Internet Security

Internet Security

Main Menu 1 of 38
Internet Security

Objective
At the end of this chapter, students will be able to
appreciate the cost and value of information stored
on a network, and will also understand the concept
of network security and the various measures/tools
that can be used to enhance network security.

Main Menu 2 of 38
Internet Security

Scope
 Price for Data Loss
 Introduction to Network Security
 Basic Network Security Concepts
 Security Policy
 Authentication
 Non-Repudiation
 Integrity
 Confidentiality and Access Control
 Two Approaches to security
Main Menu 3 of 38
Internet Security

Scope
 Tools for different layers
 Risk Management
 Internet Security Toolkit
 Encryption
 Some Elementary Security Tips
 Conclusion-What should I do

Main Menu 4 of 38
Internet Security

The Price of Data Loss

 Whenever there is a successful malicious attack on a
computer system valuable data is either lost and/or
compromised.
 Loss of data also occurs during system failures and
disk crashes and the precautions to be taken against
them have already been covered in an earlier section.
 The consequences of lost data are at best, lost time,
and at worst, the disappearance of irrecoverable and
valuable mission critical data .

Main Menu 5 of 38
Internet Security

The Price of Data Loss

 The consequence of a data loss can be measured in
many other ways, including :
 Lost Intelligence -- Some key data, such as the data
elements and results of an extensive research project
are priceless and the loss is irreplaceable.
 Lost Revenue -- The loss of desktop systems
supporting on line transactions can easily translate
into lost business revenue, as agents are unable to
fulfill customer orders or requests.
 Lost Productivity and Worker Inefficiency --
Employees who need to spend frustrating time
recovering or recreating lost data are treading old
ground in a highly unproductive effort.
Main Menu 6 of 38
Internet Security

The Price of Data Loss

 Lost Opportunity -- Lost productivity translates into
lost opportunity as workers fail to capitalize on
business possibilities because they are tied up
recovering from system failures.
 Unanticipated Expense -- One great frustration on
the part of management is incurring unexpected
costs due to system failures. These often result in
delays to important system upgrades or other
sidetracking of important projects put on hold for
lack of budget.

Main Menu 7 of 38
Internet Security

Introduction to N/W Security

 Network security is a contradiction in terms, like the
classic references to Jumbo Shrimp and Military
Intelligence .
 True security can only be achieved when the
information is isolated, locked in a safe, surrounded
by guards, dogs and fences, and rendered inaccessible.
 Some would argue that even then, there is not absolute
security .

Main Menu 8 of 38
Internet Security

Basic Network Security Concepts

 A good place to begin is by defining the basic
concepts involved in securing any object. The key
words in the security lexicon are vulnerability, threat,
attack, and countermeasure.
 Vulnerability is the susceptibility of a situation to
being compromised. It is a potential, a possibility, a
weakness, an opening.
 A Threat is an action or tool, which can exploit and
expose vulnerability and therefore compromise the
integrity of a given system.
Main Menu 9 of 38
Internet Security

Basic Network Security Concepts

 An Attack defines the details of how a particular
threat could be used to exploit vulnerability. It is
entirely possible that situations could exist where
vulnerabilities are known and threats are developed .
 Countermeasures are those actions taken to protect
systems from attacks, which threaten specific
vulnerabilitie.

Main Menu 10 of 38
Internet Security

Security Policy
 Develop security requirements based on an analysis
of the organization's mission, the information at risk,
the threats to that information and the implications
of any successful attacks.
 Appoint a security officer and delineate clearly the
required job responsibilities and skills.
 Define appropriate security services and
mechanisms and allocate them to components of the
company's IT systems.

Main Menu 11 of 38
Internet Security

Security Policy
 Identify different measures of security appropriate
for each level.
 Remember that security is not only technology;
physical security and procedural security are as
important as the technology used.
 Identify users who should have access to each level
of security.

Main Menu 12 of 38
Internet Security

Authentication
 A primary tool in securing any computer system is
the ability to recognize and verify the identity of
users. This security feature is known as
authentication.
 Traditionally, special names and secret passwords
have been used to authenticate users, but as the
anecdote above demonstrates, the password is only
as good as the users' ability to keep it secret and
protect it from being abused by unauthorized users.
 There are three generally accepted techniques for
authenticating users to host machines.

Main Menu 13 of 38
Internet Security

Authentication
 Authentication by something the user knows.
This is the password/username concept described
above. There are two common approaches to
password authentication, known as PAP and
CHAP .
 Authentication by something the user has. In this
technique, the user is given some kind of token,
such as a magnetic stripe card, key, or in
sophisticated cases the user has a smart card
equipped with a computer chip which can generate
an encrypted code back to the computer system.
Main Menu 14 of 38
Internet Security

Authentication
 Authentication by physical characteristics. Here,
the mechanism is to recognize some measure of the
individual, which ostensibly cannot be duplicated.
Biometric techniques such as fingerprint ID, palm
print ID, retinal scan, manual and digital signature,
or voice recognition are used to validate the identity
of the potential user.

Main Menu 15 of 38
Internet Security

Non-Repudiation
 This security concept protects against the sender or
receiver denying that they sent or received certain
communications .
 For example, when a person sends a certified or
registered letter via the United States Postal Service
(USPS), the recipient is supposed to prove his or her
identity to the delivery person, and then confirm
their receipt by signing a form.
 The signed form is then returned to the sender,
which proves to the sender that their correspondence
was delivered. Main Menu 16 of 38
Internet Security

Non-Repudiation
 This prevents the recipient (for example a debtor)
from claiming that they never received the
correspondence (for example a demand note) and
therefore using that as an excuse for their actions
(not paying the debt).
 In computer networks, these kinds of services are
also available, and are becoming increasingly
valuable as commerce on the Internet continues to
gain in popularity.

Main Menu 17 of 38
Internet Security

Non-Repudiation
 There are three different types of non-repudiation
services that are applicable in computer network
messaging:
 Non-repudiation of Delivery Service,
 Non-repudiation of Origin Service, and
 Non-repudiation of Submission Service.

Main Menu 18 of 38
Internet Security

Integrity
 Integrity refers to the completeness and fidelity of
the message as it passes through the network.
 The key here is making sure that the data passes
from the source to the destination without
undetected alteration. Note the use of the word
"undetected" .
 We may not be able to thwart someone from
tapping out messages and attempting to modify them
as they move through the network .

Main Menu 19 of 38
Internet Security

Integrity
 If the order of transmitted data also is ensured, the
service is termed connection-oriented integrity. The
term anti-replay refers to a minimal form of
connection-oriented integrity designed to detect and
reject duplicated or very old data units.

Main Menu 20 of 38
Internet Security

Confidentiality and Access Control

 Confidentiality is a security property that ensures
that data is disclosed only to those authorized to use
it, and that it is not disclosed to unauthorized parties.
 The key point behind ensuring the confidentiality of
information on the network is to deny information to
anyone who is not specifically authorized to see it or
use it .
 Encryption is a frequently used mechanism for
guaranteeing confidentiality, since only those
recipients who have access to the decrypting key are
able to decode the messages

Main Menu 21 of 38
Internet Security

Approaches to Security
 Over time, two distinct approaches have evolved to
applying security countermeasures: network coupled
security and application coupled security .
 As the names imply, the first philosophy favors the
use of securing the network infrastructure, while the
second builds security into the applications
themselves.
Network Coupled Security
 In a Network coupled scheme, the focus is to make
the network itself a trusted and secure subsystem so
that the applications can assume the data being
transmitted is safe .
Main Menu 22 of 38
Internet Security

Approaches to Security
Application Coupled Security
 Proponents of this scheme argue that the application
knows best what kind of security is required for that
application. Therefore, control of the security
aspects should rest in the application layer .
 To these proponents, the need to create security
aware applications is not a disadvantage, but rather a
natural and reasonable consequence of the need to
apply security at that level .
 Similarly, the potential for interoperability issues is
seen as a flexibility advantage to the proponents of
application- coupled security .
Main Menu 23 of 38
Internet Security

Tools for Different Layers

 There is no shortage of technology available to
secure an organization's Internet connections. More
appropriate questions have to do with which tools to
use at which layers to effect the secure
communications .
 Early on, router manufacturers recognized the key
role they could play in this endeavor, and have
placed filtering capabilities in their products to
establish a primary front line of defense. A router's
ability to examine and discriminate network traffic
based on the IP packet addresses is known as a
"screening router”. Main Menu 24 of 38
Internet Security

Tools for Different Layers

 Some advanced routers provide the capability to
screen packets based upon other criteria such as the
type of protocol (http, ftp, udp), the source address,
and the destination address fields for a particular
type of protocol.
 This way, a communications manager can build
"profiles" of users who are allowed access to
different applications based on the protocols.

Main Menu 25 of 38
Internet Security

Risk Management
 Network security is all about managing risks and
using this risk management analysis to provide
appropriate security at an affordable price.
Assessment of Major Threats to a Network
 Risks can be characterized by two criteria: the

likelihood that a particular attack will be successful,

and the consequences of the results if the attack is
successful .
 Security costs money, and therefore we must use

that money wisely and only spend it where there is a

real likelihood of significant damage.
Main Menu 26 of 38
Internet Security

Internet Security Toolkit

Firewalls
 A firewall is a device or software application, which
serves as a flexible barrier which sits between the
computers on your internal network and the outside
world (i.e. the Internet).
 Firewalls apply a set of rules to decide who gets to
connect to which machines and what services they
are authorized to use .
 A firewall, when set up properly, provides an
excellent means for protecting your network and the
machines connected to it from intrusion.
Main Menu 27 of 38
Internet Security

Internet Security Toolkit

 A firewall's primary purpose is to prevent outside
users from accessing machines other than those set
up for public access (i.e. your webserver, FTP
servers, etc).
 They do this using several different tools like packet
filtering, client access lists, server access lists, user
authentication, address obfuscation etc.

Main Menu 28 of 38
Internet Security

Internet Security Toolkit

Packet Filtering
 here the firewall discards data before it ever reaches
a particular machine. For example, you might want
to deny access to a specific machine from outside
your local area network .
 Using packet filtering, you tell the firewall to discard
all packets destined to a specific machine .

Main Menu 29 of 38
Internet Security

Internet Security Toolkit

 Packet filtering is probably the easiest way to secure
your Internet connection. What you do here is to
permit certain services to cross your LAN Internet
connection (i.e. email, HTTP/worldwide web, IP
phone calls, etc), while blocking connections to
services such as FTP, TFTP, Telnet, etc .
 The general rule of thumb used is to deny access to
everything except for common services such as web
access, email, etc, and then allow other types of
traffic to pass through upon request.

Main Menu 30 of 38
Internet Security

Internet Security Toolkit

Client Access Lists
 here the firewall is given a list of client PCs (outside
IP addresses) which may access machines) on your
LAN.
 This is a useful tool for securing a network. This
technique allows you to grant restricted or
unrestricted access to all or part of your LAN based
on the IP address of the outside party .

Main Menu 31 of 38
Internet Security

Internet Security Toolkit

Server Access Lists
 here the firewall is given a list of servers which can

be accessed from outside your LAN This is a

variation of packet filtering. Here you are defining a
list of servers which can be accessed from outside
your office.
 This makes it relatively easy to declare certain

workstations verboten, and even to conceal their

existence from the outside network.

Main Menu 32 of 38
Internet Security

Internet Security Toolkit

User Authentication
 here the firewall prompts outside users for a user

name and password, and has an opportunity to grant

or deny access to services on your network.
 User authentication is a useful tool in environments

where it is not practical to globally block access to

specific workstations or services.

Main Menu 33 of 38
Internet Security

Internet Security Toolkit

Address Obfuscation
 here the firewall masks the IP addresses of your
internal machines and makes them appear to outside
users to be on different IP addresses.
 This makes it very difficult for hackers to access
these machines without knowing what their real IP
addresses are. This is a great example of the premise
of "security through obscurity." If an intruder has no
idea where a particular resource is located, it will be
difficult to compromise .

Main Menu 34 of 38
Internet Security

Encryption
 Encryption is a technique as old as the Romans. It is
simply the scrambling of the transmitted text using a
set of rules (algorithms, which in today's world
means mathematical manipulations) which is known
to the recipient, but hopefully to no one else.
 The recipient can then use the same set of rules in
reverse to unscramble the coded text and read the
intended message.
 The majority of the data transmitted across the
Internet is not encrypted, it is sent as clear text. This
means that if somebody is able to monitor the raw
data coming in and out of your network, they will be
able to see quite a bit.
Main Menu 35 of 38
Internet Security

Some Elementary Security Tips

 Besides installing a firewall there are a number of
simple things you can do which will further enhance
the security of your network .
 Put sensitive data on a machine, which cannot be
accessed via TCP/IP - most PC operating systems
support multiple networking protocols, such as
NetBEUI, IPX/SPX, TCP/IP and others .
 One technique for sequestering sensitive data is to
put it on a machine, which has no TCP/IP
connectivity, and instead talks to other machines
using a local area network protocol such as
NetBEUI .
Main Menu 36 of 38
Internet Security

Summary
 Any security scheme must identify vulnerabilities
and threats, anticipate potential attacks, assess
whether they are likely to succeed or not, assess
what the potential damage might be from successful
attacks .
 A primary tool in securing any computer system is
the ability to recognize and verify the identity of
users. This security feature is known as
authentication. This security concept of Non
Repudiation protects against the sender or receiver
denying that they sent or received certain
communications .
Main Menu 37 of 38
Internet Security

Summary
 Integrity refers to the completeness and fidelity of
the message as it passes through the network .
 Risks can be characterized by two criteria: the
likelihood that a particular attack will be successful,
and the consequences of the results if the attack is
successful.

Main Menu 38 of 38