Network Security

Question 1

Security Problems

Answer 1

-Remote Attacks
-Software Developed with ‘back doors’
-Insecure Configuration
-Internal attacks
-Access Control
-Attaching personal devices to work networks

Question 2

Security Management

Answer 2

-Control and Distribution
-Event Logging
-Monitoring
-Parameter Management

Question 3

Security Services

Answer 3

-Denial of Service Prevention
-Access control – what users can do when logged into the system
-User Authentication (Multi-factor,2FA)
-Data Confidentiality
-Accountability

Question 4

Security Mechanisms

Answer 4

-Encryption/Decryption
-Message Authentication
-Password Policy
-Digital Signatures
-Access Control

Question 5

Secure Sockets Layer/Transport Layer Security

Answer 5

Mechanisms are utilised whenever a web access screen indicates that you are going into a secure mode of operation. E.g. for transfer of credit card details.

Question 6

Secure Sockets Layer/Transport Layer Security Encryption

Answer 6

Encryption key may vary from 40 bits to 128 bits. 256 bits are used for a stronger cipher.

Question 7

Trusted certificates

Answer 7

The trusted certificates contains the owner’s public key, which is trusted because it is cryptographically signed by a trusted agency.

Question 8

DES, Triple DES and AES Encryption

Answer 8

The Data Encryption Standard (DES) dates back to the mid-1970’s
-Its 56-bit key length is inadequate today (it can be broken in less than 24 hours)
Triple DES has a much longer effective key length
The more recent Advanced Encryption Standards (AES) provides
-Greater security e.g 128-256-bit length
-An internationally developed algorithm (from Belgium)
-A 128-bit block cipher (for efficient computer implementation)

Question 9

Virtual Private Networks (VPN)

Answer 9

Private network that uses public network (usually Internet) to connect remote sites or users together. Instead using dedicated, real-world connection such as leased line, a VPN uses “virtual” connections.

Question 10

VPN appears to be private but is not

Answer 10

• “Privacy” occurs due to encryption
• Then, encapsulation is in “routable IP packets”

Question 11

Virtual Private Networks

Answer 11

An outsider might intercept packets, but cant:
-Read them
-Modify them without detection
-Impersonate expensive T1/E1 leased lines

Two typical uses of virtual Private Networks
Replacing expensive T1/E1 leased lines

Question 12

Replacing Expensive T1/E1 Leased Lines

Answer 12

A virtual private network may be utilized to replace expensive T1/E1 lines
-Using the organisation’s intranet or the internet instead

However, this does not provide any assurances of timeliness of delivery
-Gets the usual best-efforts delivery of the intranet or internet

Question 13

Usage of Radius Protocol

Answer 13

Remote Authentication Dial-in user Service (radius) provides
-Authentication, Authorization checking and accounting
-Uses Point-to-Point Protocol (PPP)
-Operates on port 1812
-Commonly used to facilitate roaming
-Can provide customizable login prompts

Question 14

RADIUS Authentication and Authorization Flow

Answer 14

RADIUS Client - Access Request - Radius Server
RADIUS Client < Access Accept - Radius Server
RADIUS Client < Access Reject - Radius Server
RADIUS Client < Access Challenge - Radius Server

Question 15

Uncontrolled Interconnection into the Internet

Answer 15

Easy to connect to internet, all it takes is a router and appropriate approval. However is not good idea.

Question 16

Internet Access Security solutions

Answer 16

Solutions are called FIREWALLS.

Routers we use to connect to internet use these filters to:
-Filter out undesired traffic
-Example external TELNET, FTP request
-Allow only email in and out

Question 17

Router-Based Firewalls

Answer 17

The firewall may be a screening router
-The router is set up to filter connection requests
-These are not considered to be very strong security measures

This is a low-budget approach

Question 18

Host-Based Firewalls

Answer 18

Alternatively, we may want to use a host-based firewall
-Login controls over inbound and outbound internet traffic
-May include an e-mail gateway, FTP server or Web Server

Question 19

Key firewall Data Sheet Parameters

Answer 19

The firewall may be router or host based
- Router filtering is least expensive
-Host-based is more secure

Must be configurable to support your security policy
-What connections you will permit
-Usually deny all others

Question 20

Key Firewall Data Sheet Parameters cont

Answer 20

Should be capable of filtering unauthorized connection attempts
-There are known vulnerabilities in many approaches to this
-Considerable care must be taken in configuring the firewall!

Question 21

Key Firewall Data Sheet Parameters cont2

Answer 21

Should be capable of detecting all known internet security attacks

Firewalls may also include other network security capabilities
-Intrusion detection (known attack “signature” and anomalies)
-Network address translation (NAT)
-URL and content filtering

Question 22

Evaluated Products

Answer 22

There is an internationally accepted security rating system called “common Criteria Evaluated products”
-With an “evaluated Assurance Level (EAL)” range of 1 to 7

Many government and commercial procurements are requiring an EAL rating for security-related hardware/software
-EAL 2 is the minimally accepted assurance level
-EAL 4 is the highest level obtainable for a retrofit product
-EAL’s 5 to 7 are extremely expensive to obtain (typically limited to government/military applications)
-These product include Firewalls, Intrusion detection, downgrade guards etc.

Question 23

Common Criteria Evaluation Assurance Levels

Answer 23

EAL1: Functionally Tested. …
EAL2: Structurally Tested. …
EAL3: Methodically Tested and Checked. …
EAL4: Methodically Designed, Tested, and Reviewed. …
EAL5: Semi-Formally Designed and Tested. …
EAL6: Semi-Formally Verified Design and Tested. …
EAL7: Formally Verified Design and Tested.