Introduction to Network Security Concepts

The document provides an introduction to network security, detailing concepts such as cybersecurity, information security, and network security. It outlines essential security objectives including confidentiality, integrity, availability, authenticity, and accountability, while also discussing challenges and types of security attacks. Additionally, it describes security services and mechanisms, emphasizing the importance of protecting information and systems from unauthorized access and threats.


Module 1

Introduction to Network Security

• Introduction
• The OSI security architecture
• Security concepts: security attacks, security services, security mechanisms
• A model for network security
Introduction
Cybersecurity is the protection of information that is stored, transmitted, and
processed in a networked system of computers, other digital devices, and
network devices and transmission lines, including the Internet.

Cybersecurity encompasses both information security and network security:

• Information security: the preservation of confidentiality, integrity, and
availability of information.
• Network security: the protection of networks and their services from
unauthorized modification, destruction, or disclosure, and the provision of
assurance that the network performs its critical functions correctly and
there are no harmful side effects.
Security Objectives
Essential Information and Network Security Objectives

Confidentiality
• Preserving authorized restrictions on information access and disclosure,
including means for protecting personal privacy and proprietary information.
• A loss of confidentiality is the unauthorized disclosure of information.
• Data confidentiality: Assures that private or confidential information is not
made available or disclosed to unauthorized individuals.
• Privacy: Assures that individuals control or influence what information
related to them may be collected and stored and by whom and to whom that
information may be disclosed.

Integrity
• Guarding against improper information modification or destruction, including
ensuring information nonrepudiation and authenticity.
• A loss of integrity is the unauthorized modification or destruction of
information.
• Data integrity: Assures that data and programs are changed only in a specified
and authorized manner. This concept also encompasses data authenticity.
• System integrity: Assures that a system performs its intended function in an
unimpaired manner, free from deliberate or inadvertent unauthorized
manipulation of the system.

Availability
• Assures that systems work promptly and service is not denied to authorized
users.
• Ensuring timely and reliable access to and use of information.
• A loss of availability is the disruption of access to or use of information or
an information system.

Authenticity
• The property of being genuine and being able to be verified and trusted;
confidence in the validity of a transmission, a message, or message originator.
• This means verifying that users are who they say they are and that each input
arriving at the system came from a trusted source.

Accountability
• The security goal that generates the requirement for actions of an entity to
be traced uniquely to that entity.
• This supports nonrepudiation, deterrence, fault isolation, intrusion detection
and prevention, and after-action recovery and legal action.
Challenges of Information Security
• Security is not simple.
• In developing a security system, potential attacks on the security features
need to be considered.
• Security procedures often seem confusing or opposite to expectations, but they
are essential for protection.
• It is necessary to decide where to use the various security mechanisms.
• Security requires constant monitoring.
• Security mechanisms typically involve more than a particular algorithm or
protocol.
• Security is a constant battle of intelligence between the attacker trying to
break the system and the designer working to defend it.
• Security is often undervalued by managers and users until a failure exposes
its true importance.
• Strong security is often seen as a barrier to speed and user convenience.
• Security is still an afterthought to be incorporated into a system after the
design.
OSI Security Architecture
ITU-T Recommendation X.800, Security Architecture for OSI, defines a systematic
way of defining and providing security requirements

• Security attack
• Any action that compromises the security of information owned by an organization
• Security mechanism
• A process (or a device incorporating such a process) that is designed to detect, prevent,
or recover from a security attack
• Security service
• A processing or communication service that enhances the security of the data
processing systems and the information transfers of an organization
• Intended to counter security attacks, and they make use of one or more security
mechanisms to provide the service
Threats and Attacks
• Threat : Any circumstance or event with the potential to adversely impact
organizational operations (including mission, functions, image, or
reputation), organizational assets, individuals, other organizations, or the
Nation through an information system via unauthorized access, destruction,
disclosure, modification of information, and/or denial of service.
• Attack : Any kind of malicious activity that attempts to collect, disrupt, deny,
degrade, or destroy information system resources or the information itself.
Security Attacks
A passive attack attempts to learn or make use of information from the system but
does not affect system resources.

An active attack attempts to alter system resources or affect their operation.

Passive Attacks
• Are in the nature of eavesdropping on, or monitoring of, transmissions.
• The goal of the opponent is to obtain information that is being transmitted.
• Two types of passive attacks are:
• The release of message contents
• Traffic analysis
• Passive attacks are very difficult to detect because they do not involve any
alteration of the data; the emphasis is therefore on prevention (typically by
encryption) rather than detection.

Active Attacks
• Involve some modification of the data stream or the creation of a false stream.
• Difficult to prevent because of the wide variety of potential physical,
software, and network vulnerabilities.
• The goal is to detect attacks and to recover from any disruption or delays
caused by them.
• Types of active attacks are:
• A masquerade takes place when one entity pretends to be a different entity.
• Replay involves the passive capture of a data unit and its subsequent
retransmission to produce an unauthorized effect.
• Modification of messages means that some portion of a legitimate message is
altered, or that messages are delayed or reordered, to produce an
unauthorized effect.
• Denial of service prevents or inhibits the normal use or management of
communication facilities.
Security Services
• A service provided by a protocol layer of communicating open systems that
ensures adequate security of the systems or of data transfers.
• A processing or communication service provided by a system to give a specific
kind of protection to system resources.

Service Categories
• Authentication
• Access control
• Data confidentiality
• Data integrity
• Nonrepudiation
• Availability service
Authentication
• Concerned with assuring that a communication is authentic.
• In the case of a single message, assures the recipient that the message is
from the source that it claims to be from.
• In the case of ongoing interaction, assures the two entities are authentic and
that the connection is not interfered with in such a way that a third party
can masquerade as one of the two legitimate parties.
• Two specific authentication services are:
• Peer entity authentication: Provides for the corroboration of the identity of
a peer entity in an association. Two entities are considered peers if they
implement the same protocol in different systems.
• Data origin authentication: Provides for the corroboration of the source of a
data unit. It does not provide protection against the duplication or
modification of data units. This type of service supports applications like
electronic mail, where there are no ongoing interactions between the
communicating entities.
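The peer entity authentication service above is usually delivered by a challenge-response exchange at association setup. The following added example (not code from the slides, and not any standard's reference implementation) shows both sides of such an exchange with a shared HMAC key: the verifier issues a fresh random nonce, the prover answers with a tag over that nonce and its claimed identity, and a captured answer is worthless against the next challenge. The principal names, the `|` separator in the tagged data, and the 16-byte nonce size are assumptions for illustration. The contrast with data origin authentication is the nonce: a tag over a single message has no freshness, which is why that service cannot detect duplication.

```python
"""Peer entity authentication by challenge-response (added example).

The verifier issues a fresh random nonce for each association; the prover
answers with an HMAC-SHA256 over the nonce and its claimed identity under the
shared key. Because the nonce changes every time, a response captured from an
earlier run is useless later, which a bare tag over a single message (data
origin authentication) cannot guarantee.
"""
import hashlib
import hmac
import secrets
from typing import Dict


def prove(key: bytes, nonce: bytes, identity: bytes) -> bytes:
    """Prover side. The identity is bound into the tag so a response computed
    for one principal cannot be presented under another name."""
    return hmac.new(key, nonce + b"|" + identity, hashlib.sha256).digest()


class Verifier:
    def __init__(self, keys: Dict[bytes, bytes]):
        self.keys = keys                               # identity -> shared key
        self.outstanding: Dict[bytes, bytes] = {}      # identity -> unanswered nonce

    def challenge(self, identity: bytes) -> bytes:
        nonce = secrets.token_bytes(16)
        self.outstanding[identity] = nonce
        return nonce

    def check(self, identity: bytes, resp: bytes) -> bool:
        """Accept only a response to the nonce currently outstanding for this
        identity. The nonce is consumed on first use, right or wrong, so it can
        never be answered twice."""
        nonce = self.outstanding.pop(identity, None)
        key = self.keys.get(identity)
        if nonce is None or key is None:
            return False
        return hmac.compare_digest(prove(key, nonce, identity), resp)


def demo() -> dict:
    """Constructed scenarios; every entry is True when the service behaves as described."""
    alice_key = secrets.token_bytes(32)                # constructed long-term secret
    v = Verifier({b"alice": alice_key})
    out = {}
    # 1. Honest exchange: challenge -> response -> accept.
    n1 = v.challenge(b"alice")
    r1 = prove(alice_key, n1, b"alice")
    out["honest_accepted"] = v.check(b"alice", r1)
    # 2. Replay: an eavesdropper captured r1 and presents it against a new challenge.
    v.challenge(b"alice")
    out["replay_rejected"] = not v.check(b"alice", r1)
    # 3. Masquerade: an attacker without alice's key answers the challenge.
    n3 = v.challenge(b"alice")
    out["masquerade_rejected"] = not v.check(b"alice", prove(b"guessed key", n3, b"alice"))
    # 4. Unknown principal: no key on file, so no response can verify.
    n4 = v.challenge(b"mallory")
    out["unknown_rejected"] = not v.check(b"mallory", prove(alice_key, n4, b"mallory"))
    return out


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

One-way authentication only proves the prover to the verifier; for the "ongoing interaction" case in the slides both sides run the exchange, and the session that follows still needs per-message integrity protection, or a third party can hijack the connection after the handshake.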
Access Control

• The ability to limit and control the access to host systems and applications
via communications links
• To achieve this, each entity trying to gain access must first be identified, or
authenticated, so that access rights can be tailored to the individual
Data Confidentiality
• The protection of transmitted data from passive attacks.
• The broadest service protects all user data transmitted between two users
over a period of time.
• Narrower forms of service include the protection of a single message or even
specific fields within a message.
• The protection of traffic flow from analysis.
• This requires that an attacker not be able to observe the source and
destination, frequency, length, or other characteristics of the traffic on a
communications facility.
Data Integrity
• Integrity can apply to a stream of messages, a single message, or selected
fields within a message. Two forms of service are distinguished:
• Connection-oriented integrity service:
• Deals with a stream of messages; assures that messages are received as sent
with no duplication, insertion, modification, reordering, or replays.
• The destruction of data is also covered under this service.
• Addresses both message stream modification and denial of service.
• Connectionless integrity service:
• Deals with individual messages without regard to any larger context.
• Provides protection against message modification only.
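The difference between the two integrity services is easiest to see in code. The following is an added example, not code from the slides or from X.800, using one irreversible mechanism (HMAC-SHA256) for both: the connectionless service tags each message alone and so catches modification but happily accepts a replayed copy, while the connection-oriented service binds a sequence number into the tag and tracks the next expected number, so replay, duplication and reordering are rejected as well. The wire layouts, the 8-byte sequence field, the class names and the constructed messages are assumptions for illustration.

```python
"""Connectionless vs connection-oriented integrity service (added example).

Both services use the same irreversible mechanism, an HMAC-SHA256 tag under a
key shared by the two principals. The connectionless service tags each message
on its own, so it detects modification but not replay. The connection-oriented
service also binds a sequence number into the tag and tracks the next expected
number at the receiver, so duplication, reordering and replay are rejected too.
"""
import hashlib
import hmac
import secrets
import struct
from typing import Optional

TAG_LEN = 32
# Constructed shared key for this example; in practice distributed out of band.
KEY = secrets.token_bytes(32)


def tag(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


# --- Connectionless integrity: each data unit stands alone ------------------

def cl_protect(key: bytes, msg: bytes) -> bytes:
    """Wire format: msg || tag(msg)."""
    return msg + tag(key, msg)


def cl_verify(key: bytes, unit: bytes) -> Optional[bytes]:
    """Return the message if its tag checks out, else None."""
    if len(unit) < TAG_LEN:
        return None
    msg, t = unit[:-TAG_LEN], unit[-TAG_LEN:]
    return msg if hmac.compare_digest(tag(key, msg), t) else None


# --- Connection-oriented integrity: sequence number bound into the tag -------

class Sender:
    def __init__(self, key: bytes):
        self.key, self.seq = key, 0

    def protect(self, msg: bytes) -> bytes:
        """Wire format: 8-byte big-endian seq || msg || tag(seq || msg)."""
        header = struct.pack(">Q", self.seq)
        self.seq += 1
        return header + msg + tag(self.key, header + msg)


class Receiver:
    def __init__(self, key: bytes):
        self.key, self.expected = key, 0

    def verify(self, unit: bytes) -> Optional[bytes]:
        """Accept only an authentic unit carrying exactly the next sequence number.
        A gap (a deleted or delayed unit) stalls the stream, which is how this
        service surfaces destruction of data and denial of service."""
        if len(unit) < 8 + TAG_LEN:
            return None
        header, msg, t = unit[:8], unit[8:-TAG_LEN], unit[-TAG_LEN:]
        if not hmac.compare_digest(tag(self.key, header + msg), t):
            return None                      # modification or forgery
        (seq,) = struct.unpack(">Q", header)
        if seq != self.expected:
            return None                      # replay, duplicate, reorder or gap
        self.expected += 1
        return msg


def demo() -> dict:
    """Constructed scenarios; each entry is True when the service behaves as the text says."""
    out = {}
    # Connectionless: modification is caught, replay of an authentic unit is not.
    unit = cl_protect(KEY, b"transfer 100 to alice")
    out["cl_accepts_genuine"] = cl_verify(KEY, unit) == b"transfer 100 to alice"
    tampered = unit[:9] + b"9" + unit[10:]          # "transfer 900 to alice", old tag
    out["cl_rejects_modification"] = cl_verify(KEY, tampered) is None
    out["cl_accepts_replay"] = cl_verify(KEY, unit) == b"transfer 100 to alice"
    # Connection-oriented: replay, duplication and reordering are caught as well.
    s, r = Sender(KEY), Receiver(KEY)
    u1, u2 = s.protect(b"msg 1"), s.protect(b"msg 2")
    out["co_accepts_in_order"] = r.verify(u1) == b"msg 1" and r.verify(u2) == b"msg 2"
    out["co_rejects_replay"] = r.verify(u1) is None
    u3, u4 = s.protect(b"msg 3"), s.protect(b"msg 4")
    out["co_rejects_reorder"] = r.verify(u4) is None          # u3 not yet delivered
    out["co_resumes_in_order"] = r.verify(u3) == b"msg 3" and r.verify(u4) == b"msg 4"
    return out


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The strict "exactly the next number" policy is what turns a dropped or delayed unit into a visible failure; a real transport would typically combine it with a receive window and retransmission, but any relaxation that accepts an older number reopens the replay that the connectionless service already fails to stop.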
Nonrepudiation
• Prevents either sender or receiver from denying a transmitted message

• When a message is sent, the receiver can prove that the alleged sender in fact
sent the message

• When a message is received, the sender can prove that the alleged receiver in
fact received the message
Availability Service
• Availability: the property of a system or a system resource being accessible
and usable upon demand by an authorized system entity, according to
performance specifications for the system.
• Availability service: one that protects a system to ensure its availability.
• Addresses the security concerns raised by denial-of-service attacks.
• Depends on proper management and control of system resources.

Security Mechanisms
• Cryptographic algorithms:
• Reversible cryptographic mechanism : An encryption algorithm that
allows data to be encrypted and subsequently decrypted.
• Irreversible cryptographic mechanisms : Hash algorithms and message
authentication codes, which are used in digital signature and message
authentication applications.
• Data integrity:
• This category covers a variety of mechanisms used to assure the integrity of
a data unit or stream of data units.
• Digital signature:
• Data appended to, or a cryptographic transformation of, a data unit that
allows a recipient of the data unit to prove the source and integrity of the
data unit and protect against forgery.
• Authentication exchange:
• A mechanism intended to ensure the identity of an entity by means of
information exchange.
• Traffic padding:
• The insertion of bits into gaps in a data stream to frustrate traffic analysis
attempts.
• Routing control:
• Enables selection of particular physically or logically secure routes for
certain data and allows routing changes, especially when a breach of
security is suspected.
• Notarization:
• The use of a trusted third party to assure certain properties of a data
exchange.
• Access control:
• A variety of mechanisms that enforce access rights to resources.
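Traffic padding is the one mechanism in the list above that targets the passive attack of traffic analysis and the traffic-flow confidentiality service described earlier. The following added example (not code from the slides or from any standard) shows the two halves of it: rounding every unit up to a fixed bucket size so lengths no longer distinguish messages, and emitting one unit per time slot, dummy or real, so frequency no longer reveals when anyone is talking. The unit layout, the type byte, the 256-byte bucket and the sample messages are assumptions; in a real stack the padded units would then be encrypted so the filler is indistinguishable from payload on the wire.

```python
"""Traffic padding against traffic analysis (added example).

Two things an eavesdropper learns from an encrypted link are the length of
each unit and how often units appear. pad() hides exact lengths by rounding
every unit up to a multiple of BUCKET bytes; constant_rate() hides frequency
by emitting exactly one unit per time slot, a dummy when nothing is queued.
These units must be encrypted afterwards, otherwise the type byte, the length
field and the zero fill are visible and the padding is pointless.
"""
import struct
from typing import List, Optional

BUCKET = 256
REAL, DUMMY = b"\x01", b"\x00"      # one-byte unit type, constructed for this example


def pad(msg: bytes, bucket: int = BUCKET) -> bytes:
    """Unit layout: type || 4-byte big-endian length || msg || zero fill.
    The explicit length field makes unpadding unambiguous even when the message
    ends in zero bytes or already fills a bucket exactly. Messages longer than a
    bucket still reveal their size to the nearest multiple, so choose the bucket
    from the largest legitimate message when that matters."""
    body = REAL + struct.pack(">I", len(msg)) + msg
    return body + b"\x00" * ((-len(body)) % bucket)


def dummy(bucket: int = BUCKET) -> bytes:
    """A cover-traffic unit carrying nothing."""
    return DUMMY + b"\x00" * (bucket - 1)


def unpad(unit: bytes) -> Optional[bytes]:
    """Return the carried message, or None for a dummy unit; reject malformed input."""
    if not unit or unit[0:1] == DUMMY:
        return None
    if len(unit) < 5:
        raise ValueError("truncated unit")
    (n,) = struct.unpack(">I", unit[1:5])
    if 5 + n > len(unit):
        raise ValueError("length field exceeds unit size")
    return unit[5:5 + n]


def constant_rate(queue: List[bytes], slots: int, bucket: int = BUCKET) -> List[bytes]:
    """Emit exactly one unit per slot: a real message if one is queued, else a dummy.
    The observer sees the same count and sizes whether or not anyone is talking."""
    pending = list(queue)
    return [pad(pending.pop(0), bucket) if pending else dummy(bucket) for _ in range(slots)]


def wire_view(units: List[bytes]) -> List[int]:
    """What the observer gets: only sizes (and, by position, timing)."""
    return [len(u) for u in units]


def demo() -> dict:
    # Constructed traffic: short replies whose lengths alone would reveal the answer.
    msgs = [b"yes", b"no", b"transfer 100 to alice\x00\x00"]
    units = constant_rate(msgs, slots=5)
    return {
        "unprotected": wire_view(msgs),          # [3, 2, 23]: "yes" vs "no" is visible
        "protected": wire_view(units),           # [256, 256, 256, 256, 256]
        "recovered": [unpad(u) for u in units],  # the three messages, then two None
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The cost is the reason this mechanism is used selectively: every idle slot still consumes a full bucket of bandwidth, which is why the slides list it as a separate mechanism rather than folding it into encryption.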
Relationship between Security Services and Mechanisms
Model for Network Security
• All of the techniques for providing security have two components:
• A security-related transformation on the information to be sent.
• Some secret information shared by the two principals and unknown to the
opponent.
• Basic tasks in designing a particular security service:
a. Design an algorithm for performing the security-related transformation.
b. Generate the secret information to be used with the algorithm.
c. Develop methods for the distribution and sharing of the secret information.
d. Specify a protocol to be used by the two principals that makes use of the
security algorithm and the secret information to achieve a particular
security service.
Network Access Security Model
• Using this model requires us to:
• Select appropriate gatekeeper functions to identify users.
• Implement security controls to ensure only authorised users access designated
information or resources.
• Note that the model does not include:
• Monitoring of the system
• Monitoring of authorized users for misuse
• Audit logging for forensic uses, etc.
Unwanted Access
• Placement in a computer system of logic that exploits vulnerabilities in the
system and that can affect application programs as well as utility programs.
• Programs can present two kinds of threats:
• Information access threats
• Service threats