Friday, May 14, 2010

“NETWORK SECURITY”

ABSTRACT

Today's world is a networked one, in which almost everyone reaches out to the outside world, mainly for the purpose of communication. This is possible only because of the Internet, access to which is an immense source of information. Beyond being a source of information, we also need a secure communication channel through which that information passes. Loss of irreplaceable data is a very real threat, especially for business owners, who need to communicate with vendors, employees and customers who are far from each other. For them the Internet is the easiest and fastest means of exchanging information, so to keep that information safe and secure, a need was felt to provide security for the Internet.

Network security is a complicated subject, historically only tackled by well-trained and experienced experts. A network, being a vast, interconnected and complicated structure, requires a lot of understanding of each component that is part of it, so network security tests our stamina in keeping the network as safe and secure as possible. As more and more people become ``wired'', an increasing number of people need to understand the basics of security in a networked world. Network security ensures the reliability and flexibility of a network's operation so that communication through it runs smoothly. Any organization, before taking Internet access, first thinks of a firewall.

Some history of networking is included, as well as an introduction to TCP/IP and internetworking. Some points also concern the types of threats one should be aware of, and how to provide protection against them.

INDEX

  1. INTRODUCTION
  2. SECURED COMMUNICATION
  3. NEED OF SECURITY
     • THREATS TO SECURITY
  4. MECHANISMS OF SECURITY
  5. CRYPTOGRAPHY
     • SECRET - KEY ENCRYPTION
     • PUBLIC - KEY ENCRYPTION
  6. FIREWALL AND INTERNET ACCESS
     • FIREWALL ARCHITECTURE
     • PACKET - LEVEL FILTERS
     • SECURITY AND PACKET FILTER MECHANISM
     • ACCESSING SERVICES THROUGH A FIREWALL
  7. NETWORK SECURITY TOOLS
  8. CONCLUSION
  9. REFERENCES


INTRODUCTION

Network

A ``network'' has been defined as

``Any set of interlinking lines resembling a net, a network of roads || an interconnected system, a network of alliances.''

This definition suits our purpose well: a computer network is simply a system of interconnected computers.

Security

Security, as the name itself says, is very important for any individual, for a machine, and also in a network: just as locks help keep tangible property secure, computers and data networks need provisions that help keep information secure. Security in an Internet environment is both important and difficult. It is important because information has significant value: information can be bought and sold directly, or used indirectly to create new products and services that yield high profits. Security in an internet is difficult because it involves understanding when and how participating users, computers, services and networks can trust one another, as well as understanding the technical details of network hardware and protocols.

As the Internet becomes more complex day by day, security administrators face the risk of attack by external intruders who may:

  • Read Access - read or copy confidential information.
  • Write Access - write to the network, or perhaps infect systems with viruses and Trojan horses.
  • Denial of Service - deny authorized users normal network services.

A single compromised computer can compromise the security of the entire network. To guard against such threats to the security of a distributed system, security policies must be adopted and security mechanisms must be employed to implement them.

Threats

There are four classes of security threats to computer systems:

  1. Leakage
  2. Tampering
  3. Resource stealing
  4. Vandalism

Thus, to guard against threats to the security of a distributed system, security policies as well as security mechanisms must be employed, thereby providing a secure communication link for data transmission between the interconnected host computer systems of a network.

SECURED COMMUNICATION

Suppose two persons, A and B, are communicating. Both of them want to be sure that the contents delivered are not altered by an intruder and are transferred between the two of them only. The considerations below reflect these desirable properties of secure communication.

  • SECRECY

Only the sender and the intended receiver should be able to understand the contents of the transmitted message. Because eavesdroppers may intercept the message, it must somehow be "encrypted" so that an intercepted message cannot be "decrypted" by the interceptor. A might also want the mere fact that she is communicating with B to be a secret.

  • AUTHENTICATION

Here both the sender and the receiver need to confirm the identity of the other party involved in the communication: to confirm that the other party is indeed who or what they claim to be.

For example, if A receives mail from B, then in order to know that it was sent by B and nobody else, A needs some form of authentication; likewise, in a network there are authentication protocols for this purpose.

  • MESSAGE INTEGRITY

Here the sender and receiver want to ensure that, apart from authentication, the content of their communication is not altered in transmission, either maliciously or by accident.

NEED FOR NETWORK SECURITY

Most security problems are intentionally caused by malicious people trying to gain some benefit or to harm someone, which forces security administrators to do more than keep the network free from programming errors. It involves out-mastering often intelligent, dedicated and sometimes well-funded adversaries, and hence the need for security rises. Network security calls for protection against malicious attack by hackers and intruders, but security is also associated with control and authorization mechanisms and with preventing the effects of errors and equipment failures.

All communication over the Internet uses the Transmission Control Protocol/Internet Protocol (TCP/IP). TCP/IP allows information to be sent from one computer to another through a variety of intermediate computers and separate networks before it reaches its destination.

The great flexibility of TCP/IP has led to its worldwide acceptance as the basic Internet and intranet communications protocol. At the same time, the fact that TCP/IP allows information to pass through intermediate computers makes it possible for a third party to interfere with communications in the following ways:

  • Eavesdropping. Information remains intact, but its privacy is compromised. For example, someone could learn your credit card number, record a sensitive conversation, or intercept classified information.
  • Tampering. Information in transit is changed or replaced and then sent on to the recipient. For example, someone could alter an order for goods or change a person's resume.
  • Impersonation. Information passes to a person who poses as the intended recipient. Impersonation can take two forms.

MECHANISMS FOR NETWORK SECURITY

Internet security problems can be divided into three broad sets.

Authentication mechanisms solve the problem of verifying identity. In centralized multi-user systems, a user's identity can be authenticated by a password check at the start of each interactive session. In distributed systems, authentication is the means by which the identities of servers and clients are reliably established; the mechanism used to achieve this is based on possession of encryption keys.

Encryption can also handle the problem of privacy. If sender and receiver both use a public-key encryption scheme, the sender can guarantee that only the intended receiver can read a message. To do so, the sender uses the receiver's public key to encode the message and the receiver uses its private key to decode it. Because only the intended receiver has the necessary private key, no other party can decode the message.

Mechanisms that control Internet access handle the problem of screening a particular network or organization from unwanted communication. Such mechanisms help prevent outsiders from obtaining information, changing information, or disrupting communication on an organization's internal internet.

CRYPTOGRAPHY

INTRODUCTION

Cryptography is "the art of devising ciphers", that is, converting plaintext into a coded format and then decoding it. The message to be encrypted is known as plaintext and is transformed by a function parameterized by a key. The output of the encryption process is known as ciphertext and is often transmitted by a messenger. At the receiver it is decrypted with the help of the decryption key and the original message is retrieved.

To encrypt information, we transform it in such a way that it cannot be understood by anyone except the intended recipient, who possesses the means to reverse the transformation. Computer encryption techniques fall into two main classes, secret-key encryption and public-key encryption, each of which gives a useful implementation of security and can be used without much impact on the method of encryption.

  • SECRET KEY ENCRYPTION

This method is used for the transformation of secret information. An agreed encryption function applied to the plaintext with a secret key encrypts the message. Decryption is achieved by applying the inverse function to the ciphertext using the same key, producing the original plaintext. Since the keys are kept secret, the encryption and decryption functions need not be secret. Before communication can take place, both the sender and the receiver must acquire the secret key.

  • PUBLIC KEY ENCRYPTION

In this method each potential recipient of messages makes a pair of keys, Ke and Kd, and keeps the decryption key Kd secret. The encryption key Ke can be made known publicly for use by anyone who wants to communicate. The method is based on the use of a one-way function to define the relation between the two keys, so that it is very hard to determine Kd from knowledge of Ke. It thus avoids the need for transmission of secret keys between principals.
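Both classes side by side, as an added example that is not part of the original paper: secret-key encryption where sender and receiver share one key (with an integrity tag, so altered ciphertext is rejected), and public-key encryption with a key pair Ke/Kd. It uses only the Python standard library, so an HMAC-SHA256 counter-mode keystream stands in for a real block cipher and a textbook RSA with two small constructed primes stands in for a real public-key scheme; every key, message and prime below is constructed for the demonstration.

```python
"""Added example (not the paper's code): secret-key and public-key encryption
with only the Python standard library. Assumptions: an HMAC-SHA256 counter-mode
keystream stands in for a block cipher, and small textbook RSA stands in for a
real public-key scheme. All keys, primes and messages are constructed."""
import hashlib
import hmac
import secrets

# ---------- Secret-key (symmetric) encryption ----------
# Sender and receiver share ONE key. Two sub-keys are derived from it so the
# same secret is never used both for the keystream and for the integrity tag.
NONCE_LEN = 16
TAG_LEN = 32


def _subkey(key: bytes, label: bytes) -> bytes:
    return hashlib.sha256(label + b"|" + key).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: PRF(enc_key, nonce || counter), block by block."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def secret_key_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)          # fresh for every message
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def secret_key_decrypt(key: bytes, message: bytes) -> bytes:
    """Verify the tag first (message integrity), then undo the keystream."""
    if len(message) < NONCE_LEN + TAG_LEN:
        raise ValueError("message too short")
    nonce = message[:NONCE_LEN]
    ciphertext = message[NONCE_LEN:-TAG_LEN]
    tag = message[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: altered message or wrong key")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


# ---------- Public-key encryption (textbook RSA, illustration only) ----------
# The recipient publishes Ke = (e, n) and keeps Kd = (d, n).  Recovering d from
# (e, n) requires factoring n: that is the one-way relation the text refers to.
def make_key_pair(p: int, q: int, e: int = 65537):
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)            # modular inverse of e (Python 3.8+)
    return (e, n), (d, n)          # (Ke public, Kd private)


def public_key_encrypt(Ke, m: int) -> int:
    e, n = Ke
    if not 0 <= m < n:
        raise ValueError("message must be an integer smaller than n")
    return pow(m, e, n)


def public_key_decrypt(Kd, c: int) -> int:
    d, n = Kd
    return pow(c, d, n)


def demo() -> dict:
    """Round trips for both schemes plus a tamper check (constructed values)."""
    shared_key = b"constructed-shared-secret-for-demo"
    msg = b"meet at the usual place"
    sealed = secret_key_encrypt(shared_key, msg)
    recovered = secret_key_decrypt(shared_key, sealed)

    # Flip one ciphertext bit: the tag no longer matches and decryption refuses.
    tampered = bytearray(sealed)
    tampered[NONCE_LEN] ^= 0x01
    try:
        secret_key_decrypt(shared_key, bytes(tampered))
        tamper_detected = False
    except ValueError:
        tamper_detected = True

    Ke, Kd = make_key_pair(104729, 1299709)       # two constructed small primes
    c = public_key_encrypt(Ke, 4242)
    return {"symmetric_ok": recovered == msg,
            "tamper_detected": tamper_detected,
            "rsa_ok": public_key_decrypt(Kd, c) == 4242,
            "private_differs": Kd[0] != Ke[0]}


if __name__ == "__main__":
    print(demo())
```

Two points are worth noticing. Decryption verifies the tag before touching the ciphertext, which is the message-integrity property from the SECURED COMMUNICATION section: a flipped bit is rejected rather than silently producing garbage. The RSA part shows the one-way relation between Ke and Kd, but textbook RSA as written (no padding, deterministic, tiny modulus) is only an illustration; a real system uses a vetted library with padded RSA or an elliptic-curve scheme.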

FIREWALLS AND INTERNET ACCESS

A firewall is defined as "a system or group of systems that enforces an access control policy between two networks." In the context of home networks, a firewall typically takes one of two forms:

A single technique has emerged as the basis for Internet access control. The technique places a block known as an Internet firewall at the entrance to the part of the internet to be protected. For example, an organization can place a firewall at its connection to the global Internet to protect it from unwanted access. A firewall partitions the internet into two regions, informally referred to as the inside and the outside.

FIREWALL ARCHITECTURE

There are many ways to structure your network to protect your systems using a firewall. If you have a dedicated connection to the Internet through a router, you could plug the router directly into your firewall system. Or you could go through a hub, to provide for full-access servers outside your firewall.

You may be using a dial-up service such as an ISDN line. In this case you might use a third network card to provide a filtered DMZ. This gives you full control over your Internet services while still separating them from your regular network.

There may be a router or cable modem between you and the Internet. If you own the router, you could set up some hard filter rules in it. If the router is owned by your ISP, you may not have the needed controls, but you can ask your ISP to put in filters.

If you need to monitor where users of your network are going, and your network is small, you can integrate a proxy server into your firewall. ISPs sometimes do this to create interest lists of their users to resell to marketing agencies.

You can put the proxy server on your LAN as well. In this case the firewall should have rules that only allow the proxy server to connect to the Internet for the services it provides. This way the users can reach the Internet only through the proxy.

If you are going to run a service like Yahoo or Slashdot, you may want to build your system using redundant routers and firewalls (check out the High Availability HOWTO). By using round-robin DNS to provide access to multiple web servers from one URL, together with multiple ISPs, routers and firewalls using high-availability techniques, you can create a 100% uptime service.

It is easy to let your network get out of hand. Keep control of every connection: it only takes one user with a modem to compromise your LAN.

PACKET LEVEL FILTERS

Many commercial routers offer a mechanism that augments normal routing and permits a manager to further control packet processing. The packet filter mechanism requires the manager to specify how the router should dispose of each datagram. When a datagram first arrives, the router passes it through its packet filter before performing any other processing; if the filter rejects the datagram, the router drops it immediately. Each router vendor is free to choose the capabilities of its packet filter as well as the interface a manager uses to configure it.

SECURITY AND PACKET FILTER MECHANISM

A packet filtering firewall consists of a list of acceptance and denial rules. These rules explicitly define which packets will and will not be allowed through the network interface. The rules are based on the network layer's specific source and destination addresses.

ACCESSING SERVICES THROUGH A FIREWALL

An organization can only provide safe access to outside services through a secure computer. Instead of trying to make all of the organization's computer systems secure, an organization usually associates one secure computer with each firewall. It is often called a bastion host.

Bastion host:

A general-purpose computer used to control access between the internal (private) network (intranet) and the Internet (or any other untrusted network). Typically these are hosts running a flavor of the Unix operating system that has been customized to reduce its functionality to only what is necessary to support its role. Many of the general-purpose features have been turned off and in many cases completely removed, in order to improve the security of the machine.

To permit safe access, a firewall has two conceptual barriers, as the figure shows:

  1. The outer barrier blocks all incoming traffic except datagrams destined for the services the organization chooses to make available externally.
  2. The inner barrier blocks all incoming traffic except datagrams that originate on the bastion host.

To understand how the bastion host operates, consider the FTP service. Suppose a user in the organization needs to access an external FTP server to obtain a copy of a file. Because the firewall prevents the user's computer from receiving incoming datagrams, the user cannot run FTP client software directly. Instead, the user must run the FTP client on the bastion host. After the file has been copied to the bastion host, the user can run a file transfer between the bastion host and their local computer.
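The packet-level filter and the two-barrier bastion-host arrangement described above, as an added example (not from the paper or any router vendor): a first-match accept/deny filter driven by source and destination addresses, protocol and port, with one rule list per barrier. The addresses (bastion host 192.0.2.10, internal network 10.0.0.0/8, outside host 203.0.113.5) and the exposed services are constructed for the demonstration.

```python
"""Added example (not the paper's or any vendor's code): a first-match packet
filter of the kind the text describes, configured as the two conceptual barriers
of a bastion-host firewall.  All addresses are constructed from documentation
(TEST-NET) and RFC 1918 ranges."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Datagram:
    src: str
    dst: str
    proto: str                      # "tcp", "udp", "icmp"
    dport: Optional[int] = None     # destination port, None for portless protocols


@dataclass(frozen=True)
class Rule:
    action: str                     # "accept" or "deny"
    src: str = "0.0.0.0/0"          # source network (CIDR), default: any
    dst: str = "0.0.0.0/0"          # destination network (CIDR), default: any
    proto: str = "any"
    dport: Optional[int] = None     # None matches any destination port


def matches(rule: Rule, dg: Datagram) -> bool:
    return (ipaddress.ip_address(dg.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(dg.dst) in ipaddress.ip_network(rule.dst)
            and rule.proto in ("any", dg.proto)
            and rule.dport in (None, dg.dport))


def filter_datagram(rules: List[Rule], dg: Datagram, default: str = "deny") -> str:
    """First matching rule wins; anything unmatched gets the default (deny)."""
    for rule in rules:
        if matches(rule, dg):
            return rule.action
    return default


# Constructed topology:
#   outside -> outer barrier -> bastion host (192.0.2.10) -> inner barrier -> 10.0.0.0/8
BASTION = "192.0.2.10/32"
INTERNAL = "10.0.0.0/8"

# Outer barrier: only the services the organization chooses to expose on the
# bastion host are reachable from outside; everything else is dropped.
OUTER_BARRIER = [
    Rule("accept", dst=BASTION, proto="tcp", dport=21),   # FTP
    Rule("accept", dst=BASTION, proto="tcp", dport=25),   # mail
    Rule("deny"),                                         # explicit catch-all
]

# Inner barrier: internal hosts accept incoming datagrams only if they
# originate on the bastion host.
INNER_BARRIER = [
    Rule("accept", src=BASTION, dst=INTERNAL),
    Rule("deny"),
]


def firewall_decision(arrival: str, dg: Datagram) -> str:
    """Apply the barrier guarding the interface the datagram arrived on."""
    if arrival == "outside":
        return filter_datagram(OUTER_BARRIER, dg)
    if arrival == "bastion":
        return filter_datagram(INNER_BARRIER, dg)
    raise ValueError(f"unknown arrival interface: {arrival}")


def run_samples() -> dict:
    """Constructed datagrams covering the cases the text describes."""
    samples = {
        # external FTP server talking to the client the user runs on the bastion host
        "outside_to_bastion_ftp": ("outside", Datagram("203.0.113.5", "192.0.2.10", "tcp", 21)),
        # a service the organization did not choose to expose
        "outside_to_bastion_telnet": ("outside", Datagram("203.0.113.5", "192.0.2.10", "tcp", 23)),
        # the same external server trying to reach an internal workstation directly
        "outside_to_internal_host": ("outside", Datagram("203.0.113.5", "10.1.2.3", "tcp", 21)),
        # the user's second hop: bastion host to their own workstation
        "bastion_to_internal_host": ("bastion", Datagram("192.0.2.10", "10.1.2.3", "tcp", 21)),
    }
    return {name: firewall_decision(iface, dg) for name, (iface, dg) in samples.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:28s} {verdict}")
```

The final `Rule("deny")` in each list is the explicit default, and `filter_datagram` also denies anything unmatched, so a forgotten catch-all cannot turn into an open firewall. The samples show the FTP case from the text: the external server's datagram to the internal workstation is dropped at the outer barrier, while the same datagram addressed to the bastion host passes, which is why the user runs the FTP client there and copies the file inward in a second step.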

NETWORK SECURITY TOOLS

Various tools for network security exist which work well and provide a reliable communication channel through which information can be safely transmitted from sender to receiver. These tools are as follows:

  • SATAN

SATAN, the System Administrator Tool for Analyzing Networks, is a network security analyzer designed by Dan Farmer and Wietse Venema. SATAN scans systems connected to the network, noting the existence of well-known, often exploited vulnerabilities. For each type of problem found, SATAN offers a tutorial that explains the problem and what can be done about it.

  • ipacl

The ipacl package from Siemens forces all TCP and UDP packets to pass through an access control list facility. The configuration file allows packets to be accepted, rejected, conditionally accepted, and conditionally rejected based on characteristics such as source address, destination address, source port number, and destination port number. It should be portable to any system that uses System V STREAMS for its network code.

  • TCP Wrappers

The tcp_wrapper package by Wietse Venema, formerly called log_tcp, allows monitoring and control over who connects to a host's TFTP, EXEC, FTP, RSH, TELNET, RLOGIN, FINGER, and SYSTAT ports. It also includes a library so that other programs can be controlled and monitored in the same fashion.
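How the allow/deny control described above works in practice, as an added example (not the tcp_wrapper package's own code): a simplified model of its hosts.allow / hosts.deny evaluation, written in Python. The rule files, daemon names, host names and addresses are constructed for the demonstration, and only IPv4 addresses and a subset of the client patterns (ALL, host name, .domain suffix, address prefix, net/mask) are handled.

```python
"""Added example (not the tcp_wrapper package's code): a simplified model of
how TCP Wrappers decides whether a client may connect to a wrapped service,
from hosts.allow / hosts.deny rules in the "daemon_list : client_list" form.
Rule file contents, daemon names, host names and addresses are constructed.
IPv4 only; the ':' separator would clash with IPv6 literals."""
import ipaddress
from typing import List, Tuple

Rule = Tuple[List[str], List[str]]      # (daemon patterns, client patterns)

# Constructed /etc/hosts.allow: who is explicitly granted access.
HOSTS_ALLOW = """
# the local office network may use every wrapped service
ALL : 192.0.2.0/255.255.255.0
# one administrative host may log in over ssh
sshd : admin.example.org
# partner hosts may use FTP only
in.ftpd : .partner.example.net
"""

# Constructed /etc/hosts.deny: everyone not matched above is refused.
HOSTS_DENY = """
ALL : ALL
"""


def parse_rules(text: str) -> List[Rule]:
    """Parse 'daemon_list : client_list [: shell_command]' lines.  Comments and
    the optional command field are ignored; lists may be space or comma separated."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {raw!r}")
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        rules.append((daemons, clients))
    return rules


def client_matches(pattern: str, host: str, addr: str) -> bool:
    """Subset of the client patterns tcp_wrappers understands."""
    if pattern == "ALL":
        return True
    if "/" in pattern:                      # net/mask, e.g. 192.0.2.0/255.255.255.0
        network = ipaddress.ip_network(pattern, strict=False)
        return ipaddress.ip_address(addr) in network
    if pattern.startswith("."):             # domain suffix, e.g. .partner.example.net
        return host.endswith(pattern)
    if pattern.endswith("."):               # address prefix, e.g. 192.0.2.
        return addr.startswith(pattern)
    return pattern in (host, addr)          # exact host name or address


def rule_matches(rule: Rule, daemon: str, host: str, addr: str) -> bool:
    daemons, clients = rule
    daemon_ok = "ALL" in daemons or daemon in daemons
    return daemon_ok and any(client_matches(p, host, addr) for p in clients)


def access_allowed(daemon: str, host: str, addr: str,
                   allow: List[Rule], deny: List[Rule]) -> bool:
    """tcp_wrappers evaluation order: a hosts.allow match grants access, otherwise
    a hosts.deny match refuses it, otherwise access is granted."""
    if any(rule_matches(r, daemon, host, addr) for r in allow):
        return True
    if any(rule_matches(r, daemon, host, addr) for r in deny):
        return False
    return True


ALLOW_RULES = parse_rules(HOSTS_ALLOW)
DENY_RULES = parse_rules(HOSTS_DENY)


def run_samples() -> dict:
    """Constructed connection attempts: (daemon, client host name, client address)."""
    attempts = {
        "office_telnet": ("in.telnetd", "ws1.office.example", "192.0.2.44"),
        "admin_ssh": ("sshd", "admin.example.org", "198.51.100.7"),
        "admin_ftp": ("in.ftpd", "admin.example.org", "198.51.100.7"),
        "partner_ftp": ("in.ftpd", "ftp.partner.example.net", "203.0.113.9"),
        "stranger_ssh": ("sshd", "unknown.example", "203.0.113.200"),
    }
    return {name: access_allowed(d, h, a, ALLOW_RULES, DENY_RULES)
            for name, (d, h, a) in attempts.items()}


if __name__ == "__main__":
    for name, ok in run_samples().items():
        print(f"{name:14s} {'allowed' if ok else 'refused'}")
```

The order matters: hosts.allow is consulted first and wins, then hosts.deny, and a request matching neither is allowed. The `ALL : ALL` line in hosts.deny is therefore what makes the configuration default-deny; with an empty hosts.deny the unknown host in the samples would be admitted. The real package obtains the client's host name from a reverse DNS lookup of its address, so rules keyed on host names are only as trustworthy as that lookup, and address-based patterns are the safer choice.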

Some more tools are as follows:

  1. Logdaemon
  2. Portmap
  3. Rpcbind
  4. Sara
  5. Scanssh
  6. Securelib

CONCLUSION
Security is a very difficult topic. Everyone has a different idea of what ``security'' is and what levels of risk are acceptable. The key to building a secure network is to define what security means to your organization. Once that has been defined, everything that goes on in the network can be evaluated with respect to that policy. Projects and systems can then be broken down into their components, and it becomes much simpler to decide whether what is proposed will conflict with your security policies and practices.

Many people pay great amounts of lip service to security, but do not want to be bothered with it when it gets in their way. It's important to build systems and networks in such a way that the user is not constantly reminded of the security system around him. Users who find security policies and systems too restrictive will find ways around them. It's important to get their feedback to understand what can be improved, and it's important to let them know why what's been done has been, the sorts of risks that are deemed unacceptable, and what has been done to minimize the organization's exposure to them.

Security is everybody's business, and only with everyone's cooperation, an intelligent policy, and consistent practices, will it be achievable.

REFERENCES

  1. Computer Networks, Andrew Tanenbaum.
  2. Computer Networking, John Martin.
  3. Internetworking with TCP/IP, Douglas E. Comer.
