Chapter 2: Understanding Network Security
Guide to Computer Network Security
Kizza - Guide to Computer Network Security

What Is Network Security?

Security is a continuous process of protecting an object from attack. That object may be a person, an organization such as a business, or property such as a computer system or a file. In a distributed computer system such as a network, the protection covers the physical and nonphysical resources that make up the network, including communication channels and connectors like modems, bridges, switches, and servers, as well as the files stored on those servers. In each of these cases, therefore, security means preventing unauthorized access, use, alteration, and theft or physical damage to these resources.

Physical Security – A facility is physically secure if it is surrounded by a barrier like a fence, has secure areas both inside and outside, and can resist penetration by intruders. Physical security can be guaranteed if the following four mechanisms are in place: deterrence, prevention, detection, and response.

Pseudosecurity is a theoretical state of security, commonly known as “security through obscurity” (STO). STO is a false hope of security. With security through obscurity, many believe that any resource on the system can be secure so long as nobody outside the core implementation group is allowed to find out anything about its internal mechanisms. This security is often referred to as “bunk mentality” security.

Computer Security

This is a study focusing on creating a secure environment for the use of computers. The field consists of three areas of interest:
– the study of computer ethics,
– the development of both software and hardware protocols,
– the development of best practices.
It is a complex field of study involving detailed mathematical designs of cryptographic protocols.

Network Security

The study of the security of computer networks. It is still a branch of computer science but a lot broader than computer security. It involves creating an environment in which a computer network, including all its resources, which are many, all the data in it, both in storage and in transit, and all its users are secure. Because it is wider than computer security, this is a more complex field of study than computer security involving more detailed mathematical

Information Security

Information security is an even bigger field of study, including computer and computer network security. It is a study of detailed mathematical designs of cryptographic, communication, transport, and exchange protocols and best practices, of the state of both data and information in motion. It includes a variety of disciplines including computer science, business management, information studies, and engineering. It involves the creation of a state in which information and data are secure. In this model, information or data is either in motion through

Securing the Computer Network

Securing a computer network is protecting the network from both internal and external unauthorized access. These resources, physical or not, are objects: the hardware resources in the system and intangible objects like information and data, both in transition and static in storage.

What Are We Protecting?

Hardware – Protecting hardware resources includes protecting:
– End user objects, which include the user interface hardware components like all client system input components, including a keyboard, the mouse, touch screen, light pens, and others.
– Network objects like firewalls, hubs, switches, routers, and gateways, which are vulnerable to hackers.
– Network communication channels, to prevent eavesdroppers from intercepting network communications.

Software – Protecting software resources includes protecting:
– Hardware-based software, operating systems, server protocols, browsers, application software, and intellectual property stored on network storage disks and databases.
– Client software like investment portfolios, financial data, real estate records, images or pictures, and other personal files commonly stored on home and business computers.

Security Services

Security services include the following:
– Access control – to require that access to information resources is controlled.
– Authentication – a process whereby the system gathers and builds up information about the user to assure that the user is genuine.
– Confidentiality – prevention of unauthorized disclosure of information.
– Integrity – prevention of unauthorized modification of information.
– Nonrepudiation – to require that neither the sender nor the receiver of a message can deny the transmission.

Security Standards

Because security solutions come in many different types and use different technologies, security standards are used to bring about interoperability and uniformity among the many system resources with differing technologies within the system and between systems. System managers, security chiefs, and experts choose or prefer standards, if no de facto standard exists, that are based on service, industry, size, or mission.

The type of service an organization is offering determines the types of security standards used. Like service, the nature of the industry an organization is in also determines the types of services offered by the system, which in turn determines the type of standards to adopt.

The size of an organization also determines what type of standards to adopt. In relatively small establishments, the ease of implementation and running of the system influence the standards to be used.

Examples include:
– Homeland National Security Awareness
– Orange Book – the U.S. Department of Defense Trusted Computer System Evaluation Criteria (DOD-5200.28-STD) standard, known as the Orange Book.
– British Standard 7799 (BS 7799) – outlines a code of practice for information security management that further helps determine how to secure network systems.

Forms of Protection

The Security Policy
– It is an organization’s security blueprint that emphasizes a number of security factors, starting with the identification of all critical operations in the system that must be secured, those that are needed but not critical to daily operations, and those operations that can be secured. Second, it prioritizes the system resources and the information stored on each.
– It also assigns risk factors to all these classified resources.
– Some security experts do not consider it essential while others do. However, it is an important element in the security environment of an enterprise.

Access Control
– Allowing access to information assets to only authorized users.
– As information becomes more valuable and more people join the ever-growing Internet, scavenger hunters, hackers, activists, robbers, and all sorts of people are flocking onto the Internet, and the security of information of a society increasingly dependent on computer networks will become vital. The importance of this security element, therefore, cannot be overemphasized.

Strong Encryption Algorithms
– The amount of information stored and traversing the computer systems and networks has been increasing both in volume and value as networks expand.
– The security of that information is increasingly threatened by the quality and security of the software running on these machines: a high volume of vulnerabilities in the network infrastructure and embarrassingly poor protocols. Hackers are exploiting these software bugs, which are sometimes easy to fix, eavesdropping and intercepting communication data with increasing ease.
– The security of information, therefore, rests with finding strong encryption algorithms that will swat would-be intruders.

Authentication Techniques
– The future of e-commerce is riding on strong encryption and authentication techniques.
– As more and more people go online to buy and sell their wares, they need strong and trustworthy algorithms that will make such transactions safe.
– If the most recent headliner hacker attack on credit card databases is any indication, we are still a long way from safe e-commerce.
– Strong authentication techniques will go a long way to ensure safe business transactions online.

Confidentiality

The confidentiality service protects system data and information from unauthorized disclosure. It involves the use of encryption algorithms to ensure that no third party like a cryptanalyst or a man-in-the-middle has eavesdropped on the data.

Integrity

A hash function is used on the input message to create a code from it that provides the message’s authenticity.

Non-repudiation

This is a security service that provides proof of origin and delivery of service and/or information.
This service, through digital signature and encryption algorithms, ensures that digital data may not be repudiated by providing proof of origin that is difficult to deny. A digital signature is a cryptographic mechanism that is the electronic equivalent of a written signature to

Security Standards

The computer network model also suffers from the standardization problem. Security protocols, solutions, and best practices that can secure the computer network model come in many different types and use different technologies, resulting in incompatibility of interfaces. System managers, security chiefs, and experts, therefore, need standards. The type of service an organization is offering determines the types of security standards used. The mission of the establishment also determines the types of standards used.

Types of Security Standards
– Security Standards Based on Type of Service/Industry
– Security Standards Based on Size/Implementation
– Security Standards Based on Interests

Best Security Practices
– There is a rich repertoire of standards and best practices on the system and info-security landscape.
– This complicates the security landscape.
– There is a need for security experts to keep abreast of all changes.
– This takes security management, planning, policy development, and the design of procedures.
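
The Integrity and Non-repudiation slides above, worked through as an added example that is not part of the original slides: an unkeyed hash code detects modification, a keyed code (HMAC) also stops someone without the key from recomputing it, and neither gives non-repudiation because the receiver holds the same key. The key, messages, and function names are constructed for illustration.

```python
import hashlib
import hmac

def digest(message: bytes) -> str:
    """Unkeyed hash code for a message (SHA-256)."""
    return hashlib.sha256(message).hexdigest()

def tag(key: bytes, message: bytes) -> str:
    """Keyed code (HMAC-SHA-256); only holders of `key` can compute it."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()

def verify_digest(message: bytes, code: str) -> bool:
    return hmac.compare_digest(digest(message), code)

def verify_tag(key: bytes, message: bytes, code: str) -> bool:
    # compare_digest runs in constant time, so timing does not leak the tag
    return hmac.compare_digest(tag(key, message), code)

# Constructed sample data, not taken from the slides.
KEY = b"constructed-shared-key-for-demo"
ORIGINAL = b"pay 100 to account 1111"
ALTERED = b"pay 900 to account 2222"

def demo() -> dict:
    results = {}
    # 1. Message changed in transit, code left untouched: both checks fail it.
    results["hash_detects_change"] = not verify_digest(ALTERED, digest(ORIGINAL))
    results["hmac_detects_change"] = not verify_tag(KEY, ALTERED, tag(KEY, ORIGINAL))
    # 2. Anyone can recompute an unkeyed hash, so a replaced message/code
    #    pair still verifies: a bare hash does not prove who wrote the message.
    results["hash_accepts_replaced_pair"] = verify_digest(ALTERED, digest(ALTERED))
    # 3. Without the shared key, a recomputed tag does not verify.
    outsider_tag = tag(b"outsider-guess", ALTERED)
    results["hmac_rejects_replaced_pair"] = not verify_tag(KEY, ALTERED, outsider_tag)
    # 4. The receiver holds the same key and can tag a message the sender
    #    never sent, so an HMAC is not proof of origin to a third party.
    #    That gap is what the digital signature on the slide closes.
    receiver_made = tag(KEY, ALTERED)
    results["receiver_can_produce_valid_tag"] = verify_tag(KEY, ALTERED, receiver_made)
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```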