Network security - Pravin Shetty > Resume
Network security
Look at the surroundings before you leap
Lecturers
PRAVIN SHETTY – 990 31945,B3.35
Topics
Basic principles (access control / authentication / models of threat & practical countermeasures).
Security issues over LANs & WANs [earlier models & current solutions].
Public key encryption / PKI / digital signatures / Kerberos.
Unix security [Internet = TCP/IP security - VPNs / firewalls].
Intrusion detection systems.
Security in e-commerce and banking, including WWW, EDI, EFT, ATM.
References:
Computer Security - Dieter Gollmann.
Network and Internetwork Security - William Stallings.
Open Systems Networking - David M Piscitello / A Lyman Chapin.
Today’s lecture is
Domain of network security
Taxonomy of security attacks
Aims or services of security
Model of internetwork security
Methods of defence
Security
Human nature
physical, financial, mental, …, data and information security
Information Security
1. Shift from physical security to the protection of data and the thwarting of hackers (by means of automated software tools) – called computer security
Network Security
2. The widespread use of distributed systems, networks and communications requires protection of data during transmission – called network security
Internetwork security
The term Network Security may be misleading, because virtually all business, government, and academic organisations interconnect their data processing equipment with a collection of interconnected networks – probably we should call it internetwork security
Aspects of information security
Security attack – any action that compromises the security of information.
Security mechanism – a mechanism designed to detect, prevent, or recover from a security attack.
Security service – a service that enhances security and counters security attacks.
Security mechanisms
No single mechanism can provide all the services mentioned in the previous slide.
However, one particular aspect that underlies most (if not all) of the security mechanisms is the use of cryptographic techniques.
Encryption or encryption-like transformations of information are the most common means of providing security.
Why Internetwork Security?
Internetwork security is not as simple as it might first appear.
In developing a particular security measure one has to consider potential countermeasures.
Because of the countermeasures the problem itself becomes complex.
Once you have designed the security measure, it is necessary to decide where to use it.
Security mechanisms usually involve more than a particular algorithm or protocol.
Security Attacks - Taxonomy
Interruption – attack on availability
Interception – attack on confidentiality
Modification – attack on integrity
Fabrication – attack on authenticity
(Callout on the right-hand column: property that is compromised)
Interruption
Also known as denial of service.
Information resources (hardware, software and data) are deliberately made unavailable, lost or unusable, usually through malicious destruction.
E.g.: cutting a communication line, disabling a file management system, etc.
Interception
Also known as unauthorised access.
Difficult to trace, as no traces of intrusion might be left.
E.g.: illegal eavesdropping or wiretapping or sniffing, illegal copying.
Modification
Also known as tampering with a resource.
Resources can be data, programs, hardware devices, etc.
Fabrication
Also known as counterfeiting.
Allows authenticity checks to be bypassed.
E.g.: insertion of spurious messages in a network, adding a record to a file, counterfeit bank notes, fake cheques, …
Security Attacks - Taxonomy
[Figure: five panels, each showing the flow from Information Source to Information Destination: Normal, Interruption, Modification, Interception, Fabrication]
Attacks – Passive types
Passive (interception) – eavesdropping on, or monitoring of, transmissions.
The goal is to obtain information that is being transmitted.
Types here are: release of message contents and traffic analysis.
Attacks – Active types
Involve modification of the data stream or creation of a false stream and can be subdivided into – masquerade, replay, modification of messages and denial of service.
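Added example (not part of the original lecture): a receiver that uses a message authentication code plus a sequence number to detect three of the active attack types listed above, namely modification of messages, masquerade (a frame fabricated without the shared key) and replay. Denial of service is not addressed by this check. The key, frame layout and message texts are constructed for illustration.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"   # constructed shared secret between the two principals
SEQ_LEN, TAG_LEN = 8, 32        # assumed frame layout: seq || payload || HMAC-SHA256 tag


def protect(seq: int, payload: bytes, key: bytes = KEY) -> bytes:
    """Sender side: bind the sequence number and payload together under the key."""
    header = seq.to_bytes(SEQ_LEN, "big")
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Receiver:
    def __init__(self, key: bytes = KEY):
        self.key = key
        self.last_seq = 0           # highest sequence number accepted so far

    def accept(self, frame: bytes) -> str:
        if len(frame) < SEQ_LEN + TAG_LEN:
            return "rejected: malformed"
        header, payload, tag = frame[:SEQ_LEN], frame[SEQ_LEN:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        # Constant-time comparison; a mismatch means the frame was altered in
        # transit or was created by someone who does not hold the key.
        if not hmac.compare_digest(tag, expected):
            return "rejected: bad tag (modification or fabrication)"
        seq = int.from_bytes(header, "big")
        # A valid tag on an old sequence number is a captured frame sent again.
        if seq <= self.last_seq:
            return "rejected: replay"
        self.last_seq = seq
        return "accepted"


def demo() -> list:
    rx = Receiver()
    genuine = protect(1, b"PAY 10 TO ALICE")
    # Modification: payload changed in transit, original tag left in place.
    tampered = genuine[:SEQ_LEN] + b"PAY 99 TO ALICE" + genuine[-TAG_LEN:]
    # Masquerade / fabrication: frame built by a party without the shared key.
    forged = protect(2, b"PAY 50 TO EVE", key=b"not-the-shared-key")
    return [rx.accept(genuine), rx.accept(tampered),
            rx.accept(forged), rx.accept(genuine)]   # last call is a replay


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```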
Attacks
  Passive
    Interception (confidentiality)
      Release of message contents
      Traffic analysis
  Active
    Interruption (availability)
    Modification (integrity)
    Fabrication (integrity)
Security services
Confidentiality
Authentication
Integrity
Non-repudiation
Access control
Availability
Model for internetwork security
[Figure labels: Trusted third party; Principal (twice); Message (twice); Information channel; Secret information (twice); Opponent; Gatekeeper]
Methods of defence (1)
Modern cryptology
Encryption, authentication code, digital signature, etc.
Software controls
Standard development tools (design, code, test, maintain, etc.)
Operating systems controls
Internal program controls (e.g. access controls to data in a database)
Firewalls
Methods of defence (2)
Hardware controls
Security devices, smart cards, …
Physical controls
Locks, guards, backup of data and software, thick walls, …
Security policies and procedures
User education
Law