1
Network Security Overview
2
Cryptographic algorithms and protocols can be grouped into four main areas:
Symmetric encryption: Used to conceal the contents of blocks or streams of data of any size, including messages, files, encryption keys, and passwords.
Asymmetric encryption: Used to conceal small blocks of data, such as encryption keys and hash function values, which are used in digital signatures.
Data integrity algorithms: Used to protect blocks of data, such as messages, from alteration.
Authentication protocols: These are schemes based on the use of cryptographic algorithms designed to authenticate the identity of entities.
3
Computer Security: The generic name for the collection of tools designed to protect data and to thwart hackers.
Network and Internet security consists of measures to deter, prevent, detect, and correct security violations that involve the transmission of information.
4
Examples of Security Violation:
Monitoring and capturing
Altering the content to add or delete entries
Replacing the file
Delaying the transmission
Denying
5
Computer Security [NIST Computer Security Handbook]: The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability, and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications).
6
Confidentiality: This term covers two related concepts:
  Data confidentiality: Assures that private or confidential information is not made available or disclosed to unauthorized individuals.
  Privacy: Assures that individuals control or influence what information related to them may be collected and stored and by whom and to whom that information may be disclosed.
Integrity: This term covers two related concepts:
  Data integrity: Assures that information and programs are changed only in a specified and authorized manner.
  System integrity: Assures that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system.
Availability: Assures that systems work promptly and service is not denied to authorized users.
7
CIA Triad (a group or set of three related people or things)
The three concepts embody the fundamental security objectives for both data and for information and computing services.
8
Additional concepts with the CIA triad
Authenticity (trustworthy, or genuine): The property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, a message, or message originator. This means verifying that users are who they say they are and that each input arriving at the system came from a trusted source.
Accountability (responsibility, liability, answerability): The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity. This supports non-repudiation, deterrence, fault isolation, intrusion detection and prevention, and after-action recovery and legal action. Because truly secure systems are not yet an achievable goal, we must be able to trace a security breach to a responsible party. Systems must keep records of their activities to permit later forensic analysis to trace security breaches or to aid in transaction disputes.
9
Three levels of impact from a security breach:
Low: The loss could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. A limited adverse effect means that, for example, the loss of confidentiality, integrity, or availability might (i) cause a degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced; (ii) result in minor damage to organizational assets; (iii) result in minor financial loss; or (iv) result in minor harm to individuals.
10
Moderate: The loss could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. A serious adverse effect means that, for example, the loss might (i) cause a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced; (ii) result in significant damage to organizational assets; (iii) result in significant financial loss; or (iv) result in significant harm to individuals that does not involve loss of life or serious, life-threatening injuries.
11
High: The loss could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. A severe or catastrophic adverse effect means that, for example, the loss might (i) cause a severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions; (ii) result in major damage to organizational assets; (iii) result in major financial loss; or (iv) result in severe or catastrophic harm to individuals involving loss of life or serious, life-threatening injuries.
12
Confidentiality: For example, information confidentiality is more important than integrity or availability in the case of proprietary information of a company. Also, confidentiality is the most important when the information is a record of people’s personal activities. To guarantee confidentiality under the CIA triad, communications channels must be properly monitored and controlled to prevent unauthorized access.
13
Integrity: For example, banks are more concerned about the integrity of financial records, with confidentiality having only second priority. Some bank account holders or depositors leave ATM receipts unchecked and hanging around after withdrawing cash. This shows that confidentiality does not have the highest priority. Instead, the goal of integrity is the most important in information security in the banking system. To guarantee integrity under the CIA triad, information must be protected from unauthorized modification.
14
Availability: The CIA triad goal of availability is more important than the other goals when government-generated online press releases are involved. Press releases are generally for public consumption. For them to be effective, the information they contain should be available to the public. Thus, confidentiality is not of concern. Integrity has only second priority. In the CIA triad, to guarantee availability of information in press releases, governments ensure that their websites and systems have minimal or insignificant downtime. Backups are also used to ensure availability of public information.
15
Implications of the CIA Triad
The CIA triad has the goals of confidentiality, integrity and availability, which are basic factors in information security. Information security protects valuable information from unauthorized access, modification and distribution. The CIA triad guides information security efforts to ensure success. There are instances when one of the goals of the CIA triad is more important than the others. It is up to the IT team, the information security personnel, or the individual user to decide on which goal should be prioritized based on actual needs. Thus, the CIA triad requires that organizations and individual users must always take caution in maintaining confidentiality, integrity and availability of information.
16
The OSI Security Architecture
To assess effectively the security needs of an organization and to evaluate and choose various security products and policies, the manager responsible for security needs some systematic way of defining the requirements for security and characterizing the approaches to satisfying those requirements. The OSI security architecture [ITU-T, X.800] provides a systematic framework for defining security attacks, mechanisms, and services.
17
Security attack: Any action that compromises the security of information owned by an organization.
Security mechanism: A process (or a device incorporating such a process) that is designed to detect, prevent, or recover from a security attack. Examples of mechanisms are encryption algorithms, digital signatures, and authentication protocols.
Security service: A processing or communication service that enhances the security of the data processing systems and the information transfers of an organization. The services are intended to counter security attacks, and they make use of one or more security mechanisms to provide the service. They include authentication, access control, data confidentiality, data integrity, nonrepudiation, and availability.
18
[RFC 2828, Internet Security Glossary]
Threat: A potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm. That is, a threat is a possible danger that might exploit a vulnerability. (It can be either intentional or unintentional.)
Attack: An assault on system security that derives from an intelligent threat; that is, an intelligent act that is a deliberate attempt (especially in the sense of a method or technique) to evade security services and violate the security policy of a system. (An attack is intentional.)
Vulnerability: An inherent weakness in the design, configuration, implementation, or management of a network or system that renders it susceptible to a threat.
19
Security attacks are classified as either passive attacks, which include unauthorized reading of a message or file and traffic analysis, or active attacks, such as modification of messages or files, and denial of service.
Passive Attack:
  Release of message content
  Traffic analysis
20
Active Attack:
  Masquerade: one entity pretends to be a different entity.
  Replay: involves the passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect.
  Modification of message: some portion of a legitimate message is altered, or messages are delayed or reordered, to produce an unauthorized effect.
  Denial of service: prevents or inhibits the normal use or management of communications facilities.
21
Security Services
X.800 defines a security service as a service that is provided by a protocol layer of communicating open systems and that ensures adequate security of the systems or of data transfers.
RFC 2828: A processing or communication service that is provided by a system to give a specific kind of protection to system resources; security services implement security policies and are implemented by security mechanisms.
22
Security Services
23
Security Mechanisms
The mechanisms are divided into those that are implemented in a specific protocol layer, such as TCP or an application-layer protocol, and those that are not specific to any particular protocol layer or security service.
24
Security Mechanism
25
Relationship Between Security Services and Mechanisms
26
Relationship between Security Services and Security Attacks
27
Relationship between Security Mechanisms and Attacks.
28
Positioning of Security Services in Network
Physical layer
Available Services
  Connection Confidentiality
  Traffic Flow Confidentiality
    Full
    Limited
These services are restricted to passive threats and are applicable to point-to-point or multi-peer communications.
Available Mechanisms
  Total encipherment
  Transmission security (specific form of encipherment applicable to physical layer only)
29
Data link layer
Available Services
  Connection Confidentiality
  Connectionless Confidentiality
Available Mechanisms
  Encipherment
Network layer
Available Services (may be provided by the protocol that performs sub-network access functions or by the protocol that performs relaying and routing)
  Peer Entity Authentication
  Data Origin Authentication
  Access Control service
  Traffic Flow Confidentiality
  Connection Integrity without recovery
  Connectionless Integrity
These services may be provided alone or in combination.
30
Available Mechanisms
  Peer Entity Authentication: appropriate combination of cryptographically-derived or protected authentication exchanges, protected password exchange and signature mechanisms
  Data Origin Authentication: encipherment or signature mechanisms
  Access Control service: appropriate use of specific access control mechanisms
  Connection Confidentiality: encipherment and/or routing control
  Connectionless Confidentiality: encipherment and/or routing control
  Traffic Flow Confidentiality: traffic padding mechanism, in conjunction with a confidentiality service at or below the network layer and/or routing protocol
  Connection Integrity without recovery: data integrity mechanism, sometimes in conjunction with an encipherment mechanism
  Connectionless Integrity: same as above
31
Transport layer
Available Services
  Peer Entity Authentication
  Data Origin Authentication
  Access Control service
  Connection Confidentiality
  Connectionless Confidentiality
  Connection Integrity with recovery
  Connection Integrity without recovery
  Connectionless Integrity
These services may be provided alone or in combination.
32
Available Mechanisms
  Peer Entity Authentication: appropriate combination of cryptographically-derived or protected authentication exchanges, protected password exchange and signature mechanisms
  Data Origin Authentication: encipherment or signature mechanisms
  Access Control service: appropriate use of specific access control mechanisms
  Connection Confidentiality: encipherment
  Connectionless Confidentiality: encipherment
  Connection Integrity with recovery: data integrity mechanism, sometimes in conjunction with an encipherment mechanism
  Connection Integrity without recovery: same as above
  Connectionless Integrity: same as above
These mechanisms will operate in such a manner that individual transport connections can be isolated from each other.
33
Application layer
Available Services
  Peer Entity Authentication
  Data Origin Authentication
  Access Control Service
  Connection Confidentiality
  Connectionless Confidentiality
  Selective Field Confidentiality
  Traffic Flow Confidentiality
  Connection Integrity with Recovery
  Connection Integrity without Recovery
  Selective Field Connection Integrity
  Connectionless Integrity
  Selective Field Connectionless Integrity
  Non-repudiation with Proof of Origin
  Non-repudiation with Proof of Delivery
34
Available Mechanisms
  Peer Entity Authentication: authentication information transferred between application entities, protected by lower layer encipherment
  Data Origin Authentication: signature or lower layer mechanisms
  Access Control Service: combination of access control mechanisms in the application or lower layers
  Connection Confidentiality: lower layer encipherment
  Connectionless Confidentiality: lower layer encipherment
  Selective Field Confidentiality: encipherment at presentation layer
  Traffic Flow Confidentiality: traffic padding, plus confidentiality at a lower level
  Connection Integrity with Recovery: lower layer data integrity
  Connection Integrity without Recovery: lower layer data integrity
  Selective Field Connection Integrity: data integrity
  Connectionless Integrity: lower layer data integrity
  Selective Field Connectionless Integrity: data integrity
  Non-repudiation with Proof of Origin: combination of signature and lower layer data integrity (possibly in conjunction with third-party notaries)
  Non-repudiation with Proof of Delivery: combination of signature and lower layer data integrity (possibly in conjunction with third-party notaries)
35
Model for Network Security
36
This general model shows that there are four basic tasks in designing a particular security service:
1. Design an algorithm for performing the security-related transformation. The algorithm should be such that an opponent cannot defeat its purpose.
2. Generate the secret information to be used with the algorithm.
3. Develop methods for the distribution and sharing of the secret information.
4. Specify a protocol to be used by the two principals that makes use of the security algorithm and the secret information to achieve a particular security service.
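The four design tasks above, applied to the active attacks listed earlier (masquerade, replay, modification of messages), as an added example that is not part of the original slides. It assumes HMAC-SHA256 as the algorithm, a random 32-byte shared key, and out-of-band key distribution; all class, function and message names are illustrative.

```python
import hashlib
import hmac
import secrets

SEQ_LEN, TAG_LEN = 8, 32  # 64-bit sequence number, HMAC-SHA256 tag

def generate_key() -> bytes:  # task 2: generate the secret information
    return secrets.token_bytes(32)

def _tag(key: bytes, body: bytes) -> bytes:  # task 1: the transformation
    return hmac.new(key, body, hashlib.sha256).digest()

class Sender:
    def __init__(self, key: bytes):
        self.key, self.seq = key, 0
    def protect(self, payload: bytes) -> bytes:  # task 4: seq || payload || tag
        self.seq += 1
        body = self.seq.to_bytes(SEQ_LEN, "big") + payload
        return body + _tag(self.key, body)

class Receiver:
    def __init__(self, key: bytes):
        self.key, self.last_seq = key, 0
    def accept(self, frame: bytes) -> bytes:
        if len(frame) < SEQ_LEN + TAG_LEN:
            raise ValueError("truncated frame")
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        # Constant-time comparison; fails on modification or masquerade.
        if not hmac.compare_digest(tag, _tag(self.key, body)):
            raise ValueError("bad tag")
        seq = int.from_bytes(body[:SEQ_LEN], "big")
        if seq <= self.last_seq:  # replayed or reordered frame
            raise ValueError("stale sequence")
        self.last_seq = seq
        return body[SEQ_LEN:]

def demo() -> dict:
    key = generate_key()  # task 3: assumed already shared out of band
    alice, bob = Sender(key), Receiver(key)
    frame = alice.protect(b"transfer 100")  # constructed sample message
    tampered = frame[:SEQ_LEN] + b"transfer 900" + frame[-TAG_LEN:]
    forged = Sender(generate_key()).protect(b"transfer 100")  # wrong key
    cases = [("modification", tampered), ("masquerade", forged),
             ("legitimate", frame), ("replay", frame)]
    results = {}
    for name, candidate in cases:
        try:
            results[name] = "accepted: " + bob.accept(candidate).decode()
        except ValueError as err:
            results[name] = "rejected: " + str(err)
    return results
```

This service provides data integrity and data origin authentication only; the payload is sent in the clear, so confidentiality would need an encipherment mechanism in addition.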
38
Options for Mini-Project
Data link Layer: ARP, RARP, NDP, OSPF, MAC, Wireless
Network Layer: IPv4, IPv6, ICMP, ICMPv6, IPSec, Mobile IP
Transport Layer: TCP, UDP, RSVP
Application Layer: DNS, DHCP, SNMP, RIP, HTTP, HTTPS, FTP