
Network Programming

This website demonstrates using wikis as a teaching and learning tool.

The course instructor is happy to share the teaching materials here with those who find it readable.

Security in Networks

A Network Programming Lecture by Steven Choy

Overview: Security goals - Network Segmentation - Firewalls - Proxy Servers - Intrusion detection systems (IDS) - Virtual Private Network (VPN) - Network Security Protocols


Security Goals

  • Confidentiality - Information is protected against unauthorized disclosure
Attackers can defeat confidentiality by sniffing network traffic to steal passwords or read sensitive data. Encryption, access control, and a data classification scheme should therefore be put in place to address this goal.
  • Integrity - Information is protected against unauthorized modification
Networks often open a conduit for viruses, Trojan horses or intruders to break into computer systems and wreak havoc, compromising the integrity of the data residing there. Strict access control, network intrusion detection, and checksum/signature verification should be implemented to uphold this goal. Note that a plain checksum only catches accidental corruption; against an attacker who can rewrite packets, the check must be keyed (a MAC) or signed, since otherwise the attacker simply recomputes it over the modified data.
  • Authenticity - Data access, transactions and exchanges are verified and made accountable
The identity of an individual should be verified before he or she is granted access to systems, and the transactions carried out subsequently by that individual should be tracked, so that any specific action can be traced back to the person and he or she can be held accountable for its consequences. Smart cards, biometrics, and digital signatures are all measures that raise the level of authenticity of computer and networking systems.
  • Availability - Information is made available in usable form when required, and the networks/systems can appropriately resist attacks and failures
Both the availability of the networks themselves and that of the computer systems running on them matter, especially for critical systems that serve users across the globe around the clock, 7 x 24 (7 days a week, 24 hours a day). Denial of service (DoS) attacks launched remotely over the network are a popular way of disrupting the availability of networks or systems. Firewalls and the elimination of single points of failure (e.g. subscriptions to two different Internet service providers, redundancy mechanisms, etc.) are effective means of counteracting threats to availability.

Network Segmentation

  • A secure network design approach is to divide the network into a number of smaller segments, each serving a particular purpose, so that traffic between segments can be controlled and a compromise in one segment does not automatically expose the others.
  • For example, an internal segment can house the systems (e.g. inventory system, payroll system, etc.) that only internal users need to reach.
  • The following are some simple examples of segmenting a network for security.
Outside Segment - This segment contains only the edge router and, in our case, the Internet beyond it. You have no control over what traffic is sent towards you, but you have full control over which traffic is allowed into your network and which traffic may leave it.
Service Segment - This segment contains the main services you provide to the public. Some people call it the DMZ (demilitarized zone). Requests from the outside must be allowed to reach the services in this segment, so the hosts here are the most exposed and should hold no internal data.
Internal Segment - This is the segment with the highest security level in your network. It contains the internal workstations and internal servers holding your business plans, marketing plans and financial details; it should not be reachable directly from the outside segment.
Remote User Segment - This segment is the most critical one and needs careful attention. First ask yourself in advance: "Do we need our staff to access the internal network from outside or not?" If not, simply remove this segment and do not worry about it. Otherwise you must define the policies and techniques (typically a VPN with strong authentication, covered below) to secure this segment.

Firewalls

  • A firewall is a device in your network that protects you from outside attackers.
  • The firewall is the contact point between your network and the outside world: all traffic in and out passes through it.
  • Therefore, you need to identify each service that is allowed to go out and each service that is allowed to reach your network; everything else should be denied by default.
  • One typical type of firewall is the packet-filtering firewall, which operates on the network (IP) and transport (TCP/UDP) headers of the TCP/IP model.
  • A packet-filtering firewall examines the headers of every packet it receives and filters on predefined criteria such as source and destination address, protocol, port number and TCP flags. A simple (stateless) packet filter keeps no record of connections, so it can only approximate "established" traffic by looking at the ACK flag.
For review: TCP/IP header information
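To make the segmentation policy and the packet-filtering description concrete, here is an added example (written for this note, not code from the lecture) of a stateless packet filter: it parses the IPv4 and TCP/UDP headers a filter decides on, then applies an ordered, default-deny rule list expressing the outside / service (DMZ) / internal segments. The addresses, the rule set and the test packets are constructed for the example; a real deployment would use the organisation's own ranges.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# Segment addressing is constructed for this example (documentation ranges), not taken from the lecture.
INTERNET = ipaddress.ip_network("0.0.0.0/0")
DMZ = ipaddress.ip_network("192.0.2.0/24")       # service segment
INTERNAL = ipaddress.ip_network("10.0.0.0/8")    # internal segment

TCP, UDP = 6, 17
SYN, ACK = 0x02, 0x10


@dataclass
class Header:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: int
    sport: int
    dport: int
    flags: int   # TCP flag bits; 0 for other protocols


def parse(packet: bytes) -> Header:
    """Extract the fields a packet filter decides on from an IPv4 packet carrying TCP or UDP."""
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4            # IPv4 header length in bytes (options make it > 20)
    l4 = packet[ihl:]
    sport = dport = flags = 0
    if proto in (TCP, UDP):
        sport, dport = struct.unpack("!HH", l4[:4])
    if proto == TCP:
        flags = l4[13] & 0x3F             # byte 13 of the TCP header: URG ACK PSH RST SYN FIN
    return Header(ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst), proto, sport, dport, flags)


# Rule: (action, src segment, dst segment, protocol or None, dst port or None, connection state)
# state "new" = TCP SYN without ACK; "established" = ACK set (all a stateless filter can see); "any".
# First match wins; a packet matching no rule is dropped (default deny).
RULES = [
    ("allow", INTERNET, DMZ, TCP, 443, "new"),                # public HTTPS on the service segment
    ("allow", INTERNAL, INTERNET, TCP, None, "new"),          # staff may open outbound TCP connections
    ("allow", INTERNET, INTERNAL, TCP, None, "established"),  # replies to those connections
]


def _state_matches(h: Header, state: str) -> bool:
    if state == "any":
        return True
    if h.proto != TCP:
        return False
    if state == "new":
        return bool(h.flags & SYN) and not (h.flags & ACK)
    return bool(h.flags & ACK)


def filter_packet(packet: bytes, rules=RULES) -> Tuple[str, Optional[int]]:
    """Return (decision, index of the matching rule); index None means the default deny applied."""
    h = parse(packet)
    for i, (action, src_net, dst_net, proto, dport, state) in enumerate(rules):
        if (h.src in src_net and h.dst in dst_net
                and (proto is None or h.proto == proto)
                and (dport is None or h.dport == dport)
                and _state_matches(h, state)):
            return action, i
    return "deny", None


def build(src: str, dst: str, proto: int, sport: int, dport: int, flags: int = 0) -> bytes:
    """Constructed test packet: minimal IPv4 + TCP/UDP headers, checksums left at zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    if proto == TCP:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 65535, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    return ip + l4
```

The third rule shows the classic weakness of a stateless filter: it lets in any packet from the Internet to the internal segment that has the ACK bit set, because that is the only way it can recognise a reply. An attacker's "ACK scan" (a crafted packet with ACK set but no prior connection) passes the same rule; a stateful firewall closes this hole by allowing replies only for connections it has seen opened from the inside.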

Proxy Servers

  • A proxy server is software that acts as an intermediary between the internal and external networks, screening all incoming and outgoing traffic.
  • It is often used in conjunction with firewalls to strengthen the protection of a network.
Figure: A proxy server working with a packet-filtering firewall (source Figure 14-4, Dean, Network+ Guide to Networks)
  • Proxy servers operate at the application layer of the TCP/IP model, so unlike a packet filter they understand the protocol (e.g. HTTP) being relayed.
  • One common use is as a web proxy server. When a user requests a web page from an external web server, the web proxy server makes the request on the user's behalf and then passes the retrieved page back to the user.
  • Only the proxy's address is exposed to the outside; the user's address stays hidden, and internal hosts are never contacted directly by external servers. This reduces the internal hosts' exposure to external attacks, although the proxy itself then becomes a target and must be hardened.
  • The proxy server also saves the retrieved web page in its cache. When another user requests the same page later, the proxy can return the cached copy immediately, speeding up the response.
  • For class discussion: have you heard of anonymous proxy servers, anonymous proxy services, online anonymity, or similar terms? Do you know what they do?
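The following is an added example (not from the lecture) modelling the two behaviours described above: the proxy fetches on the client's behalf, so the origin server only ever sees the proxy's address, and it caches successful responses for later users. The origin server is a constructed stand-in that records what it observed; in a real proxy that call would be a TCP connection to the remote site. The clock is injectable so that cache expiry can be shown without waiting.

```python
import time
from typing import Callable, Dict, List, Tuple

# The origin server is a constructed stand-in: it receives (peer address, url, headers) and answers
# (status, body). A real proxy would open a TCP connection to the origin here.
Origin = Callable[[str, str, Dict[str, str]], Tuple[int, bytes]]


class CachingWebProxy:
    """Forward web proxy: fetches on the client's behalf, hides the client's address, caches 200 responses."""

    def __init__(self, origin: Origin, own_addr: str, ttl_s: float = 60.0, clock=time.monotonic):
        self.origin = origin
        self.own_addr = own_addr
        self.ttl_s = ttl_s
        self.clock = clock                       # injectable so expiry can be tested without sleeping
        self.cache: Dict[str, Tuple[float, int, bytes]] = {}

    def handle(self, client_addr: str, url: str, headers: Dict[str, str]) -> Tuple[int, bytes, str]:
        """Serve one client GET; the third element says whether the cache (HIT) or the origin (MISS) answered."""
        now = self.clock()
        cached = self.cache.get(url)
        if cached and now - cached[0] < self.ttl_s:
            return cached[1], cached[2], "HIT"
        # Build the outbound request ourselves. The origin's peer is the proxy (own_addr); an anonymising
        # proxy also drops headers that would reveal the client, which a transparent corporate proxy
        # would instead add (X-Forwarded-For, Forwarded, Via).
        outbound = {k: v for k, v in headers.items()
                    if k.lower() not in ("x-forwarded-for", "forwarded", "via")}
        status, body = self.origin(self.own_addr, url, outbound)
        if status == 200:                        # only successful pages are worth caching
            self.cache[url] = (now, status, body)
        return status, body, "MISS"


def make_origin(seen: List[Tuple[str, str, Dict[str, str]]]) -> Origin:
    """Constructed origin that records every request it receives and serves two fixed pages."""
    pages = {"http://example.test/": b"<h1>home</h1>", "http://example.test/news": b"<h1>news</h1>"}

    def origin(peer_addr: str, url: str, headers: Dict[str, str]) -> Tuple[int, bytes]:
        seen.append((peer_addr, url, dict(headers)))
        return (200, pages[url]) if url in pages else (404, b"not found")
    return origin


def demo() -> dict:
    """Two internal users fetch the same page through the proxy; the entry then expires."""
    seen: list = []
    t = [1000.0]
    proxy = CachingWebProxy(make_origin(seen), own_addr="198.51.100.1", ttl_s=60.0, clock=lambda: t[0])
    r1 = proxy.handle("10.0.0.7", "http://example.test/", {"User-Agent": "demo", "X-Forwarded-For": "10.0.0.7"})
    r2 = proxy.handle("10.0.0.8", "http://example.test/", {"User-Agent": "demo"})   # second user, same page
    t[0] += 61.0                                                                     # cache entry expires
    r3 = proxy.handle("10.0.0.8", "http://example.test/", {"User-Agent": "demo"})
    r4 = proxy.handle("10.0.0.8", "http://example.test/missing", {})
    return {"results": [r1[2], r2[2], r3[2], r4[2]], "statuses": [r1[0], r2[0], r3[0], r4[0]],
            "origin_calls": len(seen), "origin_saw_peers": sorted({s[0] for s in seen}),
            "client_leaked": any("X-Forwarded-For" in s[2] for s in seen)}
```

Whether a proxy strips or adds the X-Forwarded-For header is exactly the difference between an anonymous proxy and an ordinary corporate one, which is the point of the class discussion question above. Note also the check caveat: a shared cache must never store responses that were personalised for one user (cookies, authenticated pages), or it will hand them to the next user.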

Intrusion detection systems (IDS)

  • An intrusion detection system (IDS) is a device (or application) that monitors network and/or system activity for malicious activity or policy violations and reports to a management station.
  • It is common to use IDS tools to protect Internet web servers or mail servers.
  • There are two main types of IDS: network-based IDS and host-based IDS.
    • Network-based IDS - examines the packets transmitted on the network.
In a network-based intrusion detection system (NIDS), the sensors are located at choke points of the network to be monitored, often in the demilitarized zone (DMZ) or at the network border. A sensor captures all network traffic and analyzes the content of individual packets for malicious traffic, either by matching known attack signatures or by flagging anomalous behaviour such as a port scan.
    • Host-based IDS - detects abnormalities arising in a host system (e.g. unexpected changes to system files).
In a host-based system, the sensor is usually a software agent that monitors all activity of the host on which it is installed, including the file system, logs and the kernel. Some application-based IDS also fall into this category.
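The following is an added example (written for this note, not code from the lecture) illustrating both IDS types above. The network-based half runs two detection rules over a constructed capture from a DMZ sensor: an anomaly rule that flags one source touching many ports in a short window (a port scan) and a signature rule that looks for known attack strings in payloads. The host-based half takes a SHA-256 baseline of a constructed file tree, simulates an intrusion, and reports the unexpected changes to system files. The packet log, signatures and file contents are all constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from collections import defaultdict, deque
from typing import Dict, List, Tuple

# ---- Network-based: the sensor sees every packet passing a choke point ----
# Constructed sample of what a sensor on the DMZ border might capture: (time in s, src, dst, dst port, payload)
PACKETS = [
    (0.0, "203.0.113.9", "192.0.2.10", 80, b"GET / HTTP/1.1\r\nHost: www.example.test\r\n\r\n"),
    (0.5, "198.51.100.7", "192.0.2.10", 21, b""),
    (0.6, "198.51.100.7", "192.0.2.10", 22, b""),
    (0.7, "198.51.100.7", "192.0.2.10", 23, b""),
    (0.8, "198.51.100.7", "192.0.2.10", 25, b""),
    (0.9, "198.51.100.7", "192.0.2.10", 80, b""),
    (1.0, "198.51.100.7", "192.0.2.10", 110, b""),   # sixth distinct port within half a second: a scan
    (3.0, "203.0.113.9", "192.0.2.10", 80, b"GET /cgi-bin/../../../../etc/passwd HTTP/1.1\r\n\r\n"),
    (10.0, "192.0.2.50", "192.0.2.10", 22, b""),     # one probe every 10 s stays under the threshold
    (20.0, "192.0.2.50", "192.0.2.10", 23, b""),
    (30.0, "192.0.2.50", "192.0.2.10", 25, b""),
]

SIGNATURES = {"path-traversal": b"../../", "shell-probe": b"/bin/sh"}


def detect_port_scans(packets, threshold: int = 6, window_s: float = 5.0) -> List[Tuple[str, float, int]]:
    """Anomaly rule: one source touching >= threshold distinct ports within window_s seconds."""
    recent: Dict[str, deque] = defaultdict(deque)    # src -> (timestamp, port) pairs inside the window
    alerts, alerted = [], set()
    for ts, src, _dst, dport, _payload in sorted(packets, key=lambda p: p[0]):
        q = recent[src]
        q.append((ts, dport))
        while q and ts - q[0][0] > window_s:          # slide the window forward
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= threshold and src not in alerted:
            alerts.append((src, ts, len(ports)))
            alerted.add(src)                          # one alert per source, not one per extra port
    return alerts


def match_signatures(packets, signatures=SIGNATURES) -> List[Tuple[str, str, int]]:
    """Signature rule: known attack strings in the payload, the way a content match in a NIDS works."""
    return [(name, src, dport) for _ts, src, _dst, dport, payload in packets
            for name, pattern in signatures.items() if pattern in payload]


# ---- Host-based: an agent on the host compares the file system against a trusted baseline ----
def hash_tree(root: str) -> Dict[str, str]:
    """Baseline: SHA-256 of every file below root, keyed by path relative to root."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                digests[os.path.relpath(full, root)] = hashlib.sha256(f.read()).hexdigest()
    return digests


def diff_baseline(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Report what changed since the baseline: the unexpected changes to system files an HIDS looks for."""
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo_hids() -> Dict[str, List[str]]:
    """Constructed host: take a baseline, then simulate an intrusion and re-check."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        with open(os.path.join(etc, "passwd"), "w") as f:
            f.write("root:x:0:0:root:/root:/bin/sh\n")
        with open(os.path.join(etc, "hosts"), "w") as f:
            f.write("127.0.0.1 localhost\n")
        baseline = hash_tree(root)                                # keep this where an intruder cannot edit it
        with open(os.path.join(etc, "passwd"), "a") as f:         # backdoor account appended
            f.write("backdoor:x:0:0::/:/bin/sh\n")
        with open(os.path.join(etc, "ld.so.preload"), "w") as f:  # user-space rootkit hook dropped
            f.write("/lib/evil.so\n")
        os.remove(os.path.join(etc, "hosts"))
        return diff_baseline(baseline, hash_tree(root))
```

The thresholds (six ports in five seconds) are the tuning knobs of an anomaly rule: too low and ordinary clients trigger alerts, too high and a patient scanner (the third source in the sample) goes unnoticed. The baseline for the host-based check has to be stored off the host or on read-only media, since an intruder who can rewrite system files can otherwise rewrite the baseline to match.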

Virtual Private Network (VPN)

Introduction

  • Used to secure end-to-end private network connections over a public network infrastructure
  • Data is tunneled (encapsulated, authenticated and encrypted), so to the endpoints it appears as if the information were sent over a dedicated private line
  • More secure than sending the same traffic unprotected over the Internet
  • Inexpensive substitute for leased lines

VPN Design Requirements

  • Basic Premise – secure transfer of data across a public network
  • Security of the tunnel requires that its endpoints are authentic (a strong authentication scheme is required; otherwise an attacker can have the tunnel terminate at a host of their choosing)
  • Must ensure that data has not been modified in transit (integrity)
  • Must be able to manage both the establishment and operation of VPN tunnels
  • Must be able to restrict unauthorized access to your network (access control)
  • Must be able to prevent viewing or copying of data as it traverses the network (confidentiality)

VPN Types

  • Intranet VPN (Site-to-site VPN) - Interconnection of an organization's own sites, possibly in different countries, for intranet connectivity
  • Extranet VPN - Connections with business partners and customers (Extranet connectivity or B2B)
  • Remote Access - Access the VPN anywhere with Internet access (Remote access for the mobile workforce)

Network Security Protocols

  • IPsec
Internet Protocol Security (IPsec) is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a data stream. Because it works at the network layer it protects any application's traffic transparently, which is why it is the usual basis of site-to-site VPNs.
  • SSL/TLS
Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide security for communications over networks such as the Internet. They run on top of a reliable transport (TCP) and protect the connection between the two endpoints: the server (and optionally the client) is authenticated with a certificate, and the data is encrypted and integrity-protected. All versions of SSL are now considered insecure and deprecated; current deployments should use TLS 1.2 or later.
  • SSH
Secure Shell (SSH) is a network protocol that allows data to be exchanged over a secure channel between two networked devices, and is the common way to administer Unix computers remotely. Used primarily on GNU/Linux and Unix based systems to access shell accounts, SSH was designed as a replacement for Telnet and other insecure remote shells, which send information, notably passwords, in plaintext, rendering them susceptible to packet analysis. The encryption used by SSH provides confidentiality and integrity of data over an insecure network, such as the Internet.
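The protection TLS offers depends entirely on the client actually verifying the server's certificate, the "authentic endpoints" requirement from the VPN design section. The following is an added example (not from the lecture) using Python's standard ssl module: a correctly configured client context beside the common mistake of switching verification off, and a small audit function that reports the settings which would let an attacker on the path impersonate the server. It only builds and inspects the contexts, so it runs offline.

```python
import ssl
from typing import List


def hardened_client_context() -> ssl.SSLContext:
    """What a TLS client should look like: verify the server's certificate chain and name, TLS 1.2 or newer."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # implies verify_mode=CERT_REQUIRED and check_hostname=True
    ctx.load_default_certs()                          # trust the system's CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2      # refuse SSLv3 / TLS 1.0 / TLS 1.1 outright
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """The common 'it works now' mistake: verification off, so any machine on the path can pose as the server."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared first, or lowering verify_mode raises ValueError
    ctx.verify_mode = ssl.CERT_NONE   # accept any certificate, including a self-signed one from an attacker
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the settings that defeat endpoint authentication or admit obsolete protocol versions."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified (verify_mode is not CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("certificate not matched against the server name (check_hostname is off)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"obsolete protocol versions accepted (minimum_version is {ctx.minimum_version.name})")
    return findings
```

With the weak context a connection to an impostor succeeds silently and the "encrypted" channel ends at the attacker; with the hardened one the same connection fails with a certificate error, which is the behaviour you want. The hostname check matters on its own: a certificate can be perfectly valid and still be issued for a different server.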


Thanks for Reading


If you find any problem in this lecture note, please feel free to tell Steven via steven@findaway.hk.

Page last modified on March 11, 2010, at 09:46 AM