Session 02: Basic Aspects of Network Security and the OSI Standard Provisions

Course: H0242 / Network Security
Year: 2006
Version: 1
Learning Outcomes
By the end of this session, students are expected to be able to:
• Use the basic aspects of network security and the OSI standard
provisions for network security
Outline
• Network Security Background
• Trends
• Definitions
• OSI Architecture for Network Security
Why Is Security Important
• Computers and networks are the nerves of
the basic services and critical
infrastructures in our society
– Financial services and commerce
– Transportation
– Power grids
– Etc.
• Computers and networks are targets of
attacks by our adversaries
Why Is Security Hard
• The complexity of computers and networks
• User expectation
• User ignorance
– Social engineering
• Defense is inherently more expensive
– Offense only needs the weakest link
Vulnerability Trends
• Flaws can be found without source code
– common: system call trace
– new: subroutine call trace
– protocols can be examined for
vulnerabilities
– program instabilities (buffer overflow, etc.)
• Good news — the public & vendors
becoming more security conscious
• Patches now being released via Internet
• Still untested — product liability
What is Security
• Security is concerned with preventing
undesired behavior
– An enemy/opponent/hacker/adversary
may be actively and maliciously trying
to circumvent any protective measures
you put in place
Goal
• Security is always a trade-off
• The goal should never be “to make the
system as secure as possible”…
• …but instead, “to make the system as
secure as possible within certain
constraints” (cost, usability, convenience)
Concerns
• Detection and response
– How do you know when you are being
attacked?
– How quickly can you stop the attack?
– Can you prevent the attack from
recurring?
• Recovery
– Can be much more important than
prevention
• Legal issues?
Definitions
• Computer Security
– generic name for the collection of tools designed
to protect data and to thwart hackers
• Network Security (Includes Internet Security)
– measures to protect data during their
transmission
– measures to protect data during their
transmission over a collection of interconnected
networks
– consists of measures to deter, prevent, detect,
and correct security violations that involve the
transmission of information
OSI Security Architecture
• ITU-T X.800 Security Architecture for
OSI
• Defines a systematic way of defining
and providing security requirements
• International Standard
• 5 Categories
• 14 Services
Service Categories
1. Authentication
• Peer-entity, Data-origin
• Assurance that the communicating entity is the
one claimed
2. Access Control
• Prevention of the unauthorized use of a resource
3. Data Confidentiality
• Connection, connectionless, selective-field,
traffic-flow
• Protection of data from unauthorized disclosure
Service Categories
4. Data Integrity
• Connection recovery, no-recovery, selective-field
• Connectionless no-recovery, selective-field
• Assurance that data received is as sent by an
authorized entity
5. Non-Repudiation
• Origin, destination
• Protection against denial by one of the parties in a
communication
Security Service
– Something that enhances the security of the data
processing systems and the information transfers
of an organization
– Intended to counter security attacks
– Make use of one or more security mechanisms to
provide the service
– Replicate functions normally associated with
physical documents
• e.g. have signatures, dates; need protection
from disclosure, tampering, or destruction; be
notarized or witnessed; be recorded or licensed
Security Mechanism
• A mechanism that is designed to detect,
prevent, or recover from a security attack
• No single mechanism will support all
functions required
• One particular element underlies many of
the security mechanisms in use:
cryptographic techniques
Security Attack
• Any action that compromises the security of
information owned by an organization
• Information security is about how to prevent
attacks, or failing that, to detect attacks on
information-based systems
• There is a wide range of attacks
• Can focus on generic types of attacks
• Note: threat & attack are often used to mean the same thing
Network Security Model
Network Access Security
Security Policies
• A security policy is a statement that partitions the
state of the system into a set of authorized (or
secure) states, and a set of unauthorized (or
nonsecure) states
• A secure system is a system that starts in an
authorized state and cannot enter an unauthorized
state
– A breach of security occurs when a system enters
an unauthorized state
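The definition above can be checked mechanically on a small model. This is an added example, not part of the original slides: it treats a system as a graph of states, takes the policy as the set of authorized states, and searches for a reachable unauthorized state. The state names, the transition tables and the function name find_breach are all constructed for illustration.

```python
from collections import deque

def find_breach(initial, transitions, authorized):
    """Return the shortest path from `initial` to an unauthorized state,
    or None if no unauthorized state is reachable (the system is secure)."""
    if initial not in authorized:
        return [initial]              # does not even start in an authorized state
    parent = {initial: None}          # visited set + back-pointers for the path
    queue = deque([initial])
    while queue:
        state = queue.popleft()
        for nxt in transitions.get(state, ()):
            if nxt in parent:
                continue
            parent[nxt] = state
            if nxt not in authorized:  # breach: an unauthorized state was entered
                path = [nxt]
                while parent[path[-1]] is not None:
                    path.append(parent[path[-1]])
                return path[::-1]
            queue.append(nxt)
    return None

# Constructed policy: the set of authorized states. Everything else,
# here "user_reads_payroll", is unauthorized.
AUTHORIZED = {"logged_out", "user_session", "admin_session", "admin_reads_payroll"}

# Constructed system with a flaw: a plain user session can reach the payroll.
FLAWED = {
    "logged_out": ["user_session", "admin_session"],
    "user_session": ["logged_out", "user_reads_payroll"],
    "admin_session": ["logged_out", "admin_reads_payroll"],
    "admin_reads_payroll": ["admin_session"],
    "user_reads_payroll": ["user_session"],
}

# Same system with the offending transition removed.
FIXED = {**FLAWED, "user_session": ["logged_out"]}

if __name__ == "__main__":
    print("flawed:", find_breach("logged_out", FLAWED, AUTHORIZED))
    print("fixed: ", find_breach("logged_out", FIXED, AUTHORIZED))
```

The returned path is the sequence of transitions that leads to the breach, which is what a reviewer needs in order to decide which transition to remove or guard.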