Networks and Security A Series of Lectures, Outlining: How Networks affect Security of a system Security of System Security of Network Security of Organisation Secure vs Trustworthy Attack Vulnerabilities Web references and Bibliography Eur Ing Brian C Tompsett University of Hull Networking Principles Revision ISO 7 Layer Model Names and function of layers Layer interconnect terminology Internet Basics Revision IP Addresses (and registrars) 150.237.92.11 192.168.0.1 Domain Names (and registrars) www.dcs.hull.ac.uk on.to / i.am / name.is Services/Sockets http port 80 ISO 7 Layer Model Application Presentation Session Transport Network Datalink Physical HTTP/FTP SMTP Message Gateway Proxy/Relay TCP/UDP IP Segment NAT/ICS/ Packet Proxy Datagram PPP/SLIP Router Ethernet Frame Datagram Switch/Bridge 10BaseT ADSL Hub/Repeater PTU Application Presentation Session Transport Network Datalink Physical Internet The Movie Animation covering salient points It has some factual error Can you spot them? First Mention of Firewalls Covered later Summary Overall Networking Architecture Role of Layers & Layer Interface Internet Protocols Network Interconnections Any further revision? 2 What is it for? What is the purpose of Trustworthy Computing? Computer Security? Information Security? Entities Environment Organisation Infrastructure Activity Procedures Data Data Procedures Activities Infrastructure Organisation Environment Entities Data Entities Environment Procedures Activities Organisation Infrastructure Information Security Model Entities Protection Environment Protection Organisation Protection Infrastructure Protection Activity Protection Procedure level Protection Data Protection Security 7 Layer Model Contact Entities Environment Organisation Infrastructure Activity Relationship Business Entities Environment Contract Connection Exchange Gateway Language Exchange Document Packet Procedures Protocol Data Translation Information Organisation Infrastructure Activity Procedures Data Entities Objects being manipulated by the system Entities can be active or passive Data about entities is being protected Entities can be People, Organisations or Objects Entities themselves encompass other entities – Collection or Containment Security involves: Physical Changes – Commissioning Operational Procedure – What they do Structure – Interrelations Environment The restrictions on entities Can act to limit or constrain security or freedom of action Legislation, Regulation, Ethics Technical Capability, Resource Limitation Compatibility, Standards, Procedures Physical Limitation Organisation The Mechanism by which operations a performed The Organisation within the environment Infrastructure That which enables activities The physical components which may or may not be entities in their own right Activity The tasks which process the data Usually a business activity Could be a software Application Procedure The component steps that enable an activity Can be software components or human procedures Data The actual data about entities The goal of a security breach Protected by Cryptography Integrity Security Models ISO 17799 ISO 27001 – ISO 27000 series SABSA Sherwood Applied Business Security Architecture Based on Zachman IS Framework Financial Security Model SABSA Model Financial Security Model Finance Applications for financial users, issuers of digital value, trading and market operations Value Instruments that carry monetary value Governance Protection of the system from non-technical threats Accounting Value within defined places Rights An authentication concept – moving value between identities Software Engineering Tools to move instructions over the net Cryptography Sharing truths between parties ISO 17799 Security Policy Organisation of Information Security Asset Management Human Resources Security Physical and Environmental Security Communications and Operational Management Access Control Systems Development, Acquisition, Maintenance Security Incident Management Business Continuity Management Compliance ISO 17799 Network Security Model Personal Protection Organisation Protection Network Protection System Protection Application Protection Code level Protection Data Protection Person Organisation Infrastructure Systems Application Code Data Data Procedure Application Systems Infrastructure Organisation Person Data Person Organisation Procedures Infrastructure Applications Systems Security 7 Layer Model Contact Person Organisation Infrastructure Systems Application Relationship Business Person Organisation Contract Connection Exchange Gateway Language Exchange Document Packet Procedures Protocol Data Translation Information Infrastructure Systems Application Procedures Data Object Static Dynamic Activity Personal Protection Personal Security Locking Doors, Staying Safe Personal Data Protection Giving out DOB, Credit Card, Family info Securing Access to your Computer Personal Security Policy for all Protect others personal security Organisation Protection Organisation / Institution / Company A Holistic View Corporate Image Make public only what required Hide internal structure & information Window & Door into Organisation Manages Input & Output Doors and Windows Decide What Services are available Web servers, ftp, email Which hosts on which networks Which domains used On which IP nets Hosted by whom What registration information Names, addresses phone numbers SMTP WWW Internet Gateway FTP Outside Inside Network Protection Protect Network as entity/resource Manage permitted traffic flow Manage authorised use Architect the Network - zoning Firewalling Network Architecture Proper use of Subnets and domains Limit traffic to local segments Use Bridges/Switches/Routers/Proxies Prevent data and authority leaks What to Firewall? Certain Protocols – netBios Certain Responses – ping/traceroute Certain Applications Real/IRC Certain Systems/Networks Control Port/Host combinations Email Port/25, HTTP Port/80, FTP Port/21 Rate Limit Denial of Service/Scanners System Protection Protect each system from misuse Incoming & Outgoing! Control Which Services Run http://support.microsoft.com/?kbid=832017 Virus checkers Application Protection Specific Application Configuration Parental Controls of Web Browsers Domain/IP blockers Spam filters Control file/device exports Code Level Protection Writing Secure Code Even on secured system Bad Code compromises security Hence software updates Data Protection Hiding the Data Cryptography Data Transience Data Integrity 3 Forms of Attack Denial of Service Input Data Attack Spoofing Sniffing Social Engineering