Chapter 1 PDF
Assigned to: Kinjal G. Khattar
Faculty of MCA
Bhagwan Mahavir College of Computer Application
Text Book: Network Security Essentials
[Figure: attack sophistication versus the technical knowledge required of the intruder, over time; only the labels "(Back Orifice)" and "Low" survived extraction]
Conclusion:
• Over time, attacks have grown more sophisticated, while the skill and knowledge required to mount an attack have declined.
2. The OSI Security Architecture
• Requirement:
• To assess security needs effectively, and to choose and evaluate security products and policies, a systematic approach is needed.
• Solution? ITU-T Recommendation X.800, Security Architecture for OSI.
• The OSI Security Architecture focuses on
– Security Attacks
– Security Mechanisms
– Security Services
• Security Attack: Any action that compromises the security of information owned by an organization.
• Security Mechanism: A process (or a device incorporating such a process) that is designed to detect, prevent, or recover from a security attack.
• Security Service: A processing or communication service that enhances the security of data processing systems and information transfers of an organization. A security service counters security attacks and makes use of one or more security mechanisms.
[Figure: Confidentiality, Integrity, Availability (the CIA triad)]
4. Security Services
• X.800 defines a security service as a service provided by a protocol layer of communicating open systems that ensures adequate security of the systems or of data transfers.
• Security services implement security policies and are themselves implemented by security mechanisms.
• X.800 divides the services into five categories and fourteen specific services (Table 1.2):
– Data Confidentiality (privacy)
– Authentication (assurance of who created or sent the data)
– Data Integrity (the data has not been altered)
– Non-repudiation (neither party can later deny the exchange; "the order is final")
– Access Control (prevent misuse of resources)
– Availability (permanence, non-erasure). Attacks on availability include:
• Denial of Service attacks
• A virus that deletes files
Availability Service:
– Both X.800 and RFC 2828 define availability as a property of a system or system resource.
– A system is available if it provides services according to the system design whenever users request them.
– A variety of attacks can result in the loss of, or a reduction in, availability.
– Availability can be treated as a property associated with the other services (e.g., the availability of an authentication service).
– The availability service addresses the security concerns raised by denial-of-service attacks.
– It depends upon:
• proper management and control of system resources
• the access control service.
5. Security Mechanisms
• Defined in X.800.
• Classification 1:
• 1. Reversible Encipherment Mechanism:
– Simply an encryption algorithm.
– Allows data to be encrypted and subsequently decrypted.
• 2. Irreversible Encipherment Mechanism:
– Includes hash algorithms.
– Includes message authentication codes.
– Used in digital signature and message authentication applications.
• Classification 2:
• 1. Specific Security Mechanisms
– May be incorporated into the appropriate protocol layer in order to provide some of the OSI security services (X.800 lists encipherment, digital signature, access control, data integrity, authentication exchange, traffic padding, routing control and notarization).
• 2. Pervasive Security Mechanisms
– Mechanisms that are not specific to any particular OSI security service or protocol layer (X.800 lists trusted functionality, security labels, event detection, security audit trail and security recovery).
X.800 indicates the relationship between security services and security mechanisms in the following table.
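As an added illustration of the difference between the two classes in Classification 1 (this is not code from the textbook or from these slides): the reversible mechanism below is a toy counter-mode stream cipher whose keystream is derived with HMAC-SHA256, chosen only because it needs nothing beyond the Python standard library (a real system would use AES-GCM or ChaCha20-Poly1305); the irreversible mechanism is a plain HMAC-SHA256 tag. The key, nonce, messages and function names are all constructed for the example. The last function also shows why the irreversible mechanism used for authentication must be keyed: an unkeyed hash can be recomputed by the opponent.

```python
import hashlib
import hmac
import secrets


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` keystream bytes as HMAC-SHA256(key, nonce || counter) blocks.
    Illustrative counter-mode construction for this example only; production code
    should use an authenticated cipher such as AES-GCM or ChaCha20-Poly1305."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encipher(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Reversible encipherment: XOR the data with the keystream. Applying the same
    function again with the same key and nonce recovers the original data, so one
    function serves as both encrypt and decrypt."""
    ks = keystream(key, nonce, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


def mac_tag(key: bytes, data: bytes) -> bytes:
    """Irreversible encipherment: a keyed MAC. The tag has a fixed length whatever
    the input size and cannot be inverted to recover `data`; it can only be
    recomputed by a holder of the key."""
    return hmac.new(key, data, hashlib.sha256).digest()


def verify_tag(key: bytes, data: bytes, tag: bytes) -> bool:
    """Constant-time comparison so the check itself does not leak the tag."""
    return hmac.compare_digest(mac_tag(key, data), tag)


def unkeyed_hash_is_forgeable() -> bool:
    """Why a MAC needs a key: if the 'tag' is a plain hash, an opponent who alters
    the message simply recomputes the hash and the receiver's check still passes.
    Returns True when the forged pair is accepted (i.e., the scheme is broken)."""
    original = b"Transfer 100 to account 42"          # constructed sample message
    altered = b"Transfer 900 to account 42"           # opponent's modified message
    intercepted = (altered, hashlib.sha256(altered).digest())  # opponent recomputes
    return hashlib.sha256(intercepted[0]).digest() == intercepted[1] and altered != original


def demo() -> dict:
    """Run both mechanisms over a constructed message and report what each gives."""
    key = secrets.token_bytes(32)      # 256-bit secret shared by the principals
    nonce = secrets.token_bytes(16)    # must never repeat under the same key
    msg = b"Transfer 100 to account 42"
    forged = b"Transfer 900 to account 42"

    ct = encipher(key, nonce, msg)
    recovered = encipher(key, nonce, ct)   # same operation reverses the encipherment
    tag = mac_tag(key, msg)

    return {
        "roundtrip_ok": recovered == msg,
        "ciphertext_differs": ct != msg,
        "tag_len": len(tag),                                   # fixed at 32 bytes
        "tag_verifies": verify_tag(key, msg, tag),
        "tampered_rejected": not verify_tag(key, forged, tag),
        "wrong_key_rejected": not verify_tag(secrets.token_bytes(32), msg, tag),
    }


if __name__ == "__main__":
    print(demo())
    print("unkeyed hash forgeable:", unkeyed_hash_is_forgeable())
```

Note that the toy cipher on its own provides confidentiality but no integrity: flipping a ciphertext bit flips the same plaintext bit undetected, which is exactly why the reversible and irreversible mechanisms are normally combined.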
6. A Model for Network Security:
• The sender and receiver are the principals in the transaction, and they must co-operate for the exchange to take place.
• A logical information channel (e.g., TCP/IP across the Internet) is established between the principals; it is this channel that must be protected from an opponent.
• The two components of a technique for providing security are:
– A security-related transformation of the message (e.g., encryption).
– Secret information shared by the two principals (e.g., an encryption key), possibly distributed with the help of a trusted third party.
• The general model shows that there are four basic tasks in designing a particular security service:
• 1. Design an algorithm for performing the security-related transformation. The algorithm should be such that an opponent cannot defeat its purpose.
• 2. Generate the secret information to be used with the algorithm.
• 3. Develop methods for the distribution and sharing of the secret information.
• 4. Specify a protocol to be used by the two principals that makes use of the security algorithm and the secret information to achieve a particular security service.
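The four tasks above, worked through as an added example that is not from the textbook or the slides: the security service chosen is data origin authentication with integrity and replay protection; the transformation (task 1) is HMAC-SHA256 over a sequence number and the message; the secret (task 2) is a random 256-bit key; key distribution (task 3) is assumed to have happened out of band and is represented simply by handing both principals the same key; and the protocol (task 4) is the frame layout plus the receiver's checks. The principal names, frame format, payloads and opponent actions are all constructed for the example.

```python
import hashlib
import hmac
import secrets
import struct

TAG_LEN = 32   # HMAC-SHA256 output
SEQ_LEN = 8    # 64-bit big-endian sequence number

# Task 1: the security-related transformation. The tag binds the sequence number
# to the payload so that neither can be changed or reused without the key.
def _tag(key: bytes, seq: int, payload: bytes) -> bytes:
    return hmac.new(key, struct.pack(">Q", seq) + payload, hashlib.sha256).digest()

# Task 2: generate the secret with a cryptographically secure generator.
def generate_key() -> bytes:
    return secrets.token_bytes(32)

# Task 3: distribution is assumed to occur over a secure out-of-band channel;
# in this example it is modelled by constructing both principals with the same key.

# Task 4: the protocol. Frame = seq || payload || tag.
class Sender:
    def __init__(self, key: bytes) -> None:
        self.key = key
        self.seq = 0

    def send(self, payload: bytes) -> bytes:
        self.seq += 1                    # strictly increasing, never reused
        return struct.pack(">Q", self.seq) + payload + _tag(self.key, self.seq, payload)


class Receiver:
    def __init__(self, key: bytes) -> None:
        self.key = key
        self.last_seq = 0
        self.accepted: list[bytes] = []

    def receive(self, frame: bytes) -> bool:
        """Return True and accept the payload only if the frame is genuine and fresh."""
        if len(frame) < SEQ_LEN + TAG_LEN:
            return False                 # malformed
        seq = struct.unpack(">Q", frame[:SEQ_LEN])[0]
        payload, tag = frame[SEQ_LEN:-TAG_LEN], frame[-TAG_LEN:]
        if not hmac.compare_digest(_tag(self.key, seq, payload), tag):
            return False                 # forged or modified in transit
        if seq <= self.last_seq:
            return False                 # replayed (or reordered) frame
        self.last_seq = seq
        self.accepted.append(payload)
        return True


def run_exchange() -> dict:
    """Genuine traffic between Alice and Bob with an opponent, Mallory, interfering."""
    key = generate_key()
    alice, bob = Sender(key), Receiver(key)
    f1 = alice.send(b"pay 100")          # constructed sample payloads
    f2 = alice.send(b"pay 200")
    results = {"genuine_1": bob.receive(f1)}

    # Opponent changes the amount in frame 2 but cannot recompute the tag.
    tampered = f2[:SEQ_LEN] + f2[SEQ_LEN:-TAG_LEN].replace(b"200", b"900") + f2[-TAG_LEN:]
    results["tampered_rejected"] = not bob.receive(tampered)
    results["genuine_2"] = bob.receive(f2)

    # Opponent replays a valid earlier frame.
    results["replay_rejected"] = not bob.receive(f1)

    # Opponent without the shared secret forges a frame with a plausible sequence number.
    mallory = Sender(generate_key())
    mallory.seq = 10
    results["forgery_rejected"] = not bob.receive(mallory.send(b"pay 999"))

    results["accepted"] = list(bob.accepted)
    return results


if __name__ == "__main__":
    print(run_exchange())
```

The replay check is deliberately performed after the tag check: a sequence number is only trusted once the tag proves it came from the key holder, otherwise an opponent could advance the receiver's window with garbage frames. Confidentiality is not a goal of this particular service, so the payload is sent in the clear; adding encryption would be a second transformation with its own key.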
• Need? Protect the information system from unwanted access, such as...
• Human Attacks:
– Hacker: someone who, with no malign intent, simply gets satisfaction from breaking and entering a computer system.
– Intruder: someone who seeks to exploit computer assets for financial gain.
• Software Attacks:
– Viruses and worms: unwanted logic that can be introduced into a system by means of a disk that contains the code concealed in otherwise useful software, or inserted across a network.
• Solution? Defensive Methods
Methods of Defense
• Gatekeeper function: includes password-based login procedures designed to deny access to all but authorized users, and screening logic designed to detect and reject worms, viruses, and similar attacks (see next figure).
• System activity monitoring: internal controls that monitor activity and analyze stored information to detect the presence of unwanted intruders.
• Encryption
• Software controls (access limitations in a database; operating system protection of each user from other users)
• Hardware controls (e.g., smartcards)
• Policies (e.g., frequent changes of passwords)
• Physical controls
7. Internet Standards and the Internet Society
• The protocols included in the TCP/IP protocol suite are standardized.
• Who standardizes the developed technology and publishes it?
• The Internet Society.
• It is composed of
– Internet Architecture Board (IAB): responsible for defining the overall architecture of the Internet, providing guidance and broad direction to the IETF.
– Internet Engineering Task Force (IETF): the protocol engineering and development arm of the Internet.
– Internet Engineering Steering Group (IESG): responsible for technical management of IETF activities and the Internet standards process.
• IETF procedure:
– A working group makes a draft version of a document available as an Internet Draft, which is placed in the IETF's "Internet Drafts" online directory.
– The document may remain an Internet Draft for up to six months, during which interested parties may review and comment on it.
– The working group may subsequently publish a revised version of the draft as an RFC (Request for Comments); RFCs are the working notes of the Internet research and development community.
– The IETF is responsible for publishing the RFCs, with the approval of the IESG.
– Table 1.6 shows the IETF areas and their focus.
The Standardization Process:
• The decision of which RFCs become Internet standards is made by the IESG, on the recommendation of the IETF.
• To become a standard, a specification must meet the following criteria:
1. Be stable and well understood
2. Be technically competent
3. Have multiple, independent, and interoperable implementations with substantial operational experience
4. Enjoy significant public support
5. Be recognizably useful in some or all parts of the Internet
• The left-hand side of Figure 1.5 shows the series of steps, called the standards track, that a specification goes through to become a standard; this process is defined in RFC 2026. (Note: RFC 6410, published in 2011, later reduced the track to two maturity levels, Proposed Standard and Internet Standard, removing Draft Standard.)
• The IETF must make a recommendation for advancement of the protocol, and the IESG must ratify it.
• The white boxes in Figure 1.5 represent temporary states, which should be occupied for the minimum practical time (on the order of six months).
• The gray boxes represent long-term states that may be occupied for years.
• After significant implementation and operational experience has been obtained, a specification may be elevated to Internet Standard. At this point, the specification is assigned an STD number as well as its RFC number.
• Finally, when a protocol becomes obsolete, it is assigned to the Historic state.
Internet Standards Categories
• All Internet standards fall into one of two categories: