Security

Information is an asset and needs to be secured from attacks:

It needs to be hidden from unauthorized access (confidentiality)

protected from unauthorized change (integrity) and

available to an authorized entity when needed (availability)

These are the three Security goals and can be threatened by attacks.

Attacks

Attacks threatening confidentiality: snooping and traffic analysis

Attacks threatening integrity: modification, masquerading or spoofing,

replaying and repudiation

Attacks threatening availability: denial of service

People who cause security problems

Student, Hacker, Sales rep, Businessman, Ex-employee, Accountant

Stockbroker, Con man, Spy, Terrorist

Internet Security

Security services are provided in the Internet at the network, transport and
application layers, through several protocols based on cryptography and other
techniques. We study here the protocols and other techniques at the Network
Layer. Security is needed at the network layer for three reasons:

1. Not all client/server programs are protected at application layer

2. Not all client/server programs at the application layer use TCP, to be

protected by TL security, and

3. Many applications such as routing protocols, directly use the service of

IP; they need security service at IP layer
IPSec

IPSec is a collection of protocols designed by the IETF to provide security for a

packet at the network layer. It operates in two different modes: transport mode
and tunnel mode.

Transport mode: this mode protects what is delivered from the TL to the NL,
i.e., only the payload, not the IP header. IPSec header and Trailer are added to
the data coming from TL. IP header is added later.

This mode is normally used for host-to-host (end-to-end) protection of data. The
sending host uses IPSec to authenticate/encrypt the payload delivered by the
TL. The receiving host uses IPSec to check the authentication/decrypt the IP
packet and deliver it to the TL.

Tunnel Mode: in this mode, IPSec protects the entire IP packet. It takes the
entire IP packet including the IP header, applies IPSec security methods to the
entire packet 9IPSec H and T) and then adds a new IP header.

This mode is normally used between two routers, between a host and a router or
between a router and a host. The entire original packet is protected from
intrusion between sender and receiver, as if the whole packet goes through an
imaginary tunnel.

Firewalls

Openness of Internet is a mixed blessing- company LANs have to be

safeguarded.

To safeguard confidential information from leaking out trade secrets, product

development plans, marketing strategies, financial analyses, etc.

Also information leaking in viruses, worms, digital pests which destroy

valuable data and waste a lot of administrators time

Firewall: modern adaption of medieval security standby- digging a deep moat

around the castle, so that everybody entering must pass through a single
drawbridge and inspected electronic drawbridge- a router or computer

Firewall acts a packet filter- inspects every incoming and outgoing packet- those
that meet the criteria set by the network administrator are forwarded normally,
others are dropped
Criteria- as Rules or tables that list sources and destinations that are blocked or
acceptable, default rules about what to do with packets going to or coming from
other machines- some sites may be blocked

Some ports cannot be blocked

Security is needed, but cannot cut off communication with the outside world

Hence we have the De Militarised Zone or DMZ- the part of the network that
lies outside the security perimeter

For example, the web server and the email server: Rules to permit connections
between internal machines and web server (port 80).

Firewalls may be stateful these map packets to connections and use TCP-IP
header fields to keep track of connections. This can be done by a Rule which
says that an external web server can send packets to an internal host, but only if
the internal host has first established a connection to it.

Firewall can also implement Application-level Gateways (or proxy firewall) -

here a firewall can look inside packets, beyond even the TCP header, so see
what the application is doing. Rules can be written to prevent, for example,
sensitive inside documents from being emailed outside of the company. Here
the firewall acts as a proxy server between the internal client and the outside
real server (at TCP port 80).

Thus firewall may violate the standard layering of protocols. They are
network-layer devices, but they peek at the transport and application layers to
do their filtering.

Intrusion Detection Systems

Intrusion - To compromise a computer system by breaking the security of such a
system or causing it to enter into an insecure state. The act of intrudingor
gaining unauthorized access to a systemtypically leaves traces that can be
discovered by intrusion detection systems. ID uses vulnerability assessment
(sometimes referred to as scanning), which is a technology developed to assess
the security of a computer system or network.

The act of detecting actions that attempt to compromise the confidentiality,

integrity or availability of a resource. More specifically, the goal of intrusion
detection is to identify entities attempting to subvert in-place security controls.

An intrusion detection system (IDS) inspects all inbound and outbound network
activity and identifies suspicious patterns that may indicate a network or system
attack from someone attempting to break into or compromise a system.

Common non-intrusion attacks

Non-intrusion attacks are those in which the goal is not to destroy or steal your
data but to crash your server or clog your network to prevent access. These are
also referred to as denial of service (DoS) attacks.

Common intrusion types

Intrusion attacks are those in which an attacker enters your network to read,
damage, and/or steal your data. These attacks can be divided into two
subcategories: pre-intrusion activities and intrusions.

Pre-intrusion activities

Pre-intrusion activities are used to prepare for intruding into a network. These
include port scanning to find a way to get into the network and IP spoofing to
disguise the identity of the attacker or intruder.

Ways of intruding into your network to do damage include the following: Trojan
attacks, password hijacking attack, etc.

Protecting your network from intruders and attackers

To be effective, network security should be multilayered. As we protect our

homes from burglars by installing fencing at the property line (perimeter),
putting locks on the doors and windows, installing a motion detector inside the
house, and finally putting very valuable items in a safe concealed in the wall.
Likewise, a network needs its own levels of protection: perimeter protection (a
firewall) at the point it connects to the Internet, access controls (user accounts
and permissions) to restrict access to data if someone does get into the network
and encryption of particularly sensitive data.
7