Pertemuan 02 Aspek dasar keamanan Jaringan dan ketentuan baku OSI Matakuliah : H0242 / Keamanan Jaringan Tahun : 2006 Versi : 1 Pertemuan 02 Aspek dasar keamanan Jaringan dan ketentuan baku OSI

Pada akhir pertemuan ini, diharapkan mahasiswa akan mampu : Learning Outcomes Pada akhir pertemuan ini, diharapkan mahasiswa akan mampu : Mahasiswa dapat menggunakan Aspek dasar keamanan jaringan dan ketentuan baku OSI untuk keamanan jaringan

Outline Materi Latar Belakang Network Security Trend Definisi Arsitektur OSI untuk Network Security

Why Is Security Important Computers and networks are the nerves of the basic services and critical infrastructures in our society Financial services and commerce Transportation Power grids Etc. Computers and networks are targets of attacks by our adversaries

Why Is Security Hard The complexity of computers and networks User expectation User ignorance Social engineering Defense is inherently more expensive Offense only needs the weakest link

Vulnerability Trends Flaws can be found without source code common: system call trace new: subroutine call trace protocols can be examined for vulnerabilities program instabilities (buffer overflow, etc.) Good news — the public & vendors becoming more security conscious Patches now being released via Internet Still untested — product liability

What is Security Security is concerned with preventing undesired behavior An enemy/opponent/hacker/adversary may be actively and maliciously trying to circumvent any protective measures you put in place

Goal Security is always a trade-off The goal should never be “to make the system as secure as possible”… …but instead, “to make the system as secure as possible within certain constraints” (cost, usability, convenience)

Concerns Detection and response How do you know when you are being attacked? How quickly can you stop the attack? Can you prevent the attack from recurring? Recovery Can be much more important than prevention Legal issues?

Definitions Computer Security generic name for the collection of tools designed to protect data and to thwart hackers Network Security (Includes Internet Security) measures to protect data during their transmission measures to protect data during their transmission over a collection of interconnected networks consists of measures to deter, prevent, detect, and correct security violations that involve the transmission of information

OSI Security Architecture ITU-T X.800 Security Architecture for OSI Defines a systematic way of defining and providing security requirements International Standard 5 Categories 14 Services

Service Categories Authentication Peer-entity, Data-origin Assurance that the communicating entity is the one claimed Access Control Prevention of the unauthorized use of a resource Data Confidentiality Connection, connectionless, selective-field, traffic-flow) Protection of data from unauthorized disclosure

Service Categories Data Integrity Connection recovery, no-recovery, selective-field Connectionless no-recovery,selective-field assurance that data received is as sent by an authorized entity Non Repudiation origin, destination protection against denial by one of the parties in a communication See Table 1.4 for details of the 5 Security Service categories and the 14 specific services.

Security Service Something that enhances the security of the data processing systems and the information transfers of an organization Intended to counter security attacks Make use of one or more security mechanisms to provide the service Replicate functions normally associated with physical documents eg. have signatures, dates; need protection from disclosure, tampering, or destruction; be notarized or witnessed; be recorded or licensed

Security Mechanism A mechanism that is designed to detect, prevent, or recover from a security attack No single mechanism that will support all functions required One particular element underlies many of the security mechanisms in use: cryptographic techniques

Security Attack Any action that compromises the security of information owned by an organization Information security is about how to prevent attacks, or failing that, to detect attacks on information-based systems Have a wide range of attacks Can focus of generic types of attacks note: often threat & attack mean same cf. Table 1.2 for examples of security attacks, and Table 1.3 for definitions of threat and attack

Network Security Model In considering the place of encryption, its useful to use the following two models. The first models information flowing over an insecure communications channel, in the presence of possible opponents. Hence an appropriate security transform (encryption algorithm) can be used, with suitable keys, possibly negotiated using the presence of a trusted third party.

Network Access Security The second model is concerned with controlled access to information or resources on a computer system, in the presence of possible opponents. Here appropriate controls are needed on the access and within the system, to provide suitable security. Some cryptographic techniques are useful here also.

Security Policies A security policy is a statement that partitions the state of the system into a set of authorized (or secure) states, and a set of unauthorized (or nonsecure) states A secure system is a system that starts in an authorized state and cannot enter an unauthorized state A breach of security occurs when a system enters an unauthorized state