Network Security - University of Hull

advertisement
Networks and Security
A Series of Lectures, Outlining:
How Networks affect Security of a system
Security of System
Security of Network
Security of Organisation
Secure vs Trustworthy
Attack Vulnerabilities
Web references and Bibliography
Eur Ing Brian C Tompsett
University of Hull
Networking Principles
Revision
ISO 7 Layer Model
Names and function of layers
Layer interconnect
terminology
Internet Basics
Revision
IP Addresses (and registrars)
150.237.92.11
192.168.0.1
Domain Names (and registrars)
www.dcs.hull.ac.uk
on.to / i.am / name.is
Services/Sockets
http port 80
ISO 7 Layer Model
Application
Presentation
Session
Transport
Network
Datalink
Physical
HTTP/FTP
SMTP
Message
Gateway
Proxy/Relay
TCP/UDP
IP
Segment
NAT/ICS/
Packet
Proxy
Datagram
PPP/SLIP Router
Ethernet
Frame
Datagram
Switch/Bridge
10BaseT
ADSL
Hub/Repeater
PTU
Application
Presentation
Session
Transport
Network
Datalink
Physical
Internet The Movie
Animation covering salient points
It has some factual error
Can you spot them?
First Mention of Firewalls
Covered later
Summary
Overall Networking Architecture
Role of Layers & Layer Interface
Internet Protocols
Network Interconnections
Any further revision?
2
What is it for?
What is the purpose of
Trustworthy Computing?
Computer Security?
Information Security?
Entities
Environment
Organisation
Infrastructure
Activity
Procedures
Data
Data
Procedures
Activities
Infrastructure
Organisation
Environment
Entities
Data
Entities
Environment
Procedures
Activities
Organisation
Infrastructure
Information Security Model
Entities Protection
Environment Protection
Organisation Protection
Infrastructure Protection
Activity Protection
Procedure level Protection
Data Protection
Security 7 Layer Model
Contact
Entities
Environment
Organisation
Infrastructure
Activity
Relationship
Business
Entities
Environment
Contract
Connection
Exchange
Gateway
Language
Exchange
Document
Packet
Procedures
Protocol
Data
Translation
Information
Organisation
Infrastructure
Activity
Procedures
Data
Entities
Objects being manipulated by the system
Entities can be active or passive
Data about entities is being protected
Entities can be People, Organisations or
Objects
Entities themselves encompass other entities –
Collection or Containment
Security involves:
Physical Changes – Commissioning
Operational Procedure – What they do
Structure – Interrelations
Environment
The restrictions on entities
Can act to limit or constrain security or
freedom of action
Legislation, Regulation, Ethics
Technical Capability, Resource Limitation
Compatibility, Standards, Procedures
Physical Limitation
Organisation
The Mechanism by which operations a
performed
The Organisation within the environment
Infrastructure
That which enables activities
The physical components which may or
may not be entities in their own right
Activity
The tasks which process the data
Usually a business activity
Could be a software Application
Procedure
The component steps that enable an
activity
Can be software components or human
procedures
Data
The actual data about entities
The goal of a security breach
Protected by
Cryptography
Integrity
Security Models
ISO 17799
ISO 27001 – ISO 27000 series
SABSA
Sherwood Applied Business Security
Architecture
Based on Zachman IS Framework
Financial Security Model
SABSA Model
Financial Security Model
Finance
Applications for financial users, issuers of digital value, trading and
market operations
Value
Instruments that carry monetary value
Governance
Protection of the system from non-technical threats
Accounting
Value within defined places
Rights
An authentication concept – moving value between identities
Software Engineering
Tools to move instructions over the net
Cryptography
Sharing truths between parties
ISO 17799
Security Policy
Organisation of Information Security
Asset Management
Human Resources Security
Physical and Environmental Security
Communications and Operational Management
Access Control
Systems Development, Acquisition, Maintenance
Security Incident Management
Business Continuity Management
Compliance
ISO 17799
Network Security Model
Personal Protection
Organisation Protection
Network Protection
System Protection
Application Protection
Code level Protection
Data Protection
Person
Organisation
Infrastructure
Systems
Application
Code
Data
Data
Procedure
Application
Systems
Infrastructure
Organisation
Person
Data
Person
Organisation
Procedures
Infrastructure
Applications
Systems
Security 7 Layer Model
Contact
Person
Organisation
Infrastructure
Systems
Application
Relationship
Business
Person
Organisation
Contract
Connection
Exchange
Gateway
Language
Exchange
Document
Packet
Procedures
Protocol
Data
Translation
Information
Infrastructure
Systems
Application
Procedures
Data
Object
Static
Dynamic
Activity
Personal Protection
Personal Security
Locking Doors, Staying Safe
Personal Data Protection
Giving out DOB, Credit Card, Family info
Securing Access to your Computer
Personal Security Policy for all
Protect others personal security
Organisation Protection
Organisation / Institution / Company
A Holistic View
Corporate Image
Make public only what required
Hide internal structure & information
Window & Door into Organisation
Manages Input & Output
Doors and Windows
Decide What Services are available
Web servers, ftp, email
Which hosts on which networks
Which domains used
On which IP nets
Hosted by whom
What registration information
Names, addresses phone numbers
SMTP
WWW
Internet
Gateway
FTP
Outside
Inside
Network Protection
Protect Network as entity/resource
Manage permitted traffic flow
Manage authorised use
Architect the Network - zoning
Firewalling
Network Architecture
Proper use of Subnets and domains
Limit traffic to local segments
Use Bridges/Switches/Routers/Proxies
Prevent data and authority leaks
What to Firewall?
Certain Protocols – netBios
Certain Responses – ping/traceroute
Certain Applications Real/IRC
Certain Systems/Networks
Control Port/Host combinations
Email Port/25, HTTP Port/80, FTP Port/21
Rate Limit
Denial of Service/Scanners
System Protection
Protect each system from misuse
Incoming & Outgoing!
Control Which Services Run
http://support.microsoft.com/?kbid=832017
Virus checkers
Application Protection
Specific Application Configuration
Parental Controls of Web Browsers
Domain/IP blockers
Spam filters
Control file/device exports
Code Level Protection
Writing Secure Code
Even on secured system
Bad Code compromises security
Hence software updates
Data Protection
Hiding the Data
Cryptography
Data Transience
Data Integrity
3
Forms of Attack
Denial of Service
Input Data Attack
Spoofing
Sniffing
Social Engineering
Download