Computer Engineering II Computer and Network Security Rabie A. Ramadan

2 Welcome Back

Organization of the Course 3 Two lectures weekly Evaluation is based on: Midterm and Final Exams In class quizzes Assignments, Tutorials Project

Organization of the Course (Cont.) 4 Textbooks William Stallings, “Cryptography and Network Security,” Fourth Edition Behrouz A. Forouzan, “Cryptography and Network Security,” 2008 Edition Charles P. Pfleeger and Shari L. Pfleeger, “Security in Computing,” third addition

Course Contents 5 Introduction to Cryptography Authentication Functions Symmetric Key-Exchange Protocols Asymmetric Key-Distribution and Cryptography Network Layer Security Transport Layer Security Introduction to wireless network security

Exams 6 Do not worry about the exam as long as : You are attending Done with your project Done with your presentation Assignments are delivered

Why should I attend ? 7 We will have group activities in class. Some materials will be taught from outside our textbook(s). Some materials will be skipped or left for you to read

Projects 8 There will be a term project Only 4 persons per project You can select your own project after my approval Suggested Projects

TA ?????

Things need to be with you in class 10 For the group activities

Table of Contents 11 Introduction Security Goals Attacks Services and Mechanisms Security mechanisms Techniques

Introduction 12 The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable. —The Art of War, Sun Tzu

The Role of Security 13 Security is like adding brakes to cars. The purpose of brakes is not to stop you; it is to enable you to go faster. Brakes help avoid accidents caused by mechanical failures in other cars, rude drivers, and road hazards. Better security is an enabler for greater freedom and confidence in the Cyber world.

Why Security? 14 Play

What is the Internet? 15 Three layers All have vulnerabilities

16 The Transit Layer

17

The Application Layer 18 Source: Olaf Kolkman, Internet Architecture Board

Spectrum of Risk 1.Messaging 2. Storing Information 3. Transactional systems 4. Technology Integration 5. Fully Integrated information based Business Degree of Data Digitization Business has been aggregating data and risk at an unprecedented rate…

We have developed the myth that technology can be an effective fortress – we can have security 20 Traditional focus on: Better Firewalls Boundary Intrusion Detection Critical Offsite Capacity Compliance Certification False myths: IT staff = security staff Compliance failure is the main source of risk Being compliant = being safe

But this concept of security is false – the Internet is fundamentally open 21 Facts: We don’t know what’s on our own nets What’s on our nets is bad, and existing practices aren’t finding everything Threat is in the “interior” Threat is faster than the response “Boundaries” are irrelevant We don’t know what is on our partner’s nets nor on the points of intersection Compromises occur despite defenses Depending on the motivation behind any particular threat, it can be a nuisance, costly or mission threatening Global Internet The critical capability it do develop real time response and resiliency

22

Why is computer and network security important? 23 To protect company assets The assets are comprised of the "information" that is housed on a company's computers and networks. Information is a vital organizational asset. To gain a competitive advantage Security can mean the difference between wide acceptance of a service and customer response.

Why is computer and network security important? 24 To comply with regulatory requirements Ensuring the continuing operation of the organization. Many organizations are subject to governmental regulation, which often stipulates requirements for the safety and security of an organization. To keep your job Security should be part of every network or systems administrator's job. Failure to perform adequately can result in termination.

Historical Aspects of Security 25 In old days, to be secure, Information maintained physically on a secure place Few authorized persons have access to it (confidentiality) Protected from unauthorized change (integrity) Available to authorized entity when is needed (availability) Nowadays, Information are stored on computers Confidentiality are achieved  few authorized persons can access the files. Integrity is achieved  few are allowed to make change Availability is achieved  at least one person has access to the files all the time

Current aspects of security 26 Achieving Confidentiality, Integrity, availability is a challenge: Distributed information Could be captured while it is transmitted Could be altered Could be blocked

Security Trinity Basis for Computer and Network Security 27 Prevention, Detection, and Response,

What is a Computer Security? 28 Different answers It is the password that I use to enter the system or required set of rules (lock the computer before you leave) – End User It is the proper combination of firewall technologies with encryption systems and access controls – Administrator Keeping the bad guys out of my computer– Manager 28

What is a computer security? 29 A computer is secure if you can depend on it and its software to behave as you expect– Simson and Gene in “Practical Unix and Internet Security “ book Which definition is correct ? All of them. However, We need to keep all of these prospectives in mind

CIA Triad 30 Security Goals Confidentiality, Integrity, and Availability

31 CIA Triad Security