COURSE TITLE: NETWORK SECURITY

Module: TCS 407

COURSE CODE: TCS 407(3 Units) Compulsory course (PRE T0 408)

COURSE CONTENT

Network security and cryptographic protocols. Network vulnerabilities, attacks on TCP/IP, network
monitoring, security at the link, network and transport layers. Cryptography eg secret and public key
schemes; message authentication codes and key management. WLAN security, IPSec, SSL and VPNs.
Email security (PGP, S/MIME), Kerberos,X.509 certificates, AAA and mobile IP, SNMP security, firewalls,
filters and gateways. Policies and implementation of firewall policies, stateful firewalls, firewall
appliances. Network – related physical security, risk management and disaster recovery/contingency
planning issues and house keeping procedures.

ASSESSMENT

These include lectures, library and internet research etc

Assessments include coursework/assignment, test, presentations, essays and examinations.

Coursework/Assignment/written lab (10%)

Assessment Test (20%)

Exams (70%)

Three hours paper (four questions answer three(3) only, one compulsory.

Topics

 Network security fundamentals

 Network vulnerabilities
 attacks on TCP/IP, network monitoring, security at the link, network and transport layers
 basic cryptography
 modern cryptography
 cryptography Applications
 WLAN security, IPSec, SSL and VPNs
 Email security (PGP, S/MIME),
 Kerberos,X.509 certificates, AAA and mobile IP, SNMP security
 Firewalls,
  Policies and implementation of firewall policies
 Network – related physical security
 Risk management and disaster recovery/contingency planning issues and house keeping
procedures.

References

 Charles P. Pleeger, Shari L. Pfleeger, Security in Computing, Fourth Edition, Prentice Hall, 2007
 William Stallings, Cryptography and Network Security, 4/E, Prentice Hall, 2006
 Forouzan, B., Cryptography and Network Security, 1st ed, MacGraw- Hill, 2007
 William Stallings, Network Security Essentials 2/3 Edition, , Prentice Hall, 2002/07
 E – books.
 Richard Conway, Code Hacking: A Developer’s Guide to Network Security, Charles River Media,
20004
 Eric Cole, Network Security Bible, 2005
 7 titles when you search for crytography

Week 1: an overview of the course

Today’s Agenda

 General introduction and grouping of students for coursework

 Network security fundamentals
 Growing acceptance of e- commerce by customers.
 Security is a hard task
 Security properties
 Security operations

Growing acceptance of e- commerce by customers

 E – society
 E-learning; e- commerce; e-health; e- government; e- election; e- banking etc

What are the benefits of e- commerce?

 24/7 opening time.

 No waiting: the customer is not forced to wait in long lines in stores or leave the comfort of
their homes.
 International shopping eg Konga, Amazon etc
 Match and compare for best prices and services.
 Low cost and low prices
According to Merriam-Webster’s online dictionary (www.m-w.com),
 Information is defined as:
Knowledge obtained from investigation, study, or instruction, intelligence, news, facts,
data, a signal or character (as in a communication system or computer) representing data,
something (as a message, experimental data, or a picture) which justifies change in a construct
(as a plan or theory) that represents physical or mental experience or another construct
 And security is defined as:
Freedom from danger, safety; freedom from fear or anxiety

 If we put these two definitions together we can come up with a definition of information
security:
“Measures adopted to prevent the unauthorized use, misuse, modification, or denial of use
of knowledge, facts, data, or capabilities”.

However, there are various concepts of security solutions and none of the solutions by
themselves solved all of the security problems.

In fact, good security actually is a mix of all of these solutions. Such as:

 Good physical security is necessary to protect physical assets like paper records and
systems.
 Communication security (COMSEC) is necessary to protect information in transit.
Emission security (EMSEC) is needed when the enemy has significant resources to
read the electronic emissions from our computer systems.
 Computer security (COMPUSEC) is necessary to control access on our computer
systems and
 Network security (NETSEC) is needed to control the security of our local area
networks.
Together, all of these concepts provide information security (INFOSEC).

 Therefore, Information security is the name given to the preventative steps we take to
guard our information and our capabilities. We guard these things against threats, and
we guard them from the exploitation of a vulnerability.

However, this definition of information security does not guarantee protection. Thus,Information
security cannot guarantee protection.

The Key Principles of Network Security

 Network security revolves around the three key principles of confidentiality, integrity,
and availability (C-I-A).
 One of these principles might be more important than the others, depending on the
application and context is being used.
Example,
 A government agency would “encrypt” an electronically transmitted classified document
to prevent an unauthorized person from reading its contents.
 Thus, confidentiality of the information is of paramount importance.
 “If” an individual succeeds in breaking the encryption cipher and, then, retransmits a
modified encrypted version, the integrity of the message is compromised.
  On the other hand, an organization such as Amazon.com would be severely damaged if
its network were out of commission for an extended period of time. Why?
 Thus, “availability” is a key concern of such e-commerce companies.

Security properties
In order to protect IT systems we need to ensure the following properties:

Confidentiality (Secrecy and Privacy)

 Keeping data and resources hidden

 Unauthorized users mustn’t have access to sensitive/vital
information

Availability

 Ability to have access to the network whenever needed

 Ensures that the system continues efficiently and also providing expected service to its users.

Integrity (accuracy, authenticity)

 Prevents unauthorized data modification.

 Information to be protected by the integrity service may exist in physical paper form, in
electronic form, or in transit.

Accountability

 The accountability service is often forgotten when we speak of security.

 The primary reason is that the accountability service does not protect against attacks by
itself.
 The accountability service is to properly identify individuals
 It must be used in conjunction with other services to make them more effective.
 Accountability by itself is the worst part of security; why? Because it adds complications
without adding value.
 Accountability adds cost and it reduces the usability of a system.
 However, without the accountability service, both integrity and confidentiality
mechanisms would fail.

Network security is a hard task

 1. Kevin Mitnick eWeek 28 Sep 2000 says “ it is naïve to assume that just installing a firewall is
going to protect you from all potential security threats”.

That assumption creates a false sense of security , and having a false sense of security is worse than
having no security at all.

2. Bruce Schneider in 1995 stated that * it is insufficient to protect ourselves with laws, we need
to protect ourselves with mathematics.
3. In 2000 he however stated that: it was naïve to consider the cryptography as alone providing
absolute protection.
4. Also he said” if you think technology can solve your security problems, then you don’t
understand the problems and you don’t understand the technology.”

FUNDAMENTALLY:

 There is no single definition/goal for security

 It means secrecy in systems such as military systems
 Privacy in health care systems
 Integrity in banking systems
 Availability in marketing systems

 Information Security is also a difficult balance

 Eg national security versus individual privacy,
 Confidentiality versus availability

 Computer systems are very complicated. How?

 Strong security mechanisms can cause security problems. Eg cryptography can be used to leak
sensitive data.

Therefore, it has to be a complete security solution otherwise worthless.

TECHNICALLY:

 Systems are vulnerable and hacking knowledge is easily available.

 In 2006 CERT documented 8,064 new vulnerabilities, an average of 22 new vulnerabilities per
day
 Causing harm does not need much skills or special techniques.
 Technology alone cannot prevent a number of attack classes.
 Security Problems are not about technology, they are rather about how to use the technology
 Last but not the least people- weakest link
 Information security is a mindset. It is a mindset of examining the threats and
vulnerabilities of your organization and managing them appropriately.
 CERT statistics on attacks over a period of 16 years (1988- 2003)

Remember

 Not all successful attacks are reported.

 Not all vulnerabilities are documented.

Goals of network security

 Prevention: Prevent attackers from violating security policy

 Detection :Detect attackers’ violation of security policy

 Recovery: Stop attack, assess and repair damage

Continue to function correctly even if attack succeeds

The Basic Components

Computer security rests on confidentiality, integrity, and availability. The interpretations of these
three aspects vary, as do the contexts in which they arise. The interpretation of an aspect in a
given environment is dictated by the needs of the individuals, customs, and laws of the particular
organization.
Confidentiality

Confidentiality is the concealment of information or resources. The need for keeping information
secret arises from the use of computers in sensitive fields such as government and industry.
Access control mechanisms support confidentiality.

One access control mechanism for preserving confidentiality is cryptography, which scrambles
data to make it incomprehensible.

Integrity

Integrity refers to the trustworthiness of data or resources, and it is usually phrased in terms of
preventing improper or unauthorized change. Integrity includes data integrity (the content of the
information) and origin integrity (the source of the data, often called authentication). The source
of the information may bear on its accuracy and credibility and on the trust that people place in
the information.

EXAMPLE: A newspaper may print information obtained from a leak at the Aso Rock but
attribute it to the wrong source. The information is printed as received (preserving data integrity),
but its source is incorrect (corrupting origin integrity).

There are three goals of integrity:

✦ Prevention of the modification of information by unauthorized users
✦ Prevention of the unauthorized or unintentional modification of information by authorized
users
✦ Preservation of the internal and external consistency
 Internal consistency ensures that internal data is consistent.
For example,
In an organizational database, the total number of items owned by an organization must be equal
to the sum of the same items shown in the database of the organization.
 External consistency ensures that the data stored in the database is consistent
with the real world.
That is, the total number of items physically sitting on the shelf must equal the total number of
items indicated by the database.

Availability
Availability assures that a system’s authorized users have timely and uninterrupted access to the
information in the system and to the network.

Availability refers to the ability to use the information or resource desired. Availability is an
important aspect of reliability as well as of system design

Why? because an unavailable system is at least as bad as no system at all.

Therefore, the aspect of availability that is relevant to security is that someone may deliberately
arrange to deny access to data or to a service by making it unavailable.

Lecture 2

Vulnerability, Threats and Control Relationships

 A vulnerability is a weakness in the security system, for example, in procedures, design, or
implementation, that might be exploited to cause loss or harm. For instance, a particular system
may be vulnerable to unauthorized data manipulation because the system does not verify a
user's identity before allowing data access.

A vulnerability is a potential avenue of attack. Vulnerabilities may exist in computer

systems and networks (allowing the system to be open to a technical attack) or in
administrative procedures (allowing the environment to be open to a non-technical or
social engineering attack).

Vulnerabilities are not just related to computer systems and networks. Physical site
security, employee issues, and the security of information in transit must all be
examined.

 A threat to a network is a set of circumstances that has the potential to cause loss or harm.

A threat is an action or event that might violate the security of an information systems
environment.
There are three components of threat:
1. Targets The aspect of security that might be attacked.
2. Agents The people or organizations originating the threat.
An agent must have three characteristics:
Access The ability an agent has to get to the target.
Knowledge The level and type of information an agent has about the target.
Motivation The reasons an agent might have for posing a threat to the target.
3. Events The type of action that poses the threat.
To completely understand the threats to an organization, all three components must be
examined.

 The diagram below shows the difference between a threat and a vulnerability,
  Here, a wall is holding water back.

 The water to the left of the wall is a threat to the man on the right of the wall: The water could
rise, overflow, or it could stay beneath the height of the wall, causing the wall to collapse.

 the threat is the potential of the man to get wet, get hurt, or be drowned. For now, the wall is
intact, so the threat to the man is unrealized.

 However, the small crack in the wall is referred to as a vulnerability that threatens the man's
security.

 If the water rises to or beyond the level of the crack, it will exploit the vulnerability and harm the
man.

 A human who exploits a vulnerability perpetrates an attack on the system

 How do we address these problems? We use a control as a protective measure. That is,
a control is an action, device, procedure, or technique that removes or reduces a
vulnerability

A threat is blocked by control of a vulnerability.


