kizza - guide to computer network security 1 chapter 2: understanding network security guide to...

Chapter 2: Understanding Chapter 2: Understanding Network Security Network Security

Guide to Computer Network Security

Kizza - Guide to Computer Network SecuriKizza - Guide to Computer Network Securityty

22

What Is Network Security?What Is Network Security?

Security is a continuous process of protecting an Security is a continuous process of protecting an object from attack. That object may be a person, object from attack. That object may be a person, an organization such as a business, or property an organization such as a business, or property such as a computer system or a file. such as a computer system or a file. In a distributed computer system such as a In a distributed computer system such as a network, the protection covers physical and non-network, the protection covers physical and non-physical resources that make up the network physical resources that make up the network including communication channels and including communication channels and connectors like modems, bridges, switches, and connectors like modems, bridges, switches, and servers, as well as the files stored on those servers, as well as the files stored on those servers. In each one of these cases, therefore, servers. In each one of these cases, therefore, security means preventing unauthorized access, security means preventing unauthorized access, use, alteration, and theft or physical damage to use, alteration, and theft or physical damage to these resources. these resources.


33

Physical SecurityPhysical Security– A facility is physically secure if it is A facility is physically secure if it is

surrounded by a barrier like a fence, has surrounded by a barrier like a fence, has secure areas both inside and outside, secure areas both inside and outside, and can resist penetration by intruders. and can resist penetration by intruders. Physical security can be guaranteed if Physical security can be guaranteed if the following four mechanisms are in the following four mechanisms are in place: place:

deterrence, deterrence,

prevention, prevention,

detection, detection,

responseresponse


44

Pseudosecurity is a Pseudosecurity is a theoretical state of theoretical state of security, commonly known security, commonly known “security “security through obscurity” (STO). STO is a false through obscurity” (STO). STO is a false hope of security. With security through hope of security. With security through obscurity, many believe that any resource obscurity, many believe that any resource on the system can be secure so long as on the system can be secure so long as nobody outside the core implementation nobody outside the core implementation group is allowed to find out anything about group is allowed to find out anything about its internal mechanisms. This security is its internal mechanisms. This security is often referred to as “bunk mentality” often referred to as “bunk mentality” security. security.


55

Computer SecurityComputer SecurityThis is a study focusing on creating a This is a study focusing on creating a secure environment for the use of secure environment for the use of computers. computers. The field consists of three areas of The field consists of three areas of interest:interest:– the study of computer ethics, the study of computer ethics, – the development of both software and the development of both software and

hardware protocols, hardware protocols, – The development of best practices. The development of best practices.

It is a complex field of study involving It is a complex field of study involving detailed mathematical designs of detailed mathematical designs of cryptographic protocols. cryptographic protocols.


66

Network SecurityNetwork Security

The study of the security of computer The study of the security of computer networks. networks. It is still a branch of computer science It is still a branch of computer science but a lot broader that computer security. but a lot broader that computer security. It involves creating an environment in It involves creating an environment in which a computer network, including all which a computer network, including all its resources, which are many, all the its resources, which are many, all the data in it both a in storage and in transit, data in it both a in storage and in transit, and all its users are secure. Because it and all its users are secure. Because it is wider than computer security, this is a is wider than computer security, this is a more complex field of study than more complex field of study than computer security involving more computer security involving more detailed mathematicaldetailed mathematical


77

Information SecurityInformation Security

Information security is even a bigger field of study Information security is even a bigger field of study inncludig computer and computer network security. inncludig computer and computer network security.

Is a study of detailed mathematical designs of Is a study of detailed mathematical designs of cryptographic, communication, transport, exchange cryptographic, communication, transport, exchange protocols and best practices,of the state of both data protocols and best practices,of the state of both data and information in motion.and information in motion.

It includes a variety of disciplines including It includes a variety of disciplines including computer science, business management, computer science, business management, information studies, and engineering. information studies, and engineering.

It involves the creation of a state in which It involves the creation of a state in which information and data are secure. In this model, information and data are secure. In this model, information or data is either in motion through information or data is either in motion through communication channels or in storage in databases communication channels or in storage in databases on server. on server.


88

Securing the Computer Network

Securing a computer network is Securing a computer network is protecting the netwo from both internal protecting the netwo from both internal and external unauthorized access. and external unauthorized access.

These resources, physical or not, are These resources, physical or not, are objects which are the hardware resources objects which are the hardware resources in the system and the intangible object like in the system and the intangible object like information and data both in transition and information and data both in transition and static in storage. static in storage.


99

What are we Protecting?What are we Protecting?HardwareHardware– Protecting hardware resources include protecting: Protecting hardware resources include protecting:

End user objects that include the user interface hardware End user objects that include the user interface hardware components like all client system input components components like all client system input components including a keyboard, the mouse, touch screen, light pens, including a keyboard, the mouse, touch screen, light pens, and others. and others. Network objects like firewalls, hubs, switches, routers and Network objects like firewalls, hubs, switches, routers and gateways which are vulnerable to hackers;gateways which are vulnerable to hackers;Network communication channels to prevent Network communication channels to prevent eavesdroppers from intercepting network communications.eavesdroppers from intercepting network communications.

SoftwareSoftware– Protecting software resources includes protecting Protecting software resources includes protecting

hardware-based software, operating systems, server hardware-based software, operating systems, server protocols, browsers, application software, and intellectual protocols, browsers, application software, and intellectual property stored on network storage disks and databases. property stored on network storage disks and databases. client software like investment portfolios, financial data, client software like investment portfolios, financial data, real estate records, images or pictures, and other personal real estate records, images or pictures, and other personal files commonly stored on home and business computers. files commonly stored on home and business computers.


1010

Security ServicesSecurity ServicesSecurity services include the following:Security services include the following:– Access control – to require that access to Access control – to require that access to

information resources is controlled information resources is controlled – Authentication – a process whereby the system Authentication – a process whereby the system

gathers and builds up information about the gathers and builds up information about the user to assure that the user is genuine. user to assure that the user is genuine.

– Confidentiality – prevention of unauthorized Confidentiality – prevention of unauthorized disclosure of informationdisclosure of information

– Integrity – prevention of unauthorized Integrity – prevention of unauthorized modification of informationmodification of information

– Nonrepudiation – to require that neither the Nonrepudiation – to require that neither the sender nor the receiver of a message can deny sender nor the receiver of a message can deny the transmission.the transmission.


1111

Security StandardsSecurity StandardsBecause security solutions come in many different Because security solutions come in many different types and use different technologies, security types and use different technologies, security standards are used to bring about interoperability standards are used to bring about interoperability and uniformity among the many system resources and uniformity among the many system resources with differing technologies within the system and with differing technologies within the system and between systems. System managers, security between systems. System managers, security chiefs, and experts choose or prefer standards, if no chiefs, and experts choose or prefer standards, if no de facto standard exists, that are based on service, de facto standard exists, that are based on service, industry, size, or mission. industry, size, or mission. The type of service an organization is offering The type of service an organization is offering determines the types of security standards used. determines the types of security standards used. Like service, the nature of the industry an Like service, the nature of the industry an organization is in also determines the types of organization is in also determines the types of services offered by the system, which in turn services offered by the system, which in turn determines the type of standards to adopt. determines the type of standards to adopt.


1212

The size of an organization also determines The size of an organization also determines what type of standards to adopt. In what type of standards to adopt. In relatively small establishments, the ease of relatively small establishments, the ease of implementation and running of the system implementation and running of the system influence the standards to be usedinfluence the standards to be usedExamples include:Examples include:– Homeland National Security AwarenessHomeland National Security Awareness– Orange Book - the U.S. Department of Defense Orange Book - the U.S. Department of Defense

Trusted Computer System Evaluation CriteriaTrusted Computer System Evaluation Criteria (DOD-5200.28-STD) standard known as the (DOD-5200.28-STD) standard known as the Orange Book.Orange Book.

– British Standard 799 (BS 7799) - outlines a code British Standard 799 (BS 7799) - outlines a code of practice for information security management of practice for information security management that further helps determine how to secure that further helps determine how to secure network systems. network systems.


1313

Forms of Protection Forms of Protection The Security Policy The Security Policy – Is a an organization’s security blueprint that Is a an organization’s security blueprint that

emphasizes a number of security factors emphasizes a number of security factors starting with the identification of all critical starting with the identification of all critical operations in the system that must be secured, operations in the system that must be secured, those that are needed, but not critical to daily those that are needed, but not critical to daily operations, and those operations that can be operations, and those operations that can be secured. Second it prioritizes the system secured. Second it prioritizes the system resources and the information stored on each. resources and the information stored on each.

– It also assigns risk factors to all these classified It also assigns risk factors to all these classified resources. resources.

– Some security experts do not consider it Some security experts do not consider it essential while others do. However, it is an essential while others do. However, it is an important element in the security environment important element in the security environment of an enterprise.of an enterprise.


1414

Access Control – allowing access to Access Control – allowing access to information assets to only authorized information assets to only authorized users.users.– As information becomes more valuable As information becomes more valuable

and more people join the ever growing and more people join the ever growing Internet, scavenger hunters, hackers, Internet, scavenger hunters, hackers, activists, robbers, and all sorts of people activists, robbers, and all sorts of people are flocking onto the Internet and the are flocking onto the Internet and the security of information of a society security of information of a society increasingly dependent on computer increasingly dependent on computer networks will become vital. The networks will become vital. The importance of this security element, importance of this security element, therefore, cannot be over emphasized. therefore, cannot be over emphasized.


1515

Strong Encryption Algorithms Strong Encryption Algorithms – The amount of information stored and traversing The amount of information stored and traversing

the computer systems and networks has been the computer systems and networks has been increasing both in volume and value as networks increasing both in volume and value as networks expand. expand.

– The security of that information is increasingly The security of that information is increasingly threatened by the quality and security of the threatened by the quality and security of the software running on these machines: software running on these machines:

a high volume of vulnerabilities in the network a high volume of vulnerabilities in the network infrastructure infrastructure

embarrassingly poor protocols. embarrassingly poor protocols.

Hackers are exploiting these software bugs, which are Hackers are exploiting these software bugs, which are sometimes easy to fix, eavesdropping and intercepting sometimes easy to fix, eavesdropping and intercepting communication data with increasing ease. communication data with increasing ease.

– The security of information, therefore, rests with The security of information, therefore, rests with finding strong encryption algorithms that will finding strong encryption algorithms that will swat would be intruders. swat would be intruders.


1616

Authentication TechniquesAuthentication Techniques– The future of e-commerce is riding on The future of e-commerce is riding on

strong encryption and authentication strong encryption and authentication techniques. techniques.

– As more and more people go online to buy As more and more people go online to buy and sell their wares, they need strong and and sell their wares, they need strong and trustworthy algorithms that will make trustworthy algorithms that will make such transactions safe. such transactions safe.

– If the most recent headliner hacker attack If the most recent headliner hacker attack on credit card databases is any indication, on credit card databases is any indication, we are still a long way from safe e- we are still a long way from safe e-commerce. commerce.

– Strong authentication techniques will go a Strong authentication techniques will go a long way to ensure safe business long way to ensure safe business transactions online. transactions online.


1717

ConfidentialityConfidentiality

The confidentiality serviceThe confidentiality service protects system protects system data and information from unauthorized data and information from unauthorized disclosure. disclosure.

It involves the use of encryption algorithms to It involves the use of encryption algorithms to ensure that no third party like a cryptanalysis ensure that no third party like a cryptanalysis or a man-in-the middle has eavesdropped on or a man-in-the middle has eavesdropped on the data. the data.


1818

IntegrityIntegrity

A hash function is used on the input message A hash function is used on the input message to create a code from it that provides the to create a code from it that provides the message’s authenticity. message’s authenticity.


1919

Non-repudiationNon-repudiation

This is a security service that provides proof of This is a security service that provides proof of origin and delivery of service and/or origin and delivery of service and/or information. information.

This service, through This service, through digital signaturedigital signature and and encryption algorithms, ensures that digital data encryption algorithms, ensures that digital data may not be repudiated by providing proof of may not be repudiated by providing proof of origin difficult to deny. origin difficult to deny.

A digital signature is a cryptographic A digital signature is a cryptographic mechanism that is the electronic equivalent of mechanism that is the electronic equivalent of a written signature to authenticate a piece of a written signature to authenticate a piece of data as to the identity of the sender.data as to the identity of the sender.


2020

Security StandardsSecurity StandardsThe computer network model also suffers from the standardization The computer network model also suffers from the standardization problem. Security protocols, solutions and best practices that can secure problem. Security protocols, solutions and best practices that can secure the computer network model come in many different types and use the computer network model come in many different types and use different technologies resulting in incompartibility of interfaces different technologies resulting in incompartibility of interfaces

System managers, security chiefs, and experts , therefore, need standards. System managers, security chiefs, and experts , therefore, need standards.

The type of service an organization is offering determines the types of The type of service an organization is offering determines the types of security standards used. security standards used.

Also the mission of the establishment also determines the types of Also the mission of the establishment also determines the types of standards used. standards used.


2121

Types of Security StandardsTypes of Security Standards

Security Standards Based on Type of Service/IndustrySecurity Standards Based on Type of Service/Industry

Security Standards Based on Size/ImplementationSecurity Standards Based on Size/Implementation

Security Standards Based on InterestsSecurity Standards Based on Interests


2222

Best Security PracticesBest Security Practices

There is a rich repertoire of standards There is a rich repertoire of standards and best practices on the system and and best practices on the system and info-security landscapeinfo-security landscape

This complicates the security This complicates the security landscapelandscape

There a need for security experts to There a need for security experts to keep abreast of all changeskeep abreast of all changes

This takes security management, This takes security management, planning, policy development, and the planning, policy development, and the design of procedures. design of procedures.

kizza - guide to computer network security 1 chapter 2: understanding network security guide to...

Documents

computer security

network security guide

security of computer

physical security

known security

security means

theoretical state of

false hope of security