Network

Security

Chapter 1
Introduction
 Quotations
The combination of space, time, and strength that must be considered
as the basic elements of this theory of defense makes this a fairly
complicated matter. Consequently, it is not easy to find a fixed point
of departure.
— On War, Carl Von Clausewitz

The art of war teaches us to rely not on the likelihood of the enemy's
not coming, but on our own readiness to receive him; not on the
chance of his not attacking, but rather on the fact that we have
made our position unassailable.
—The Art of War, Sun Tzu
2 2/12/2022
 Computer Security
Concepts
• Before the widespread use of data processing equipment, the security of
information valuable to an organization was provided primarily by physical
and administrative means

• With the introduction of the computer, the need for automated tools for
protecting files and other information stored on the computer became evident

• Another major change that affected security is the introduction of distributed

systems and the use of networks and communications facilities for carrying
data between terminal user and computer and between computer and
computer

• Computer security
• The generic name for the collection of tools designed to protect data and to thwart
hackers

• internet security (lower case “i” refers to any interconnected collection of

network)
• Consists of measures to deter, prevent, detect, and correct security violations that
involve the transmission of information

3 2/12/2022
 “The protection afforded to
Computer an automated information
Security system in order to attain
the applicable objectives of
preserving the integrity,
availability, and
The NIST Computer Security confidentiality of
Handbook defines the term information system
computer security as: resources (includes
hardware, software,
firmware,
information/data, and
telecommunications)”

4 2/12/2022
 Computer Security
Objectives
Confidentiality
• Data confidentiality
• Assures that private or confidential information is not made available or disclosed
to unauthorized individuals
• Privacy
• Assures that individuals control or influence what information related to them may
be collected and stored and by whom and to whom that information may be
disclosed

Integrity
• Data integrity
• Assures that information and programs are changed only in a specified and
authorized manner
• System integrity
• Assures that a system performs its intended function in an unimpaired manner,
free from deliberate or inadvertent unauthorized manipulation of the system

Availability
• Assures that systems work promptly and service is not denied to authorized
users
5 2/12/2022
 CIA Triad

6 2/12/2022
 Possible additional
concepts:

Authenticity Accountability
• Verifying that users • The security goal
are who they say that generates the
they are and that requirement for
each input arriving at actions of an entity
the system came to be traced uniquely
from a trusted source to that entity

7 2/12/2022
Breach of Security
Levels of Impact
• The loss could be expected to have a severe or
High catastrophic adverse effect on organizational
operations, organizational assets, or individuals

• The loss could be expected to have a

Moderate serious adverse effect on organizational

operations, organizational assets, or
individuals

• The loss could be expected

to have a limited adverse

Low effect on organizational

operations, organizational
assets, or individuals
8 2/12/2022
 Examples of Security
Requirements

Confidentiality Integrity Availability

Patient information The more critical a

Student grade information stored in a database – component or service, the
is an asset whose inaccurate information higher the level of
confidentiality is could result in serious availability required
considered to be highly harm or death to a patient
important by students and expose the hospital to
massive liability
A moderate availability
requirement is a public
A Web site that offers a
Web site for a university
forum to registered users
to discuss some specific
Regulated by the Family topic would be assigned a
moderate level of integrity An online telephone
Educational Rights and directory lookup
Privacy Act (FERPA) application would be
An example of a low-
integrity requirement is an classified as a low-
anonymous online poll availability requirement
9 2/12/2022
 Computer Security
Challenges
• Security is not simple • Security mechanisms typically
involve more than a particular
• Potential attacks on the algorithm or protocol
security features need to be
considered • Security is essentially a battle
of wits between a perpetrator
• Procedures used to provide and the designer
particular services are often
counter-intuitive • Little benefit from security
investment is perceived until a
• It is necessary to decide where security failure occurs
to use the various security
mechanisms • Strong security is often
viewed as an impediment to
• Requires constant monitoring efficient and user-friendly
operation
• Is too often an afterthought

2/12/2022 10
 OSI Security
Architecture
• Security attack
• Any action that compromises the security of information
owned by an organization

• Security mechanism
• A process (or a device incorporating such a process) that is
designed to detect, prevent, or recover from a security attack

• Security service
• A processing or communication service that enhances the
security of the data processing systems and the information
transfers of an organization
• Intended to counter security attacks, and they make use of one
or more security mechanisms to provide the service

11 2/12/2022
 Table 1.1
Threats and Attacks (RFC 4949)

12 2/12/2022
 Security
Attacks
•A means of classifying security
attacks, used both in X.800 and RFC
4949, is in terms of passive attacks and
active attacks

•A passive attack attempts to learn or

make use of information from the
system but does not affect system
resources

•An active attack attempts to alter

system resources or affect their
operation

2/12/2022 13
 Passive
Attacks

• Are in the nature of

eavesdropping on, or
monitoring of, transmissions

• Goal of the opponent is to • Two types of passive

obtain information that is attacks are:
being transmitted
• The release of message
contents
• Traffic analysis

2/12/2022 14
 Active Attacks
• Involve some modification of the
data stream or the creation of a • Takes place when one entity
pretends to be a different entity
false stream Masquerade • Usually includes one of the other
forms of active attack
• Difficult to prevent because of the
wide variety of potential physical,
• Involves the passive capture of a
software, and network data unit and its subsequent
vulnerabilities Replay retransmission to produce an
unauthorized effect
• Goal is to detect attacks and to
recover from any disruption or
• Some portion of a legitimate
delays caused by them Modification message is altered, or messages
of messages are delayed or reordered to
produce an unauthorized effect

Denial of • Prevents or inhibits the normal

use or management of
service communications facilities
15 2/12/2022
 Security Services

• Defined by X.800 as:

• A service provided by a protocol layer of communicating open
systems and that ensures adequate security of the systems or of
data transfers

• Defined by RFC 4949 as:

• A processing or communication service provided by a system
to give a specific kind of protection to system resources

16 2/12/2022
X.800 Service Categories

• Authentication

• Access control

• Data confidentiality

• Data integrity

• Nonrepudiation

17 2/12/2022
 Table 1.2

Security
Services
(X.800)

(This table is found on

page 28 in the textbook)
18 2/12/2022
 Authentication

• Concerned with assuring that a communication is

authentic
• In the case of a single message, assures the recipient that
the message is from the source that it claims to be from
• In the case of ongoing interaction, assures the two
entities are authentic and that the connection is not
interfered with in such a way that a third party can
masquerade as one of the two legitimate parties

Two specific authentication services are defined in X.800:

• Peer entity authentication

• Data origin authentication
19 2/12/2022
 Access Control

• The ability to limit and control the access to host

systems and applications via communications links

• To achieve this, each entity trying to gain access must

first be indentified, or authenticated, so that access
rights can be tailored to the individual

20 2/12/2022
 Data Confidentiality
• The protection of transmitted data from passive attacks
• Broadest service protects all user data transmitted between
two users over a period of time
• Narrower forms of service include the protection of a single
message or even specific fields within a message

• The protection of traffic flow from analysis

• This requires that an attacker not be able to observe the source
and destination, frequency, length, or other characteristics of
the traffic on a communications facility

21 2/12/2022
Data Integrity

Can apply to a stream of messages, a single

message, or selected fields within a message

Connection-oriented integrity service deals with a

stream of messages and assures that messages are
received as sent with no duplication, insertion,
modification, reordering, or replays

A connectionless integrity service deals with

individual messages without regard to any larger
context and generally provides protection against
message modification only

22 2/12/2022
 Nonrepudiation

• Prevents either sender or receiver from denying a

transmitted message

• When a message is sent, the receiver can prove that the

alleged sender in fact sent the message

• When a message is received, the sender can prove that

the alleged receiver in fact received the message

23 2/12/2022
 Availability service
• Availability
• The property of a system or a system resource being
accessible and usable upon demand by an authorized
system entity, according to performance specifications for
the system

• Availability service
• One that protects a system to ensure its availability
• Addresses the security concerns raised by denial-of-
service attacks
• Depends on proper management and control of system
resources

24 2/12/2022
 Table 1.3

Security
Mechanisms
(X.800)

(This table is found on

page 31 in the textbook)
25 2/12/2022
 Model for Network
Security

26 2/12/2022
 Network Access
Security Model

27 2/12/2022
 Unwanted Access
• Placement in a computer
system of logic that exploits Programs can
present two kinds of
vulnerabilities in the system threats:
and that can affect
application programs as well
as utility programs
Information access
Service threats
threats

Intercept or modify
Exploit service flaws
data on behalf of
in computers to
users who should
inhibit use by
not have access to
legitimate users
that data
28 2/12/2022
 standards
NIST ISOC
• National Institute of Standards and • Internet Society
Technology
• Professional membership society
with worldwide organizational and
• U.S. federal agency that deals with individual membership
measurement science, standards,
and technology related to U.S. • Provides leadership in addressing
government use and to the issues that confront the future of
promotion of U.S. private-sector the Internet
innovation
• Is the organization home for the
groups responsible for Internet
• NIST Federal Information infrastructure standards, including
Processing Standards (FIPS) and the Internet Engineering Task
Special Publications (SP) have a Force (IETF) and the Internet
Architecture Board (IAB)
worldwide impact
• Internet standards and related
specifications are published as
29 Requests for Comments (RFCs) 2/12/2022
 Summary
• Computer security concepts • Security services
• Definition • Authentication
• Examples • Access control
• Challenges • Data confidentiality
• Data integrity
• The OSI security
• Nonrepudiation
architecture
• Availability service
• Security attacks
• Security mechanisms
• Passive attacks
• Active attacks • Model for network security

• Standards

30 2/12/2022