Network Security Introduction

Uploaded by amy-ramsey, posted 17-Jan-2018

William Stallings

Index

Definitions
- Information security: security of your information or data
- Computer security: protect data in local, time-shared computers
- Network security: protect data during their transmission

The OSI Security Architecture
ITU-T Recommendation X.800, Security Architecture for OSI, defines:
- Security attack: any action that compromises the security of information owned by an organization
- Security mechanism: a mechanism that is designed to detect, prevent, or recover from a security attack
- Security service: a service that enhances the security of the data processing systems and the information transfers of an organization; services make use of one or more security mechanisms
Vulnerability, Threat, Attack

Security Attacks
- Passive attacks: attempt to learn or make use of information from the system but do not affect system resources
- Active attacks: attempt to alter system resources or affect their operation
Passive Attacks
- Release of message contents: listening to a telephone conversation, sniffing a file transfer
- Traffic analysis: traffic is encrypted, but the content of messages is guessed from the identity of the peers, the frequency of messages or the length of messages
- Passive attacks are very difficult to detect. However, it is feasible to prevent the success of these attacks, usually by means of encryption.

Active Attacks
- Masquerade: one entity pretends to be a different entity, e.g. to escalate privileges
- Replay: passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect
- Modification of messages: some portion of a legitimate message is altered, or messages are delayed or reordered, to produce an unauthorized effect
- Denial of service: prevents or inhibits the normal use of a service on a specific target or communications facility, usually through overloading
- Active attacks are very difficult to prevent. However, it is feasible to detect the success of these attacks, usually by means of monitoring.
Security Services
- Authentication: peer entity authentication, data origin authentication
- Access control
- Data confidentiality
- Data integrity
- Nonrepudiation
- Availability service

Authentication
- Peer entity authentication: authenticates the identity of a peer entity at the establishment of a connection and at times during the data transfer; applicable in connection-oriented services; prevents masquerade and unauthorized replay
- Data origin authentication: authenticates the source of a data unit; applicable in connectionless services; does not provide protection against duplication or modification of data units

Access Control
- Controls access to host systems and applications via communications links
- Access is based on authentication

Data Confidentiality
- Protection of transmitted data from passive attacks
- Protection of service messages
- Protection of traffic flow from analysis: the attacker should not be able to observe the source and destination, frequency, length, or other characteristics of the traffic

Data Integrity
- Connection-oriented integrity service: assures that messages are received as sent, with no duplication, insertion, modification, reordering, or replays; addresses both message stream modification and denial of service
- Connectionless integrity service: provides protection against message modification only

Nonrepudiation
- Prevents either sender or receiver from denying a transmitted message
- The receiver can prove that the alleged sender sent the message (source nonrepudiation)
- The sender can prove that the alleged receiver received the message (destination nonrepudiation)

Availability Service
- A system is available if it provides services according to the system design whenever users request them
- Addresses the security concerns raised by denial-of-service attacks

Attacks and Security Services
Security Mechanisms
- Mechanisms incorporated in a protocol layer
- Mechanisms not specific to any protocol layer
- Security mechanisms and services
Security Models
- Network Security Model (Part 2 of the book): confidentiality, authentication, data integrity, nonrepudiation and availability services
- Network Access Security Model (Part 3 of the book): access control service; information access threats and service threats

Network Security Model
An encrypted and signed message is transferred between the two principals. Designing such a model involves four components:
1. a security-related algorithm (encryption, authentication and integrity)
2. secret information used with the algorithm
3. methods for distribution of the secret information
4. a protocol to be used by the two principals (parties) that makes use of the security algorithm and the secret information to achieve a particular security service
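The connection-oriented integrity service and the four components of the network security model above, as an added example that is not part of the slides or of Stallings' book: the sender prepends a sequence number and appends an HMAC-SHA256 tag computed with a shared secret (components 1 and 2), and the receiver uses them to detect the modification, replay and reordering attacks listed under active attacks. The key and messages are constructed for the demo, and distribution of the secret (component 3) is assumed to have happened out of band.

```python
import hmac
import hashlib
import struct

# Constructed shared secret (component 2 of the model); assumed to be
# distributed to both principals beforehand (component 3).
SHARED_KEY = b"constructed-demo-key-not-for-real-use"
TAG_LEN = 32  # SHA-256 digest size

def protect(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side of the protocol (component 4): 4-byte sequence number,
    then payload, then an HMAC-SHA256 tag over both (component 1)."""
    header = struct.pack("!I", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag

class Receiver:
    """Receiver side: data origin authentication plus a connection-oriented
    integrity service that rejects modified, replayed and reordered units."""
    def __init__(self, key: bytes):
        self.key = key
        self.expected_seq = 0

    def accept(self, data_unit: bytes):
        if len(data_unit) < 4 + TAG_LEN:
            return None, "malformed"
        header, body, tag = data_unit[:4], data_unit[4:-TAG_LEN], data_unit[-TAG_LEN:]
        expected_tag = hmac.new(self.key, header + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected_tag):   # constant-time check
            return None, "modified or forged"
        (seq,) = struct.unpack("!I", header)
        if seq < self.expected_seq:
            return None, "replayed"                       # old unit retransmitted
        if seq > self.expected_seq:
            return None, "reordered or dropped"           # gap in the stream
        self.expected_seq = seq + 1
        return body, "ok"

def demo():
    """Feed a constructed message stream, including attacked units, to a receiver."""
    rx = Receiver(SHARED_KEY)
    m0 = protect(SHARED_KEY, 0, b"transfer 10")
    m1 = protect(SHARED_KEY, 1, b"transfer 20")
    m2 = protect(SHARED_KEY, 2, b"transfer 30")
    tampered = m1[:4] + b"transfer 99" + m1[-TAG_LEN:]   # modification of message
    stream = [m0, tampered, m2, m1, m0, m2]              # m2 early, m0 replayed
    return [rx.accept(unit)[1] for unit in stream]

if __name__ == "__main__":
    print(demo())
```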
Network Access Security Model
- Gatekeeper function: password-based login and resource access; detect and reject worms, viruses, and other similar attacks
- Internal controls: monitor activity and analyze stored information in an attempt to detect the presence of unwanted intruders