Network Security:

An Overview

Presented By:

Dr. S. S. Bedi
Department of CSIT,
MJP Rohilkhsnd University, Bareilly

Dr. S. S. Bedi 1
 READER’S GUIDE
The art of war teaches us to rely not on the
likelihood of the enemy's not coming, but on
our own readiness to receive him; not on the
chance of his not attacking, but rather on the
fact that we have made our position
unassailable.

—The Art of War, Sun Tzu

Dr. S. S. Bedi 2
 READER’S GUIDE

Do not figure on opponents not attacking;

worry about your own lack of preparation.

-- Book of the Five Rings

Dr. S. S. Bedi 3
 WHAT IS SECURITY?
 “The quality or state of being secure--to be free from
danger”.
 To be protected from adversaries.
 A successful organization should have multiple layers of
security in place:
– Physical security
– Personal security
– Operations security
– Communications security
– Network security Dr. S. S. Bedi 4
 BACKGROUND

 Information Security requirements have changed in

recent times.
 Traditionally provided by physical and administrative
mechanisms.
 Computer use requires automated tools to protect files
and other stored information.
 Use of networks and communications links requires
measures to protect data during transmission.

Dr. S. S. Bedi 5
 DEFINITIONS

 Computer Security - generic name for the collection of

tools designed to protect data and to thwart hackers.
 Network Security - measures to protect data during
their transmission.
 Internet Security - measures to protect data during
their transmission over a collection of interconnected
networks.

Dr. S. S. Bedi 6
 WHAT IS INFORMATION SECURITY?

 The protection of information and its critical elements,

including the systems and hardware, software that use,
store, and transmit that information.
 Tools, such as policy, awareness, training, education,
and technology are necessary.
 The C.I.A. triangle was the standard based on
confidentiality, integrity, and availability.
 The C.I.A. triangle has expanded into a list of critical
characteristics of information.
Dr. S. S. Bedi 7
KEY SECURITY CONCEPTS

Dr. S. S. Bedi 8
Figure 1-3 – NSTISSC Security
Model

Dr. S. S. Bedi Slide 9

 LEVELS OF IMPACT

 Can define 3 levels of impact from a security breach

– Low

– Moderate

– High

Dr. S. S. Bedi 10
 LOW IMPACT
 The loss could be expected to have a limited adverse effect on
organizational operations, organizational assets, or individuals.
 A limited adverse effect means that, for example, the loss of
confidentiality, integrity, or availability might.
– (i) cause a degradation in mission capability to an extent
and duration that the organization is able to perform its
primary functions, but the effectiveness of the functions is
noticeably reduced;
– (ii) result in minor damage to organizational assets;
– (iii) result in minor financial loss; or
– (iv) result in minor harm to individuals.
Dr. S. S. Bedi 11
 MODERATE IMPACT
 The loss could be expected to have a serious adverse effect
on organizational operations, organizational assets, or
individuals.
 A serious adverse effect means that, for example, the loss
might
– (i) cause a significant degradation in mission capability to
an extent and duration that the organization is able to
perform its primary functions, but the effectiveness of the
functions is significantly reduced;
– (ii) result in significant damage to organizational assets;
– (iii) result in significant financial loss; or
– (iv) result in significant harm to individuals that does not
involve loss of life or serious, life-threatening injuries.
Dr. S. S. Bedi 12
 HIGH IMPACT
 The loss could be expected to have a severe or catastrophic
(causing sudden great damage) adverse effect on organizational operations,

organizational assets, or individuals.

 A severe or catastrophic adverse effect means that, for
example, the loss might
– (i) cause a severe degradation in or loss of mission
capability to an extent and duration that the organization is
not able to perform one or more of its primary functions;
– (ii) result in major damage to organizational assets;
– (iii) result in major financial loss; or
– (iv) result in severe or catastrophic harm to individuals
involving loss of life or serious life threatening injuries.
Dr. S. S. Bedi 13
 COMPUTER SECURITY CHALLENGES
1. Not simple – easy to get it wrong.
2. Must consider potential attacks.
3. Procedures used counter instinctive.
4. Involve algorithms and secret information.
5. Must decide where to deploy mechanisms.
6. Battle of wits between attacker/administrator.
7. Not perceived on benefit until fails.
8. Requires regular monitoring a process, not an event.
9. Too often an after-thought.
10. Regarded as impediment (hindrance) to using system
“Unusable security is not secure”.
Dr. S. S. Bedi 14
 OSI SECURITY ARCHITECTURE
 ITU-T X.800 “Security Architecture for OSI”

 defines a systematic way of defining and providing

security requirements

 for us it provides a useful, if abstract, overview of

concepts we will study

Dr. S. S. Bedi 15
 ASPECTS OF SECURITY
 Need systematic way to define requirements.
 Consider 3 aspects of information security:
– Security attack
– Security mechanism (control)
– Security service
 note terms
– Threat: a potential for violation of security.
– Vulnerability: a way by which loss can happen.
– Attack: an assault on system security, a deliberate
attempt to evade (avoid something especially by trickery) security services.
Dr. S. S. Bedi 16
SECURITY ATTACKS

Dr. S. S. Bedi 17
 SECURITY ATTACK

 Any action that compromises the security of information

owned by an organization

 Information security is about how to prevent attacks, or

failing that, to detect attacks on information-based
systems.

 Have a wide range of attacks

 Can focus of generic types of attacks

 Note: often threat & attack mean same

Dr. S. S. Bedi 18
 TYPES OF SECURITY ATTACKS

 Passive attacks - eavesdropping (secretly listen to a conversation)

on, or monitoring of, transmissions to:

– obtain message contents, or
– monitor traffic flows
 Active attacks – modification of data stream
to:
– masquerade (false show) of one entity as some other
– replay previous messages
– modify messages in transit
– denial of service Dr. S. S. Bedi 19
Types of Attacks

Dr. S. S. Bedi 20
Passive Attack - Interception

Dr. S. S. Bedi 21
Passive Attack: Traffic Analysis

Observe traffic pattern

Dr. S. S. Bedi 22
Active Attack: Interruption

Block delivery of message

Dr. S. S. Bedi 23
Active Attack: Fabrication

Fabricate message

Dr. S. S. Bedi 24
Active Attack: Replay

Dr. S. S. Bedi 25
Active Attack: Modification

Modify message

Dr. S. S. Bedi 26
 HANDLING ATTACKS

– Passive attacks – focus on Prevention

 Easy to stop

 Hard to detect

– Active attacks – focus on Detection and Recovery

 Hard to stop

 Easy to detect

Dr. S. S. Bedi 27
SECURITY MECHANISM

Dr. S. S. Bedi 28
 SECURITY MECHANISM

 A mechanism that is designed to detect, prevent, or

recover from a security attack.

 No single mechanism that will support all functions

required

 However one particular element underlies many of the

security mechanisms in use: cryptographic
techniques.
Dr. S. S. Bedi 29
 SECURITY MECHANISMS (X.800)

 specific security mechanisms:

– Encipherment, digital signatures, access controls,

data integrity, authentication exchange, traffic
padding, routing control, notarization

 pervasive security mechanisms:

– trusted functionality, security labels, event detection,

security audit trails, security recovery.

Dr. S. S. Bedi 30
SECURITY SERVICES

Dr. S. S. Bedi 31
 SECURITY SERVICE

– Is something that enhances the security of the data

processing systems and the information transfers of
an organization.
– Intended to counter security attacks.
– Make use of one or more security mechanisms to
provide the service.
– Replicate functions normally associated with physical
documents
 eg. have signatures, dates; need protection from
disclosure, tampering, or destruction; be notarized
or witnessed; be recorded
Dr. S. S. Bedi or licensed. 32
 SECURITY SERVICES
 X.800:
“a service provided by a protocol layer of
communicating open systems, which ensures
adequate security of the systems or of data
transfers”.

 RFC 2828:
“a processing or communication service
provided by a system to give a specific kind of
protection to system resources”.

Dr. S. S. Bedi 33
 SECURITY SERVICES (X.800)
X.800 defines it in 5 major categories:

 Authentication - assurance that the communicating entity is

the one claimed.
 Access Control - prevention of the unauthorized use of a
resource.
 Data Confidentiality –protection of data from unauthorized
disclosure.
 Data Integrity - assurance that data received is as sent by
an authorized entity.
 Non-Repudiation - protection against denial by one of the
parties in a communication.
Dr. S. S. Bedi 34
 EXAMPLES OF SECURITY
REQUIREMENTS

 Confidentiality – student grades.

 Integrity – patient information.

 Availability – authentication service.

 Authenticity – admission ticket.

 Non-repudiation – stock sell order.

Dr. S. S. Bedi 35
MODEL FOR NETWORK
SECURITY

Dr. S. S. Bedi 36
Model for Network Security

Dr. S. S. Bedi 37
MODEL FOR NETWORK SECURITY

 using this model requires us to:

1. Design a suitable algorithm for the security
transformation.
2. Generate the secret information (keys) used by the
algorithm.
3. Develop methods to distribute and share the secret
information.
4. Specify a protocol enabling the principals to use the
transformation and secret information for a security
service. Dr. S. S. Bedi 38
 MODEL FOR NETWORK ACCESS
SECURITY
 using this model requires us to:
1. select appropriate gatekeeper functions to identify
users
2. implement security controls to ensure only
authorised users access designated information or
resources
 note that model does not include:
1. monitoring of system for successful penetration
2. monitoring of authorized users for misuse
3. audit logging for forensic uses, etc.

Dr. S. S. Bedi 39
Model for Network Access Security

Dr. S. S. Bedi 40
 SUMMARY

 Topic roadmap & standards organizations

 Security concepts:

– confidentiality, integrity, availability

 X.800 security architecture

 Security attacks, services, mechanisms

 Models for network (access) security

Dr. S. S. Bedi 41
 STANDARDS ORGANIZATIONS

 National Institute of Standards & Technology (NIST)

 Internet Society (ISOC)

 International Telecommunication Union

Telecommunication Standardization Sector (ITU-T)

 International Organization for Standardization (ISO)

 RSA Labs (de facto) Dr. S. S. Bedi 42

 REFERENCES
 Cryptography and Network Security, Principles and Practices; Third Edition, By:

William Stalling,

 Network Security, Private Communication in a Public Network, Second

Edition, By: Charlie Kaufman, R. Perlman, and Mike Speciner.

 Applied Cryptography, Second Edition, By: Bruce Schneier.

Dr. S. S. Bedi 43