12-1 Network Security


12-2

Physical Protection of Assets and Security

PPA is done using the following means:
• Locks
• Barriers
• Guards

Security is provided for the following:
• Computer processing
• Large databases
• Communication networks
• Preventing a hacker from breaking into your computer

12-3

3 things to know in security:
• Why networks need security
• How to provide security
• Types of security threats
• Network (NW) controls

Primary goal of NW security: to protect the data and application SW.

12-4

Introduction

For many people, security means preventing unauthorized access, such as preventing a hacker from breaking into your computer.

Security is more than that; it also includes being able to recover from temporary service problems or from natural disasters.

12-5

Security threats to:
• Software (SW)
• Hardware (HW)
• Files and databases
• Data communication circuits

Threats come from different sources:
• External and internal hacking
• External: disaster, vandalism, fraud, theft
• Personal errors, dishonesty, incompetence

12-6

Introduction

12-7

Why Networks Need Security

In recent years, organizations have become increasingly dependent on the data communication networks for their daily business communications, database retrieval, distributed data processing, and the internetworking of LANs.

The losses associated with security failures can be huge.

More important than direct theft losses are the potential losses from the disruption of application systems that run on computer networks.

12-8

2 types of security threats

Category 1: 3-Ds (due to fire, flood, power loss, circuit failure and virus)
• Disruption
• Destruction
• Disaster

Category 2: Unauthorized access (refers to intruders)
• External hackers
• Internal hackers

12-9

What an intruder will achieve: gain knowledge and change files
• To commit fraud or make threats
• To destroy information
• To injure the organization
• For the sadistic thrill of the misadventure

12-10

Types of Security Threats, Category 1: 3-Ds

Disruptions:
• are the loss or reduction in NW service
• could be minor and temporary, e.g. due to a switch failure or circuit cut

Destructions (of data):
• are caused by and/or result in a disruption
• could be due to a virus or something else
• could be due to a hard-disk crash

Disasters (of the network):
• destroy host computers or sections of the NW
• could be man-made or natural

12-11

Natural and Man-made Disasters

Principal causes responsible for the Category 1 (3-D) threats:
• Fires
• Floods
• Earthquakes
• Mudslides
• Storms
• Tornadoes
• Terrorist attacks
All of these can destroy buildings and networks.

12-12

What the 3-Ds do:
• Give rise to interruptions in the NW service
• Cause loss of data due to NW failure

FTS = Fault Tolerant Server: contains many redundant components which help prevent NW failure.

Disk duplexing:
• is a disk-mirroring concept
• provides backup against NW failure
• so that even if the disk controller fails, the server continues to operate

12-13

What are the 3-S?
• Smaller
• Smarter
• Simpler, Sophisticated

The producers of NW HW/SW now always keep these three things in mind when developing their products.

12-14

Types of Security Threats, Category 2: UA

Category 2: Unauthorized Access is often viewed as hackers gaining access to organizational data files and resources.
• External intruders
• Internal intruders
• Eavesdropping (i.e., listening secretly to a private conversation)

Keep in mind, however, that most unauthorized access incidents involve employees.

12-15

Network Controls

Developing a secure network means developing controls, i.e., mechanisms that reduce or eliminate both Cat-1 and Cat-2 threats to network security.

There are 3 types of controls:
• Preventative controls: restrain or stop a person from acting, or hinder an event from occurring.
• Detective controls: reveal or discover any kind of unwanted event.
• Corrective controls: rectify an unwanted event or a trespass.

PDC controls should be periodically verified and tested.

12-16

Network Controls

6 areas need NW controls in a data communication network:
• Client computers
• Host/server computers (mini/mainframe/LANs)
• Communication circuits
• NW devices and components
• NW software
• Application software

12-17

Network Controls

It is important to remember that it is not enough to just establish a series of controls; someone or some department must be accountable for the control and security of the network.

PDC controls must be reviewed periodically to be sure that they are still useful, and should be:
• Verified: ensuring that the control is still present
• Tested: determining whether the control is working as originally specified

(PDC = Preventive, Detective and Corrective)

12-18

RISK ASSESSMENT

12-19

Risk Assessment

One key step in developing a secure NW is to conduct a risk assessment:
• This assigns a level of risk to various threats to the network security by comparing the nature of the threats to the controls designed to reduce them.

A threat could mean:
• Theft of data
• Destruction of data
• Damage to NW HW, NW SW and NW circuits

12-20

7 Most Common Threats to the NW

• Virus: 87%
• Device failure: 52%
• Internal hacker: 51%
• Equipment theft: 48%
• External hacker: 30%
• Natural disaster: 28%
• Industrial espionage: 10%

12-21

About Computer Viruses
• Cause destruction of data
• Cause unwanted events/nuisances
• Attach themselves to some programs, and as a result the viruses spread

How to prevent the spread of viruses:
• Don't share diskettes (37% due to sharing)
• Don't copy files or disks of unknown origin
• Be careful about downloading files from the Web
• Install anti-virus SW on your computer

12-22

Developing a Control Spreadsheet

To be sure that the data communications network and microcomputer workstations have the necessary controls and that these controls offer adequate protection, it is best to build a control spreadsheet.

12-23

Developing a Control Spreadsheet

Threats                | Disruption, Destruction, Disaster                  | Unauthorized Access
Components             | Fire | Flood | Power Loss | Circuit Failure | Virus | External Intruder | Internal Intruder | Eavesdrop
Host Computers         |      |       |            |                 |       |                   |                   |
Client Computers       |      |       |            |                 |       |                   |                   |
Communication Circuits |      |       |            |                 |       |                   |                   |
Network Devices        |      |       |            |                 |       |                   |                   |
Network Software       |      |       |            |                 |       |                   |                   |
People                 |      |       |            |                 |       |                   |                   |

12-24

Threats

A threat to the data communications network is any potential adverse occurrence that can do harm, interrupt the systems using the network, or cause a momentary loss to the organizations.

Once the threats are identified they must be ranked on their importance.

12-25

Threats

12-26

Network Components

The next step is to identify the network components. A network component is one of the individual pieces that compose the data communications network. They include:
• Servers
• Client computers
• Communications circuits
• Network devices
• Network software
• Application software

12-27

Identify and Document the Controls

Once the specific network threats and controls have been identified, you can begin working on the network controls.

Begin by considering the network component and the specific threat, and then describe each control that prevents, detects or corrects that threat.

12-28

Identify and Document the Controls

Threats                | Disruption, Destruction, Disaster                  | Unauthorized Access
Components             | Fire | Flood | Power Loss | Circuit Failure | Virus | External Intruder | Internal Intruder | Eavesdrop
Host Computers         | 1,2  | 1,3   | 4          | 1,5,6           | 7,8   | 9,10,11,12        | 9,10              |
Client Computers       |      |       |            |                 |       |                   |                   |
Communication Circuits |      |       |            |                 |       |                   |                   |
Network Devices        |      |       |            |                 |       |                   |                   |
Network Software       |      |       |            |                 |       |                   |                   |
People                 |      |       |            |                 |       |                   |                   |

1. Disaster recovery plan
2. Halon fire system/sprinklers
3. Host computer room on 5th floor
4. UPS on servers
5. Contract guarantees from IXCs
6. Extra backbone fiber laid between servers
7. Virus checking software present
8. Extensive user training on viruses
9. Strong password software
10. Extensive user training on security
11. Call-back modem system
12. Application Layer firewall

12-29

Evaluate the Network’s Security

The last step in designing a control spreadsheet is to evaluate the adequacy of the existing controls, and the resulting degree of risk associated with each threat.

The assessment can be done by the network manager, but it is better done by a team of experts chosen for their in-depth knowledge about the network and environment being reviewed.
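One way to carry the control-spreadsheet steps above (threat columns, component rows, documented controls, evaluation) and the risk-assessment idea through in code, as an added example that is not part of the original slides. The columns, rows and the twelve numbered controls are the ones on the slides; only the Host Computers row is filled in, as on the slide, and the three-level risk rating is a constructed heuristic for illustration.

```python
"""Control spreadsheet for the risk-assessment steps in this chapter.

Added example, not the slides' own material. Threat columns, component rows
and the numbered controls come from the control-spreadsheet slides; the
Host Computers row is filled in as shown there, the other rows are left
empty so the evaluation step has uncovered cells to report.
"""

THREATS = [
    # Category 1: disruption, destruction, disaster
    "Fire", "Flood", "Power Loss", "Circuit Failure", "Virus",
    # Category 2: unauthorized access
    "External Intruder", "Internal Intruder", "Eavesdrop",
]
COMPONENTS = [
    "Host Computers", "Client Computers", "Communication Circuits",
    "Network Devices", "Network Software", "People",
]
CONTROLS = {
    1: "Disaster recovery plan",
    2: "Halon fire system/sprinklers",
    3: "Host computer room on 5th floor",
    4: "UPS on servers",
    5: "Contract guarantees from IXCs",
    6: "Extra backbone fiber laid between servers",
    7: "Virus checking software present",
    8: "Extensive user training on viruses",
    9: "Strong password software",
    10: "Extensive user training on security",
    11: "Call-back modem system",
    12: "Application Layer firewall",
}


class ControlSpreadsheet:
    """Rows are network components, columns are threats, cells hold control numbers."""

    def __init__(self, components, threats, controls):
        self.components, self.threats, self.controls = components, threats, controls
        self.cells = {(c, t): [] for c in components for t in threats}

    def document(self, component, threat, *control_ids):
        """Record the controls that prevent, detect or correct one threat for one component."""
        if (component, threat) not in self.cells:
            raise KeyError(f"unknown cell {component!r} x {threat!r}")
        for cid in control_ids:
            if cid not in self.controls:
                raise KeyError(f"control {cid} is not in the numbered control list")
        self.cells[(component, threat)].extend(control_ids)

    def risk_level(self, component, threat):
        """Constructed heuristic: rate a cell by how many controls cover it."""
        n = len(self.cells[(component, threat)])
        return "high" if n == 0 else "medium" if n == 1 else "low"

    def uncovered(self):
        """Cells with no documented control, i.e. where the review team should look first."""
        return [cell for cell, ids in self.cells.items() if not ids]

    def render(self):
        """Plain-text view of the spreadsheet, one row per component."""
        width = max(len(c) for c in self.components)
        lines = [" " * width + " | " + " | ".join(self.threats)]
        for c in self.components:
            row = [",".join(map(str, self.cells[(c, t)])).ljust(len(t)) for t in self.threats]
            lines.append(c.ljust(width) + " | " + " | ".join(row))
        return "\n".join(lines)


def build_example_sheet():
    """Fill the Host Computers row exactly as the slide shows it."""
    sheet = ControlSpreadsheet(COMPONENTS, THREATS, CONTROLS)
    host = "Host Computers"
    sheet.document(host, "Fire", 1, 2)
    sheet.document(host, "Flood", 1, 3)
    sheet.document(host, "Power Loss", 4)
    sheet.document(host, "Circuit Failure", 1, 5, 6)
    sheet.document(host, "Virus", 7, 8)
    sheet.document(host, "External Intruder", 9, 10, 11, 12)
    sheet.document(host, "Internal Intruder", 9, 10)
    return sheet


if __name__ == "__main__":
    sheet = build_example_sheet()
    print(sheet.render())
    print(f"{len(sheet.uncovered())} of {len(sheet.cells)} cells have no control documented")
```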

12-30

CONTROLLING DISRUPTION, DESTRUCTION, AND DISASTER

12-31

Preventing Disruption, Destruction and Disaster

The key principle in preventing disruption, destruction and disaster, or at least reducing their impact, is redundancy.
• Disk mirroring
• Disk duplexing
• Fault-tolerant servers
• Uninterruptible power supplies (UPS)

Redundancy can be built into other network components as well.

12-32

Preventing Disruption, Destruction and Disaster

Disasters are different; the best solution is to have a completely redundant network that duplicates every network component, but in a different location.

Generally speaking, preventing disasters is difficult. The most fundamental principle is to decentralize the network resources.

Other steps depend on the type of disaster to be prevented.

12-33

Preventing Disruption, Destruction and Disaster

In some cases, the disruption is intentional (i.e. theft).

Another special case is the denial-of-service attack, in which the hacker attempts to disrupt the network by sending messages to the network that prevent others' messages from being processed.

12-34

Preventing Disruption, Destruction and Disaster

Special attention also must be paid to preventing computer viruses, software designed to produce unwanted events. Most viruses attach themselves to other programs or to special parts of disks.

How to prevent the spread of viruses:
• Do not copy files or disks of unknown origin.
• Use/install the anti-virus software packages that are available to check disks and files to ensure that they are virus-free.

12-35

NW-Monitoring Software and Other Means for Detecting 3-Ds

NWM software alerts network managers to problems so that they can be corrected.

Some intelligent NW servers can be programmed to send an alarm to a pager if necessary.

Ongoing monitoring for damaged cables, which could result from hungry squirrels and rats eating the cables.

12-36

Other means for Detecting 3-Ds!

Detecting minor disruptions can be more difficult. The network should routinely log fault information to enable network managers to recognize minor service problems. In addition, there should be a clear procedure by which network users can report problems.

12-37

Correcting Disruption, Destruction and Disaster

A critical control is the disaster recovery plan, which should address various levels of response to a number of possible disasters and should provide for partial or complete recovery of all data, application software, network components, and physical facilities.

The most important elements of the disaster recovery plan are the backup and recovery controls that enable the organization to recover its data and restart its application software should some portion of the network fail.

12-38

Elements of a Disaster Recovery Plan

• Names of responsible individuals
• Staff assignments and responsibilities
• List of priorities of "fix-firsts"
• Location of alternative facilities
• Recovery procedures for data communications facilities, servers and application systems
• Actions to be taken under various contingencies
• Manual processes
• Updating and testing procedures
• Safe storage of data, software and the disaster recovery plan itself

12-39

Correcting Disruption, Destruction and Disaster

Backups ensure that important data is safe. However, they do not guarantee that the data can be used.

Most large organizations have a two-level disaster recovery plan.

LVL 1: When they build networks they build enough capacity and have enough spare equipment to recover from a minor disaster, such as loss of a major server or portion of the network.

12-40

Correcting Disruption, Destruction and Disaster

LVL 2: Most large organizations rely on professional disaster recovery firms to provide second-level support for major disasters.

Disaster recovery firms provide a full range of services from secure storage for backups, to a complete networked data center that clients can use when they experience a disaster.

12-41

CONTROLLING UNAUTHORIZED ACCESS

12-42

Controlling Unauthorized Access

Four types of intruders attempt to gain unauthorized access to computer networks.
1. Casual computer users who only have limited knowledge of computer security.
2. Experts in security, but whose motivation is the thrill of the hunt.
3. Professional hackers who break into corporate or government computers for specific purposes.
4. Organization employees who have legitimate access to the network but who gain access to information they are not authorized to use.

12-43

Preventing Unauthorized Access

The key principle in preventing unauthorized access is to be proactive. This means routinely testing your security systems before an intruder does.

Approaches to preventing unauthorized access:
• Developing a security policy
• Developing user profiles
• Plugging known security holes
• Securing network access points
• Preventing eavesdropping
• Using encryption

A combination of all techniques is best to ensure strong security.

12-44

Developing a Security Policy

The security policy should clearly define the important network components to be safeguarded and the important controls needed to do that.

The most common way for a hacker to break into a system is through some social engineering (breaking security simply by asking).

12-45

Elements of a Security Policy
• Names of responsible individuals
• Incident reporting system and response team
• Risk assessment with priorities
• Controls on access points to prevent or deter unauthorized external access
• Controls within the network to ensure internal users cannot exceed their authorized access
• An acceptable use policy
• User training plan on security
• Testing and updating plans

12-46

Developing User Profiles

The basis of network access is the user profile for each user’s account that is assigned by the network manager.

More and more systems are requiring users to enter a password in conjunction with something they have, such as a smart card.

In high-security applications, a user may be required to present something they are, such as a finger, hand or the retina of their eye for scanning by the system (biometric scanning).

12-47

Developing User Profiles

User profiles can limit the allowable log-in days, time of day, physical locations, and the allowable number of incorrect log-in attempts.

Creating accounts and profiles is simple, as they are created when new personnel arrive. One security problem is the removal of user accounts when someone leaves an organization.
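The profile restrictions just listed (allowed days, time of day, locations, failed-attempt limit) and the leaver problem, enforced in code as an added example that is not from the original slides. The profile fields, the sample user and the limits are constructed for illustration.

```python
"""Enforcing the user-profile restrictions described above.

Added example, not the slides' own material: a profile limits the days and
hours a user may log in, the locations they may log in from, and the number
of consecutive failed attempts before the account locks; accounts of people
who have left are disabled rather than forgotten. All names and limits are
constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass
class UserProfile:
    username: str
    allowed_days: frozenset      # datetime.weekday() values: 0 = Monday ... 6 = Sunday
    login_hours: tuple           # (first_hour, last_hour_exclusive) on a 24-hour clock
    allowed_locations: frozenset
    max_failed_attempts: int
    failed_attempts: int = 0
    locked: bool = False
    active: bool = True          # set False when the person leaves the organization


def check_login(profile, when, location, password_ok):
    """Return (allowed, reason) for one attempt and update the attempt counter.

    Profile rules are evaluated before the password so that a disabled, locked,
    out-of-hours or out-of-place attempt never reaches password handling."""
    if not profile.active:
        return False, "account disabled"
    if profile.locked:
        return False, "account locked"
    if when.weekday() not in profile.allowed_days:
        return False, "login not permitted on this day"
    first, last = profile.login_hours
    if not first <= when.hour < last:
        return False, "login outside permitted hours"
    if location not in profile.allowed_locations:
        return False, "login from an unapproved location"
    if not password_ok:
        profile.failed_attempts += 1
        if profile.failed_attempts >= profile.max_failed_attempts:
            profile.locked = True        # stays locked until an administrator resets it
            return False, "account locked"
        return False, "bad password"
    profile.failed_attempts = 0          # a successful login resets the counter
    return True, "ok"


def sample_profile():
    """Constructed profile: office hours on weekdays, one approved location, 3 strikes."""
    return UserProfile("jdoe", frozenset({0, 1, 2, 3, 4}), (8, 18),
                       frozenset({"HQ-3rd-floor"}), max_failed_attempts=3)


def at(day, hour):
    """Timestamp helper for January 2024 (1 January 2024 was a Monday)."""
    return datetime(2024, 1, day, hour)


if __name__ == "__main__":
    p = sample_profile()
    for args in [(at(8, 9), "HQ-3rd-floor", True),    # Monday 09:00, allowed
                 (at(13, 9), "HQ-3rd-floor", True),   # Saturday, refused
                 (at(8, 22), "HQ-3rd-floor", True),   # after hours, refused
                 (at(8, 9), "branch", True),          # wrong location, refused
                 (at(8, 9), "HQ-3rd-floor", False)]:  # bad password, counted
        print(args[0], args[1], check_login(p, *args))
```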

12-48

Developing User Profiles

It is important to screen and classify both users and data (need to know).

The effect of any security software packages that restrict or control access to files, records, or data items should be reviewed.

Adequate user training on network security should be provided through self-teaching manuals, newsletters, policy statements, and short courses.

12-49

Plugging Known Security Holes

Many commonly used operating systems have major security problems well known to potential users (security holes), many of which are highly technical.

Some security holes are not really holes, but simply policies adopted by computer vendors that open the door for security problems, such as computer systems that come with a variety of preinstalled user accounts.

12-50

Plugging Known Security Holes

The U.S. Government requires certain levels of security in the operating systems and network operating systems it uses for certain applications.

12-51

Securing Network Access Points

There are three major ways of gaining access:
• Using a terminal or computer located in the organization's offices
• Dialing into the network via modem
• Accessing the network from another network to which it is connected (e.g. Internet)

The physical security of the building or buildings that house any of the hardware, software or communications circuits must be evaluated.

12-52

Securing Network Access Points

The network components themselves also have a level of physical security.

Any organization that permits staff members to access its networks via dial-in modems opens itself to a broader range of intruders.

One strategy is to routinely change modem numbers, another is to use a call-back modem.

One-time passwords are another strategy for traveling employees for whom call-back modems and automatic number identification are inappropriate.

12-53

Securing Network Access Points

With the increasing use of the Internet, and information superhighway, it becomes important to prevent unauthorized access to your network from intruders on other networks. For this, we have to use a Firewall!

What is a firewall?

12-54

What is a Firewall?

A firewall is a router, gateway, or special purpose computer that examines packets flowing into and out of a network and restricts access to the organization's network.

A FW is designed so that it is placed on every NW connection between the organization and the Internet, and no access is permitted except through the firewall.

2 types of firewall:
• PLF = packet-level firewall
• ALF = application-level firewall

12-55

Securing Network Access Points

A packet-level firewall examines the source and destination address of every network packet that passes through it and only allows packets that have acceptable source and destination addresses to pass.

Some packet-level firewalls are vulnerable to IP-level spoofing, accomplished by changing the source address on incoming packets from their real address to an address inside the organization’s network. Many firewalls have had their security strengthened since the first documented case of IP spoofing in December 1994.
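A packet-level filter with the anti-spoofing check that closes the weakness just described, as an added example that is not from the original slides. The internal address range, the allow rules and the sample packets are constructed; the point is that, without the ingress check, a packet from outside carrying an internal source address would match the "inside to anywhere" rule.

```python
"""Packet-level filtering with the IP-spoofing check described above.

Added example, not the slides' own code: a minimal packet-level firewall
that allows packets only between acceptable source/destination addresses,
plus the ingress check that catches a packet arriving on the Internet-facing
interface while claiming a source address inside the organization's network.
Address ranges, rules and packets are constructed for illustration.
"""
import ipaddress

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")      # constructed internal address space
ANY = ipaddress.ip_network("0.0.0.0/0")

# Allow rules as (source network, destination network); anything unmatched is dropped.
ALLOW_RULES = [
    (ANY, ipaddress.ip_network("10.0.1.25/32")),       # Internet -> public web server only
    (INTERNAL_NET, ANY),                               # inside -> anywhere
]


def filter_packet(iface, src, dst, rules=ALLOW_RULES, internal=INTERNAL_NET):
    """Decide one packet seen on iface ("outside" = Internet side, "inside" = LAN side).

    Returns ("allow" | "drop", reason)."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Anti-spoofing: an internal source address can never legitimately arrive from outside.
    # Without this check such a packet would match the inside -> anywhere rule below.
    if iface == "outside" and src_ip in internal:
        return "drop", "spoofed source: internal address arriving on the outside interface"
    # Mirror check: packets leaving must carry one of our own addresses.
    if iface == "inside" and src_ip not in internal:
        return "drop", "source address is not part of the internal network"
    for src_net, dst_net in rules:
        if src_ip in src_net and dst_ip in dst_net:
            return "allow", f"matched rule {src_net} -> {dst_net}"
    return "drop", "no rule permits this source/destination pair"


def run_sample():
    """Constructed packets; returns (description, decision) pairs."""
    packets = [
        ("outside", "203.0.113.7", "10.0.1.25", "Internet client to web server"),
        ("outside", "203.0.113.7", "10.0.5.9", "Internet client to internal workstation"),
        ("outside", "10.0.5.9", "10.0.1.25", "spoofed internal source arriving from outside"),
        ("inside", "10.0.5.9", "198.51.100.20", "workstation to Internet"),
    ]
    return [(desc, filter_packet(iface, s, d)[0]) for iface, s, d, desc in packets]


if __name__ == "__main__":
    for desc, decision in run_sample():
        print(f"{decision:5} {desc}")
```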

12-56

Securing Network Access Points

An application-level firewall acts as an intermediate host computer or gateway between the Internet and the rest of the organization’s network.

In many cases, special programming code must be written to permit the use of application software unique to the organization.

A proxy server is a new type of application-level firewall that addresses some of the compatibility problems with traditional application-level firewalls.

12-57

Securing Network Access Points

The proxy server uses an address table to translate network addresses inside the organization into fake addresses for use on the Internet (network address translation or address mapping).

This way systems outside the organization never see the actual internal IP addresses.

Proxy servers work very well and are becoming the application-level firewall of choice.

Many organizations use a combination of packet-level and application-level firewalls.

12-58

12-59

What is a Smartcard?

It is a card about the size of a credit card that contains a small processing chip and also a memory chip that can be read by a smart device.

To gain access to a NW, the user must present both the smart card and a password. An intruder must have access to both before they can break in.

12-60

Example of a Smartcard!

The ATM NW (automated teller machine network) is the best practical example of a smart card.

Before you can gain access to your account you must have both:
• ATM card
• Access number

12-61

Eavesdropping on Network!

It is a way to gain unauthorized access to network traffic, where the intruder inserts a listening device or computer into the organization's network to record messages.

Two areas are vulnerable to this type of unauthorized access:
• Network cabling
• Network devices

12-62

Preventing Eavesdropping

Network cables are the easiest target because they often run long distances and usually are not regularly checked for tampering.

Certain types of cable can impair or increase security by making eavesdropping easier (e.g. wireless) or more difficult (e.g. fiber optic).

Physical security of the network’s local loop and interexchange telephone circuits is the responsibility of the common carrier.

12-63

Preventing Eavesdropping

Network devices such as controllers, hubs, and bridges should be secured in locked wiring closets.

A secure hub for Ethernet networks makes sniffer program eavesdropping more difficult, by requiring a special authorization code before new computers can be added to the hub.

A review of software controls that can be programmed into remote network devices is also needed.

12-64

What is IP Spoofing?

IPS means sending packets to a target computer. IPS is done by changing the source address on the incoming packets from their real address to an address inside the organization's NW.

12-65

Sniffer Program

A spy software/program which is installed in a computer that is subsequently plugged into an unattended hub, bridge or router, and as a result eavesdrops on all kinds of message traffic.

Sniff (means what?): to smell (forcibly through the nose); to inhale (forcibly through the nose)

12-66

Using Encryption

One of the best ways to prevent unauthorized access is encryption, which is a means of disguising information by the use of mathematical rules known as algorithms.

An encryption system has two parts: the algorithm itself and the key, which personalizes the algorithm by making the transformation of the data unique.

12-67

What is Encryption?

It's the best way to prevent any attempt to gain unauthorized access. It means disguising info by the use of mathematical rules known as algorithms. Actually, it's the CRYPTION:
• Encryption
• Decryption

Cryptic (means what?): secret and/or mystifying

12-68

Plaintext and Ciphertext

Plaintext:
• It means the information is in a readable form or format. This means that the info is in a decrypted form.

Ciphertext:
• It means the information is in an encrypted (i.e., disguised) form or format.

12-69

Using Encryption

Good encryption systems do not depend on keeping the algorithm secret, only the keys.

Today, the U.S. government considers encryption to be a weapon, and regulates its export in the same way it regulates the export of machine guns or bombs. The government is also trying to develop a policy called key escrow, requiring key registration with the government.

12-70

Using Encryption

One commonly used encryption algorithm is the data encryption standard (DES). DES is a symmetric algorithm, which means the key used to decrypt a particular bit stream is the same one used to encrypt it.

Symmetric algorithms can cause problems with key management; keys must be dispersed and stored carefully.

A 56-bit version of DES is the most commonly used encryption technique today.

12-71

Using Encryption

A second popular technique is public key encryption, the most popular of which is RSA.

Public key encryption is inherently different from secret key systems like DES, because it is an asymmetric algorithm; there are two keys. The public key is used to encrypt the message, and the private key is used to decrypt it. Public key encryption greatly reduces the key management problem.

12-72

Using Encryption

Private Key

12-73

Using Encryption

Public key encryption also permits authentication (digital signatures), using a process of encrypting with the private key and decrypting with the public key, providing irrefutable proof of origin.

A certificate authority is a trusted organization that can vouch for the authenticity of the person or organization using authentication. For higher-level security certification, the CA requires that a unique "fingerprint" (key) be issued by the CA for each message sent by the user.
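The two uses of a key pair described on these slides (public key encrypts, private key decrypts; private key signs, public key verifies) worked through with textbook RSA, as an added example that is not from the original slides. The primes 61 and 53 and exponent 17 are classic textbook values chosen so the arithmetic can be checked by hand; the SHA-256 digest step is an assumption, and keys this small are not secure for any real use.

```python
"""Textbook RSA to show the two uses of a key pair described above.

Added example, not the slides' own material: a toy RSA with small primes
that shows (1) encrypt with the public key, decrypt with the private key,
and (2) sign with the private key, verify with the public key, which is the
digital-signature process the slide describes. Keys this small offer no
security; the values are chosen so the arithmetic can be checked by hand.
"""
import hashlib


def _modinv(a, m):
    """Modular inverse of a mod m by the extended Euclidean algorithm."""
    r0, r1, s0, s1 = a, m, 1, 0
    while r1:
        q = r0 // r1
        r0, r1, s0, s1 = r1, r0 - q * r1, s1, s0 - q * s1
    if r0 != 1:
        raise ValueError("exponent must be coprime with phi(n)")
    return s0 % m


def make_keypair(p=61, q=53, e=17):
    """Return (public, private) as ((e, n), (d, n)); p and q must be distinct primes."""
    n = p * q
    phi = (p - 1) * (q - 1)          # Euler's totient of n
    d = _modinv(e, phi)              # private exponent: e * d == 1 (mod phi)
    return (e, n), (d, n)


def encrypt(message: bytes, public):
    """Encrypt one byte per block; n > 255, so every byte value is a valid block."""
    e, n = public
    return [pow(b, e, n) for b in message]


def decrypt(blocks, private):
    """Inverse of encrypt: raise each block to the private exponent."""
    d, n = private
    return bytes(pow(c, d, n) for c in blocks)


def _digest(message: bytes, n: int) -> int:
    """SHA-256 of the message reduced into the key's range (a toy n discards most of it)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private) -> int:
    """'Encrypt' the message digest with the private key."""
    d, n = private
    return pow(_digest(message, n), d, n)


def verify(message: bytes, signature: int, public) -> bool:
    """'Decrypt' the signature with the public key and compare with a fresh digest."""
    e, n = public
    return pow(signature, e, n) == _digest(message, n)


if __name__ == "__main__":
    public, private = make_keypair()      # public = (17, 3233), private = (2753, 3233)
    msg = b"transfer 100 to account 42"
    blocks = encrypt(msg, public)
    print("ciphertext blocks:", blocks[:5], "...")
    print("decrypted:", decrypt(blocks, private))
    sig = sign(msg, private)
    print("signature:", sig, "verifies:", verify(msg, sig, public))
    print("tampered signature verifies:", verify(msg, (sig + 1) % 3233, public))
```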

12-74

Using Encryption

12-75

Detecting Unauthorized Access

Detecting unauthorized access means looking for anything out of the ordinary. It means logging all messages sent and received by the network, all software used, and all logins (or attempted logins) to the network, and watching for:
• Increases in the number of logins
• An unusual number of unsuccessful login attempts to a user's or several users' accounts

Regular monitoring should also be extended to network hardware.
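A small review of the login log for the warning signs listed above, as an added example that is not from the original slides. The log format, the sample lines, the "usual" hourly volume and the thresholds are constructed for illustration.

```python
"""Reviewing the login log for the warning signs listed above.

Added example, not the slides' own material: the log is scanned for (1) an
unusual number of unsuccessful attempts against one account, (2) one source
failing against several users' accounts, and (3) an hour whose login volume
is well above the usual level. Log format, sample lines and thresholds are
all constructed for illustration.
"""
import re
from collections import Counter, defaultdict

# Constructed format: timestamp, result, user and source address of each attempt.
LINE = re.compile(
    r"^(?P<hour>\d{4}-\d\d-\d\dT\d\d):\d\d:\d\d LOGIN (?P<result>OK|FAIL) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

SAMPLE_LOG = """\
2024-01-08T09:02:11 LOGIN OK user=jdoe src=10.0.5.9
2024-01-08T09:05:40 LOGIN FAIL user=asmith src=10.0.5.12
2024-01-08T09:06:02 LOGIN OK user=asmith src=10.0.5.12
2024-01-08T13:30:15 LOGIN OK user=jdoe src=10.0.5.9
2024-01-08T22:14:03 LOGIN FAIL user=admin src=203.0.113.7
2024-01-08T22:14:09 LOGIN FAIL user=admin src=203.0.113.7
2024-01-08T22:14:15 LOGIN FAIL user=admin src=203.0.113.7
2024-01-08T22:14:21 LOGIN FAIL user=root src=203.0.113.7
2024-01-08T22:14:27 LOGIN FAIL user=root src=203.0.113.7
2024-01-08T22:14:33 LOGIN FAIL user=admin src=203.0.113.7
2024-01-08T22:14:40 LOGIN FAIL user=jdoe src=203.0.113.7
2024-01-08T22:14:46 LOGIN FAIL user=asmith src=203.0.113.7
"""


def parse(log_text):
    """Return one dict per well-formed line; malformed lines are skipped, not guessed."""
    events = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def accounts_with_many_failures(events, threshold=3):
    """Accounts with at least `threshold` failed attempts (one user's account)."""
    fails = Counter(e["user"] for e in events if e["result"] == "FAIL")
    return sorted(u for u, n in fails.items() if n >= threshold)


def sources_hitting_many_accounts(events, min_accounts=3):
    """Sources whose failed attempts spread across several users' accounts."""
    users_by_src = defaultdict(set)
    for e in events:
        if e["result"] == "FAIL":
            users_by_src[e["src"]].add(e["user"])
    return sorted(s for s, users in users_by_src.items() if len(users) >= min_accounts)


def busy_hours(events, usual_per_hour=2, factor=3):
    """Hours with more login attempts than `factor` times the usual hourly count."""
    per_hour = Counter(e["hour"] for e in events)
    return sorted(h for h, n in per_hour.items() if n > factor * usual_per_hour)


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("accounts with many failures:", accounts_with_many_failures(ev))
    print("sources trying many accounts:", sources_hitting_many_accounts(ev))
    print("hours with unusual login volume:", busy_hours(ev))
```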

12-76

Correcting Unauthorized Access

Once an unauthorized access is detected, the next step is to identify how the security breach occurred and fix it so that it will not reoccur.

Many organizations have taken their own steps to detect intruders by using entrapment techniques.

In recent years, there has been a stiffening of computer security laws and in the legal interpretation of other laws that pertain to computer networks.