of 9

Network Security Unit -1 Notes

Published on June 2016 | Categories: Types, School Work, Study Guides, Notes, & Quizzes | Downloads: 9 | Comments: 0
1064 views

Notes for VTU syllabus 7th sem Elective subject

Comments

Content

Network Security- 8th semester (Unit 1)

Unit 1
The OSI Security Architecture: To assess the security requirements of an organization the manager has to choose various products and define certain requirements and characterize the approaches to satisfy these requirements. This is difficult for a centralized data processing environment and the difficulty is compounded if there are LANs and WANs. The ITU-T Recommendation X.800, Security Architecture for OSI defines such a systematic approach to fulfill security requirements. It is an international standard. Computer and communications vendors have designed their products to relate to these security standards. OSI Architecture focuses on (i) (ii) (iii) (i) Security Services Security Mechanism Security Attack. Security Services: (a) Data Confidentiality (b) Authentication (c) Data Integrity (d) Non-repudiation (e) Access Control (a) Data Confidentiality Protection of data from unauthorized disclosure. 1) Connection confidentiality: Protection of all user data on a connection.

2) Connectionless Confidentiality: Protection of all user data on a single data block. 3) Selective field confidentiality: Confidentiality of a selected field in user data on a connection or on a single data block. 4) Traffic flow confidentiality: Protection of information that might be derived by observing the flow of traffic. (b) Authentication: Assurance that communicating entity is the one that it claims to be.

Bindu M.N. Department of E & C, K.V.G.C.E., Sullia.

1

Network Security- 8th semester (Unit 1)

1) Peer entity authentication: Used in association with the logical connection to provide confidence in the identity of the entities connected. 2) Data origin authentication: In connectionless transfer provides assurance that the data is from the source it claims to be. (c) Data Integrity: Assures that data is received as it is sent by authorized entity. 1) Connection integrity with recovery: Provides for integrity of all user data on a connection and detects any modification, insertion, deletion and replay and attempts recovery if detected. 2) Connection integrity without recovery: Provides for integrity of all user data on a connection and only detects modification, replay, insertion and deletion with no attempt to recovery. 3) Selective field connection integrity: Provides for integrity of selected fields in the user data in a block in a connection and takes the form of determination of modification, insertion, deletion and replay in that field. 4) Connectionless integrity: provides for integrity of user data in a single connectionless block and takes the form of determination of modification and retain degree of detection of replay. 5) Selective field connectionless integrity: provides for integrity in selected fields in connectionless data block and takes the form of determination of modification in that field. (d) Non-repudiation: Provides against denial of one of the entities involved in communication having participated in part or in all of the communication. 1) Non-repudiation , Origin: Proof that message was sent by specified party. 2) Non-repudiation , Destination: Proof that message was received by specified party. (e) Access Control: Prevention of unauthorized use of resources. (Controls who can have access to the resources, under what conditions access can be given, and what those accessing the resources are allowed to do). ii) Security Mechanisms: There is no single mechanism which can provide all the services mentioned above but there is one technique which

Bindu M.N. Department of E & C, K.V.G.C.E., Sullia.

2

Network Security- 8th semester (Unit 1) underlies all mechanisms and that is cryptographic technique. Encryption or encryption-like transformations of information are the most common means of providing security. iii) Security Attacks: The classification of attacks can be characterized by viewing the function of a computer system as providing of information. There is flow of information from a source such as a file or a region of main memory to a destination such as another file or a user. The normal flow is as depicted below.

Information source

Information destination

Four types of attacks are depicted below i) ii) iii) iv) i) Interruption Interception Modification Fabrication. Interruption:

The computer system assets are made unusable or unavailable or destroyed. This is an attack on availability. Examples are, destroying pieces of hardware like the hard disk, cutting the communicating line or destroying the file management system. ii) Interception:

An unauthorized party gains access to the computer system assets. This is an attack on confidentiality. The authorized party could be a person, program or

Bindu M.N. Department of E & C, K.V.G.C.E., Sullia.

3

Network Security- 8th semester (Unit 1) computer. An example is wiretapping to capture the data in a network and illicit copying of files or programs.

iii) Modification:

Unauthorized party not only gains access to the assets but also tampers with it. This is an attack on integrity. For example, changing values in a data file, altering a program so that it performs differently, modifying the contents of messages being transmitted in a network. iv) Fabrication:

An unauthorized party inserts counterfeit objects into the system. This is an attack on authenticity. For example, this involves insertion of spurious messages into the network or addition of records in a file.

Passive threats Passive attacks and Active attacks: Interception

Bindu M.N. Department of E & C, K.V.G.C.E., Sullia. Release of message Content Traffic analysis

4

Network Security- 8th semester (Unit 1)

Active threats

Interruption (Attack on availability)

Fabrication Modification (Attack on authenticity) (Attack on integrity) Passive attacks use interception. Interception has two goals. One is the release of message content. An email or a telephone conversation or a transmission of a file may contain sensitive information. We should prevent the opponent from learning the contents of the transmissions. Traffic analysis is more subtle and it is very difficult to detect. The messages can be masked by using encryption, so that even if the opponent could access the messages it would not be useful. Still, he can guess the nature of the message by getting to know the location and identity of the hosts communication and the length and frequency of the messages being transmitted. Emphasis is given to prevention rather than detection. Active attacks are of four types. 1. Masquerade 2. Replay 3. Modification of the message 4. Denial of service. 1. Masquerade: One entity pretends to be another different entity. One entity with few privileges captures the authentication sequences of another entity and replays it thus enabling the entity with few privileges to gain more privilege by impersonating the entity who has those privileges. 2. Replay: Replay is the passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect.

Bindu M.N. Department of E & C, K.V.G.C.E., Sullia.

5

Network Security- 8th semester (Unit 1) 3. Modification of the message: Some portion of the legitimate message is altered or it is delayed or recorded. For example, a message such as, “Allow John Smith to read confidential file accounts” can be modified to read “Allow Jacob Brown to read confidential file accounts”. 4. Denial of Service: Prevents or inhibits the normal use or management of a communication facility. It may have a particular target. For example, the security service audit. Another form of service denial is disrupting an entire network with messages so as to degrade performance. A model for Network Security:

Principal

Trusted third party (Arbiter, distributor of secret information)

Principal

Message L og ic al in fo r m ati on ch an ne l

Message

Secret information

Secret information

Opponent

Computing resources (processor, memory, I/O) Data Opponent -human (ex. Cracker) -software Gate Keeper function (ex. Virus, worm) DepartmentChannel C, K.V.G.C.E., Sullia. Bindu M.N. Access of E & Processes Software Internal Security Controls

6

Network Security- 8th semester (Unit 1)

The message is transferred from one party to another. The two parties involved are called the principals. The communication link over which the message is transferred is called the logical information channel. There should be an agreement between the two parties for the communication to take place. The agreement is done in the form of a common protocol such as the TCP/IP. The communication link is also called the internet. The logical information channel is established by finding a route through the internet from the source to the destination. The security aspect comes into consideration when we want to protect the information being transmitted over the channel from the opponent. The two aspects are: 1. Encryption: This is a method used to protect the information from being understood by the opponent. It involves scrambling of the message before transmitting and descrambling on reception. Also a code is introduced which identifies the sender. 2. Encryption Key: This is a common information shared by the sender and receiver or the two principals and hopefully not known to the opponent. The key is used in conjunction with transmission to scramble the message and to unscramble it at the receiving end. A trusted third party is also involved in distributing the shared secret information called the key and also to solve disputes between the two principals regarding authenticity.

The general model for security service performs the following major tasks: 1. Generates an algorithm to perform security related transformation. The algorithm should be so designed such that the opponent cannot defeat its purpose. 2. Generating shared secret information by the two principals used with the algorithm. 3. Methods to distribute and share the secret information.

Bindu M.N. Department of E & C, K.V.G.C.E., Sullia.

7

Network Security- 8th semester (Unit 1) 4. Specify a protocol to be used by the two principals who make use of the algorithm and the shared secret information to achieve a particular security service. Another model, as shown in figure 2 above, provides security to a computer system which can be accessed over a network. The security is provided against hackers, who have no malignant intention except the satisfaction of breaking into a computer system, against a disgruntled employee who has intentions of breaking into the system to do harm, or a criminal who exploits the computer assets for financial gain. For example, illegal transfer of money or obtaining credit card numbers. Another type of unwanted access is the placement of a logic in a computer system which can affect the computer application or the editor and compiler. Two kinds of threats are presented by the programs. 1. Information access threats intercept and modify data on behalf of a user who should not have access to that data 2. Service threats exploit services flaws and inhibits the use of the computer by legitimate users. Virus and worms are examples of unwanted logic which can be introduced into a computer system through a diskette or over the network. Because it can be introduced over the network the security mechanism can be broadly classified into two categories. One is the gate keeper function which provides access to user based on a password. Once the unwanted logic gains entry into the system the internal security control monitors the activity and analyses the stored information in an attempt to detect the presence of unwanted intruders. The virus is a concealed unwanted logic in otherwise useful software.

Unit 1 questions 1. List and describe the Services, Attacks and Mechanisms of the OSI Security Architecture.

Bindu M.N. Department of E & C, K.V.G.C.E., Sullia.

8

Network Security- 8th semester (Unit 1) 2. How are Attacks classified? OR List and describe active attacks and passive attacks. 3. With a diagram explain the model for Network Security.

Bindu M.N. Department of E & C, K.V.G.C.E., Sullia.

9

Sponsor Documents

Or use your account on DocShare.tips

Hide

Forgot your password?

Or register your new account on DocShare.tips

Hide

Lost your password? Please enter your email address. You will receive a link to create a new password.

Back to log-in

Close