What is Security?

Chapter 2: Understanding
Network Security
Guide to Computer Network Security
Kizza - Guide to Computer Network Security
What Is Network Security?
Security is a continuous process of protecting an
object from attack. That object may be a person,
an organization such as a business, or property
such as a computer system or a file.
In a distributed computer system such as a
network, the protection covers the physical and
nonphysical resources that make up the network,
including communication channels, connecting
devices like modems, bridges, and switches, the
servers, and the files stored on those servers.
In each of these cases, therefore, security
means preventing unauthorized access, use,
alteration, and theft of or physical damage to
these resources.
Physical Security
– A facility is physically secure if it is
surrounded by a barrier like a fence, has
secure areas both inside and outside,
and can resist penetration by intruders.
Physical security rests on four
mechanisms, all of which need to be in
place:
deterrence,
prevention,
detection,
response
Pseudosecurity is a theoretical state of
security, commonly known as “security
through obscurity” (STO). STO is a false
hope of security. With security through
obscurity, many believe that any resource
on the system can be secure so long as
nobody outside the core implementation
group is allowed to find out anything about
its internal mechanisms. This is often
referred to as “bunker mentality” security.
The sound alternative is Kerckhoffs's
principle: a system should remain secure
even when everything about it except the
key is public, so the key is the only
secret that has to be protected.
Computer Security
This is a study focusing on creating a
secure environment for the use of
computers.
The field consists of three areas of
interest:
– the study of computer ethics,
– the development of both software and
hardware protocols,
– the development of best practices.
It is a complex field of study involving
detailed mathematical designs of
cryptographic protocols.
Network Security
The study of the security of computer
networks.
It is still a branch of computer science,
but a lot broader than computer security.
It involves creating an environment in
which a computer network, including all
its many resources, all the data in it
both in storage and in transit, and all
its users are secure. Because it is wider
than computer security, it is a more
complex field of study than computer
security, involving more detailed
mathematical designs of cryptographic
protocols.
Information Security
Information security is an even bigger field of study,
including computer and computer network security.
It is a study of the detailed mathematical designs of
cryptographic, communication, transport, and exchange
protocols, and of best practices, for the state of both
data and information in motion.
It includes a variety of disciplines including
computer science, business management,
information studies, and engineering.
It involves the creation of a state in which
information and data are secure. In this model,
information or data is either in motion through
the network or static in storage.
Securing the Computer Network
Securing a computer network is
protecting the network from both internal
and external unauthorized access.
The resources being protected, physical
or not, are objects: the hardware
resources in the system and the
intangible objects like information and
data, both in transit and static in
storage.
What are we Protecting?
Hardware
– Protecting hardware resources includes protecting:
End-user objects that include the user interface hardware
components like all client system input components,
including a keyboard, the mouse, touch screen, light pens,
and others.
Network objects like firewalls, hubs, switches, routers and
gateways, which are vulnerable to hackers;
Network communication channels, to prevent eavesdroppers
from intercepting network communications.
Software
– Protecting software resources includes protecting
firmware (software embedded in hardware), operating
systems, server protocols, browsers, application software,
and intellectual property stored on network storage disks
and databases, as well as client-side data like investment
portfolios, financial data, real estate records, images or
pictures, and other personal files commonly stored on home
and business computers.
Security Services
Security services include the following:
– Access control – to require that access to
information resources is controlled, so that
only authorized users obtain it
– Authentication – a process whereby the system
gathers and checks evidence about a user (or
another system) to assure that the claimed
identity is genuine.
– Confidentiality – prevention of unauthorized
disclosure of information
– Integrity – prevention of unauthorized
modification of information
– Nonrepudiation – to require that neither the
sender nor the receiver of a message can deny
the transmission.
Security Standards
Because security solutions come in many different
types and use different technologies, security
standards are used to bring about interoperability
and uniformity among the many system resources
with differing technologies within a system and
between systems. System managers, security
chiefs, and experts choose standards (or, if no
de facto standard exists, prefer ones) based on
service, industry, size, or mission.
The type of service an organization is offering
determines the types of security standards used.
Like service, the nature of the industry an
organization is in also determines the types of
services offered by the system, which in turn
determines the type of standards to adopt.
The size of an organization also determines
what type of standards to adopt. In
relatively small establishments, the ease of
implementation and running of the system
influence the standards to be used.
Examples include:
– Homeland National Security Awareness
– Orange Book - the U.S. Department of Defense
Trusted Computer System Evaluation Criteria
(DoD 5200.28-STD), known as the Orange Book;
for product evaluation it has since been
superseded by the Common Criteria (ISO/IEC 15408).
– British Standard 7799 (BS 7799) - outlines a code
of practice for information security management
that further helps determine how to secure
network systems; it later became the basis of
ISO/IEC 17799 and today's ISO/IEC 27001/27002.
Forms of Protection
The Security Policy
– Is an organization’s security blueprint. It
emphasizes a number of security factors,
starting with the identification of all critical
operations in the system that must be secured,
those that are needed but not critical to daily
operations, and those operations that can be
secured. Second, it prioritizes the system
resources and the information stored on each.
– It also assigns risk factors to all these
classified resources.
– Some security experts do not consider it
essential while others do. However, it is an
important element in the security environment
of an enterprise.
Access Control – allowing access to
information assets only to authorized
users.
– As information becomes more valuable
and more people join the ever-growing
Internet, scavenger hunters, hackers,
activists, robbers, and all sorts of people
are flocking onto the Internet, and the
security of information in a society
increasingly dependent on computer
networks is becoming vital. The
importance of this security element,
therefore, cannot be overemphasized.
Strong Encryption Algorithms
– The amount of information stored and traversing
computer systems and networks has been
increasing both in volume and value as
networks expand.
– The security of that information is increasingly
threatened by the quality and security of the
software running on these machines:
a high volume of vulnerabilities in the network
infrastructure
embarrassingly poor protocols.
Hackers are exploiting these software bugs, which are
sometimes easy to fix, eavesdropping on and intercepting
communication data with increasing ease.
– The security of information, therefore, rests with
finding strong encryption algorithms that will
swat would-be intruders. Encryption protects data
in transit and in storage; it does not fix the
vulnerable software that handles the data before
it is encrypted and after it is decrypted, so
patching remains necessary alongside it.
Authentication Techniques
– The future of e-commerce is riding on
strong encryption and authentication
techniques.
– As more and more people go online to
buy and sell their wares, they need strong
and trustworthy algorithms that will make
such transactions safe.
– If the most recent headliner hacker attack
on credit card databases is any indication,
we are still a long way from safe e-commerce.
– Strong authentication techniques will go a
long way toward ensuring safe business
transactions online.
Confidentiality
The confidentiality service protects system
data and information from unauthorized
disclosure.
It involves the use of encryption algorithms
to ensure that a third party like a
cryptanalyst or a man-in-the-middle who
does eavesdrop on the data learns nothing
from it. Encryption does not stop the
interception itself; it makes whatever is
intercepted unintelligible without the key.
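The confidentiality service described above, as an added example in Go using only the standard library (this is not code from the book or its author): a message is sealed under a shared 256-bit key with AES-GCM, an eavesdropper sees only the nonce and ciphertext, and a receiver with the wrong key, or a ciphertext changed in transit, gets an error rather than plaintext. The Envelope type, the Seal/Open/Exposed names and the sample key and message are all constructed for this illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Envelope is what actually travels over the channel an eavesdropper can
// see: a fresh random nonce and the AES-GCM ciphertext, which ends in a
// 16-byte authentication tag.
type Envelope struct {
	Nonce      []byte
	Ciphertext []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under key. A new nonce is drawn from the OS CSPRNG
// for every message; reusing a nonce under the same key breaks GCM.
func Seal(key, plaintext []byte) (Envelope, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	return Envelope{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// Open decrypts an Envelope. It returns an error, and no plaintext at all,
// if the key is wrong or if any bit of the nonce or ciphertext was altered.
func Open(key []byte, env Envelope) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// Exposed reports whether a byte string the eavesdropper captured contains
// the secret verbatim, i.e. whether confidentiality was lost.
func Exposed(captured, secret []byte) bool {
	return bytes.Contains(captured, secret)
}

func main() {
	// Constructed sample data: a 256-bit key and a short business message.
	key := bytes.Repeat([]byte{0x42}, 32)
	msg := []byte("transfer 1000 USD to account 12345")

	env, err := Seal(key, msg)
	if err != nil {
		panic(err)
	}
	fmt.Printf("on the wire, plaintext visible: %v\n", Exposed(env.Ciphertext, msg))

	got, err := Open(key, env)
	fmt.Printf("legitimate receiver: %q err=%v\n", got, err)

	wrong := bytes.Repeat([]byte{0x43}, 32)
	_, err = Open(wrong, env)
	fmt.Printf("eavesdropper with wrong key: err=%v\n", err)

	env.Ciphertext[0] ^= 0x01 // man-in-the-middle flips one bit
	_, err = Open(key, env)
	fmt.Printf("after in-transit tampering: err=%v\n", err)
}
```

GCM is an authenticated mode, so the same tag that rejects the wrong key also rejects tampering; a plain unauthenticated mode such as CBC would hide the plaintext but silently decrypt a modified ciphertext into garbage.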
Integrity
A hash function is run over the input
message to create a short, fixed-size code
(a message digest); the receiver recomputes
the digest and compares, so any modification
in transit is detected. A bare digest does
not by itself provide authenticity, since
whoever alters the message can recompute the
digest over the altered text. For authenticity
the digest must be keyed (a message
authentication code such as HMAC) or signed.
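The distinction drawn above, as an added example in Go (not code from the book): the same message is sent once with a bare SHA-256 digest and once with an HMAC-SHA256 tag under a key shared by sender and receiver, and a simulated man-in-the-middle rewrites it in transit. The Packet type, the Send/Accept/Intercept names and the sample key and messages are constructed for this illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// Packet is a message plus the check value sent along with it. Check is
// either a bare SHA-256 digest or an HMAC-SHA256 tag, depending on scheme.
type Packet struct {
	Msg   []byte
	Check []byte
}

// digest is the unkeyed message digest from the slide above.
func digest(msg []byte) []byte {
	sum := sha256.Sum256(msg)
	return sum[:]
}

// mac is a keyed digest: HMAC-SHA256 under a key shared by sender and receiver.
func mac(key, msg []byte) []byte {
	h := hmac.New(sha256.New, key)
	h.Write(msg)
	return h.Sum(nil)
}

// Sender side.
func SendHashed(msg []byte) Packet     { return Packet{Msg: msg, Check: digest(msg)} }
func SendMACed(key, msg []byte) Packet { return Packet{Msg: msg, Check: mac(key, msg)} }

// Receiver side. hmac.Equal compares in constant time so the check itself
// does not leak how many bytes matched.
func AcceptHashed(p Packet) bool            { return hmac.Equal(digest(p.Msg), p.Check) }
func AcceptMACed(key []byte, p Packet) bool { return hmac.Equal(mac(key, p.Msg), p.Check) }

// Intercept models a man-in-the-middle who replaces the message. Against a
// bare digest he simply recomputes it over the new text; against an HMAC he
// has no key, so the best he can do is forward the old tag unchanged.
func Intercept(p Packet, newMsg []byte, keyed bool) Packet {
	if keyed {
		return Packet{Msg: newMsg, Check: p.Check}
	}
	return Packet{Msg: newMsg, Check: digest(newMsg)}
}

func main() {
	// Constructed sample data.
	key := []byte("shared-secret-known-only-to-the-two-parties")
	orig := []byte("pay 100 USD to Alice")
	forged := []byte("pay 100000 USD to Mallory")

	// Unchanged packets are accepted by both schemes.
	fmt.Println("hash, untouched:", AcceptHashed(SendHashed(orig)))
	fmt.Println("hmac, untouched:", AcceptMACed(key, SendMACed(key, orig)))

	// Bare digest: the forgery passes, because the digest was recomputed.
	fmt.Println("hash, forged:   ", AcceptHashed(Intercept(SendHashed(orig), forged, false)))
	// HMAC: the forgery is rejected, because the tag no longer matches.
	fmt.Println("hmac, forged:   ", AcceptMACed(key, Intercept(SendMACed(key, orig), forged, true)))
}
```

The bare digest still has its use when it is delivered over a channel the attacker cannot write to (for instance a checksum published on a separate, authenticated web page); sent alongside the message on the same channel, it only detects accidental corruption.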
Non-repudiation
This is a security service that provides
proof of origin and delivery of a service
and/or information.
This service, through digital signature and
encryption algorithms, ensures that digital
data cannot be repudiated, by providing
proof of origin that is difficult to deny.
A digital signature is a cryptographic
mechanism that is the electronic
equivalent of a written signature. Unlike
a message authentication code, whose key
both parties share (so either of them could
have produced the tag), a signature is made
with a private key only the signer holds and
checked with the matching public key, which
is what lets a third party attribute it to
the signer.
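The non-repudiation service above, as an added example in Go with the standard library's Ed25519 (not code from the book): Alice signs an order, Bob or a neutral arbiter verifies it with her public key, an altered order and a signature made under someone else's key both fail, and, for contrast, a tag under a shared HMAC key is shown to be the same whoever computes it. The Signed type, the NewIdentity/Sign/Verify/HMACTag names and the sample order text are constructed for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Signed is a message together with the signature the sender attached.
type Signed struct {
	Msg []byte
	Sig []byte
}

// NewIdentity creates a signing key pair. The private key never leaves the
// signer; the public key is what everyone else (including an arbiter) uses.
func NewIdentity() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Sign produces proof of origin over msg with the signer's private key.
func Sign(priv ed25519.PrivateKey, msg []byte) Signed {
	return Signed{Msg: msg, Sig: ed25519.Sign(priv, msg)}
}

// Verify is what the receiver, or later a neutral third party, runs. It
// needs only the public key, so it does not let the verifier forge anything.
func Verify(pub ed25519.PublicKey, s Signed) bool {
	return ed25519.Verify(pub, s.Msg, s.Sig)
}

// HMACTag is the keyed-digest alternative from the integrity slide. Because
// the receiver holds the same key, the receiver can produce a tag that is
// indistinguishable from the sender's, which is why a MAC gives integrity
// and authenticity between the two parties but not non-repudiation.
func HMACTag(sharedKey, msg []byte) []byte {
	h := hmac.New(sha256.New, sharedKey)
	h.Write(msg)
	return h.Sum(nil)
}

func main() {
	// Constructed scenario: Alice signs an order; Bob and an arbiter verify it.
	alicePub, alicePriv, err := NewIdentity()
	if err != nil {
		panic(err)
	}
	order := Sign(alicePriv, []byte("Alice orders 50 units at 10 USD"))

	fmt.Println("arbiter verifies Alice's signature:", Verify(alicePub, order))

	// Bob cannot later claim the order said something else...
	altered := Signed{Msg: []byte("Alice orders 500 units at 10 USD"), Sig: order.Sig}
	fmt.Println("altered order still verifies:", Verify(alicePub, altered))

	// ...and cannot sign as Alice, since only she holds the private key.
	_, bobPriv, _ := NewIdentity()
	bobForgery := Sign(bobPriv, order.Msg)
	fmt.Println("Bob's forgery verifies as Alice:", Verify(alicePub, bobForgery))

	// Contrast: with a shared HMAC key, Bob's tag equals Alice's, so an arbiter
	// cannot tell which of them produced the message.
	shared := []byte("key shared by alice and bob")
	fmt.Println("HMAC tags from either party identical:",
		hmac.Equal(HMACTag(shared, order.Msg), HMACTag(shared, order.Msg)))
}
```

In practice the arbiter also needs assurance that alicePub really belongs to Alice, which is what certificates and a public key infrastructure supply; the signature alone binds the message to a key, not to a person.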
Security Standards
The computer network model also suffers from the standardization
problem. Security protocols, solutions and best practices that can
secure the computer network model come in many different types
and use different technologies, resulting in incompatibility of
interfaces.
System managers, security chiefs, and experts, therefore, need
standards.
The type of service an organization is offering determines the
types of security standards used.
The mission of the establishment also determines the types of
standards used.
Types of Security Standards
Security Standards Based on Type of Service/Industry
Security Standards Based on Size/Implementation
Security Standards Based on Interests
Best Security Practices
There is a rich repertoire of
standards and best practices on the
system and info-security landscape.
This complicates the security
landscape.
There is a need for security experts to
keep abreast of all changes.
This takes security management,
planning, policy development, and the
design of procedures.