1. Introduction
In today's information society, information has become a valuable asset, and the advancement of technology and people's dependence on it have made information easier to access. This makes individuals, organizations and nations highly vulnerable to information security attacks. Threats to the Internet first appeared in the 1980s with the advent of ‘hackers' and malware developers who sought to cause damage for notoriety or simply to cause havoc. Macro and script viruses then propagated faster by leveraging the Internet. In the 21st century, however, we began to witness spamming, phishing and botnets, where money is the motivator.
In this paper, we will define computer security in general and network security in particular. Secondly, we will list and explain the security services. Thirdly, we will show the security mechanisms for a network. Then some of the security attacks will be described. Finally, some available security systems will be listed.
2. Network Security
A computer network is a collection of computers and devices connected together that facilitates communication among users and allows them to share resources with other users. Within this field there is a specialised field called network security. It consists of the provisions made in the underlying computer network infrastructure, the policies adopted by network administrators to protect the network and its resources from unauthorized access, and consistent, continuous monitoring and measurement of their effectiveness. These days, network security goes hand in hand with computer security. According to Schneier (2004, pp.176-179), everything from hotel door locks to mobile phones to desktop computers is attached to a network. It is known to be difficult to build a secure standalone machine, so what happens when we need to connect many machines in a network that combines thousands or millions of computers? The networked world is very convenient, but it is more insecure. The main aim of computer security in general and network security in particular is to provide confidentiality, integrity and availability. According to Schneier (2004, pp. 121-122) and Pfleeger (, p.5), confidentiality is simply the privacy of any user: computer security has to stop any unauthorized user from reading other users' sensitive information. Integrity can be defined as “Every piece of data is as the last authorized modifier left it” (Schneier, p.122). Availability means that any computer system or network service should be available when an authorized user requires the service. Availability is a very wide concept and there are many approaches to achieving it.
3. Security Services
X.800 defines a security service as “A service, provided by a layer of communicating open systems, which ensures adequate security of the systems or of data transfers”. In other words, it is a communication service provided by a system to protect system resources. Security services can be divided into five main categories (X.800, 1991): Authentication, Access control, Data Confidentiality, Data Integrity and Nonrepudiation. The following subsections give a brief description of each of these services.
3.1. Authentication
The authentication service is mainly concerned with assuring that a communication is authentic. There are two types of authentication: peer entity authentication and data origin authentication. Peer entity authentication is provided at the establishment of, or during, the data transfer phase of a connection to confirm the identity of one or more entities connected to the network. This service provides confidence, at the time it is used, that there is no masquerade or unauthorized replay of a previous connection. Data origin authentication, on the other hand, provides corroboration of the source of a data unit. The main drawback of this service is that it does not provide protection against modification of data units.
3.2. Access control
In the network security field, access control means preventing unauthorized entities from accessing any network resources, applications and systems. This is achieved by first identifying the entity that is trying to access the resource and then applying the access rights granted to that entity.
3.3. Data Confidentiality
Generally, this service protects data from unauthorized disclosure. X.800 (1991) distinguishes four forms of data confidentiality:
3.3.1. Connection confidentiality: this service provides confidentiality for all (N)-user-data on an (N)-connection.
3.3.2. Connectionless confidentiality: this service provides confidentiality for all (N)-user-data in a single connectionless (N)-SDU.
3.3.3. Selective field confidentiality: this service provides confidentiality for selected fields within the (N)-user-data on an (N)-connection or in a single connectionless (N)-SDU.
3.3.4. Traffic flow confidentiality: this service protects the information that might be derived from observation of traffic flows.
3.4. Data Integrity
This service counters any unauthorized modification, insertion or deletion of data. The different types of data integrity are as follows (X.800, 1991):
3.4.1. Connection integrity with recovery: this service provides integrity for all (N)-user-data on an (N)-connection and detects any modification, insertion or deletion, with a recovery operation attempted.
3.4.2. Connection integrity without recovery: this service provides integrity for all (N)-user-data on an (N)-connection and detects any modification, insertion or deletion, but without a recovery operation.
3.4.3. Connectionless integrity: this service provides integrity for all (N)-user-data in a single connectionless (N)-SDU.
3.4.4. Selective field integrity: this service provides integrity for selected fields within the (N)-user-data on an (N)-connection or in a single connectionless (N)-SDU.
3.4.5. Traffic flow integrity: this service provides for the protection of the information that might be derived from observation of traffic.
3.5. Nonrepudiation
Nonrepudiation prevents either the sender or the receiver of a message from denying that the message was transmitted. When a message is sent, the receiver can prove that it came from the alleged sender; similarly, when a message is received, the sender can prove that it was received by the alleged receiver.
4. Network Security mechanism
A security mechanism, according to Stallings (2007, p.7), is a mechanism designed to detect, prevent or recover from a security attack. X.800 divides security mechanisms into those implemented in a specific protocol layer and those that are not specific to any particular protocol layer or security service.
4.1. Specific Security Mechanisms
These mechanisms may be incorporated into the appropriate protocol layer to provide some of the OSI security services. X.800 defines eight such mechanisms: Encipherment, Digital Signature, Access Control, Data Integrity, Authentication Exchange, Traffic Padding, Routing Control and Notarization.
4.1.1. Encipherment
Stallings divides encipherment into two main categories: the reversible encipherment mechanism and the irreversible encipherment mechanism. A reversible mechanism is simply an encryption algorithm that allows data to be encrypted and subsequently decrypted. Reversible mechanisms fall into two general classes of algorithm:
- Symmetric key algorithms, where both parties share the same key (the secret key).
- Asymmetric key algorithms, where each party has a different key, one for encryption and the other for decryption (the public key and the private key).
An irreversible encipherment mechanism may or may not use a key; when it does, the key may be either public or secret.
4.1.2. Digital Signature
These mechanisms define two procedures: signing a data unit and verifying the signed data unit. The first procedure uses information that is private and confidential to the signer. The second uses procedures and information that are publicly available, but from which the signer's private information cannot be deduced.
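The two procedures just described, sign with private information and verify with public information, are shown below in Go using the standard library's Ed25519 implementation. This is an added example, not code from the essay or from X.800; the function names, the generated key pair and the sample data unit are all constructed for the demonstration. It also shows why a signature supports the nonrepudiation service of section 3.5: a modified data unit, or a signature checked against a key pair the signer never used, fails verification.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// GenerateKeyPair creates a fresh Ed25519 key pair. The private key is the
// signer's confidential information; the public key is what a verifier holds.
func GenerateKeyPair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignDataUnit is the first X.800 procedure: produce a signature over a data
// unit using information known only to the signer.
func SignDataUnit(priv ed25519.PrivateKey, dataUnit []byte) []byte {
	return ed25519.Sign(priv, dataUnit)
}

// VerifyDataUnit is the second procedure: it needs only the public key, from
// which the private key cannot be derived. It returns false for a bad
// signature, a modified data unit, or a key or signature of the wrong length.
func VerifyDataUnit(pub ed25519.PublicKey, dataUnit, sig []byte) bool {
	if len(pub) != ed25519.PublicKeySize || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, dataUnit, sig)
}

// Demo signs a constructed request, then checks the genuine unit, a modified
// copy, and the same signature against a key pair the signer never used.
// It returns (genuineOK, modifiedOK, wrongKeyOK, err).
func Demo() (bool, bool, bool, error) {
	pub, priv, err := GenerateKeyPair()
	if err != nil {
		return false, false, false, err
	}
	otherPub, _, err := GenerateKeyPair() // a second, unrelated signer
	if err != nil {
		return false, false, false, err
	}
	request := []byte("Please give access to A") // constructed sample data unit
	sig := SignDataUnit(priv, request)

	genuineOK := VerifyDataUnit(pub, request, sig)
	modifiedOK := VerifyDataUnit(pub, []byte("Please give access to C"), sig)
	wrongKeyOK := VerifyDataUnit(otherPub, request, sig)
	return genuineOK, modifiedOK, wrongKeyOK, nil
}

func main() {
	g, m, w, err := Demo()
	if err != nil {
		fmt.Println("key generation failed:", err)
		return
	}
	fmt.Printf("genuine unit verifies: %v\n", g)     // true
	fmt.Printf("modified unit verifies: %v\n", m)    // false
	fmt.Printf("wrong public key verifies: %v\n", w) // false
}
```

Because only the holder of the private key could have produced a signature that verifies under the matching public key, a verifier can later demonstrate to a third party who signed the data unit; that is the property the nonrepudiation service relies on.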
4.1.3. Access Control
An access control mechanism may be based on one or more of the following:
- Access control information bases, where the access rights of peer entities are maintained.
- Authentication information, e.g. passwords and possession.
- Capabilities, possession and subsequent presentation of which is evidence of the right to access the entity or resource defined by the capability.
- Security labels: usually associated with an entity, these may be used to grant or deny access according to a security policy.
- Time of attempted access.
- Route of attempted access.
- Duration of access.
4.1.4. Data Integrity
According to X.800, there are two aspects of data integrity. The first is the integrity of a single data unit, which involves two processes, one at the sending entity and the other at the receiving entity. The sending entity appends to the data a quantity that is a function of the data itself; this quantity may be a block check code or a cryptographic check value. The receiving entity generates the corresponding quantity and compares it with the one received to determine whether the data has been modified in transit.
The second aspect is the integrity of a stream of data units. This requires more than the single-unit check, namely sequence numbering, time stamping and cryptographic chaining.
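Both aspects of the data integrity mechanism can be seen in one small Go program: a cryptographic check value (HMAC-SHA256) appended to each data unit, plus sequence numbering and cryptographic chaining for the stream. This is an added example, not code from the essay or from X.800; the Sender and Receiver types, the constructed key and the sample payloads are assumptions for the demonstration. It behaves as the "without recovery" service of section 3.4.2 (it reports the failure and does not resynchronise), and the scenarios it runs correspond to the modification and replay attacks of section 5.2.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// DataUnit is one protected unit of a stream: the payload, its sequence
// number, and the cryptographic check value the sender appended.
type DataUnit struct {
	Seq     uint64
	Payload []byte
	Check   []byte
}

var (
	ErrModified = errors.New("check value mismatch: unit modified or chain broken")
	ErrSequence = errors.New("sequence mismatch: unit inserted, deleted, replayed or reordered")
)

// checkValue computes HMAC-SHA256 over the sequence number, the previous
// unit's check value (cryptographic chaining) and the payload, so a unit
// cannot be altered, moved, or spliced into another stream unnoticed.
func checkValue(key []byte, seq uint64, prevCheck, payload []byte) []byte {
	mac := hmac.New(sha256.New, key)
	var seqBytes [8]byte
	binary.BigEndian.PutUint64(seqBytes[:], seq)
	mac.Write(seqBytes[:])
	mac.Write(prevCheck)
	mac.Write(payload)
	return mac.Sum(nil)
}

// Sender numbers units and appends the check value; Receiver regenerates the
// check value and compares it, tracking the same sequence and chain state.
type Sender struct {
	key  []byte
	next uint64
	prev []byte
}

type Receiver struct {
	key  []byte
	next uint64
	prev []byte
}

func NewSender(key []byte) *Sender     { return &Sender{key: key} }
func NewReceiver(key []byte) *Receiver { return &Receiver{key: key} }

func (s *Sender) Send(payload []byte) DataUnit {
	u := DataUnit{Seq: s.next, Payload: append([]byte(nil), payload...)}
	u.Check = checkValue(s.key, u.Seq, s.prev, u.Payload)
	s.prev, s.next = u.Check, s.next+1
	return u
}

// Receive accepts the unit (nil) or reports why it is rejected; it detects
// and reports but does not attempt recovery.
func (r *Receiver) Receive(u DataUnit) error {
	if u.Seq != r.next {
		return ErrSequence
	}
	if !hmac.Equal(checkValue(r.key, u.Seq, r.prev, u.Payload), u.Check) {
		return ErrModified
	}
	r.prev, r.next = u.Check, r.next+1
	return nil
}

// Demo runs four scenarios and returns the receiver's verdict for each:
// 0 in-order delivery, 1 payload modified in transit, 2 replay of an already
// accepted unit, 3 a unit deleted (the receiver sees the second before the first).
func Demo() [4]error {
	key := []byte("constructed-demo-key") // constructed; a real key comes from key management
	var verdict [4]error

	s, r := NewSender(key), NewReceiver(key)
	first, second := s.Send([]byte("hello")), s.Send([]byte("world"))
	_ = r.Receive(first)
	verdict[0] = r.Receive(second)

	s, r = NewSender(key), NewReceiver(key)
	u := s.Send([]byte("Please give access to A"))
	u.Payload = []byte("Please give access to C") // modification attack from section 5.2
	verdict[1] = r.Receive(u)

	s, r = NewSender(key), NewReceiver(key)
	u = s.Send([]byte("grant"))
	_ = r.Receive(u)
	verdict[2] = r.Receive(u) // the same unit presented again (replay)

	s, r = NewSender(key), NewReceiver(key)
	_ = s.Send([]byte("first")) // lost or deleted on the wire
	verdict[3] = r.Receive(s.Send([]byte("second")))

	return verdict
}

func main() {
	for i, v := range Demo() {
		fmt.Printf("scenario %d: %v\n", i, v)
	}
}
```

The sequence number alone catches replay, deletion and reordering; chaining the previous check value into the next one additionally prevents a unit from being cut out of one stream and spliced into another at the same position. A "with recovery" variant would keep this detection logic and add, for example, a request for retransmission of the missing unit.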
4.1.5. Authentication Exchange
This mechanism can be implemented to provide peer entity authentication. If an entity is rejected, the connection from that entity is terminated and an entry is made in the security log. Some authentication techniques that can be applied are:
- Use of authentication information supplied by the sending entity and checked by the receiving entity.
- Cryptographic techniques.
- Use of characteristics of the entity.
According to X.800, when cryptographic techniques are used, they may be combined with handshaking protocols to protect against replays.
4.1.6. Traffic Padding
Traffic padding is simply the insertion of bits into gaps in a data stream to frustrate traffic analysis attempts. It is effective only when the padding is protected by a confidentiality service.
4.1.7. Routing Control
This mechanism enables the selection of particular physically secure routes for certain data and allows routing to be changed, especially when a breach of security is suspected. This happens either dynamically or under the direction of network administrators.
4.1.8. Notarization
Any property of the data exchanged, such as its integrity, origin, time and destination, can be assured by a third-party notary that holds the information needed to deliver the required assurance in a certifiable manner. Each party to the communication may use digital signature, encipherment and integrity mechanisms in support of the notary.
4.2. Pervasive Security Mechanisms
Pervasive security mechanisms are those not specific to any particular OSI security service or protocol layer. There are five: trusted functionality, security labels, event detection, security audit trail and security recovery.
4.2.1. Trusted functionality
This mechanism can be used to extend the functionality of other security mechanisms. Implementing trusted functionality is costly and difficult. The only practical way to implement it is to choose an infrastructure that permits the security function modules to be separated from, and protected from, non-security functions.
4.2.2. Security Label
A security label is a marking bound to a resource (which may be a data unit) that names or designates the security attributes of that resource. The label may be implicit, for example indicated by the specific key used to encipher the data or by the context of the data. If an explicit label is used, it must be clearly identified so that it can be checked correctly.
4.2.3. Event Detection
This mechanism covers the detection of security violations and, sometimes, of normal events such as a successful access.
4.2.4. Security Audit Trail
A security audit trail is a valuable security mechanism because it collects the data that permits a security audit, which can investigate breaches and changes. A security audit is an independent review of system records and activities to test the adequacy of system controls. Logging and recording are themselves considered a security mechanism.
4.2.5. Security Recovery
In general, security recovery deals with requests from mechanisms such as event handling and management functions and takes recovery actions. The resulting actions fall into three kinds: immediate, temporary and long term. An immediate action might be disconnecting the session; a temporary action might classify the entity as temporarily invalid; a long-term action might add the entity to a blacklist or change the key.
5. Security Attacks
Stallings (2007, p.7) defines a security attack as “any action that compromises the security of information owned by an organization”. Both X.800 and RFC 2828 distinguish two kinds of attack: passive attacks and active attacks. Passive attacks do not harm system resources or attempt to alter them. Active attacks, on the other hand, attempt to harm system resources or affect their operation.
5.1. Passive Attacks
The main goal of a passive attack is to obtain information that is being transmitted through the network. Stallings (2007, pp.7-8) divides passive attacks into two main categories: release of message contents and traffic analysis.
The release of message contents is easy to understand: Host A sends an email or transfers a file to Host B, and the attacker learns the contents of this communication.
The traffic analysis attack follows the same pattern, except that the captured message is encrypted. Even though the attacker captures the message, he cannot read it. The attacker therefore analyses the messages that have been sent: he studies the pattern of the messages and can also determine the location and identity of the communicating hosts.
Generally, passive attacks are very difficult to detect because they involve no modification or deletion of the messages sent. Neither the sender nor the receiver will notice that the communication has been compromised and the attacker has read the message.
The most common way to prevent passive attacks is the use of encryption, since for these attacks the emphasis is on prevention rather than detection.
5.2. Active Attacks
Active attacks involve modification of the data stream or the creation of a false stream. According to Stallings, active attacks can be divided into four categories: masquerade, replay, modification of messages and denial of service (DoS).
A masquerade takes place when one entity pretends to be another. A replay involves capturing a data unit and subsequently retransmitting it to produce an unauthorized effect. Modification of messages means that some portion of a legitimate message is altered, delayed or reordered to produce an unauthorized effect. A good example is an entity sending the message “Please give access to A” and the attacker modifying it to “Please give access to C”. DoS attacks prevent the normal use of a network, for example by flooding it with messages. A DoS attack may target a specific entity or the network as a whole to degrade its performance.
Overall, passive and active attacks have opposite characteristics: passive attacks are difficult to detect, but there are many ways to prevent them, whereas active attacks are quite difficult to prevent, so the main goal is to detect them and then recover from any delays or modifications they cause.
6. Network Security Systems
Network security systems are hardware or software systems that protect the network, its clients, servers, routers and switches from unauthorized access or attack. Based on the previous sections, we recommend the following for achieving good security protection.
6.1. Firewall
A firewall prevents unauthorized access to a host or a network. It acts as a barrier between networks, blocking unwanted traffic and preventing unauthorized entities from accessing a network. There are two kinds of firewall: software and hardware. A software firewall usually comes with an operating system such as Windows, or with antivirus software such as Norton. A hardware firewall is a server that separates two networks from each other and is usually located between the Internet and a company network; it is the more powerful of the two. In either case, the firewall inspects all traffic, inbound and outbound, to see whether it meets certain criteria: if it does, the firewall allows the traffic; otherwise the traffic is blocked. Traffic can be filtered on the basis of:
- Address filtering: the source and destination addresses and port numbers.
- Protocol filtering: the type of network traffic.
- State filtering: the attributes or state of the packets sent.
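The three filtering criteria listed above are worked through below in a small Go packet filter: rules match on addresses, ports and protocol, state filtering passes the return traffic of a connection the firewall already tracked, rules are tried in order with the first match winning, and anything unmatched is denied. This is an added example, not code from the essay or from any firewall product; the rule set, the Packet and Rule types and the addresses (taken from the RFC 5737 documentation ranges, with 192.0.2.0/24 standing in for the company LAN) are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Packet carries the fields a packet-filtering firewall inspects.
type Packet struct {
	Proto       string // "tcp", "udp" or "icmp"
	Src, Dst    netip.Addr
	SrcPort     uint16
	DstPort     uint16
	Established bool // set when the firewall already tracked this connection being opened from inside
}

// Rule is one filter line: address filtering (Src/Dst prefixes, DstPort),
// protocol filtering (Proto), and the action to take on a match.
type Rule struct {
	Name    string
	Action  string // "allow" or "deny"
	Proto   string // "" matches any protocol
	Src     netip.Prefix
	Dst     netip.Prefix
	DstPort uint16 // 0 matches any port
}

func (r Rule) Matches(p Packet) bool {
	if r.Proto != "" && r.Proto != p.Proto {
		return false
	}
	if !r.Src.Contains(p.Src) || !r.Dst.Contains(p.Dst) {
		return false
	}
	return r.DstPort == 0 || r.DstPort == p.DstPort
}

type Firewall struct{ Rules []Rule }

// Decide returns the action and the reason. State filtering comes first:
// return traffic of a tracked connection passes. Then rules are tried in
// order, first match wins, and anything unmatched is denied by default.
func (f Firewall) Decide(p Packet) (action, reason string) {
	if p.Established {
		return "allow", "state:established"
	}
	for _, r := range f.Rules {
		if r.Matches(p) {
			return r.Action, r.Name
		}
	}
	return "deny", "default-deny"
}

// ExampleFirewall builds a constructed rule set for a LAN with one web server.
func ExampleFirewall() Firewall {
	anyV4 := netip.MustParsePrefix("0.0.0.0/0")
	lan := netip.MustParsePrefix("192.0.2.0/24")
	web := netip.MustParsePrefix("192.0.2.10/32")
	return Firewall{Rules: []Rule{
		{Name: "allow-https-to-web", Action: "allow", Proto: "tcp", Src: anyV4, Dst: web, DstPort: 443},
		{Name: "deny-telnet-inbound", Action: "deny", Proto: "tcp", Src: anyV4, Dst: lan, DstPort: 23},
		{Name: "allow-lan-outbound", Action: "allow", Src: lan, Dst: anyV4},
	}}
}

// Demo runs constructed packets through the rule set and returns "action/reason" per packet.
func Demo() []string {
	fw := ExampleFirewall()
	outside := netip.MustParseAddr("198.51.100.7")
	dns := netip.MustParseAddr("203.0.113.9")
	webSrv := netip.MustParseAddr("192.0.2.10")
	desktop := netip.MustParseAddr("192.0.2.55")
	packets := []Packet{
		{Proto: "tcp", Src: outside, Dst: webSrv, SrcPort: 51000, DstPort: 443},
		{Proto: "tcp", Src: outside, Dst: webSrv, SrcPort: 51001, DstPort: 23},
		{Proto: "udp", Src: desktop, Dst: dns, SrcPort: 40000, DstPort: 53},
		{Proto: "tcp", Src: outside, Dst: desktop, SrcPort: 51002, DstPort: 22},
		{Proto: "udp", Src: dns, Dst: desktop, SrcPort: 53, DstPort: 40000, Established: true},
	}
	var out []string
	for _, p := range packets {
		a, why := fw.Decide(p)
		out = append(out, a+"/"+why)
	}
	return out
}

func main() {
	for _, line := range Demo() {
		fmt.Println(line)
	}
}
```

The fourth packet shows why the default-deny rule matters: an inbound SSH attempt to a desktop matches no explicit rule, and the safe outcome is to drop it rather than let it through. The fifth packet shows state filtering: the DNS reply is only accepted because the desktop's outbound query was seen first.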
6.2. Network Access Control (NAC)
Network access control (NAC) protects the network and the information on it from threats posed by unauthorized entities inside or outside the network. NAC has three main aspects:
- Authentication: checking that entities are who they say they are.
- Assessment: making sure they are virus-free and meet the organization's security policy.
- Enforcement: so that each entity can access information appropriate to its role while being prevented from accessing other information.
Good examples of NAC in use are Active Directory (AD) for Windows users and access control lists (ACLs) on routers. Both provide a secure environment for the entities in a given network.
6.3. Intrusion Detection System (IDS)
An IDS is a device that monitors network and system activities, looking for policy violations and malicious activity, and reports them to a management station. There are two types of IDS: the Network Intrusion Detection System (NIDS) and the Host-Based Intrusion Detection System (HIDS).
- NIDS: identifies intrusions by analysing traffic and monitoring the hosts. It gains access to the network traffic by connecting to switches and hubs configured for port monitoring. A well-known example is Snort.
- HIDS: consists of agents installed on many hosts to monitor their system logs, application logs and file system modifications. An example is OSSEC.
On the other hand, any IDS has limitations:
- Noise: the effectiveness of any IDS is limited by noise. Sources of network noise such as corrupt DNS data, software bugs and packets that escaped can create high false alarm rates.
- Signature updates: many attacks target a specific version of software, and that software is not updated regularly.
- Number of attacks: the number of real attacks is often far below the false alarm rate, so real attacks are frequently missed or ignored.
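The NIDS behaviour described in section 6.3, and the noise limitation listed above, are illustrated by the following Go detector, which runs a signature rule (a content pattern) and a threshold rule (many distinct destination ports from one source inside a time window) over connection records such as a sensor would reconstruct from mirrored switch traffic. This is an added example, not code from the essay, from Snort or from OSSEC; the FlowRecord and Detector types, the rule names, the signature string and the records themselves are constructed. The last record is a benign mail message that merely quotes the signature, so it produces a false alarm, which is exactly the noise problem the list describes.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// FlowRecord is one connection attempt as a NIDS reconstructs it from mirrored
// switch traffic. Time is seconds from capture start (constructed data).
type FlowRecord struct {
	Time    int
	Src     string
	Dst     string
	DstPort int
	Payload string
}

type Alert struct {
	Rule   string
	Src    string
	Detail string
}

// Detector holds a signature rule set (rule name -> content pattern) and a
// threshold rule (distinct destination ports from one source within a window).
type Detector struct {
	Signatures     map[string]string
	ScanPortThresh int
	ScanWindow     int
}

// Analyze walks the records (assumed sorted by Time) and returns the alerts raised.
func (d Detector) Analyze(records []FlowRecord) []Alert {
	var alerts []Alert
	sigNames := make([]string, 0, len(d.Signatures))
	for name := range d.Signatures {
		sigNames = append(sigNames, name)
	}
	sort.Strings(sigNames) // deterministic alert order

	type pair struct{ src, dst string }
	seen := map[pair][]FlowRecord{}
	reported := map[pair]bool{}

	for _, rec := range records {
		// Signature rule: one alert per record whose payload contains a pattern.
		for _, name := range sigNames {
			if strings.Contains(rec.Payload, d.Signatures[name]) {
				alerts = append(alerts, Alert{name, rec.Src, fmt.Sprintf("%s:%d", rec.Dst, rec.DstPort)})
			}
		}
		// Threshold rule: count distinct ports this source touched on this
		// destination within the window; alert once per source/destination pair.
		k := pair{rec.Src, rec.Dst}
		seen[k] = append(seen[k], rec)
		ports := map[int]bool{}
		for _, prev := range seen[k] {
			if rec.Time-prev.Time <= d.ScanWindow {
				ports[prev.DstPort] = true
			}
		}
		if len(ports) >= d.ScanPortThresh && !reported[k] {
			reported[k] = true
			alerts = append(alerts, Alert{"portscan-threshold", rec.Src,
				fmt.Sprintf("%d distinct ports on %s within %ds", len(ports), rec.Dst, d.ScanWindow)})
		}
	}
	return alerts
}

// Demo runs the detector over constructed records: a host probing five ports
// in four seconds, a desktop doing normal web traffic, a true signature hit,
// and a benign message that happens to quote the signature (a false alarm).
func Demo() []Alert {
	d := Detector{
		Signatures:     map[string]string{"sig-demo-beacon": "DEMO-BEACON-MARKER"}, // constructed pattern
		ScanPortThresh: 5,
		ScanWindow:     10,
	}
	records := []FlowRecord{
		{1, "198.51.100.7", "192.0.2.10", 21, ""},
		{2, "198.51.100.7", "192.0.2.10", 22, ""},
		{2, "192.0.2.55", "192.0.2.10", 80, "GET / HTTP/1.1"},
		{3, "198.51.100.7", "192.0.2.10", 23, ""},
		{4, "198.51.100.7", "192.0.2.10", 25, ""},
		{5, "198.51.100.7", "192.0.2.10", 80, "GET / HTTP/1.1"},
		{6, "192.0.2.55", "192.0.2.10", 443, ""},
		{7, "203.0.113.9", "192.0.2.10", 8080, "POST /update DEMO-BEACON-MARKER"},
		{8, "192.0.2.55", "192.0.2.20", 25, "Subject: IDS report mentions DEMO-BEACON-MARKER"},
	}
	return d.Analyze(records)
}

func main() {
	for _, a := range Demo() {
		fmt.Printf("%-20s src=%-14s %s\n", a.Rule, a.Src, a.Detail)
	}
}
```

Three alerts come out: the port-scan threshold fires once for 198.51.100.7 after its fifth distinct port, the signature fires on the record from 203.0.113.9, and the signature fires again on the mail from 192.0.2.55, which is the false positive. An analyst tuning this detector would add context to the signature (for example restricting it to the protocol and port where the marker is meaningful) rather than simply raising the threshold, since raising thresholds is what lets the rare real attack be missed.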
6.4. Antivirus
Antivirus software defends the user or organization against viruses and other malware threats such as Trojans, worms and spyware. It uses a scanner to identify malicious programs. Scanners detect known viruses by comparing files on the host against a library of identities for known viruses, and they also scan for previously unknown viruses by analysing program behaviour. All of these abilities depend on frequent updates performed by either the user or the system administrator.
7. Conclusion
In conclusion, network security is a very wide area of computer science, and there is no such thing as a 100% secure environment. In this paper we defined computer security in general and network security in particular. Secondly, we listed and explained the security services of the OSI model. Thirdly, we showed the security mechanisms for a network. Then some of the security attacks were described. Finally, some available security systems were listed.
Hussain Saiemaldahar 112088