Network Security Overview
Cryptographic algorithms and protocols can be
grouped into four main areas:
Symmetric encryption: Used to conceal the contents of
blocks or streams of data of any size, including messages, files,
encryption keys, and passwords.
Asymmetric encryption: Used to conceal small blocks of
data, such as encryption keys and hash function values, which
are used in digital signatures.
Data integrity algorithms: Used to protect blocks of data,
such as messages, from alteration.
Authentication protocols: These are schemes based on the
use of cryptographic algorithms designed to authenticate the
identity of entities.
Computer Security: Is the generic name for the collection of
tools designed to protect data and to thwart hackers.
Network and Internet security consists of measures to
deter, prevent, detect, and correct security violations that
involve the transmission of information.
Examples of Security Violation:
• Monitoring and capturing
• Altering the content to add or delete entries
• Replacing the file
• Delaying the transmission
• Denying
Computer Security [NIST Computer Security Handbook]:
The protection afforded to an automated information system in
order to attain the applicable objectives of preserving the
integrity, availability, and confidentiality of information
system resources (includes hardware, software, firmware,
information/data, and telecommunications).
Confidentiality: This term covers two related concepts:
Data confidentiality: Assures that private or confidential information is
not made available or disclosed to unauthorized individuals.
Privacy: Assures that individuals control or influence what information
related to them may be collected and stored and by whom and to whom that
information may be disclosed.
Integrity: This term covers two related concepts:
Data integrity: Assures that information and programs are changed only
in a specified and authorized manner.
System integrity: Assures that a system performs its intended function in
an unimpaired manner, free from deliberate or inadvertent unauthorized
manipulation of the system.
Availability: Assures that systems work promptly and service is not
denied to authorized users.
CIA Triad
(A group or set of three related people or things)
The three concepts embody the fundamental security objectives
for both data and for information and computing services.
Additional concepts with CIA triad
Authenticity (trustworthy, or genuine): The property of being genuine
and being able to be verified and trusted; confidence in the validity of a
transmission, a message, or message originator. This means verifying that
users are who they say they are and that each input arriving at the system
came from a trusted source.
Accountability (responsibility, liability, answerability): The security
goal that generates the requirement for actions of an entity to be traced
uniquely to that entity. This supports non-repudiation, deterrence, fault
isolation, intrusion detection and prevention, and after-action recovery and
legal action. Because truly secure systems are not yet an achievable goal,
we must be able to trace a security breach to a responsible party. Systems
must keep records of their activities to permit later forensic analysis to
trace security breaches or to aid in transaction disputes.
Three levels of impact from a security breach:
Low: The loss could be expected to have a limited adverse effect on
organizational operations, organizational assets, or individuals. A limited
adverse effect means that, for example, the loss of confidentiality, integrity,
or availability might
(i) cause a degradation in mission capability to an
extent and duration that the organization is able to perform its primary
functions, but the effectiveness of the functions is noticeably reduced;
(ii) result in minor damage to organizational assets;
(iii) result in minor financial loss; or
(iv) result in minor harm to individuals.
Moderate: The loss could be expected to have a serious adverse effect on
organizational operations, organizational assets, or individuals. A serious
adverse effect means that, for example, the loss might
(i) cause a significant degradation in mission capability to an extent and
duration that the organization is able to perform its primary functions, but
the effectiveness of the functions is significantly reduced;
(ii) result in significant damage to organizational assets;
(iii) result in significant financial loss; or
(iv) result in significant harm to individuals that does not involve loss of life
or serious, life-threatening injuries.
High: The loss could be expected to have a severe or catastrophic adverse
effect on organizational operations, organizational assets, or individuals.
A severe or catastrophic adverse effect means that, for example, the loss
might
(i) cause a severe degradation in or loss of mission capability to an
extent and duration that the organization is not able to perform one or
more of its primary functions;
(ii) result in major damage to organizational assets;
(iii) result in major financial loss; or
(iv) result in severe or catastrophic harm to individuals involving loss of life
or serious, life-threatening injuries.
• Confidentiality:
For example, information confidentiality is more important
than integrity or availability in the case of proprietary
information of a company.
Also, confidentiality is the most important when the
information is a record of people’s personal activities.
To guarantee confidentiality under the CIA triad,
communications channels must be properly monitored and
controlled to prevent unauthorized access.
• Integrity:
For example, banks are more concerned about the integrity
of financial records, with confidentiality having only second
priority.
Some bank account holders or depositors leave ATM receipts
unchecked and hanging around after withdrawing cash. This
shows that confidentiality does not have the highest priority.
Instead, the goal of integrity is the most important in
information security in the banking system.
To guarantee integrity under the CIA triad, information
must be protected from unauthorized modification.
• Availability:
The CIA triad goal of availability is more important than the
other goals when government-generated online press
releases are involved. Press releases are generally for public
consumption. For them to be effective, the information they
contain should be available to the public.
Thus, confidentiality is not of concern. Integrity has only
second priority.
In the CIA triad, to guarantee availability of information in
press releases, governments ensure that their websites and
systems have minimal or insignificant downtime. Backups
are also used to ensure availability of public information.
Implications of the CIA Triad
• The CIA triad has the goals of confidentiality, integrity and
availability, which are basic factors in information security.
• Information security protects valuable information from
unauthorized access, modification and distribution.
• The CIA triad guides information security efforts to ensure
success.
• There are instances when one of the goals of the CIA triad is
more important than the others. It is up to the IT team, the
information security personnel, or the individual user to
decide on which goal should be prioritized based on actual
needs.
• Thus, the CIA triad requires that organizations and
individual users must always take caution in maintaining
confidentiality, integrity and availability of information.
The OSI Security Architecture
• To assess effectively the security needs of an organization
and to evaluate and choose various security products and
policies, the manager responsible for security needs some
systematic way of defining the requirements for security and
characterizing the approaches to satisfying those
requirements.
• Provides a systematic framework for defining security
attacks, mechanisms, and services. [ITU-T, X.800]
Security attack: Any action that compromises the security of
information owned by an organization.
Security mechanism: A process (or a device incorporating such a
process) that is designed to detect, prevent, or recover from a security
attack. Examples of mechanisms are encryption algorithms, digital
signatures, and authentication protocols.
Security service: A processing or communication service that
enhances the security of the data processing systems and the information
transfers of an organization. The services are intended to counter security
attacks, and they make use of one or more security mechanisms to provide
the service. These include authentication, access control, data confidentiality,
data integrity, nonrepudiation, and availability.
[RFC 2828, Internet Security Glossary]
Threat: A potential for violation of security, which exists when
there is a circumstance, capability, action, or event that could
breach security and cause harm. That is, a threat is a possible
danger that might exploit a vulnerability. (It can be either
intentional or unintentional)
Attack: An assault on system security that derives from an
intelligent threat; that is, an intelligent act that is a deliberate
attempt (especially in the sense of a method or technique) to
evade security services and violate the security policy of a
system. (attack is intentional)
Vulnerability: It is an inherent weakness in the design,
configuration, implementation, or management of a network or
system that renders it susceptible to a threat.
Security attacks are classified as either passive attacks, which
include unauthorized reading of a message or file and traffic analysis, or
active attacks, such as modification of messages or files, and denial of
service.
Passive Attack:
a. Release of message content
b. Traffic analysis
Active Attack:
a. Masquerade: when one entity pretends to be a different entity
b. Replay: the passive capture of a data unit and its subsequent
retransmission to produce an unauthorized effect
c. Modification of message: some portion of a legitimate message is
altered, or messages are delayed or reordered, to produce an
unauthorized effect
d. Denial of service: prevents or inhibits the normal use or management
of communications facilities
Security Services
X.800 defines a security service as a service that is provided by a protocol
layer of communicating open systems and that ensures adequate security of
the systems or of data transfers.
RFC 2828:
A processing or communication service that is provided by a system to give
a specific kind of protection to system resources; security services
implement security policies and are implemented by security mechanisms.
[Figure: Security Services]
Security Mechanisms
• The mechanisms are divided into those that are
implemented in a specific protocol layer, such as TCP or an
application-layer protocol, and those that are not specific to
any particular protocol layer or security service.
[Figure: Security Mechanism]
Relationship Between Security Services and Mechanisms
Relationship between Security Services and Security Attacks
Relationship between Security Mechanisms and Attacks.
Positioning of Security Services in Network
Physical layer
• Available Services
– Connection Confidentiality
– Traffic Flow Confidentiality
• Full
• Limited
These services are restricted to passive threats and are
applicable to point-to-point or multi-peer
communications.
• Available Mechanisms
– Total encipherment
– Transmission security (specific form of encipherment
applicable to physical layer only)
Data link layer
• Available Services
– Connection Confidentiality
– Connectionless Confidentiality
• Available Mechanisms
– Encipherment
Network layer
• Available Services
May be provided by the protocol that performs sub-network access
functions or by the protocol that performs relaying and routing
– Peer Entity Authentication
– Data Origin Authentication
– Access Control service
– Connection Confidentiality
– Connectionless Confidentiality
– Traffic Flow Confidentiality
– Connection Integrity without recovery
– Connectionless Integrity
These services may be provided alone or in combination.
• Available Mechanisms
– Peer Entity Authentication: appropriate combination of
cryptographically-derived or protected authentication
exchanges, protected password exchange and signature
mechanisms
– Data Origin Authentication: encipherment or signature mechanisms
– Access Control service: appropriate use of specific access
control mechanisms
– Connection Confidentiality: encipherment and/or routing
control
– Connectionless Confidentiality: encipherment and/or routing
control
– Traffic Flow Confidentiality: traffic padding mechanism, in
conjunction with a confidentiality service at or below the
network layer and/or routing protocol
– Connection Integrity without recovery: data integrity
mechanism, sometimes in conjunction with an encipherment
mechanism
– Connectionless Integrity: same as above
Transport layer
• Available Services
– Peer Entity Authentication
– Data Origin Authentication
– Access Control service
– Connection Confidentiality
– Connectionless Confidentiality
– Connection Integrity with recovery
– Connection Integrity without recovery
– Connectionless Integrity
These services may be provided alone or in combination.
• Available Mechanisms
– Peer Entity Authentication: appropriate combination of
cryptographically-derived or protected authentication exchanges,
protected password exchange and signature mechanisms
– Data Origin Authentication: encipherment or signature mechanisms
– Access Control service: appropriate use of specific access control
mechanisms
– Connection Confidentiality: encipherment
– Connectionless Confidentiality: encipherment
– Connection Integrity with recovery: data integrity mechanism,
sometimes in conjunction with an encipherment mechanism
– Connection Integrity without recovery: same as above
– Connectionless Integrity: same as above
These mechanisms will operate in such a manner that individual
transport connections can be isolated from each other
Application layer
• Available Services
– Peer Entity Authentication
– Data Origin Authentication
– Access Control Service
– Connection Confidentiality
– Connectionless Confidentiality
– Selective Field Confidentiality
– Traffic Flow Confidentiality
– Connection Integrity with Recovery
– Connection Integrity without Recovery
– Selective Field Connection Integrity
– Connectionless Integrity
– Selective Field Connectionless Integrity
– Non-repudiation with Proof of Origin
– Non-repudiation with Proof of Delivery
• Available Mechanisms
– Peer Entity Authentication: authentication information transferred
between application entities, protected by lower layer encipherment
– Data Origin Authentication: signature or lower layer mechanisms
– Access Control Service: combination of access control mechanisms in the
application or lower layers
– Connection Confidentiality: lower layer encipherment
– Connectionless Confidentiality: lower layer encipherment
– Selective Field Confidentiality: encipherment at presentation layer
– Traffic Flow Confidentiality: traffic padding, plus confidentiality at a
lower level
– Connection Integrity with Recovery: lower layer data integrity
– Connection Integrity without Recovery: lower layer data integrity
– Selective Field Connection Integrity: data integrity
– Connectionless Integrity: lower layer data integrity
– Selective Field Connectionless Integrity: data integrity
– Non-repudiation with Proof of Origin: combination of signature and lower
layer data integrity (possibly in conjunction with 3rd party notaries)
– Non-repudiation with Proof of Delivery: combination of signature and
lower layer data integrity (possibly in conjunction with 3rd party
notaries)
Model for Network Security
This general model shows that there are four basic tasks in
designing a particular security service:
1. Design an algorithm for performing the security-related
transformation. The algorithm should be such that an
opponent cannot defeat its purpose.
2. Generate the secret information to be used with the
algorithm.
3. Develop methods for the distribution and sharing of the
secret information.
4. Specify a protocol to be used by the two principals that
makes use of the security algorithm and the secret
information to achieve a particular security service.
Options for Mini-Project
• Data link Layer: ARP, RARP, NDP, OSPF, MAC, Wireless
• Network Layer: IPv4, IPv6, ICMP, ICMPv6, IPSec, Mobile
IP
• Transport Layer: TCP, UDP, RSVP
• Application Layer: DNS, DHCP, SNMP, RIP, HTTP,
HTTPS, FTP