Network Security Flashcards
Security Problems
-Remote Attacks
-Software Developed with ‘back doors’
-Insecure Configuration
-Internal attacks
-Access Control
-Attaching personal devices to work networks
Security Management
-Control and Distribution
-Event Logging
-Monitoring
-Parameter Management
Security Services
-Denial of Service Prevention
-Access control – what users can do when logged into the system
-User Authentication (Multi-factor, 2FA)
-Data Confidentiality
-Accountability
Security Mechanisms
-Encryption/Decryption
-Message Authentication
-Password Policy
-Digital Signatures
-Access Control
Secure Sockets Layer/Transport Layer Security
SSL/TLS mechanisms are used whenever a web page indicates that you are entering a secure mode of operation, e.g. for the transfer of credit card details.
Secure Sockets Layer/Transport Layer Security Encryption
The encryption key length may vary from 40 bits to 128 bits; 256 bits are used for a stronger cipher.
Trusted certificates
A trusted certificate contains the owner’s public key, which is trusted because it is cryptographically signed by a trusted agency.
DES, Triple DES and AES Encryption
The Data Encryption Standard (DES) dates back to the mid-1970s
-Its 56-bit key length is inadequate today (it can be broken in less than 24 hours)
Triple DES has a much longer effective key length
The more recent Advanced Encryption Standard (AES) provides
-Greater security, e.g. 128- to 256-bit key length
-An internationally developed algorithm (from Belgium)
-A 128-bit block cipher (for efficient computer implementation)
Virtual Private Networks (VPN)
A private network that uses a public network (usually the Internet) to connect remote sites or users together. Instead of using a dedicated, real-world connection such as a leased line, a VPN uses “virtual” connections.
A VPN appears to be private but is not
- “Privacy” occurs due to encryption
-Then the encrypted data is encapsulated in “routable IP packets”
Virtual Private Networks
An outsider might intercept packets, but can’t:
-Read them
-Modify them without detection
-Impersonate a legitimate party
Two typical uses of Virtual Private Networks
Replacing expensive T1/E1 leased lines
Replacing Expensive T1/E1 Leased Lines
A virtual private network may be utilized to replace expensive T1/E1 lines
-Using the organisation’s intranet or the internet instead
However, this does not provide any assurances of timeliness of delivery
-Gets the usual best-effort delivery of the intranet or Internet
Usage of the RADIUS Protocol
Remote Authentication Dial-In User Service (RADIUS) provides
-Authentication, Authorization checking and accounting
-Uses Point-to-Point Protocol (PPP)
-Operates on port 1812
-Commonly used to facilitate roaming
-Can provide customizable login prompts
RADIUS Authentication and Authorization Flow
RADIUS Client --- Access-Request ---> RADIUS Server
RADIUS Client <--- Access-Accept --- RADIUS Server
RADIUS Client <--- Access-Reject --- RADIUS Server
RADIUS Client <--- Access-Challenge --- RADIUS Server
Uncontrolled Interconnection into the Internet
It is easy to connect to the Internet: all it takes is a router and the appropriate approval. However, an uncontrolled connection is not a good idea.
Internet Access Security solutions
Solutions are called FIREWALLS.
The routers we use to connect to the Internet use filters to:
-Filter out undesired traffic
-Example: external TELNET and FTP requests
-Allow only email in and out
Router-Based Firewalls
The firewall may be a screening router
-The router is set up to filter connection requests
-These are not considered to be very strong security measures
This is a low-budget approach
Host-Based Firewalls
Alternatively, we may want to use a host-based firewall
-Login controls over inbound and outbound internet traffic
-May include an e-mail gateway, FTP server or Web Server
Key Firewall Data Sheet Parameters
The firewall may be router- or host-based
-Router filtering is the least expensive
-Host-based is more secure
Must be configurable to support your security policy
-What connections you will permit
-Usually deny all others
Key Firewall Data Sheet Parameters (cont.)
Should be capable of filtering unauthorized connection attempts
-There are known vulnerabilities in many approaches to this
-Considerable care must be taken in configuring the firewall!
Key Firewall Data Sheet Parameters (cont. 2)
Should be capable of detecting all known internet security attacks
Firewalls may also include other network security capabilities
-Intrusion detection (known attack “signature” and anomalies)
-Network address translation (NAT)
-URL and content filtering
Evaluated Products
There is an internationally accepted security rating system called “Common Criteria Evaluated Products”
-With an “Evaluation Assurance Level (EAL)” range of 1 to 7
Many government and commercial procurements are requiring an EAL rating for security-related hardware/software
-EAL 2 is the minimally accepted assurance level
-EAL 4 is the highest level obtainable for a retrofit product
-EALs 5 to 7 are extremely expensive to obtain (typically limited to government/military applications)
-These products include firewalls, intrusion detection systems, downgrade guards, etc.
Common Criteria Evaluation Assurance Levels
EAL1: Functionally Tested. …
EAL2: Structurally Tested. …
EAL3: Methodically Tested and Checked. …
EAL4: Methodically Designed, Tested, and Reviewed. …
EAL5: Semi-Formally Designed and Tested. …
EAL6: Semi-Formally Verified Design and Tested. …
EAL7: Formally Verified Design and Tested.