CS457/557/MIS420/520 - Computer Networks: Chapter 13 - Network Security

Objectives

1. Understand the many processes involved with the development of a comprehensive security policy.
2. Understand the importance of a well developed and implemented security policy and associated people processes to effective security technology implementation.
3. Understand the concepts, protocols, standards, and technolgy related to virus protection.
4. Understand the concepts, protocols, standards, and technology related to firewalls.
5. Understand the concepts, protocols, standards, and technology related to authentication.
6. Understand the concepts, protocols, standards, and technology related to encryption.

Introduction

Business Impact

• More than $10 billion worth of data is stolen annually in the U.S.
• 60,000 credit / calling card numbers were stolen in a single incident.
• 50% of computer crimes are committed by a company's current or ex-employees.
• In a survey of 1320 companies in 1996, 78% lost money from security breaches, 63% suffered losses from viruses, and at least 20 lost over $1 million.

Security Policy Development

• The Security Policy Development Life Cycle
  • Identification of business-related security issues
  • Analysis of security risks, threats, and vulnerabilities
  • Architecture and process design
  • Security technology and process implementation
  • Audit impact of security technology and processes
  • Evaluation of effectiveness of current architecture and processes
• Security Requirements Assessment [Fig. 13-3]
• Scope Definition and Feasibility Studies [Fig. 13-5, 13-6]
  • Identification/authorization
  • Access control
  • Privacy
  • Data integrity
  • Nonrepudiation
• Assests, Threats, Vulnerabilities, and Risks
• Protective Measures (Virus protection, firewalls, authentication, and encryption)
• Management Role and Responsibilities [Fig. 13-9, 13-10]
• Policy Development Process [13-11: Acceptable Use Policies]
• Policy Implementation Process [13-12, 13-13]
• Auditing (Manual Audit, Automated Audit, Security Probes [SATAN]

Virus Protection

• Virus Categories
• Antivirus Strategies
• Antivirus Technology

Firewalls

• Firewall Architectures
  • Packet Filtering (use table of addresses) [can be circumvented by IP spoofing]
  • Application Gateways [filters by type of application]
  • Internal Firewalls [use for access control]
• Firewall Functionality and Technology Analysis
  • Encryption
  • VPN support
  • Application proxies supported
  • Proxy isolation
  • OSs supported
  • Virus scanning included
  • Web tracking
  • Violation notification
  • Authentication supported
  • Network interfaces supported
  • System monitoring
  • Auditing and logging
  • Attack protection
  • Adminstration interface

Authentication and Access Control

• Token Authentication
  • Challenge-response token authentication
  • Time-synchronous token authentication
• Biometric Authentication
• Authorization
• Kerbos

Encryption

• DES (data encryption standard) - Private Key Encryption
• RSA (Rivest-Shamir-Adelman) - Public Key Encryption
• Digital Signature Encryption
• Key Management Alternatives [public key certificates, Digital IDsissued by certificate authorities(CA)(Verisign)]

Applied Security Scenerios

• Integration with Information Systems and Application Development (authentication using APIs)
• Remote Access Security [remote authentication dial-in user service (RADIUS) - Fig. 13-25]
• E-mail, Web, and Internet/Intranet Security
  • S-HTTP (secure http) - based on public key encryption using digital signatures
  • SSL (secure sockets layer) - wraps an encrypted envelope around the service transmission
  • PAP/CHAP (password authentication protocol / challenge handshake authentication protocol)
  • Microsoft's PCT (private communications technology) - supports transmission across UDP connections
  • PEM (privacy enhanced mail) - historical
  • PGP (pretty good privacy) - e-mail specific encryption standard
  • SET (Secure Electronic Transactions) - series of standards to assure confidentiality of electronic commerce transactions
  • S/MIME (Secure Multipurpose Internet Mail Extension)
• Virtual Private Network Security
  • Microsoft's PPTP (point to point tunneling)
  • Cisco's L2F (layer 2 forwarding)
  • IPsec (used by firewall vendors)
  • IPv6 authentication & encapsulating security payload headers (RFCs 1825-1829)
• Enterprise Network Security
  • Single point registration
  • Single sign-on
  • Single access control view
  • Security auditing and intrusion detection

Government Impact

• Standards-Making Organizations
  • IAB - Internet Architecture Board & IEFT
  • ISO - International Standards Organization [ISO 7498/2 - OSI Security Architecture]
  • NSA - National Security Agency
  • NCSC - National Computer Security Center developed Trusted Computer System Evaluation Criteria (TCSEC)
  • Orange Book Certification
    • Security Policy
    • Marking (access control labels)
    • Identification
    • Accountability
    • Assurance
    • Continuous protection
• Encryption Export Policy and Key Recovery [Clipper Chip; key escrow agencies]

Slides

Review Questions:(due Dec. 1) 7

Activities: