Network security Network security

Look at the surroundings before you leap

Lecturers PRAVIN SHETTY – ,B3.35 PRAVIN SHETTY – ,B3.35

Topics Basic principles (Access Control /Authentication/Models of threat & Practical Countermeasures). Basic principles (Access Control /Authentication/Models of threat & Practical Countermeasures). Security issues over LANS & WANS[Earlier Models & Current Solutions]. Security issues over LANS & WANS[Earlier Models & Current Solutions]. Public key encryptions/ PKI/Digital signatures/Kerberos Public key encryptions/ PKI/Digital signatures/Kerberos Unix security [Internet=TCP/IP Security—VPNs/Firewalls. Unix security [Internet=TCP/IP Security—VPNs/Firewalls. Intrusion detection systems. Intrusion detection systems. Security in E-Commerce and banking, Including WWW, EDI, EFT,ATM. Security in E-Commerce and banking, Including WWW, EDI, EFT,ATM. References: References: Computer Security—Dieter Gollman Computer Security—Dieter Gollman Network and Internetwork Security---William Stallings. Network and Internetwork Security---William Stallings. Open Systems Networking—David M Piscitello/ A Lyman Chapin. Open Systems Networking—David M Piscitello/ A Lyman Chapin.

Today’s lecture is Domain of network security Domain of network security Taxonomy of security attacks Taxonomy of security attacks Aims or services of security Aims or services of security Model of internetwork security Model of internetwork security Methods of defence Methods of defence

Security Human nature Human nature physical, financial, mental,…, data and information security physical, financial, mental,…, data and information security

Information Security 1. Shift from the physical security to the protection of data and to thwart hackers (by means of automated software tools) – called computer security 1. Shift from the physical security to the protection of data and to thwart hackers (by means of automated software tools) – called computer security

Network Security 2. With the widespread use of distributed systems and the use of networks and communications require protection of data during transmission – called network security 2. With the widespread use of distributed systems and the use of networks and communications require protection of data during transmission – called network security

Internetwork security The term Network Security may be misleading, because virtually all business, govt, and academic organisations interconnect their data processing equipment with a collection of interconnected networks – probably we should call it as internetwork security The term Network Security may be misleading, because virtually all business, govt, and academic organisations interconnect their data processing equipment with a collection of interconnected networks – probably we should call it as internetwork security

Aspects of information security Security attack – any action that compromises the security of information. Security attack – any action that compromises the security of information. Security mechanism – to detect, prevent, or recover from a security attack. Security mechanism – to detect, prevent, or recover from a security attack. Security service – service that enhances and counters security attacks. Security service – service that enhances and counters security attacks.

Security mechanisms No single mechanism that can provide the services mentioned in the previous slide. However one particular aspect that underlines most (if not all) of the security mechanism is the cryptographic techniques. No single mechanism that can provide the services mentioned in the previous slide. However one particular aspect that underlines most (if not all) of the security mechanism is the cryptographic techniques. Encryption or encryption-like transformation of information are the most common means of providing security. Encryption or encryption-like transformation of information are the most common means of providing security.

Why Internetwork Security? Internetwork security is not simple as it might first appear. Internetwork security is not simple as it might first appear. In developing a particular security measure one has to consider potential countermeasures. In developing a particular security measure one has to consider potential countermeasures. Because of the countermeasures the problem itself becomes complex. Because of the countermeasures the problem itself becomes complex. Once you have designed the security measure, it is necessary to decide where to use them. Once you have designed the security measure, it is necessary to decide where to use them. Security mechanisms usually involve more than a particular algorithm or protocol. Security mechanisms usually involve more than a particular algorithm or protocol.

Security Attacks - Taxonomy Interruption – attack on availability Interruption – attack on availability Interception – attack on confidentiality Interception – attack on confidentiality Modification – attack on integrity Modification – attack on integrity Fabrication – attack on authenticity Fabrication – attack on authenticity Property that is compromised

Interruption also known as denial of services. also known as denial of services. Information resources (hardware, software and data) are deliberately made unavailable, lost or unusable, usually through malicious destruction. Information resources (hardware, software and data) are deliberately made unavailable, lost or unusable, usually through malicious destruction. e.g: cutting a communication line, disabling a file management system, etc. e.g: cutting a communication line, disabling a file management system, etc.

Interception also known as un-authorised access. also known as un-authorised access. Difficult to trace as no traces of intrusion might be left. Difficult to trace as no traces of intrusion might be left. E.g: illegal eavesdropping or wiretapping or sniffing, illegal copying. E.g: illegal eavesdropping or wiretapping or sniffing, illegal copying.

Modification also known as tampering a resource. also known as tampering a resource. Resources can be data, programs, hardware devices, etc. Resources can be data, programs, hardware devices, etc.

Fabrication also known as counterfeiting. also known as counterfeiting. Allows to by pass the authenticity checks. Allows to by pass the authenticity checks. e.g: insertion of spurious messages in a network, adding a record to a file, counterfeit bank notes, fake cheques,… e.g: insertion of spurious messages in a network, adding a record to a file, counterfeit bank notes, fake cheques,…

Security Attacks - Taxonomy Information Source Information Destination Normal Information Source Information Destination Interruption Information Source Information Destination Interception Information Source Information Destination Modification Information Source Information Destination Fabrication

Attacks – Passive types Passive (interception) – eavesdropping on, monitoring of, transmissions. Passive (interception) – eavesdropping on, monitoring of, transmissions. The goal is to obtain information that is being transmitted. The goal is to obtain information that is being transmitted. Types here are: release of message contents and traffic analysis. Types here are: release of message contents and traffic analysis.

Attacks – Active types Involve modification of the data stream or creation of a false stream and can be subdivided into – masquerade, replay, modification of messages and denial of service. Involve modification of the data stream or creation of a false stream and can be subdivided into – masquerade, replay, modification of messages and denial of service.

Attacks Passive Interception (confidentiality) Release of Message contents Traffic analysis Active Modification (integrity) Fabrication (integrity) Interruption (availability)

Security services Confidentiality Confidentiality Authentication Authentication Integrity Integrity Non-repudiation Non-repudiation Access control Access control Availability Availability

Model for internetwork security Information channel Message Secret information Secret information Principal Opponent Trusted Third party Gate Keeper

Methods of defence (1) Modern cryptology Modern cryptology Encryption, authentication code, digital signature,etc. Encryption, authentication code, digital signature,etc. Software controls Software controls Standard development tools (design, code, test, maintain,etc) Standard development tools (design, code, test, maintain,etc) Operating systems controls Operating systems controls Internal program controls (e.g: access controls to data in a database) Internal program controls (e.g: access controls to data in a database) Fire walls Fire walls

Methods of defence (2) Hardware controls Hardware controls Security devices, smart cards, … Security devices, smart cards, … Physical controls Physical controls Lock, guards, backup of data and software, thick walls, …. Lock, guards, backup of data and software, thick walls, …. Security polices and procedures Security polices and procedures User education User education Law Law