common network environments, connectivity and

Download Report

Transcript common network environments, connectivity and

TOPIC 10
COMMON NETWORK
ENVIRONMENTS, CONNECTIVITY
AND SECUTRITY ISSUES
CONTENT:
10.1 DATA TRANSMISSION
10.2 NETWORK COMPONENTS
10.3 USE OFNETWORKS TO SUPPORT HYPER-LINKING SYSTEMS SUCH AS
WORLD WIDE WEB (WWW)
10.4 COMMON NETWORK ENVIRONMENTS
10.5 ISSUES OF CONFIDENTIALITY
10.6 ENCRYPTION AND AUTHENTICATION TECHNIQUES
Data transmission is, very generally speaking, the conveyance of
any kind of information from one space to another. Historically this
could be done by courier, a chain of bonfires or semaphores, and
later by Morse code over copper wires.
In recent computer terms, it means sending a stream of bits or bytes
from one location to another using any number of technologies to
do so. Among them are copper wire, optical fibre, radio-link, laser,
radio or infra-red light.
A related concept to data transmission is the data transmission
protocol used to make the data transfer legible. Current protocols
favor packet based communication.
A computer network is a system for communication between
computers. These networks may be fixed (cabled, permanent)
or temporary (as via modems or null modems).
The public switched telephone network (PSTN) is the
concentration of the world's public circuit-switched telephone
networks, in much the same way that the Internet is the
concentration of the world's public IP-based packet-switched
networks. Originally a network of fixed-line analog telephone
systems, the PSTN is now almost entirely digital, and now
includes mobile as well as fixed telephones.
WHAT IS ENCRYPTION ?
Encryption refers to algorithmic schemes that encode plain text into non-readable form
or cyphertext, providing privacy. The receiver of the encrypted text uses a “key” to
decrypt the message, returning it to its original plain text form. The key is the trigger
mechanism to the algorithm.
Until the advent of the Internet, encryption was rarely used by the public, but was
largely a military tool. Today, with online marketing, banking, healthcare and other
services, even the average householder is aware of encryption.
Web browsers will encrypt text automatically when connected to a secure server,
evidenced by an address beginning with https. The server decrypts the text upon its
arrival, but as the information travels between computers, interception of the
transmission will not be fruitful to anyone “listening in.” They would only see
unreadable gibberish.
There are many types of encryption and not all of it is reliable. The same computer
power that yields strong encryption can be used to break weak encryption schemes.
Initially, 64-bit encryption was thought to be quite strong, but today 128-bit encryption
is the standard, and this will undoubtedly change again in the future.
Though browsers automatically encrypt information when
connected to a secure website, many people choose to use
encryption in their email correspondence as well. This can easily
be accomplished with encryption programs that feature plug-ins or
interfaces for popular email clients. The most longstanding of
these is called PGP (Pretty Good Privacy), a humble name for
very strong military-grade encryption program. PGP allows one to
not only encrypt email messages, but personal files and folders as
well.
Encryption can also be applied to an entire volume or drive. To
use the drive, it is “mounted” using a special decryption key. In
this state the drive can be used and read normally. When finished,
the drive is dismounted and returns to an encrypted state,
unreadable by interlopers, Trojan horses, spyware or snoops.
Some people choose to keep financial programs or other sensitive
data on encrypted drives.
Encryption schemes are categorized as being symmetric or asymmetric. Symmetric
key algorithms such as Blowfish, AES and DES, work with a single, prearranged key
that is shared between sender and receiver. This key both encrypts and decrypts text.
In asymmetric encryption schemes, such as RSA and Diffie-Hellman, the scheme
creates a “key pair” for the user: a public key and a private key. The public key can
be published online for senders to use to encrypt text that will be sent to the owner of
the public key. Once encrypted, the cyphertext cannot be decrypted except by the one
who holds the private key of that key pair. This algorithm is based around the two
keys working in conjunction with each other. Asymmetric encryption is considered
one step more secure than symmetric encryption, because the decryption key can be
kept private.
Strong encryption makes data private, but not necessarily secure. To be secure, the
recipient of the data -- often a server -- must be positively identified as being the
approved party. This is usually accomplished online using digital signatures or
certificates.
As more people realize the open nature of the Internet, email and instant messaging,
encryption will undoubtedly become more popular. Without encryption, information
passed on the Internet is not only available for virtually anyone to snag and read, but
is often stored for years on servers that can change hands or become compromised in
any number of ways. For all of these reasons encryption is a goal worth pursuing.
SECURITY ISSUES FOR TELECOMMUTING
Information and telecommunications technologies make telecommuting an
option for many organizations and workers. Organizations promote
telecommuting to allow their employees to work from home, while on travel, at a
client site, or in a telecommuting center. While offering potential benefits,
telecommuting introduces new risks to the organization. This bulletin highlights
security issues related to telecommuting and proposes solutions that may help
organizations manage the telecommuting environment more effectively.
Telecommuting is the use of telecommunications to create an "office" away
from the established (physical) office. The telecommuting office can be in an
employee's home, a hotel room or conference center, an employee's travel site,
or a telecommuting center. The telecommuter's office may or may not have the
full computer functionality of the established office. For example, an employee
on travel may read email. On the other side of the spectrum, an employee's
home may be equipped with Integrated Services Digital Network (ISDN) access
to provide the employee full computer capability at high speeds.
The Risk of Telecommuting
One of the popular buzz words for management in the '90s, telecommuting is becoming
accepted as the way to do business. However, opening up an organization's information
systems to dial-in and other forms of access presents significant security risks.
One risk is that intruders will be able to access corporate systems without having to be on
site. Hackers, electronic eavesdroppers at conference sites, or shoulder surfers watching
employees enter IDs and passwords, present very real threats. In addition to intruders
whose goal may be mischief, hacking is attractive to people trying to steal or misuse
corporate information. Electronic access to records may be difficult to trace and thus
more appealing than trying to bribe employees or gain physical access.
Another risk of telecommuting is that corporate information can be read, and potentially
modified, while it is in transit. Telecommuting also presents organizations with more
commonplace risks. These include the risk of losing corporate information and resources
when they are outside the protective shell of the organization.
Security Issues for Telecommuting Centers
Telecommuting centers, normally located in outlying suburbs, offer another
choice for organizations. From a security perspective, they may provide
hardware for encryption, removable hard drives, and increased availability.
However, by concentrating telecommuters, the centers may make themselves a
more attractive target for eavesdropping. At a minimum, organizations should
require robust authentication from telecommuting centers. If communications
encryption is supported by the center, organizations should be aware that data
may not be encrypted while it is inside the center. The encryption may occur at a
modem pool.
Home System Availability
In addition to the possibility of failure or theft of a home computer, it may not be
compatible with office configurations. For example, the home computer may use a different
operating system. This and other circumstances may complicate set up, software support,
troubleshooting, or repair. Organizations should ensure that policies are in place to cover all
of these situations.
Security Issues for Telecommuting from Home
In addition to risks to internal corporate systems and data in transit, telecommuting from home
raises other concerns related to whether employees are using their own computers or using
computers supplied to them by the organization.
Security Issues for Data Transfer
In addition to gaining access to internal systems, intruders can also eavesdrop on an entire
session. Eavesdropping is not technically difficult if there is physical access to cable or wire
used for communication or logical access to switching equipment. If a telecommuting
employee is transferring data that an eavesdropper would want, encryption may be necessary.
Eavesdropping is more likely if an employee is at a large conference or other location where
an eavesdropper may set up equipment in hopes of hearing something useful. Some
conferences offer equipment to attendees to use to check email, transfer files, etc. Attendees
find this useful, since they do not need to provide laptops; however, this could be a target for
electronic eavesdropping.
Software- or hardware-based encryption provides strong protection against electronic
eavesdropping. However, encryption is more expensive (in initial and operating costs) than
robust authentication. It is most useful if highly confidential data needs to be transmitted or if
moderately confidential data is transmitted in a high-threat area. Since employees do not
always know when they are in a high-threat area, management must train employees to
consider this potential threat.
Security Technologies
With the rapid growth of interest in the Internet, network security has become a major
concern to companies throughout the world. The fact that the information and tools
needed to penetrate the security of corporate networks are widely available has increased
that concern.
Because of this increased focus on network security, network administrators often spend
more effort protecting their networks than on actual network setup and administration.
Tools that probe for system vulnerabilities, such as the Security Administrator Tool for
Analyzing Networks (SATAN), and some of the newly available scanning and intrusion
detection packages and appliances, assist in these efforts, but these tools only point out
areas of weakness and may not provide a means to protect networks from all possible
attacks. Thus, as a network administrator, you must constantly try to keep abreast of the
large number of security issues confronting you in today's world.
Security Issues When Connecting to the Internet
When you connect your private network to the Internet, you are physically connecting
your network to more than 50,000 unknown networks and all their users. Although
such connections open the door to many useful applications and provide great
opportunities for information sharing, most private networks contain some
information that should not be shared with outside users on the Internet. In addition,
not all Internet users are involved in lawful activities.
Protecting Confidential Information :
Confidential information can reside in two states on a network. It can reside on physical
storage media, such as a hard drive or memory, or it can reside in transit across the
physical network wire in the form of packets. These two information states present
multiple opportunities for attacks from users on your internal network, as well as those
users on the Internet. We are primarily concerned with the second state, which involves
network security issues.
The following are five common methods of attack that present opportunities to
compromise the information on your network:
Network packet sniffers
IP spoofing
Password attacks
Distribution of sensitive internal information to external
sources
Man-in-the-middle attacks
When protecting your information from these attacks, your concern is to prevent the
theft, destruction, corruption, and introduction of information that can cause
irreparable damage to sensitive and confidential data. This section describes these
common methods of attack and provides examples of how your information can be
compromised.
Summary
When defining a security policy for your organization, it is important to strike a balance
between keeping your network and resources immune from attack and making the system
so difficult to negotiate for legitimate purposes that it hinders productivity.
You must walk a fine line between closing as many doors as possible without encouraging
trusted users to try to circumvent the policy because it is too complex and time-consuming
to use.
Allowing Internet access from an organization poses the most risk to that organization.
This chapter has outlined the types of attacks that may be possible without a suitable level
of protection. If a compromise occurs, tools and applications are available to help flag
possible vulnerabilities before they occur—or to at least help the network administrator
monitor the state of the network and its resources.
It is important to stress that attacks may not be restricted to outside, unknown parties, but
may be initiated by internal users as well. Knowing how the components of your network
function and interact is the first step to knowing how to protect them.
Security Technologies.htm