of network

advertisement

Network Security

12-1

Physical Protection of Assets and Security

 PPA is done using the following means:

• Locks

• Barriers

• Guards

 Security is provided for the following:

• Computer processing

• Large databases

• Communication networks

• Preventing a hacker from breaking into your computer

12-2

3-things to know in security

 Why networks need security?

 How to provide security!

 Types of security threats

 Network (NW)-Controls

Primary goal of the NW-Security

 To protect the data and application-SW

12-3

Introduction

For many people, security means

 preventing unauthorized access, such as

 preventing a hacker from breaking into your computer.

Security is more than that, it also includes being able to recover

 from temporary service problems, or

 from natural disasters.

12-4

Security Threats to -----!

 Software(SW)

 Hardware(HW)

 Files and database

 Data communication circuits

Threats are from different sources:

 External and internal hacking

 External —disaster, vandalism, fraud, theft

 Personal errors, dishonesty, incompetence

12-5

Introduction

12-6

Why Networks Need Security

In recent years, organizations have become increasingly dependent on the data communication networks for their daily business communications, database retrieval, distributed data processing, and the internetworking of LANs.

The losses associated with security failures can be huge.

More important than direct theft losses are the potential losses from the disruption of applications systems that run on computer networks.

12-7

2-Types of Security Threats

 Category-1: 3-Ds

-due to fire, flood, power-loss,circuit failure & virus --

• Disruption

• Destruction

• Disaster

 Category-2: U nauthorized access

• Refers to intruders

• External hackers

• Internal hackers

12-8

What an intruder will achieve!

 Gain knowledge and Change files

• To Commit fraud, threat

• To destroy information

• To injure the organization

• To sadistic thrill for his misadventure

12-9

Types of Security Threats

Category-1: 3-Ds!

Disruptions (means what!)

• are the loss or reduction in NW-service.

• Could be minor, temporary and due to

• Switch-failure or circuit-cut

 Destructions (of data):

• are caused by and/or result in the disruption

• could be due to virus or else

• Could be due to crash of hard-disk

 Disasters (of network):

 destroy host computers, sections of the NW

 Could be manmade or natural

12-10

Natural and Man-made disasters

Principal causes which are responsible for the

Category-1: 3-D Threats:

 Fires

 Floods

 Earthquakes

 Mudslides

 Storms

 Tornadoes

 Terrorist attacks

 --All these can destroy buildings and networks---

12-11

What the 3-Ds do!

 Give rise to interruptions in the NW-Service

 Cause loss of data due to NW-failure

FTS = Fault Tolerant Server

 Contains many redundant components

 (which) help prevent the NW-failure

Disk-Duplexing

• Is a disk-mirroring concept

• Provides backup against NW-failure

• (so that) even if the disk-controller fails, the server continues to operate

12-12

What are the 3-S!

 Smaller

 Smarter

 Simpler, Sophisticated

The NW-HW/SW being produced now always keep these 3-things in mind when developing their products.

12-13

Types of Security Threats

Category-2: UA

 Category-2:

 Unauthorized Access is often viewed as hackers gaining access to organizational data files and resources.

• External intruders

• Internal intruders

• Eavesdropping

---(I.e, listening secretly to a private conversation---

Keep in mind, however, that most unauthorized access incidents involve employees.

12-14

Network Controls

Developing a secure network means developing controls---i.e, mechanisms that reduce or eliminate both Cat-1 and Cat-2 threats to network security.

There are 3-types of controls:

• P reventative controls---restrain, stop a person from acting or hinder an event from occurring.

• D etective controls---reveal or discover any kind of unwanted events.

• C orrective controls---rectify an unwanted event or a trespass.

 PDC-controls should be periodically verified & tested

12-15

Network Controls

 6- areas need NW-Controls in a network

Data Communication

• Client computers

• Host/server computers (mini/mainframe/LANs)

• Communication circuits

• NW-devices and components

• NW-Software

• Application-Software

12-16

Network Controls

 It is important to remember that it is not enough to just establish a series of controls; someone or some department must be accountable for the control and security of the network.

 PDC-Controls must be reviewed periodically to be sure that they are still useful, and should be:

• Verified - ensuring that the control is still present

• Tested - determining whether the control is working as originally specified.

(PDC = Preventive, Detective and Corrective)

12-17

RISK ASSESSMENT

12-18

Risk Assessment

 One key step in developing a secure-NW is to conduct a risk assessment:

• This assigns a level of risk to various threats to the network security by comparing the nature of the threats to the controls designed to reduce them.

 Threat could mean:

• Theft of data

• Destruction of data

• Damage to NW-HW, NW-SW and NW-Circuits

12-19

7 Most Common Threats to NW

 Virus-----------------------87%

 Device failure------------52%

 Internal hacker-----------51%

 Equipment theft----------48%

 External hacker----------30%

 Natural disaster----------28%

 Industrial espionage----10%

12-20

About Computer Viruses

 Cause destruction of data

 Cause unwanted events/nuisances

 Attach themselves to some programs

 (and as a result) the viruses spread

How to prevent the spread of Viruses

Don’t share diskettes (37% due to sharing)

Don’t copy files or disks of unknown origin

 Be careful about downloading files from the Web

 Install ant-virus SW in your computer

12-21

Developing a Control

Spreadsheet

To be sure that the data communications network and microcomputer workstations have the necessary controls and that these controls offer adequate protection, it is best to build a control spreadsheet.

12-22

Developing a Control

Spreadsheet

Threats

Components

Host Computers

Client Computers

Communication Circuits

Disruption, Destruction, Disaster

Power Circuit

Unauthorized Access

External Internal

Fire Flood Loss Failure Virus Intruder Intruder Eavesdrop

Network Devices

Network Software

People

12-23

Threats

A threat to the data communications network is any potential adverse occurrence that can do harm, interrupt the systems using the network, or cause a momentary loss to the organizations.

Once the threats are identified they must be ranked on their importance.

12-24

Threats

12-25

Network Components

The next step is to identify the network components. A network component is one of the individual pieces that compose the data communications network. They include:

• Servers

• Client computers

• Communications circuits

• Network devices

• Network software

• Application software

12-26

Identify and Document the

Controls

Once the specific network threats and controls have been identified, you can begin working on the network controls.

Begin by considering the network component and the specific threat, and then describe each control that prevents, detects or corrects that threat.

12-27

Identify and Document the

Controls

Threats Disruption, Destruction, Disaster Unauthorized Access

Power Circuit External Internal

Components Fire Flood Loss Failure Virus Intruder Intruder Eavesdrop

1,2 1,3 4 1,5,6 7,8 9,10,11,12 9,10

Host Computers

Client Computers

Communication Circuits

Network Devices

Network Software

People

1. Disaster recovery plan

2. Halon fire system/sprinklers

3. Host computer room on 5th floor

4. UPS on servers

5. Contract guarantees from IXCs

6. Extra backbone fiber laid between servers

7. Virus checking software present

8. Extensive user training on viruses

9. Strong password software

10. Extensive user training on security

11. Call-back modem system

12. Application Layer firewall

12-28

Evaluate the Network’s

Security

The last step in designing a control spreadsheet is to evaluate the adequacy of the existing controls, and the resulting degree of risk associated with each threat.

The assessment can be done by the network manager, but it is better done by a team of experts chosen for their in-depth knowledge about the network and environment being reviewed.

12-29

CONTROLLING

DISRUPTION,

DESTRUCTION, AND

DISASTER

12-30

Preventing Disruption,

Destruction and Disaster

The key principle in preventing disruption, destruction and disaster - or at least reducing their impact - is redundancy.

• Disk mirroring

• Disk duplexing

• Fault-tolerant servers

• Uninterruptible power supplies (UPS)

Redundancy can be built into other network components as well.

12-31

Preventing Disruption,

Destruction and Disaster

Disasters are different, the best solution is to have a complete redundant network that duplicates every network component, but in a different location.

Generally speaking, preventing disasters is difficult. The most fundamental principle is to decentralize the network resources.

Other steps depend on the type of disaster to be prevented.

12-32

Preventing Disruption,

Destruction and Disaster

In some cases, the disruption is intentional

(i.e. theft).

Another special case is the denial-of-service attack, in which the hacker attempts to disrupt the network by sending messages to the network that prevent other’s messages from being processed.

12-33

Preventing Disruption,

Destruction and Disaster

Special attention also must be paid to preventing computer viruses - software designed to produce unwanted events. Most viruses attach themselves to other programs to special parts on disks.

How to prevent the spread of viruses

 Do not to copy files or disks of unknown origin.

 Use/Install anti-virus software packages that are available to check disks and files to ensure that they are virus-free.

12-34

NW-Monitoring Software and other means for Detecting 3-Ds

 NWM-software alerts network managers to problems so that they can be corrected.

 Some intelligent NW-servers can be programmed to send an alarm to pager, if necessary!

 On going monitoring for damaged cables which could result from hungry squirrels and rats eating the cables

12-35

Other means for Detecting 3-Ds!

Detecting minor disruptions can be more difficult. The network should routinely log fault information to enable network managers to recognize minor service problems. In addition, there should be a clear procedure by which network users can report problems.

12-36

Correcting Disruption,

Destruction and Disaster

A critical control is the disaster recovery plan, which should address various levels of response to a number of possible disasters and should provide for partial or complete recovery of all data, application software, network components, and physical facilities.

The most important element of the disaster recovery plan are backup and recovery controls that enable the organization to recover its data and restart its application software should some portion of the network fail.

12-37

Elements of a Disaster

Recovery Plan

Names of responsible individuals

Staff assignments and responsibilities

List of priorities of “fix-firsts”

 Location of alternative facilities.

 Recovery procedures for data communications facilities, servers and application systems.

 Actions to be taken under various contingencies.

 Manual processes

 Updating and Testing procedures

 Safe storage of data, software and the disaster recovery plan itself.

12-38

Correcting Disruption,

Destruction and Disaster

Backups ensure that important data is safe.

However it does not guarantee the data can be used.

Most large organizations have a two-level disaster recovery plan.

LVL 1: When they build networks they build enough capacity and have enough spare equipment to recover from a minor disaster, such as loss of a major server or portion of the network.

12-39

Correcting Disruption,

Destruction and Disaster

LVL2: most large organizations rely on professional disaster recovery firms to provide second level support for major disasters.

Disaster recovery firms provide a full range of services from secure storage for backups, to a complete networked data center that clients can use when they experience a disaster.

12-40

CONTROLLING

UNAUTHORIZED ACCESS

12-41

Controlling Unauthorized

Access

Four types of intruders attempt to gain unauthorized access to computer networks.

1. Casual computer users who only have limited knowledge of computer security.

2. Experts in security, but whose motivation is the thrill of the hunt.

3. Professional hackers who break into corporate or government computer for specific purposes.

4. Organization employees who have legitimate access to the network but who gain access to information they are not authorized to use.

12-42

Preventing Unauthorized

Access

The key principle in preventing unauthorized access is to be proactive. This means routinely testing your security systems before an intruder does.

Approaches to preventing unauthorized access:

• Developing a security policy

• Developing user profiles

• Plugging known security holes

• Securing network access points

• Preventing eavesdropping

• Using encryption

A combination of all techniques is best to ensure strong security.

12-43

Developing a Security Policy

The security policy should clearly define the important network components to be safeguarded and the important controls needed to do that.

The most common way for a hacker to break into a system, is through some social engineering (breaking security simply by asking).

12-44

Elements of a Security Policy

 Name of responsible individuals

 Incident reporting system and response team

 Risk assessment with priorities

 Controls on access points to prevent or deter unauthorized external access.

 Controls within the network to ensure internal users cannot exceed their authorized access.

 An acceptable use policy

 User training plan on security

 Testing and updating plans.

12-45

Developing User Profiles

The basis of network access is the user profile for each user’s account that is assigned by the network manager.

More and more systems are requiring users to enter a password in conjunction with something they have, such as a smart card.

In high-security applications, a user may be required to present something they are, such as a finger, hand or the retina of their eye for scanning by the system (biometric scanning).

12-46

Developing User Profiles

User profiles can limit the allowable log-in days, time of day, physical locations, and the allowable number of incorrect log-in attempts.

Creating accounts and profiles is simple, as they are created when new personnel arrive. One security problem is the removal of user accounts when someone leaves an organization.

12-47

Developing User Profiles

It is important to screen and classify both users and data (need to know).

The effect of any security software packages that restrict or control access to files, records, or data items should be reviewed.

Adequate user training on network security should be provided through self-teaching manuals, newsletters, policy statements, and short courses.

12-48

Plugging Known Security

Holes

Many commonly used operating systems have major security problems well known to potential users (security holes), many of which are highly technical.

Some security holes are not really holes, but simply policies adopted by computer vendors that open the door for security problems, such as computer systems that come with a variety of preinstalled user accounts.

12-49

Plugging Known Security

Holes

The U.S. Government requires certain levels of security in the operating systems and network operating systems it uses for certain applications.

12-50

Securing Network Access

Points

There are three major ways of gaining access:

• Using a terminal or computer located in the organization’s offices

• Dialing into the network via modem

• Accessing the network from another network to which it is connected (e.g. Internet)

The physical security of the building or buildings that house any of the hardware, software or communications circuits must be evaluated.

12-51

Securing Network Access

Points

The network components themselves also have a level of physical security.

Any organization that permits staff members to access its networks via dial-in modems opens itself to a broader range of intruders.

One strategy is to routinely change modem numbers, another is to use a call-back modem.

One-time passwords is another strategy for traveling employees for who call-back modems and automatic number identifications are inappropriate.

12-52

Securing Network Access

Points

With the increasing use of the Internet, and information superhighway, it becomes important to prevent unauthorized access to your network from intruders on other networks. For this, we have to use a

Firewall!

What is a firewall?

12-53

What is a Firewall!

 A firewall is a router, gateway, or special purpose computer that examines packets flowing into and out of a network and restricts access to the organization’s network.

 FW is designed so that it is placed on every NWconnection between the organization and the

Internet and

 No access is permitted except thru the firewall

 2-Types of firewall:

• PLF = packet level firewall

• ALF = application level firewall

12-54

Securing Network Access

Points

A packet-level firewall examines the source and destination address of every network packet that passes through it and only allows packets that have acceptable source and destination addresses to pass.

Some packet-level firewalls are vulnerable to IP-level spoofing, accomplished by changing the source address on incoming packets from their real address to an address inside the organization’s network.

Many firewalls have had their security strengthened since the first documented case of IP spoofing in

December 1994.

12-55

Securing Network Access

Points

An application-level firewall acts as an intermediate host computer or gateway between the Internet and the rest of the organization’s network.

In many cases, special programming code must be written to permit the use of application software unique to the organization.

A proxy server is a new type of application-level firewall that addresses some of the compatibility problems with traditional application-level firewalls.

12-56

Securing Network Access Points

The proxy server uses an address table to translate network addresses inside the organizations into fake addresses for use on the

Internet (network address translation or address mapping).

This way systems outside the organization never see the actual internal IP addresses.

Proxy servers work very well and are becoming the application-level firewall of choice.

Many organizations use a combination of packetlevel and application-level firewalls.

12-57

12-58

What is a Smartcard!

 It is a card about the size of a credit card that contains a small processing chip and also a memory chip that can be read by a smart-device

To gain access to a NW:

 The user must present both smart card and also password

 The intruder must have access to both before they can breakin

12-59

Example of a Smartcard!

 ATM-NW = automated teller machine NW is a best, practical, example of a smart card

 Before you can gain access to your account you must have both:

• ATM-card

• Access number

12-60

Eavesdropping on Network!

 It is way to gain unauthorized access on network traffic (where)

 the intruder inserts a listening device or computer into the organization’s network to record messages.

Two areas vulnerable to this type of unauthorized access:

• Network cabling

• Network devices

12-61

Preventing Eavesdropping

Network cables are the easiest target because they often run long distances and usually are not regularly checked for tampering.

Certain types of cable can impair or increase security by making eavesdropping easier (i.e. wireless) or more difficult (i.e. fiber optic).

Physical security of the network’s local loop and interexchange telephone circuits is the responsibility of the common carrier.

12-62

Preventing Eavesdropping

Network devices such as controllers, hubs, and bridges should be secured in a locked wiring closets.

A secure hub for Ethernet networks makes sniffer program eavesdropping more difficult, by requiring a special authorization code before new computers can be added to the hub.

A review of software controls that can be programmed into remote network devices is also needed.

12-63

What is IP-Spoofing!

 IPS means sending packets to a target computer

 IPS is done by changing the source address on the incoming packets from their real address inside the organization’s NW

12-64

Sniffer Program

 Is a spy-software/program

 (which is) installed in a computer

 (which is subsequently) plugged into an unattended hub or bridge or router

 (and as a result) it eavesdrop on all kinds of message traffic

Sniff (means what!)

 To smell (forcibly thru the nose)

 To inhale (forcibly thru the nose)

12-65

Using Encryption

One of the best ways to prevent unauthorized access is encryption, which is a means of disguising information by the use of mathematical rules known as algorithms.

An encryption system has two parts: the algorithm itself and the key, which personalizes the algorithm by making the transformation of the data unique.

12-66

What is Encryption!

It’s the best way to prevent any attempt to gain unauthorized access

 It means disguising info by the use of mathematical rules known as algorithms

Actually, it’s the CRYPTION!

• Encryption

• Decryption

 Cryptic (means what!)

 Secret and/or mystifying

12-67

Plaintext and Hypertext

Plaintext:

• It means the information is in a readable form or format! This means that the info is in a decrypted form.

Ciphertext:

• It means the information is in an encrypted

(i.e, disguised) form or format!

12-68

Using Encryption

Good encryption systems do not depend on keeping the algorithm secret, only the keys.

Today, the U.S. government considers encryption to be a weapon, and regulates its export in the same way it regulates the export of machine guns or bombs. The government is also trying to develop a policy called key escrow, requiring key registration with the government.

12-69

Using Encryption

One commonly used encryption algorithm is the data encryption standard (DES). DES is a symmetric algorithm, which means the key used to decrypt a particular bit stream is the same one used to encrypt it.

Symmetric algorithms can cause problem with key management; keys must be dispersed and stored carefully.

A 56-bit version of DES is the most commonly used encryption technique today.

12-70

Using Encryption

A second popular technique is public key encryption, the most popular of which is

RSA.

Public key encryption is inherently different from secret key systems like DES, because it is an asymmetric algorithms; there are two keys. The public key is used to encrypt the message, and the private key is used to decrypt it. Public key encryption greatly reduces the key management problem.

12-71

Using

Encryption

Private Key

12-72

Using Encryption

Public key encryption also permits authentications

(digital signatures), using a process of encrypting with the private key, and decrypting with the public key providing irrefutable proof of origin.

A certificate authority is a trusted organization that can vouch for the authenticity of the person of organization using authentication. For higher level security certification, the CA requires that a unique “fingerprint” (key) be issued by the CA for each message sent by the user.

12-73

Using

Encryption

12-74

Detecting Unauthorized Access

Detecting unauthorized access means looking for anything out of the ordinary. It means logging all messages sent and received by the network, all software used, and all logins (or attempted logins) to the network.

• Increases in the number of logins

• Unusual number of unsuccessful login attempts to a user’s or several users’ accounts.

Regular monitoring should also be extended to network hardware.

12-75

Correcting Unauthorized

Access

Once an unauthorized access is detected, the next step is to identify how the security breach occurred and fix it so that it will not reoccur.

Many organizations have taken their own steps to detect intruders by using entrapment techniques.

In recent years, there has been a stiffening of computer security laws and in the legal interpretation of other laws that pertain to computer networks.

12-76

Download