Kittiphan Techakittiroj (19 . . 2566เม ย )

Network Security(the Internet Security)

Kittiphan Techakittiroj

engktc@au.ac.th

Kittiphan Techakittiroj (19 . . 2566เม ย )

Goals of Security

• Ensure the only authorized individuals have ac

cess to information

• Preventing unauthorized creation, alteration, or

destruction of data

• Ensuring that legimate users are not denied acc

ess to information

• Ensuring that resources are used in legitimate

way

Kittiphan Techakittiroj (19 . . 2566เม ย )

Classication of Security

• Communication security

– signal

• Computer security

– user permission

– file sharing access control

Kittiphan Techakittiroj (19 . . 2566เม ย )

Classication of Security (secondary)Classication of Security

• Physical security: locks on doors, access badges, b

iometrics

• Personnel security: employee screening

• Administrative security: investigation of security b

reaches, policy

• Information/data security: controlling the reporduc

tion of sensitive material

• Online security: controlling access to online data

Kittiphan Techakittiroj (19 . . 2566เม ย )

Classication of Security Violation

• Cracking

• Spoofing

• Snooping

• Social Engineering

• Denial of Service

Kittiphan Techakittiroj (19 . . 2566เม ย )

Cracking

• Often called as “Hacking”

• Break through the security by using the

knowledge of

– Software Engineer

– Computer Network

– Operating System

– etc.

Classification of Security Violation

Kittiphan Techakittiroj (19 . . 2566เม ย )

Cracker

• few real crackers (super crackers)

• other cracker used

– asking expert

– public available information (WWW)

• protected by

– security report

– patches, updates and hot fixes

Classification of Security Violation: Cracking

Kittiphan Techakittiroj (19 . . 2566เม ย )

Spoofing• Act as the others, e.g.

– fake e-mail: e.g. sending an e-mail by pretending to b

e other (theoritical can be any name)

– fake IP: e.g. to gain accesses to the prohibit area

Classification of Security Violation

http://www.data.com/roundups/images/vpn_servers_figure1.html

Kittiphan Techakittiroj (19 . . 2566เม ย )

Spoofing

• Starting point for other security violation

• False information

• protected by

– digital signature

– digital certification

Classification of Security Violation

Kittiphan Techakittiroj (19 . . 2566เม ย )

Snooping

• Steal information during transmission

• Hardware:

– Packet Sniffer

– usually need access to the physical network

• Software:

– capture keystroke

Classification of Security Violation

Kittiphan Techakittiroj (19 . . 2566เม ย )

Snooping cont.

• Other:

– Trashing (happened to credit card number)

• protected by:

– encryption

– security access control

Classification of Security Violation

Kittiphan Techakittiroj (19 . . 2566เม ย )

Social Engineering

• Talking between user and cracker

• Serious and Common

• protected by:

– policy

– knowledge of users

Classification of Security Violation

Kittiphan Techakittiroj (19 . . 2566เม ย )

Denial of Service

• attack the weakness of the network, e.g.

– spamming e-mail (mail bomb)

– spamming web request

– WinNuke

• protected by:

– hot fixes & patches

– firewall

– logging system

Classification of Security Violation

Kittiphan Techakittiroj (19 . . 2566เม ย )

Benefit of Security

• Confidentiality

• Authentication (including access control)

• Message Digest (including data integrity)

– protect unknown modification, e.g. virus

– sampling keywords of the information and do the

encryption

• Non-repudiation: digital signature & certification

Kittiphan Techakittiroj (19 . . 2566เม ย )

Potential Security Risk

• Lack of safeguards

• poorly configured & administered systems

• basic security problems with communication

protocol (IP, TCP, UDP)

• faulty service program

• basic security problem with service programs

(WWW, FTP)

Kittiphan Techakittiroj (19 . . 2566เม ย )

General rules for Protection

• software current & update

– fixed & patch & upgrade

• encrypt sensitive information

• train user & administrator

– password & security

– policy

• monitoring: 100% monitor --> 100% secure

Kittiphan Techakittiroj (19 . . 2566เม ย )

Standard Technology on Security

• firewall: packet filtering & proxy

• Intrusion Detection Systems:

Detect the attack before it happens

• Network Address Translation:

Not design for scurity but generate a high-level o

f security

• encryption

– VPN (virtual private network)

– digital signature & certification

General rules for Protection

Kittiphan Techakittiroj (19 . . 2566เม ย )

Emerging Technology on Security

• encryption

– SET, S-HTTP, IPSec (IP Security Protocol), S

SL or TLS (Transport Layer Security), CDSA

(Common Data Security Architecture), XBSS

(Baseline Security Services), XDAS (Distribut

e Audit Service), XSSO (Single Sign On)

General rules for Protection

Kittiphan Techakittiroj (19 . . 2566เม ย )

Reference Books

Developing Secure Commerce Applications by Onli

ne O’Reilly Web Development Courses (http://20

8.233.153.3/oreilly/security/westnet: 1999)