Networks and Security A Series of Lectures, Outlining: How Networks affect Security of a system Security of System Security of Network Security of Organisation Secure vs Trustworthy Attack Vulnerabilities Web references and Bibliography Eur Ing Brian C Tompsett University of Hull
Networking Principles Revision ISO 7 Layer Model Names and function of layers Layer interconnect terminology
Internet Basics Revision IP Addresses (and registrars) Domain Names (and registrars) on.to / i.am / name.is Services/Sockets http port 80
ISO 7 Layer Model Network Datalink Physical Application Presentation Session Transport Network Datalink Physical Application Presentation Session Transport Hub/Repeater Gateway Proxy/Relay NAT/ICS/ Proxy Router Switch/Bridge PTU Frame Datagram Packet Datagram Segment Message IP TCP/UDP HTTP/FTP SMTP PPP/SLIP Ethernet 10BaseT ADSL
Internet The Movie Animation covering salient points It has some factual error Can you spot them? First Mention of Firewalls Covered later
Summary Overall Networking Architecture Role of Layers & Layer Interface Internet Protocols Network Interconnections Any further revision?
2
What is it for? What is the purpose of Trustworthy Computing? Computer Security? Information Security?
Entities Environment Organisation Infrastructure Activity
Data Procedures Activities Infrastructure Organisation
Entities Environment Organisation Infrastructure Activities Procedures Data
Information Security Model Entities Protection Environment Protection Organisation Protection Infrastructure Protection Activity Protection Procedure level Protection Data Protection
Security 7 Layer Model Activity Procedures Data Entities Environment Organisation Infrastructure Activity Procedures Data Entities Environment Organisation Infrastructure Translation Relationship Contract Language Protocol Packet Document Business Contact Information Connection Exchange Gateway Exchange
Entities Objects being manipulated by the system Entities can be active or passive Data about entities is being protected Entities can be People, Organisations or Objects Entities themselves encompass other entities – Collection or Containment Security involves: Physical Changes – Commissioning Operational Procedure – What they do Structure – Interrelations
Environment The restrictions on entities Can act to limit or constrain security or freedom of action Legislation, Regulation, Ethics Technical Capability, Resource Limitation Compatibility, Standards, Procedures Physical Limitation
Organisation The Mechanism by which operations a performed The Organisation within the environment
Infrastructure That which enables activities The physical components which may or may not be entities in their own right
Activity The tasks which process the data Usually a business activity Could be a software Application
Procedure The component steps that enable an activity Can be software components or human procedures
Data The actual data about entities The goal of a security breach Protected by Cryptography Integrity
Security Models ISO ISO – ISO series SABSA Sherwood Applied Business Security Architecture Based on Zachman IS Framework Financial Security Model
SABSA Model
Financial Security Model Finance Applications for financial users, issuers of digital value, trading and market operations Value Instruments that carry monetary value Governance Protection of the system from non-technical threats Accounting Value within defined places Rights An authentication concept – moving value between identities Software Engineering Tools to move instructions over the net Cryptography Sharing truths between parties
ISO Security Policy Organisation of Information Security Asset Management Human Resources Security Physical and Environmental Security Communications and Operational Management Access Control Systems Development, Acquisition, Maintenance Security Incident Management Business Continuity Management Compliance
ISO 17799
Network Security Model Personal Protection Organisation Protection Network Protection System Protection Application Protection Code level Protection Data Protection
Person Organisation Infrastructure Systems Application
Data Procedure Application Systems Infrastructure
Person Organisation Infrastructure Systems Applications Procedures Data
Security 7 Layer Model Application Procedures Data Person Organisation Infrastructure Systems Application Procedures Data Person Organisation Infrastructure Systems Translation Relationship Contract Language Protocol Packet Document Business Contact Information Connection Exchange Gateway Exchange
Static Dynamic ActivityObject
Personal Protection Personal Security Locking Doors, Staying Safe Personal Data Protection Giving out DOB, Credit Card, Family info Securing Access to your Computer Personal Security Policy for all Protect others personal security
Organisation Protection Organisation / Institution / Company A Holistic View Corporate Image Make public only what required Hide internal structure & information Window & Door into Organisation Manages Input & Output
Doors and Windows Decide What Services are available Web servers, ftp, Which hosts on which networks Which domains used On which IP nets Hosted by whom What registration information Names, addresses phone numbers
WWW Internet FTP SMTP Gateway Inside Outside
Network Protection Protect Network as entity/resource Manage permitted traffic flow Manage authorised use Architect the Network - zoning Firewalling
Network Architecture Proper use of Subnets and domains Limit traffic to local segments Use Bridges/Switches/Routers/Proxies Prevent data and authority leaks
What to Firewall? Certain Protocols – netBios Certain Responses – ping/traceroute Certain Applications Real/IRC Certain Systems/Networks Control Port/Host combinations Port/25, HTTP Port/80, FTP Port/21 Rate Limit Denial of Service/Scanners
System Protection Protect each system from misuse Incoming & Outgoing! Control Which Services Run Virus checkers
Application Protection Specific Application Configuration Parental Controls of Web Browsers Domain/IP blockers Spam filters Control file/device exports
Code Level Protection Writing Secure Code Even on secured system Bad Code compromises security Hence software updates
Data Protection Hiding the Data Cryptography Data Transience Data Integrity
3
Forms of Attack Denial of Service Input Data Attack Spoofing Sniffing Social Engineering