Network Management Session 1 Network Basics


COMP1321
Networks in Organisations
Richard Henson
April 2013
Protecting
Organisational Data

By the end of this session you should be
able to:
– explain why the internal network user is
potentially a threat
– explain the importance of protecting entry to
the network by outsiders
– suggest ways to identify vulnerabilities of
the network, so action can be taken to
reduce the risk
Network Management

A network manager has two (conflicting?)
responsibilities
– provide facilities and services that users need to
do their jobs
– protect the network against abuse by naïve or
malign users

General perception (by users!)…
– network managers are more concerned with
“protecting the network” than servicing the needs
of its users
The “good insider”… threat (?)

Users: employees, who (generally) want to do
their job, and do it well…
Possible conflict with the “security-orientated”
or “nanny-state” approach to network
management
Personal opinion: needs balance
– the network IS there for the benefit of the users…
» fulfill business objectives
– the network MUST be as secure as reasonably
possible
» protect valuable company data
“unthinking” insiders

Employees who do stupid things on the
network
– bring in viruses
– spread passwords around
– forward email inappropriately
– engage with phishing emails…
– etc…
Bad Insiders

Could be disillusioned
– just plain corrupt
– maybe a temp?

Could cause real damage
– bring network down
– put company out of business…
What to do about the
Insider Threat?
A matter for organisational management
– Establish policy
» negotiated with users…
– Educate/train users
– Enable breaches of policy to be detected…
– Enforce policy!
What about Outsiders?

Two types:
– employees working “in the field”
– the rest of the world…

Organisational management can’t
enforce policy on the latter…
– network only protected through good, well-resourced network management
Firewalls: checking/blocking
data coming in and out…

[Diagram: INTERNET -> Firewall -> Internal Network]
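The slide shows the firewall only as a box between the Internet and the internal network. As an added illustration (not code from the original slides), here is a toy stateless packet filter that does the "checking/blocking" in both directions: every packet is compared against an allow-list and anything not explicitly allowed is denied. The addresses, rules and sample packets are all constructed for the example.

```python
# Added example for this transcript (not from the original slides): a toy
# stateless packet filter that checks traffic in both directions against
# an allow-list and denies everything else. Addresses, rules and sample
# packets are constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = Internet -> internal network, "out" = the reverse
    src: str         # source IPv4 address
    dst: str         # destination IPv4 address
    proto: str       # "tcp" or "udp"
    dport: int       # destination port


@dataclass(frozen=True)
class Rule:
    direction: str
    src_net: str            # CIDR; "0.0.0.0/0" matches any address
    dst_net: str
    proto: str
    dport: Optional[int]    # None matches any port
    action: str             # "allow" or "deny"


# Constructed policy. The internal network is 10.0.0.0/8; 10.0.1.10 is the
# only server reachable from outside, and only on HTTPS. Outbound, users may
# browse the web and use the provider's resolver at 192.0.2.53, nothing else.
RULES = [
    Rule("in",  "0.0.0.0/0",  "10.0.1.10/32", "tcp", 443, "allow"),
    Rule("out", "10.0.0.0/8", "0.0.0.0/0",    "tcp", 80,  "allow"),
    Rule("out", "10.0.0.0/8", "0.0.0.0/0",    "tcp", 443, "allow"),
    Rule("out", "10.0.0.0/8", "192.0.2.53/32", "udp", 53, "allow"),
]


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and rule.proto == pkt.proto
            and (rule.dport is None or rule.dport == pkt.dport)
            and ip_address(pkt.src) in ip_network(rule.src_net)
            and ip_address(pkt.dst) in ip_network(rule.dst_net))


def decide(pkt: Packet, rules=RULES) -> str:
    """First matching rule wins; a packet matching no rule is denied."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"


def filter_log(packets, rules=RULES):
    """One log line per packet, in the shape a firewall would record."""
    return [f"{decide(p, rules).upper():5} {p.direction:3} "
            f"{p.src} -> {p.dst} {p.proto}/{p.dport}"
            for p in packets]


# Constructed sample traffic.
SAMPLE = [
    Packet("in",  "203.0.113.7",  "10.0.1.10",  "tcp", 443),  # customer to web server
    Packet("in",  "203.0.113.7",  "10.0.1.10",  "tcp", 22),   # SSH attempt from outside
    Packet("in",  "198.51.100.4", "10.0.2.5",   "tcp", 445),  # SMB to a workstation
    Packet("out", "10.0.2.5",     "192.0.2.80", "tcp", 443),  # user browsing
    Packet("out", "10.0.2.5",     "8.8.8.8",    "udp", 53),   # DNS bypassing the resolver
]

if __name__ == "__main__":
    print("\n".join(filter_log(SAMPLE)))
```

The important property is the last line of `decide`: with no matching rule the answer is "deny", so a new service is blocked until someone consciously writes a rule for it, which is exactly the "well-resourced network management" the previous slide asks for.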
Do we have a problem?

Perceptions “from the inside” quite
different from “outside looking in”
Should we find out…?

Almost impossible to tell if the network
is secure from within…
– could just hope so (!)
– could go outside, and try to penetrate
defences
– better still, the organisation could get a
benign expert to do it for them…
One such expert will be
presenting on Thursday…

Name: Campbell Murray
– Technical Director
– Encription Ltd
Location: BY1150
Time: 1015

Assuming no security…

Data cannot be made completely
secure if it uses a public network
– naïve to think so

Also (especially…) true on a wireless
public network
– necessary to have a system that ensures
data that is hacked en route is unintelligible
Authentication
had better be good…

Generally means control via the
desktop or application layer
– Browser/Windows desktop

If Internet-based, should use PKI
» public-key encrypted email

user digital certificate tied to computer & email
address
» public-key encrypted web pages


use https protocol
server has an SSL certificate
End-device
controlled security

Two types of identification (as in the
previous examples):
– via computer (device) ID
– via user ID

Either/both can (should?) have a
password to control access
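An added example of the "either/both" idea (not code from the slides): an access check that requires both a registered device and a known user, each proving possession of its own secret. Salted PBKDF2 hashes stand in for a real credential store, and every user, device and secret below is constructed for the example.

```python
# Added example (not from the slides): an access check requiring both a
# registered device and a known user, each proving possession of its own
# secret. Salted PBKDF2 hashes stand in for a real credential store;
# all users, devices and secrets below are constructed.
import hashlib
import hmac
import os

ITERATIONS = 100_000


def hash_secret(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, ITERATIONS)


def make_record(secret: str) -> dict:
    """Store only salt + hash, never the secret itself."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_secret(secret, salt)}


def verify(record: dict, secret: str) -> bool:
    # Constant-time comparison, so a wrong guess does not leak how wrong it was.
    return hmac.compare_digest(record["hash"], hash_secret(secret, record["salt"]))


# Constructed directory: one user and one enrolled laptop.
USERS = {"alice": make_record("correct horse battery staple")}
DEVICES = {"laptop-0042": make_record("enrolment-secret-7f3a")}

# A dummy record so an unknown name costs the same time as a wrong password.
_DUMMY = make_record("placeholder")


def authorise(user: str, password: str, device_id: str, device_secret: str,
              require_device: bool = True):
    """Return (granted, reason). require_device=False relaxes the device
    check; that is a policy decision, not something the user can choose."""
    user_ok = verify(USERS.get(user, _DUMMY), password) and user in USERS
    device_ok = (verify(DEVICES.get(device_id, _DUMMY), device_secret)
                 and device_id in DEVICES)
    if not user_ok:
        return False, "user authentication failed"
    if require_device and not device_ok:
        return False, "device not registered or device secret wrong"
    return True, "granted"


if __name__ == "__main__":
    print(authorise("alice", "correct horse battery staple",
                    "laptop-0042", "enrolment-secret-7f3a"))
    print(authorise("alice", "correct horse battery staple", "laptop-9999", "x"))
```

Both factors are checked before any decision is returned, so the reason string tells the log which factor failed without telling the caller which secret was close.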
Security & Privacy

Closely related technologies
– important differences

Privacy
– about informational self-determination
» ability to decide what information about you goes
where

Security
– offers the ability to be confident that
privacy decisions are respected
Privacy, Security and
Mobile Networks

Mobile voice privacy
– can someone listen in on my call?
» privacy goal: allow user to say no
» security technology, e.g. encryption: allows user to
enforce it

Sometimes goals of security and
privacy are the same
– other times orthogonal, or even in conflict
Security/Privacy v Availability

“I want it all, and I want it now…”
– http://www.youtube.com/watch?v=1pm4fQRl72k

“Only if your request conforms with the
rules…”
– society: bad for other people
– organisational: confidentiality
– personal: human rights
Balancing Rules on
Privacy/Security

Ideal:
– keeps the data secure…
– allows the user freedom to do their
job, participate in legitimate leisure
activity, etc.

Unnecessarily restrictive or
unexplained rules…
– users get frustrated…
NOT getting the balance right…

Worrying survey & report (BBC, 19/11/10):
http://www.bbc.co.uk/news/business-11793436
BBC’s own network users so frustrated
about IT restrictions stopping them doing
their jobs that many (typically 41% according
to a CISCO survey) ignored the rules!
Is it the same everywhere?
Is it any better today?