc.etc.

InterceptionInterception

also known as also known as un-authorised accessun-authorised access.. Difficult to trace as no traces of Difficult to trace as no traces of

intrusion might be left.intrusion might be left. E.g: illegal eavesdropping or E.g: illegal eavesdropping or

wiretapping or sniffing, illegal wiretapping or sniffing, illegal copying.copying.

ModificationModification

also known as also known as tampering a tampering a resourceresource..

Resources can be data, programs, Resources can be data, programs, hardware devices, etc.hardware devices, etc.

FabricationFabrication

also known as also known as counterfeitingcounterfeiting.. Allows to by pass the authenticity Allows to by pass the authenticity

checks.checks. e.g: insertion of spurious messages e.g: insertion of spurious messages

in a network, adding a record to a in a network, adding a record to a file, counterfeit bank notes, fake file, counterfeit bank notes, fake cheques,…cheques,…

Security Attacks - Security Attacks - TaxonomyTaxonomy

InformationSource

InformationDestination

Normal

InformationSource

InformationDestination

Interruption

InformationSource

InformationDestination

Interception

InformationSource

InformationDestination

Modification

InformationSource

InformationDestination

Fabrication

Attacks – Passive typesAttacks – Passive types

Passive (Passive (interceptioninterception) – ) – eavesdropping on, monitoring of, eavesdropping on, monitoring of, transmissions.transmissions.

The goal is to obtain information The goal is to obtain information that is being transmitted.that is being transmitted.

Types here are: release of message Types here are: release of message contents and traffic analysis.contents and traffic analysis.

Attacks – Active typesAttacks – Active types

Involve modification of the data Involve modification of the data stream or creation of a false stream stream or creation of a false stream and can be subdivided into – and can be subdivided into – masquerade, replay, modification of masquerade, replay, modification of messages and denial of service.messages and denial of service.

AttacksAttacks

Passive

Interception(confidentiality)

Release ofMessage contents

Trafficanalysis

Active

Modification(integrity)

Fabrication(integrity)

Interruption(availability)

Security servicesSecurity services

ConfidentialityConfidentiality AuthenticationAuthentication IntegrityIntegrity Non-repudiationNon-repudiation Access controlAccess control AvailabilityAvailability

Model for internetwork Model for internetwork securitysecurity

Information channel

Message Message

SecretinformationSecret

information

PrincipalPrincipal

Opponent

Trusted Third party

Gate Keeper

Methods of defence (1)Methods of defence (1)

Modern cryptologyModern cryptology Encryption, authentication code, digital Encryption, authentication code, digital

signature,etc.signature,etc. Software controlsSoftware controls

Standard development tools (design, Standard development tools (design, code, test, maintain,etc)code, test, maintain,etc)

Operating systems controlsOperating systems controls Internal program controls (e.g: access Internal program controls (e.g: access

controls to data in a database)controls to data in a database) Fire wallsFire walls

Methods of defence (2)Methods of defence (2)

Hardware controlsHardware controls Security devices, smart cards, …Security devices, smart cards, …

Physical controlsPhysical controls Lock, guards, backup of data and Lock, guards, backup of data and

software, thick walls, ….software, thick walls, …. Security polices and proceduresSecurity polices and procedures User educationUser education LawLaw