Network Security Chapter 1 Background Information Security requirements

Network Security Chapter 1

Background Information Security requirements have changed in recent times Ø traditionally provided by physical and administrative mechanisms Ø computer use requires automated tools to protect files and other stored information Ø use of networks and communications links requires measures to protect data during transmission Ø

Definitions Computer Security - generic name for the collection of tools designed to protect data and Computer systems Ø Network Security - measures to protect data during their transmission Ø Internet Security - measures to protect data during their transmission over a collection of interconnected networks Ø

Aim of Course Ø our focus is on Internet Security Ø which consists of measures to deter, prevent, detect, and correct security violations that involve the transmission & storage of information

Security Trends

OSI Security Architecture Ø ITU-T X. 800 “Security Architecture for OSI” Ø defines a systematic way of defining and providing security requirements Ø for us it provides a useful, if abstract, overview of concepts we will study

What is security Architecture x. 800 Ø An international and systematic standard of defining and providing security requirements. Ø Useful to managers as a way of organizing the task of providing security. Ø Proposed by ITU-T in recommendations X. 800 as “Security Architecture for OSI” Ø Computer and communications vendors have developed security features for their products and services under the definition

Definations Ø 1. Security attack Ø Any action that compromises the security of information owned by an organization. Ø 2. Security mechanism (control) Ø A process (or a device incorporating sucha a process) that is designed to detect, prevent, or recover from a security attack. Ø 3. Security service Ø The service are intended to counter

Principles of Security Ø 1. Confidentially Ø 2. Authentication Ø 3. Integrity Ø 4. Availability

Confidentially Ø It states that only the sender and the receiver should have an access to the information. Also known as privacy or secrecy of information

Attack on confidentiality Ø Snooping refers to unauthorized access to or interception of data. Ø Traffic analysis monitoring online traffic and collecting sensitive data.

Authentication Ø The assurance that the communicating entity is the one that it claims to be. It identifies who is sender and who is receiver

Data Integrity Ø The assurance that data received are exactly as sent by an authorized entity (i. e. , contain no modification, insertion, deletion or replay) Ø Any changes done to the message must either be prevented or detected.

Attack on Data integrity Ø Modification : altering of messages Ø Masquerading / spoofing: attacker impersonates somebody else. Ø Replaying: replaying the old captured messages Ø Repudiation means that sender of the message might later deny that she has send the message; the receiver of the message might later deny that he has received the message.

Availability Ø Resources / applications must be available to authentic users all the time. If not available It is also known as Denial of Service attack

Attacks on various principles Ø Normal flow Ø Interruption Ø Interception Ø Modification Ø Fabrication

Threats Ø Confidentially l Interception • Unauthorized access • Wiretapping Ø Integrity l Modification • Change or Delete : Data, Messages, Programs Ø Availability l Interruption • Hardware destruction

Attacks Ø Passive Attacks Ø Active Attacks

Passive Attacks Ø Nature of eavesdropping on, or monitoring of transmissions. The goal of the opponent is to obtain information that is being transmitted. Ø Two types Ø 1. Release of message contents Ø 2. Traffic analysis

Passive Attacks

Release of Message contents Ø Prevent an opponent from learning the contents of telephone conversation, an electronic mail message, and a transferred file transmissions.

Traffic Analysis Ø Attacker Observe the pattern of the messages. The opponent could determine the location and identity of communicating hosts and could observe the frequency and length of messages being exchanged.

Active Attacks Ø Masquerade Ø Replay Ø Modification of messages Ø Denial of service

Active Attacks

Masquerade Ø A masquerade takes place when one entity pretends to be a different entity. Ø Example: Authentication sequences can be captured and replayed after a valid authentication sequence has taken place

Replay Ø It involves the passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect

Modification of Messages Ø Modification of messages simply means that some portion of a legitimate message is altered or that messages are delayed or reordered to produce an unauthorized effect.

Denial of Service Ø Prevents or inhibits the normal use or management of communications facilities. Flooding the network or system with bogus messages.

Comparison Ø Passive attacks – focus on Prevention l l Easy to stop Hard to detect Ø Active attacks – focus on Detection and Recovery l l Hard to stop Easy to detect

Security Services Ø Authentication Ø Confidentiality Ø Integrity Ø Availability Ø Access control Ø Non Repudiation

Security Services Ø 1. Access control Ø The Prevention of unauthorized use of a resource Ø A) who can have access to a resource Ø B) under what conditions access can occur Ø C) What those accessing the resource are allowed to do.

Non repodiation Ø Assurance that someone cannot deny the validity of something. Ø Non repudiation prevents either sender or receiver from denying a transmitted message Ø Non repudiation origin Ø No repudiation destination

Security Mechanisms Ø 1. Specific security mechanisms: may be incorporated into the appropriate protocol layer in order to provide some of the osi security services Ø 2. Pervasive security Mechanisms: not specific to any particular osi security service or protocol layer

Specific Security Mechanisms Ø Encipherment Ø Digital signature Ø Access control Ø Data integrity Ø Authentication exchange Ø Traffic padding Ø Routing control

pervasive security mechanisms l trusted functionality, security labels, event detection, security audit trails, security recovery

Relation Between Services and mechanisms Security Service Security Mechanism Data confidentiality Encipherment and routing control Data integrity Encipherment, digital signature, data integrity Authentication Encipherment, digital signature, authentication exchanges Nonrepudiation Digital signature, data integrity and notarization Access control mechanism

Security Mechanism Ø feature designed to detect, prevent, or recover from a security attack Ø no single mechanism that will support all services required Ø however one particular element underlies many of the security mechanisms in use: l cryptographic techniques Ø hence our focus on this topic

Security Mechanisms (X. 800) Ø specific security mechanisms: l encipherment, digital signatures, access controls, data integrity, authentication exchange, traffic padding, routing control, notarization Ø pervasive security mechanisms: l trusted functionality, security labels, event detection, security audit trails, security recovery

Model for Network Security

Model of Network Security

Model for Network Security Ø using this model requires us to: 1. 2. 3. 4. design a suitable algorithm for the security transformation generate the secret information (keys) used by the algorithm develop methods to distribute and share the secret information specify a protocol enabling the principals to use the transformation and secret information for a security service

Model for Network Access Security

Model for Network Access Security Ø using this model requires us to: 1. 2. Ø select appropriate gatekeeper functions to identify users implement security controls to ensure only authorised users access designated information or resources trusted computer systems may be useful to help implement this model

Summary Ø have considered: l definitions for: • computer, network, internet security Ø X. 800 standard Ø security attacks, services, mechanisms Ø models for network (access) security