Network and Security Management Chapter 4 Panko and
- Slides: 69
Network and Security Management Chapter 4 Panko and Panko Business Data Networks and Security, 10 th Edition, Global Edition Copyright © 2015 Pearson Education, Ltd.
Failure in the Target Breach Cost Matters Network Quality of Service Qo. S Network Design Security Planning Principles Centralized Management Copyright © 2015 Pearson Education, Ltd.
Kill Chain • Ignored Explicit Warnings 資料非法滲出 • Contractor with weak security • Spear phishing attack • free antivirus program Figure 3. 1 Copyright © 2015 Pearson Education, Ltd.
Kill Chain Analysis � For a weapon to succeed, a number of steps must go correctly. � This is called the kill chain � Security attacks also have kill chains � Companies must look for evidence of kill chain patterns and end the chain before the end. Copyright © 2015 Pearson Education, Ltd.
Failure in the Target Breach Cost Matters Network Quality of Service Qo. S Network Design Security Planning Principles Centralized Management Copyright © 2015 Pearson Education, Ltd.
4. 2 Quality-of-Service (Qo. S) Metrics Qo. S Metrics: Quantitative measures of network performance Copyright © 2015 Pearson Education, Ltd.
Transmission Speed Ø Rated Speed vs Throughput Ø Aggregate Throughput vs Individual Throughput � Rated Speed ◦ The speed a system should achieve ◦ According to vendor claims or to the standard that defines the technology � Throughput ◦ The data transmission speed a system actually provides to users Copyright © 2015 Pearson Education, Ltd.
Aggregate Throughput vs Individual Throughput � Aggregate versus Rated Throughput on Shared Lines ◦ The aggregate throughput is the total throughput available to all users in part of a network � Individual Throughput ◦ The individual throughput is an individual’s share of the aggregate throughput Copyright © 2015 Pearson Education, Ltd.
Rated Speed, Throughput, Aggregate Throughput, and Individual Throughput Individual throughput Aggregate throughput Rated speed
Speed Knowledge Check � You are in a Wi-Fi hot spot with 20 other people. The access point router is rated as following the 802. 11 ac standard with options providing 300 Mbps. Throughput is about 50%. At a certain moment, you and four others are sending and receiving. What individual throughput are you likely to receive? Copyright © 2015 Pearson Education, Ltd.
CNET News: Steve Jobs' demo fail https: //www. youtube. com/watch? v=znx. QOPFg 2 mo Copyright © 2015 Pearson Education, Ltd.
Other Qo. S Metrics • • Availability Error Rates Latency Jitter PSTN: availability ~= 99. 999% Public Switched Telephone Network Copyright © 2015 Pearson Education, Ltd. 1 ms = 0. 001 sec 1 s = 10 -6 sec
Jitter • Jitter is variability in latency. • In traditional applications, e. g. e-mail, latency was slightly important, and jitter was not important at all. • Makes voice (Vo. IP), video, and interactive applications seem “jittery”. Copyright © 2015 Pearson Education, Ltd.
4. 5 Service Level Agreements (SLAs) � Service Level Agreements (SLAs) ◦ Contracts that guarantee levels of performance for various Qo. S metrics. ◦ Guarantees for performance ◦ Penalties if the network does not meet its service metrics guarantees Copyright © 2015 Pearson Education, Ltd.
4. 5 Service Level Agreements (SLAs) � Worst-Case � Qo. S Specification guarantees are expressed as worst cases. ◦ Lowest speed (e. g. , no worse than 1 Mbps) ◦ Maximum latency (e. g. , no more than 125 ms) Copyright © 2015 Pearson Education, Ltd.
4. 5 Service Level Agreements (SLAs) � Percentage-of-Time � Often Elements in SLAs written on a percentage basis ◦ No worse than 100 Mbps 99. 5% of the time ◦ Because as the percentage increases, additional engineering raises network costs ◦ 100% compliance would be prohibitively expensive Copyright © 2015 Pearson Education, Ltd.
4. 5 Service Level Agreements (SLAs) � Residential guarantees services are rarely sold with SLA ◦ It would be expensive to engineer the network for high-percentage guarantees for residential customers ◦ This would make prices unacceptable ◦ Businesses require high-percentage guarantees and so are willing to pay higher prices Copyright © 2015 Pearson Education, Ltd.
Failure in the Target Breach Cost Matters Network Quality of Service Qo. S Network Design Security Planning Principles Centralized Management Copyright © 2015 Pearson Education, Ltd.
4. 6 Two-Site Traffic Analysis • • Network design is based on speed requirements These may be different in the two directions Most transmission lines are symmetric in speed In such cases, the higher-speed dictates line speed Copyright © 2015 Pearson Education, Ltd.
4. 7 Three-Site Traffic Analysis There are three sites connected by two links Copyright © 2015 Pearson Education, Ltd.
4. 7 Three-Site Traffic Analysis Link QR must carry the traffic flowing between Q and R and the traffic flowing between R and S Copyright © 2015 Pearson Education, Ltd.
4. 7 Three-Site Traffic Analysis Copyright © 2015 Pearson Education, Ltd.
4. 7 Three-Site Traffic Analysis Copyright © 2015 Pearson Education, Ltd.
Three-Site Traffic Analysis with Redundancy Each pair of sites is connected Lines only carry traffic between site pairs Copyright © 2015 Pearson Education, Ltd.
Three-Site Traffic Analysis with Redundancy How can traffic get from Q to R? Copyright © 2015 Pearson Education, Ltd.
Momentary Traffic Peaks � Normally, network capacity is higher than the traffic. � Sometimes, however, there will be momentary traffic peaks above the network’s capacity—usually for a fraction of a second to a few seconds. Copyright © 2015 Pearson Education, Ltd.
Momentary Traffic Peaks � Congestion causes latency because switches and routers must store frames and packets while waiting to send them out again. � Buffers are limited, so some packets may be lost. Copyright © 2015 Pearson Education, Ltd.
Overprovisioning - Momentary Traffic Peaks is providing far more capacity than the network normally needs. � Overprovisioning � This avoids nearly all momentary traffic peaks wasteful of transmission line capacity. Copyright © 2015 Pearson Education, Ltd.
Priority - Momentary Traffic Peaks � With priority, latency-intolerant traffic, such as voice, is given high priority and will go first. � Latency-tolerant traffic, such as e-mail, must wait. � More efficient than overprovisioning; also more labor-intensive. Copyright © 2015 Pearson Education, Ltd.
Reserved Capacity - Momentary Traffic Peaks � Qo. S guarantees reserved capacity for some traffic, so this traffic always gets through. � Other traffic, however, must fight for the remaining capacity. Copyright © 2015 Pearson Education, Ltd.
Failure in the Target Breach Cost Matters Network Quality of Service Qo. S Network Design Security Planning Principles Centralized Management Copyright © 2015 Pearson Education, Ltd.
Strategic Security Planning Principles � Security is a management issue, not a technology issue. � The Plan-Protect-Respond Cycle Copyright © 2015 Pearson Education, Ltd.
Threat Environment You cannot defend yourself unless you know the threat environment you face. Copyright © 2015 Pearson Education, Ltd.
Plan-Protect-Respond Cycle Companies defend themselves with a process called the Plan-Protect-Respond Cycle. Copyright © 2015 Pearson Education, Ltd.
Planning The Plan-Protect-Respond Cycle starts with Planning. We will look at important planning principles. Copyright © 2015 Pearson Education, Ltd.
Protecting Companies spend most of their security effort on the protection phase, in which they apply planned protections on a daily basis. We covered this phase in Chapter 3. Copyright © 2015 Pearson Education, Ltd.
Responding Even with great planning and protection, incidents will happen, and a company must have a well-rehearsed plan for responding to them. Copyright © 2015 Pearson Education, Ltd.
Security Planning Principles � Six Security Planning Principles 1. Risk analysis 2. Comprehensive security 3. Defense in depth 4. Weakest link analysis 5. Single points of takeover 6. Least permissions in access control Copyright © 2015 Pearson Education, Ltd.
(1) Risk Analysis 4. 11 Risk Analysis � The goal is not to eliminate all risk � You would not pay a million dollars for a countermeasure to protect an asset costing ten dollars � You should reduce risk to the degree that it is economically reasonable � You must compare countermeasure benefits with countermeasure costs Copyright © 2015 Pearson Education, Ltd.
4. 12: Risk Analysis Calculation Countermeasure (對策) 對策 Damage per successful attack Annual probability of a successful attack Annual probability of damage Annual cost of countermeasure None A $1, 000 $500, 000 20% $200, 000 $100, 000 $0 $20, 000 Net annual probable outlay $120, 000 Countermeasure A$200, 000 cuts the damage per successful attack in half, Annual value of countermeasure $80, 000 but does not change the annual probability of occurrence. Adopt the countermeasure? Yes Copyright © 2015 Pearson Education, Ltd.
3. 10 Risk Analysis Calculation Countermeasure Damage per successful attack None A $1, 000 $500, 000 Countermeasure A Annual probability of asavings successful Will have a net of $80, 000 20% per year. attack Annual probability of damage Annual cost of countermeasure Net annual probable outlay Annual value of countermeasure Adopt the countermeasure? Copyright © 2015 Pearson Education, Ltd. 20% $200, 000 $100, 000 $0 $20, 000 $200, 000 $120, 000 $80, 000 Yes
3. 10 Risk Analysis Calculation Countermeasure Damage per successful attack Annual probability of a successful attack Annual probability of damage Annual cost of countermeasure None B $1, 000, 000 20% 15% $200, 000 $150, 000 $0 $60, 000 Net annual probable outlay $210, 000 Countermeasure$200, 000 B frequency of occurrence in half, Annual cuts value the of countermeasure -$10, 000 but does not change the damage per occurrence. Adopt the countermeasure? Copyright © 2015 Pearson Education, Ltd. No
3. 10 Risk Analysis Calculation Countermeasure Damage per successful attack None B $1, 000, 000 Annual a successful This probability time, the of countermeasure attack is too 20% expensive. 15% Annual probability of damage $200, 000 $150, 000 $0 $60, 000 $200, 000 $210, 000 Annual cost of countermeasure Net annual probable outlay Annual value of countermeasure Adopt the countermeasure? Copyright © 2015 Pearson Education, Ltd. -$10, 000 No
(2) Comprehensive Security 4. 13 Comprehensive Security Copyright © 2015 Pearson Education, Ltd.
(3) Defense in Depth 4. 14 Defense in Depth Copyright © 2015 Pearson Education, Ltd.
(4) Identifying Weakest Links 4. 15 Identifying Weakest Links Copyright © 2015 Pearson Education, Ltd.
Weakest Link versus Defense in Depth Weakest Link Countermeasures Several One Criterion One must succeed All components must succeed Copyright © 2015 Pearson Education, Ltd.
(5) Protecting Single Points of Takeover Central control is crucial to reducing labor costs and implementation speed Copyright © 2015 Pearson Education, Ltd.
Protecting Single Points of Take-Over Copyright © 2015 Pearson Education, Ltd.
(6) Least Permissions in Access Control Assigning Least Permissions in Access Control � Access Control ◦ If attackers cannot get access to a resource, they cannot exploit it ◦ Access control is limiting who may have access to each resource ◦ And limiting his or her permissions when using the resource Copyright © 2015 Pearson Education, Ltd.
Least Permissions in Access Control � Authentication (Permissions) versus Authorizations ◦ Authentication: Proof of identity ◦ Authorizations (Permissions): The actions that an authenticated user is allowed to take on the resource. ◦ Just because a user is authenticated does not mean that he or she will be permitted to do everything. Copyright © 2015 Pearson Education, Ltd.
4. 17 Least Permissions in Access Control � Principle of Least Permissions ◦ Give each authenticated user only the minimum permissions he or she needs to do his or her job ◦ Cannot do unauthorized things that will compromise security Copyright © 2015 Pearson Education, Ltd.
Least Permissions in Access Control � Examples of Limited Permissions ◦ Create files but not delete files ◦ Cannot see files above a certain level of sensitivity ◦ Read files but not write (edit) them ◦ See files in own folders but not all folders ◦ Connect to the person’s department server but not to the Finance server ◦ Do certain things but cannot give others permission to do them Copyright © 2015 Pearson Education, Ltd.
Failure in the Target Breach Cost Matters Network Quality of Service Qo. S Network Design Security Planning Principles Centralized Management Copyright © 2015 Pearson Education, Ltd.
4. 19 Ping Copyright © 2015 Pearson Education, Ltd.
Copyright © 2015 Pearson Education, Ltd.
Copyright © 2015 Pearson Education, Ltd.
4. 20: Simple Network Management Protocol (SNMP) � It is desirable to have network visibility—to know the status of all devices at all times. � Ping can determine if a host or router is reachable. � The simple network management protocol (SNMP) is designed to collect extensive information needed for network visibility. Copyright © 2015 Pearson Education, Ltd.
4. 20: SNMP � Central manager program communicates with each managed device. � Actually, the manager communicates with a network management agent on each device. Copyright © 2015 Pearson Education, Ltd.
4. 20: SNMP � The manager sends SNMP commands and gets SNMP responses. � Agents can send SNMP traps (alarms) if there are problems. Copyright © 2015 Pearson Education, Ltd.
4. 20: SNMP � Information from agents is stored in the SNMP management information base. MIB Copyright © 2015 Pearson Education, Ltd. Management Information Base
Configuring SNMP Support https: //www. cisco. com/c/en/us/td/docs/optical/15000 r/dwdm/conf iguration/guide/b_snmp. html Copyright © 2015 Pearson Education, Ltd.
4. 20: SNMP � Network visualization programs analyze information from the MIB to portray the network, do troubleshooting, and answer specific questions. Copyright © 2015 Pearson Education, Ltd.
4. 20: SNMP � SNMP interactions are standardized, but network visualization program functionality is not, in order not to constrain developers of visualization tools. Copyright © 2015 Pearson Education, Ltd.
http: //noc. twaren. net/ http: //mrtg. twaren. net/weathermap/twaren. html
Traditional Device Control in Networking � Firewall Forwarding ◦ How the firewall deals with incoming packets ◦ What interface (port) to send them out � Firewall Control ◦ Creates the rules for firewall forwarding ◦ In comparison, firewall forwarding is comparatively simple Copyright © 2015 Pearson Education, Ltd.
Traditional Device Control in Networking Copyright © 2015 Pearson Education, Ltd.
Software-Defined Networking (SDN) Copyright © 2015 Pearson Education, Ltd.
Centralized Firewall Management Copyright © 2015 Pearson Education, Ltd.
- Mary panko
- Wireless security in cryptography and network security
- Provate security
- Osi model security architecture
- Security guide to network security fundamentals
- Electronic mail security in network security
- Security guide to network security fundamentals
- Security guide to network security fundamentals
- Chapter 9 information management and security
- Security policy and integrated security in e-commerce
- Performance management in network management
- Accounting management in network management
- Public switched telephone network notes
- Network management definition
- 5g americas
- Network security design and implementation
- Module 3: information and network security
- Cryptography and network security 6th edition
- Security mechanisms in cryptography
- Number theory in cryptography and network security
- Firewall in cryptography and network security
- Authentication in cryptography and network security
- Three classes of intruders in network security
- Primitive root of a number in cryptography
- Cryptography and network security 6th edition pdf
- Cryptography and network security pearson
- Source
- Cryptography and network security 4th edition
- Euler's theorem in cryptography and network security
- Finite fields in cryptography and network security
- Dsa in network security
- Modular arithmetic in cryptography and network security
- Pgp in cryptography and network security
- Top-down network design
- It network and security greensboro
- Euler's theorem in cryptography and network security
- Malicious software in cryptography
- Introduction to cryptography and network security
- Computer and network security
- Rsa algorithm in cryptography and network security
- Introduction to cryptography and network security
- Visa international security model in information security
- Cnss model
- Software security touchpoints
- Virtual circuit vs datagram
- Features of peer to peer network and client server network
- Network centric computing
- Wlan network
- Palo alto certified network security engineer
- Network security protocols
- Network security essentials 5th edition pdf
- Cipher based message authentication code
- Playfair cipher
- Network security monitoring nsm open systems
- Gfi languard network security scanner
- Triple des attack
- Aes in network security
- Modern network security threats
- Remote network security services
- Network security topologies
- Interesting topics in network security
- Kr
- Ic chip 74190
- Ec-council network security administrator
- 819 mod 26
- Bro network security monitor
- Interruption threat
- Bro network security
- Literature review on network security
- Computer & network security