Ch01 NetSec5e.pptx

8/10/2019 Ch01 NetSec5e.pptx

1/31

Network SecurityEssentials

Fifth Edition

by William Stallings


2/31

Chapter 1Introduction


3/31

The combination of space, time, and strength that must beconsidered as the basic elements of this theory ofdefense makes this a fairly complicated matter.Consequently, it is not easy to find a fixed point of

departure.

On War, Carl Von Clausewitz

The art of war teaches us to rely not on the likelihood of theenemy's not coming, but on our own readiness to receivehim; not on the chance of his not attacking, but rather onthe fact that we have made our position unassailable.

The Art of War, Sun Tzu


4/31

Computer Security Concepts

Before the widespread use of data processing equipment, the security ofinformation valuable to an organization was provided primarily by physicaland administrative means

With the introduction of the computer, the need for automated tools forprotecting files and other information stored on the computer became

evident

Another major change that affected security is the introduction ofdistributed systems and the use of networks and communications facilitiesfor carrying data between terminal user and computer and betweencomputer and computer

Computer security The generic name for the collection of tools designed to protect data and to

thwart hackers

internet security (lower case i refers to any interconnected collection ofnetwork)

Consists of measures to deter, prevent, detect, and correct security violations

that involve the transmission of information


5/31

Computer

Security

The protection afforded

to an automated

information system inorder to attain the

applicable objectives of

preserving the integrity,

availability, andconfidentiality of

information system

resources (includes

hardware, software,

firmware,

information/data, and

telecommunications)

The NIST Computer

Security Handbookdefines

the term computer security

as:


6/31

Computer Security

Objectives

Data confidentiality Assures that private or confidential information is not made available or

disclosed to unauthorized individuals

Privacy Assures that individuals control or influence what information related to them

may be collected and stored and by whom and to whom that information maybe disclosed

Confidentiality

Data integrity Assures that information and programs are changed only in a specified and

authorized manner

System integrity Assures that a system performs its intended function in an unimpaired manner,

free from deliberate or inadvertent unauthorized manipulation of the system

Integrity

Assures that systems work promptly and service is not denied to

authorized users

Availability


7/31

CIA Triad


8/31

Possible additional concepts:

Authenticity Verifying that users

are who they saythey are and thateach input arriving atthe system camefrom a trusted source

Accountability The security goal

that generates therequirement foractions of an entity tobe traced uniquely tothat entity


9/31

Breach of Security

Levels of Impact

The loss could be expected to have a severe orcatastrophic adverse effect on organizationaloperations, organizational assets, or individuals

High

The loss could be expected to have aserious adverse effect onorganizational operations,organizational assets, or individuals

Moderate

The loss could beexpected to have a limitedadverse effect onorganizational operations,organizational assets, orindividuals

Low


10/31

Examples of Security

Requirements

Confidentiality

Student gradeinformation is an assetwhose confidentiality isconsidered to be highlyimportant by students

Regulated by the FamilyEducational Rights and

Privacy Act (FERPA)

Integrity

Patient informationstored in a databaseinaccurate informationcould result in serious

harm or death to apatient and expose the

hospital to massiveliability

A Web site that offers aforum to registered usersto discuss some specifictopic would be assigned

a moderate level ofintegrity

An example of a low-integrity requirement is an

anonymous online poll

Availability

The more critical acomponent or service,the higher the level ofavailability required

A moderate availability

requirement is a publicWeb site for a university

An online telephonedirectory lookup

application would beclassified as a low-

availability requirement


11/31

Computer Security

Challenges

Security is not simple

Potential attacks on thesecurity features need to beconsidered

Procedures used to provideparticular services are oftencounter-intuitive

It is necessary to decidewhere to use the various

security mechanisms

Requires constantmonitoring

Is too often an afterthought

Security mechanismstypically involve more than aparticular algorithm orprotocol

Security is essentially abattle of wits between aperpetrator and the designer

Little benefit from securityinvestment is perceived untila security failure occurs

Strong security is oftenviewed as an impediment toefficient and user-friendlyoperation


12/31

OSI Security Architecture

Security attack

Any action that compromises the security of informationowned by an organization

Security mechanism A process (or a device incorporating such a process) that is

designed to detect, prevent, or recover from a security attack

Security service

A processing or communication service that enhances thesecurity of the data processing systems and the informationtransfers of an organization

Intended to counter security attacks, and they make use ofone or more security mechanisms to provide the service


13/31

Table 1.1Threats and Attacks (RFC 4949)


14/31

Security Attacks

A means of classifying securityattacks, used both in X.800 and RFC

4949, is in terms ofpassive attacks

and active attacks

Apassive attack attempts to learnor make use of information from the

system but does not affect system

resources

An active attack attempts to altersystem resources or affect their

operation


15/31

Passive Attacks

Two types of passive

attacks are:

The release of messagecontents

Traffic analysis

Are in the nature ofeavesdropping on, or

monitoring of,

transmissions

Goal of the opponent is to

obtain information that isbeing transmitted


16/31

Active Attacks

Involve some modification of the

data stream or the creation of a

false stream

Difficult to prevent because of

the wide variety of potential

physical, software, and network

vulnerabilities

Goal is to detect attacks and to

recover from any disruption or

delays caused by them

Takes place when one entitypretends to be a different entity

Usually includes one of the otherforms of active attack

Masquerade

Involves the passive capture of adata unit and its subsequentretransmission to produce anunauthorized effect

Replay

Some portion of a legitimatemessage is altered, or messages

are delayed or reordered toproduce an unauthorized effect

Modification

of messages

Prevents or inhibits the normal useor management ofcommunications facilities

Denial ofservice


17/31

Security Services

Defined by X.800 as:A service provided by a protocol layer of communicatingopen systems and that ensures adequate security of the

systems or of data transfers

Defined by RFC 4949 as:

A processing or communication service provided by asystem to give a specific kind of protection to systemresources


18/31

X.800 Service Categories

Authentication

Access control

Data confidentiality

Data integrity

Nonrepudiation


19/31

Table 1.2

Security

Services(X.800)

(This table is found on

page 12 in the textbook)


20/31


21/31

Access Control

The ability to limit and control the access to host

systems and applications via communications links

To achieve this, each entity trying to gain accessmust first be indentified, or authenticated, so that

access rights can be tailored to the individual


22/31

Data Confidentiality

The protection of transmitted data from passive attacks

Broadest service protects all user data transmitted between

two users over a period of time

Narrower forms of service include the protection of a singlemessage or even specific fields within a message

The protection of traffic flow from analysis

This requires that an attacker not be able to observe the

source and destination, frequency, length, or othercharacteristics of the traffic on a communications facility


23/31

Data Integrity

Can apply to a stream of messages, a singlemessage, or selected fields within a message

Connection-oriented integrity service deals with astream of messages and assures that messages

are received as sent with no duplication,insertion, modification, reordering, or replays

A connectionless integrity service deals withindividual messages without regard to any largercontext and generally provides protection against

message modification only


24/31

Nonrepudiation

Prevents either sender or receiver from denying a

transmitted message

When a message is sent, the receiver can prove that

the alleged sender in fact sent the message

When a message is received, the sender can prove

that the alleged receiver in fact received the

message


25/31

Availability service

Availability

The property of a system or a system resource beingaccessible and usable upon demand by an authorizedsystem entity, according to performance specifications

for the system


One that protects a system to ensure its availability

Addresses the security concerns raised by denial-of-service attacks

Depends on proper management and control ofsystem resources


26/31

Table 1.3

Security

Mechanisms(X.800)

(This table is found on

page 15 in the textbook)


27/31

Model for Network Security

N t k A S it


28/31

Network Access Security

Model


29/31

Unwanted Access

Placement in a computersystem of logic that exploits

vulnerabilities in the system

and that can affect

application programs aswell as utility programs

Programs canpresent two kinds of

threats:

Information accessthreats

Intercept or modifydata on behalf ofusers who shouldnot have access to

that data

Service threats

Exploit serviceflaws in computers

to inhibit use bylegitimate users


30/31

standards

NIST

National Institute of Standards

and Technology

U.S. federal agency that dealswith measurement science,

standards, and technology related

to U.S. government use and to the

promotion of U.S. private-sector

innovation

NIST Federal Information

Processing Standards (FIPS) and

Special Publications (SP) have a

worldwide impact

ISOC

Internet Society

Professional membership society

with worldwide organizational andindividual membership

Provides leadership in addressingissues that confront the future ofthe Internet

Is the organization home for the

groups responsible for Internetinfrastructure standards, includingthe Internet Engineering TaskForce (IETF) and the Internet

Architecture Board (IAB)

Internet standards and relatedspecifications are published as

Requests for Comments (RFCs)


31/31

Summary

Computer security

concepts

Definition

Examples

Challenges

The OSI security

architecture

Security attacks Passive attacks

Active attacks

Security services

Authentication

Access control

Data confidentiality

Data integrity

Nonrepudiation


Security mechanisms

Model for network security

Standards

Date post:	02-Jun-2018
Category:	Documents
Upload:	sukthanapongma
View:	242 times
Download:	0 times

Ch01 NetSec5e.pptx

Documents