View
241
Download
0
Category
Preview:
Citation preview
8/10/2019 Ch01 NetSec5e.pptx
1/31
Network SecurityEssentials
Fifth Edition
by William Stallings
8/10/2019 Ch01 NetSec5e.pptx
2/31
Chapter 1Introduction
8/10/2019 Ch01 NetSec5e.pptx
3/31
The combination of space, time, and strength that must beconsidered as the basic elements of this theory ofdefense makes this a fairly complicated matter.Consequently, it is not easy to find a fixed point of
departure.
On War, Carl Von Clausewitz
The art of war teaches us to rely not on the likelihood of theenemy's not coming, but on our own readiness to receivehim; not on the chance of his not attacking, but rather onthe fact that we have made our position unassailable.
The Art of War, Sun Tzu
8/10/2019 Ch01 NetSec5e.pptx
4/31
Computer Security Concepts
Before the widespread use of data processing equipment, the security ofinformation valuable to an organization was provided primarily by physicaland administrative means
With the introduction of the computer, the need for automated tools forprotecting files and other information stored on the computer became
evident
Another major change that affected security is the introduction ofdistributed systems and the use of networks and communications facilitiesfor carrying data between terminal user and computer and betweencomputer and computer
Computer security The generic name for the collection of tools designed to protect data and to
thwart hackers
internet security (lower case i refers to any interconnected collection ofnetwork)
Consists of measures to deter, prevent, detect, and correct security violations
that involve the transmission of information
8/10/2019 Ch01 NetSec5e.pptx
5/31
Computer
Security
The protection afforded
to an automated
information system inorder to attain the
applicable objectives of
preserving the integrity,
availability, andconfidentiality of
information system
resources (includes
hardware, software,
firmware,
information/data, and
telecommunications)
The NIST Computer
Security Handbookdefines
the term computer security
as:
8/10/2019 Ch01 NetSec5e.pptx
6/31
Computer Security
Objectives
Data confidentiality Assures that private or confidential information is not made available or
disclosed to unauthorized individuals
Privacy Assures that individuals control or influence what information related to them
may be collected and stored and by whom and to whom that information maybe disclosed
Confidentiality
Data integrity Assures that information and programs are changed only in a specified and
authorized manner
System integrity Assures that a system performs its intended function in an unimpaired manner,
free from deliberate or inadvertent unauthorized manipulation of the system
Integrity
Assures that systems work promptly and service is not denied to
authorized users
Availability
8/10/2019 Ch01 NetSec5e.pptx
7/31
CIA Triad
8/10/2019 Ch01 NetSec5e.pptx
8/31
Possible additional concepts:
Authenticity Verifying that users
are who they saythey are and thateach input arriving atthe system camefrom a trusted source
Accountability The security goal
that generates therequirement foractions of an entity tobe traced uniquely tothat entity
8/10/2019 Ch01 NetSec5e.pptx
9/31
Breach of Security
Levels of Impact
The loss could be expected to have a severe orcatastrophic adverse effect on organizationaloperations, organizational assets, or individuals
High
The loss could be expected to have aserious adverse effect onorganizational operations,organizational assets, or individuals
Moderate
The loss could beexpected to have a limitedadverse effect onorganizational operations,organizational assets, orindividuals
Low
8/10/2019 Ch01 NetSec5e.pptx
10/31
Examples of Security
Requirements
Confidentiality
Student gradeinformation is an assetwhose confidentiality isconsidered to be highlyimportant by students
Regulated by the FamilyEducational Rights and
Privacy Act (FERPA)
Integrity
Patient informationstored in a databaseinaccurate informationcould result in serious
harm or death to apatient and expose the
hospital to massiveliability
A Web site that offers aforum to registered usersto discuss some specifictopic would be assigned
a moderate level ofintegrity
An example of a low-integrity requirement is an
anonymous online poll
Availability
The more critical acomponent or service,the higher the level ofavailability required
A moderate availability
requirement is a publicWeb site for a university
An online telephonedirectory lookup
application would beclassified as a low-
availability requirement
8/10/2019 Ch01 NetSec5e.pptx
11/31
Computer Security
Challenges
Security is not simple
Potential attacks on thesecurity features need to beconsidered
Procedures used to provideparticular services are oftencounter-intuitive
It is necessary to decidewhere to use the various
security mechanisms
Requires constantmonitoring
Is too often an afterthought
Security mechanismstypically involve more than aparticular algorithm orprotocol
Security is essentially abattle of wits between aperpetrator and the designer
Little benefit from securityinvestment is perceived untila security failure occurs
Strong security is oftenviewed as an impediment toefficient and user-friendlyoperation
8/10/2019 Ch01 NetSec5e.pptx
12/31
OSI Security Architecture
Security attack
Any action that compromises the security of informationowned by an organization
Security mechanism A process (or a device incorporating such a process) that is
designed to detect, prevent, or recover from a security attack
Security service
A processing or communication service that enhances thesecurity of the data processing systems and the informationtransfers of an organization
Intended to counter security attacks, and they make use ofone or more security mechanisms to provide the service
8/10/2019 Ch01 NetSec5e.pptx
13/31
Table 1.1Threats and Attacks (RFC 4949)
8/10/2019 Ch01 NetSec5e.pptx
14/31
Security Attacks
A means of classifying securityattacks, used both in X.800 and RFC
4949, is in terms ofpassive attacks
and active attacks
Apassive attack attempts to learnor make use of information from the
system but does not affect system
resources
An active attack attempts to altersystem resources or affect their
operation
8/10/2019 Ch01 NetSec5e.pptx
15/31
Passive Attacks
Two types of passive
attacks are:
The release of messagecontents
Traffic analysis
Are in the nature ofeavesdropping on, or
monitoring of,
transmissions
Goal of the opponent is to
obtain information that isbeing transmitted
8/10/2019 Ch01 NetSec5e.pptx
16/31
Active Attacks
Involve some modification of the
data stream or the creation of a
false stream
Difficult to prevent because of
the wide variety of potential
physical, software, and network
vulnerabilities
Goal is to detect attacks and to
recover from any disruption or
delays caused by them
Takes place when one entitypretends to be a different entity
Usually includes one of the otherforms of active attack
Masquerade
Involves the passive capture of adata unit and its subsequentretransmission to produce anunauthorized effect
Replay
Some portion of a legitimatemessage is altered, or messages
are delayed or reordered toproduce an unauthorized effect
Modification
of messages
Prevents or inhibits the normal useor management ofcommunications facilities
Denial ofservice
8/10/2019 Ch01 NetSec5e.pptx
17/31
Security Services
Defined by X.800 as:A service provided by a protocol layer of communicatingopen systems and that ensures adequate security of the
systems or of data transfers
Defined by RFC 4949 as:
A processing or communication service provided by asystem to give a specific kind of protection to systemresources
8/10/2019 Ch01 NetSec5e.pptx
18/31
X.800 Service Categories
Authentication
Access control
Data confidentiality
Data integrity
Nonrepudiation
8/10/2019 Ch01 NetSec5e.pptx
19/31
Table 1.2
Security
Services(X.800)
(This table is found on
page 12 in the textbook)
8/10/2019 Ch01 NetSec5e.pptx
20/31
8/10/2019 Ch01 NetSec5e.pptx
21/31
Access Control
The ability to limit and control the access to host
systems and applications via communications links
To achieve this, each entity trying to gain accessmust first be indentified, or authenticated, so that
access rights can be tailored to the individual
8/10/2019 Ch01 NetSec5e.pptx
22/31
Data Confidentiality
The protection of transmitted data from passive attacks
Broadest service protects all user data transmitted between
two users over a period of time
Narrower forms of service include the protection of a singlemessage or even specific fields within a message
The protection of traffic flow from analysis
This requires that an attacker not be able to observe the
source and destination, frequency, length, or othercharacteristics of the traffic on a communications facility
8/10/2019 Ch01 NetSec5e.pptx
23/31
Data Integrity
Can apply to a stream of messages, a singlemessage, or selected fields within a message
Connection-oriented integrity service deals with astream of messages and assures that messages
are received as sent with no duplication,insertion, modification, reordering, or replays
A connectionless integrity service deals withindividual messages without regard to any largercontext and generally provides protection against
message modification only
8/10/2019 Ch01 NetSec5e.pptx
24/31
Nonrepudiation
Prevents either sender or receiver from denying a
transmitted message
When a message is sent, the receiver can prove that
the alleged sender in fact sent the message
When a message is received, the sender can prove
that the alleged receiver in fact received the
message
8/10/2019 Ch01 NetSec5e.pptx
25/31
Availability service
Availability
The property of a system or a system resource beingaccessible and usable upon demand by an authorizedsystem entity, according to performance specifications
for the system
Availability service
One that protects a system to ensure its availability
Addresses the security concerns raised by denial-of-service attacks
Depends on proper management and control ofsystem resources
8/10/2019 Ch01 NetSec5e.pptx
26/31
Table 1.3
Security
Mechanisms(X.800)
(This table is found on
page 15 in the textbook)
8/10/2019 Ch01 NetSec5e.pptx
27/31
Model for Network Security
N t k A S it
8/10/2019 Ch01 NetSec5e.pptx
28/31
Network Access Security
Model
8/10/2019 Ch01 NetSec5e.pptx
29/31
Unwanted Access
Placement in a computersystem of logic that exploits
vulnerabilities in the system
and that can affect
application programs aswell as utility programs
Programs canpresent two kinds of
threats:
Information accessthreats
Intercept or modifydata on behalf ofusers who shouldnot have access to
that data
Service threats
Exploit serviceflaws in computers
to inhibit use bylegitimate users
8/10/2019 Ch01 NetSec5e.pptx
30/31
standards
NIST
National Institute of Standards
and Technology
U.S. federal agency that dealswith measurement science,
standards, and technology related
to U.S. government use and to the
promotion of U.S. private-sector
innovation
NIST Federal Information
Processing Standards (FIPS) and
Special Publications (SP) have a
worldwide impact
ISOC
Internet Society
Professional membership society
with worldwide organizational andindividual membership
Provides leadership in addressingissues that confront the future ofthe Internet
Is the organization home for the
groups responsible for Internetinfrastructure standards, includingthe Internet Engineering TaskForce (IETF) and the Internet
Architecture Board (IAB)
Internet standards and relatedspecifications are published as
Requests for Comments (RFCs)
8/10/2019 Ch01 NetSec5e.pptx
31/31
Summary
Computer security
concepts
Definition
Examples
Challenges
The OSI security
architecture
Security attacks Passive attacks
Active attacks
Security services
Authentication
Access control
Data confidentiality
Data integrity
Nonrepudiation
Availability service
Security mechanisms
Model for network security
Standards
Recommended