network security2011 ver02
TRANSCRIPT
-
7/28/2019 Network Security2011 Ver02
1/41
Network Security
Dr. Dai Tho Nguyen
University of Engineering and TechnologyVietnam National University, Hanoi
-
7/28/2019 Network Security2011 Ver02
2/41
INTRODUCTION
Chapter 1
Dai Tho Nguyen Network Security 2
-
7/28/2019 Network Security2011 Ver02
3/41
Social Context
This new century has been characterized by
terrorist attacks and security defenses
IT has also been victim of an unprecedented
number of attacks on information
Information security is now at the core of IT
Protecting valuable electronic information
Demand for IT professionals who know how to
secure networks and computers is at a high
Dai Tho Nguyen Network Security 3
-
7/28/2019 Network Security2011 Ver02
4/41
Technological Context
Two major changes in the requirements of
information security in recent times
Traditionally information security is provided by
physical and administrative mechanisms
Computer use requires automated tools to protect
files and other stored information
Use of networks and communications facilitiesrequires measures to protect data during their
transmisson
Dai Tho Nguyen Network Security 4
-
7/28/2019 Network Security2011 Ver02
5/41
Defining Information Security
Security
A state of freedom from a danger or risk
The state or condition of freedom exists because
protective measures are established and maintained
Information security
Describes the tasks of guarding information in a
digital format Information security can be understood by
examining its goals and how it is accomplished
Dai Tho Nguyen Network Security 5
-
7/28/2019 Network Security2011 Ver02
6/41
Goals of Information Security
Ensures that protective measures are properlyimplemented
Protects information that has value to people
and organizations The value comes from the characteristicsconfidentiality, integrity, and availability
Protects the characteristics of information onthe devices that store, manipulate, andtransmit the information
Dai Tho Nguyen Network Security 6
-
7/28/2019 Network Security2011 Ver02
7/41
How Info Security is Accomplished
Through a combination of 3 entities
Hardware, software, and communications
Three layers of protection
Products
The physical security around the data
People
Those who implement and use security products
Procedures
Plans and policies to ensure correct use of the products
Dai Tho Nguyen Network Security 7
-
7/28/2019 Network Security2011 Ver02
8/41
Information Security Components
Dai Tho Nguyen Network Security 8
-
7/28/2019 Network Security2011 Ver02
9/41
Information Security Definition
A more comprehensive definition of
information security
That which protects the integrity, confidentiality,
and availability of information on the devices that
store, manipulate, and transmit the information
through products, people, and procedures
Dai Tho Nguyen Network Security 9
-
7/28/2019 Network Security2011 Ver02
10/41
Information Security Concepts (1)
Confidentiality
Preserving authorized restrictions on informationaccess and disclosure
Including means for protecting personal privacy andproprietary information
Integrity
Guarding against improper information
modification or destruction Including ensuring information nonrepudiation and
authenticity
Dai Tho Nguyen Network Security 10
-
7/28/2019 Network Security2011 Ver02
11/41
Information Security Concepts (2)
Availability
Ensuring timely and reliable access to and use ofinformation
Authenticity The property of being genuine and being able to
be verified and trusted
Accountability
The security goal that requires for actions of anentity to be traced uniquely to that entity
Dai Tho Nguyen Network Security 11
-
7/28/2019 Network Security2011 Ver02
12/41
Information Security Terms (1)
Asset
Something that has a value
Threat
An potential for violation of security, which exists
when there is a circumstance, capability, action, or
event that could breach security and cause harm
A threat is a possible danger that might exploit avulnerability
Dai Tho Nguyen Network Security 12
-
7/28/2019 Network Security2011 Ver02
13/41
Information Security Terms (2)
Threat agent
A person or thing that has the power to carry out
a threat
Attack
An assault on system security that derives from an
intelligent threat or act
A deliberate attempt to evade security services andviolate the security policy of a system
Often means the same thing as threat
Dai Tho Nguyen Network Security 13
-
7/28/2019 Network Security2011 Ver02
14/41
Information Security Terms (3)
Vulnerability
Weakness that allows a threat agent to bypass
security
Risk
The likelihood that a threat agent will exploit a
vulnerability
Realistically risk cannot ever be entirely eliminated
Three options when dealing with risks
Accept the risk, diminish the risk, or transfer the risk
Dai Tho Nguyen Network Security 14
-
7/28/2019 Network Security2011 Ver02
15/41
Example of Security Terms
Dai Tho Nguyen Network Security 15
-
7/28/2019 Network Security2011 Ver02
16/41
Security Definitions
Computer Security
Generic name for the collection of tools designed
to protect data and to thwart hackers
Network Security
Measures to protect data during their transmission
Internet Security
Measures to protect data during their transmission
over a collection of interconnected networks
Dai Tho Nguyen Network Security 16
-
7/28/2019 Network Security2011 Ver02
17/41
Computer Security Challenges (1)
Not as simple as it might first appear
Must always consider potential attacks on
security features to develop
Security procedures often counterintuitive
Must decide where to deploy security
mechanisms
Involve more than an algorithm or protocol
and require secret information
Dai Tho Nguyen Network Security 17
-
7/28/2019 Network Security2011 Ver02
18/41
Computer Security Challenges (2)
Battle of wits between attacker and designer
or administrator
Not perceived as benefit until fails
Requires regular, even constant, monitoring
Too often an afterthought to be incorporated
after design is complete
Regarded as impediment to efficient and user-
friendly use of system or information
Dai Tho Nguyen Network Security 18
-
7/28/2019 Network Security2011 Ver02
19/41
Attacker Profiles (1)
Hackers
People with special knowledge of computer
systems
Black-hat hackers
Hack computing systems for their own benefit
White-hat hackers
Hack for finding loopholes and developing solutions
Grey-hat hackers
Often wear a white hat but may also wear a black hat
Dai Tho Nguyen Network Security 19
-
7/28/2019 Network Security2011 Ver02
20/41
Attacker Profiles (2)
Script kiddies
People who use scripts and programs developed
by black-hat hackers to attack computing systems
They dont know how to write hacking tools or
understand how an existing hacking tool works,
but could inflict a lot of damage
Cyber spies Collecting intelligence through intercepted
network communications
Dai Tho Nguyen Network Security 20
-
7/28/2019 Network Security2011 Ver02
21/41
Attacker Profiles (3)
Vicious employees
People who intentionally breach security to harmtheir employers
Cyber terrorists Terrorists who use computer and network
technologies to carry out attacks and producepublic fear
Hypothetical attackers
All attackers except cyber terrorists
Dai Tho Nguyen Network Security 21
-
7/28/2019 Network Security2011 Ver02
22/41
OSI Security Architecture
Goals
Assess effectively the security needs of anorganization
Evaluate and choose security products and policies
ITU-T X.800 Security Architecture for OSI
A systematic way of defining and satisfying
security requirements Provides a useful, if abstract, overview of
concepts we will study
Dai Tho Nguyen Network Security 22
-
7/28/2019 Network Security2011 Ver02
23/41
Aspects of Security
Security attack
Action that compromises the security ofinformation
Security mechanism Process that is designed to detect, prevent, or
recover from a security attack
Security service
Service that enhances the security of dataprocessing systems and information transfers
Dai Tho Nguyen Network Security 23
-
7/28/2019 Network Security2011 Ver02
24/41
Passive Attacks
Attempt to learn or make use of information
but does not affect system resources
Do not involve any alteration of the data
Two types
Release of message contents
Traffic analysis
Emphasis on prevention rather than detection
Usually by means of encryption
Dai Tho Nguyen Network Security 24
-
7/28/2019 Network Security2011 Ver02
25/41
Release of Message Contents
Dai Tho Nguyen Network Security 25
-
7/28/2019 Network Security2011 Ver02
26/41
Traffic Analysis
Dai Tho Nguyen Network Security 26
-
7/28/2019 Network Security2011 Ver02
27/41
Active Attacks
Involve some modification of the data stream
or the creation of a false stream
Four types
Masquerade Modification of messages
Replay Denial of service
The goal is to detect active attacks and to
recover from disruption or delays
Detection may contribute to prevention
Dai Tho Nguyen Network Security 27
-
7/28/2019 Network Security2011 Ver02
28/41
Masquerade
Dai Tho Nguyen Network Security 28
-
7/28/2019 Network Security2011 Ver02
29/41
Replay
Dai Tho Nguyen Network Security 29
-
7/28/2019 Network Security2011 Ver02
30/41
Modification of Messages
Dai Tho Nguyen Network Security 30
-
7/28/2019 Network Security2011 Ver02
31/41
Denial of Service
Dai Tho Nguyen Network Security 31
-
7/28/2019 Network Security2011 Ver02
32/41
Security Services
X.800
Services provided by a protocol layer of
communicating open systems, ensuring adequate
security of the systems or of data transfers
RFC 2828
Processing or communication services provided by
a system to give a specific kind of protection tosystem resources
Intended to counter security attacks
Dai Tho Nguyen Network Security 32
-
7/28/2019 Network Security2011 Ver02
33/41
Security Services (X.800) (1)
Authentication
Assurance that communicating entity is the one
that it claims to be
Access control
Prevention of unauthorized use of a resource
Data confidentiality
Protection of data from unauthorized disclosure
Dai Tho Nguyen Network Security 33
-
7/28/2019 Network Security2011 Ver02
34/41
Security Services (X.800) (2)
Data integrity
Assurance that data received are exactly as sent
by an authorized entity
Non-repudation
Protection against denial by one of the entities
involved in a communication
Availability Assurance that a resource is accessible and usable
Dai Tho Nguyen Network Security 34
-
7/28/2019 Network Security2011 Ver02
35/41
Security Mechanisms
A security service makes use of one or more
security mechanisms
No single mechanism that will support all
security services
One particular element underlies many of the
security mechanisms in use
Cryptographic techniques
Dai Tho Nguyen Network Security 35
-
7/28/2019 Network Security2011 Ver02
36/41
Security Mechanisms (X.800)
Specific security mechanisms
Implemented in a specific protocol layer
Encipherment, digital signature, access control,
data integrity, authentication exchange, trafficpadding, routing control, notarization
Pervasive security mechanisms
Trusted functionality, security labels, event
detection, security audit trails, security recovery
Not specific to any particular security service orprotocol layer
Dai Tho Nguyen Network Security 36
-
7/28/2019 Network Security2011 Ver02
37/41
Model for Network Security
Dai Tho Nguyen Network Security 37
-
7/28/2019 Network Security2011 Ver02
38/41
Tasks in Network Security Model
Design an algorithm for performing thesecurity-related transformation
Generate the secret information to be used
with the algorithm Develop methods for the distribution and
sharing of the secret information
Specify a protocol enabling the principals touse the security algorithm and secretinformation for a security service
Dai Tho Nguyen Network Security 38
-
7/28/2019 Network Security2011 Ver02
39/41
Model for Network Access Security
Dai Tho Nguyen Network Security 39
-
7/28/2019 Network Security2011 Ver02
40/41
Tasks in Network Access Security
Gatekeeper function
Password-based login procedures designed to
deny access to all but authorized users
Screening logic designed to detect and rejectworms, viruses, and other similar attacks
Internal security controls
Monitor activity and analyze stored information todetect the presence of unwanted intruders
Dai Tho Nguyen Network Security 40
-
7/28/2019 Network Security2011 Ver02
41/41
Summary
Motivations
Security definitions, concepts, and terms
Computer security challenges
Attacker profiles
X.800 security architecture
Security attacks, services, mechanisms Models for network (access) security
i h k i