Network Security Essentials, Fifth Edition PDF

Network Security Essentials Fifth Edition by William Stallings Chapter 1 Introduction The combination of space, time, and strength that must be considered as the basic elements of this theory of defense makes this a fairly complicated matter. Consequently, it is not easy to find a fixed point of departure. — On War, Carl Von Clausewitz The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable. —The Art of War, Sun Tzu Computer Security Concepts Before the widespread use of data processing equipment, the security of information valuable to an organization was provided primarily by physical and administrative means With the introduction of the computer, the need for automated tools for protecting files and other information stored on the computer became evident Another major change that affected security is the introduction of distributed systems and the use of networks and communications facilities for carrying data between terminal user and computer and between computer and computer Computer security The generic name for the collection of tools designed to protect data and to thwart hackers internet security (lower case “i” refers to any interconnected collection of network) Consists of measures to deter, prevent, detect, and correct security violations that involve the transmission of information Computer Security “The protection afforded to an automated information system in order to attain the applicable The NIST Computer Security objectives of preserving the Handbook defines the term integrity, availability, and computer security as: confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications)” Computer Security Objectives Confidentiality Data confidentiality Assures that private or confidential information is not made available or disclosed to unauthorized individuals Privacy Assures that individuals control or influence what information related to them may be collected and stored and by whom and to whom that information may be disclosed Computer Security Objectives Integrity Data integrity Assures that information and programs are changed only in a specified and authorized manner System integrity Assures that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system Computer Security Objectives Availability Assures that systems work promptly and service is not denied to authorized users CIA Triad Possible additional concepts: Authenticity Accountability Verifying that users are The security goal that who they say they are and generates the that each input arriving at requirement for actions of the system came from a an entity to be traced trusted source uniquely to that entity Breach of Security Levels of Impact The loss could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational High assets, or individuals The loss could be expected to have a serious adverse effect on organizational operations, Moderate organizational assets, or individuals The loss could be expected to have a limited adverse effect on organizational operations, Low organizational assets, or individuals Examples of Security Requirements Confidentiality Integrity Availability Patient information stored in Student grade information is an The more critical a component asset whose confidentiality is a database – inaccurate or service, the higher the level of considered to be highly information could result in availability required important by students serious harm or death to a patient and expose the hospital to massive liability A moderate availability Regulated by the Family requirement is a public Web A Web site that offers a forum to site for a university Educational Rights and registered users to discuss some Privacy Act (FERPA) specific topic would be assigned a moderate level of integrity An online telephone directory lookup application would be An example of a low-integrity classified as a low-availability requirement is an anonymous requirement online poll Computer Security Challenges Security is not simple Security mechanisms typically involve Potential attacks on the security more than a particular algorithm or features need to be considered protocol Procedures used to provide particular Security is essentially a battle of wits services are often counter-intuitive between a perpetrator and the designer It is necessary to decide where to use Little benefit from security investment is the various security mechanisms perceived until a security failure occurs Requires constant monitoring Strong security is often viewed as an Is too often an afterthought impediment to efficient and user-friendly operation OSI Security Architecture Security attack Any action that compromises the security of information owned by an organization Security mechanism A process (or a device incorporating such a process) that is designed to detect, prevent, or recover from a security attack Security service A processing or communication service that enhances the security of the data processing systems and the information transfers of an organization Intended to counter security attacks, and they make use of one or more security mechanisms to provide the service Table 1.1 Threats and Attacks (RFC 4949) Threats A potential for violation of security, which exists when there is a circumstances, capability, action, or event that would breach security and cause harm. Security Attacks A means of classifying security attacks, used both in X.800 and RFC 4949, is in terms of passive attacks and active attacks A passive attack attempts to learn or make use of information from the system but does not affect system resources An active attack attempts to alter system resources or affect their operation Passive Attacks Are in the nature of eavesdropping on, or monitoring of, transmissions The goal of the opponent is to obtain information that is being transmitted Two types of passive attacks are: - The release of message contents - Traffic analysis Active Attacks Masquerade Takes place when one entity pretends to be a different entity Usually includes one of the other Involve some modification of the forms of active attack data stream or the creation of a false stream Involves the passive capture of a data Difficult to prevent because of the unit and its subsequent Replay retransmission to produce an wide variety of potential physical, software, and network unauthorized effect vulnerabilities Goal is to detect attacks and to Some portion of a legitimate message recover from any disruption or Modification is altered, or messages are delayed or delays caused by them of messages reordered to produce an unauthorized effect Prevents or inhibits the normal use or Denial of management of communications service facilities Security Services Defined by X.800 as: A service provided by a protocol layer of communicating open systems and that ensures adequate security of the systems or of data transfers Defined by RFC 4949 as: A processing or communication service provided by a system to give a specific kind of protection to system resources X.800 Service Categories Authentication Access control Data confidentiality Data integrity Nonrepudiation Table 1.2 Security Services (X.800) (This table is found on page 12 in the textbook) Authentication Concerned with assuring that a communication is authentic - In the case of a single message, assures the recipient that the message is from the source that it claims to be from - In the case of ongoing interaction, assures the two entities are authentic and that the connection is not interfered with in such a way that a third party can masquerade as one of the two legitimate parties Two specific authentication services are defined in X.800: Peer entity authentication Data origin authentication Access Control The ability to limit and control the access to host systems and applications via communications links To achieve this, each entity trying to gain access must first be indentified, or authenticated, so that access rights can be tailored to the individual Data Confidentiality The protection of transmitted data from passive attacks Broadest service protects all user data transmitted between two users over a period of time Narrower forms of service include the protection of a single message or even specific fields within a message The protection of traffic flow from analysis This requires that an attacker not be able to observe the source and destination, frequency, length, or other characteristics of the traffic on a communications facility Data Integrity Can apply to a stream of messages, a single message, or selected fields within a message Connection-oriented integrity service deals with a stream of messages and assures that messages are received as sent with no duplication, insertion, modification, reordering, or replays A connectionless integrity service deals with individual messages without regard to any larger context and generally provides protection against message modification only Nonrepudiation Prevents either sender or receiver from denying a transmitted message When a message is sent, the receiver can prove that the alleged sender in fact sent the message When a message is received, the sender can prove that the alleged receiver in fact received the message Availability service Availability The property of a system or a system resource being accessible and usable upon demand by an authorized system entity, according to performance specifications for the system Availability service One that protects a system to ensure its availability Addresses the security concerns raised by denial-of-service attacks Depends on proper management and control of system resources Table 1.3 Security Mechanisms (X.800) (This table is found on page 15 in the textbook) Model for Network Security Network Access Security Model Unwanted Access Programs can present Placement in a computer two kinds of threats: system of logic that exploits vulnerabilities in the system and that can affect application Information access Service threats threats programs as well as utility programs Intercept or modify Exploit service flaws data on behalf of in computers to users who should not inhibit use by have access to that legitimate users data standards NIST National Institute of Standards and Technology U.S. federal agency that deals with measurement science, standards, and technology related to U.S. government use and to the promotion of U.S. private-sector innovation NIST Federal Information Processing Standards (FIPS) and Special Publications (SP) have a worldwide impact ISOC Internet Society Professional membership society with worldwide organizational and individual membership Provides leadership in addressing issues that confront the future of the Internet Is the organization home for the groups responsible for Internet infrastructure standards, including the Internet Engineering Task Force (IETF) and the Internet Architecture Board (IAB) Internet standards and related specifications are published as Requests for Comments (RFCs) Summary Computer security concepts Security services Definition Authentication Examples Access control Challenges Data confidentiality Data integrity The OSI security architecture Nonrepudiation Availability service Security attacks Security mechanisms Passive attacks Active attacks Model for network security Standards

Network Security Essentials, Fifth Edition PDF

Document Details

Tags

Related

Summary

Full Transcript