Telecommunications, Network, and Internet Security

Confidentiality touches on the topics of network authentication and data encryption. Integrity protects the data from unauthorized or accidental modification through the use of firewalls, cryptography, and intrusion detection tools. Availability involves sound disaster recovery planning procedures based on an accepted business continuity plan.

Classify the International Organization for Standardization /Open Systems Interconnection (ISO/OSI) layers and characteristics

  • Application — MESSAGE
  • Presentation — endpoint can understand the message on delivery
  • Session — connection and termination
  • Transport — received and transferred data are identical — SEGMENT — DATAGRAM
  • Network — data addressing — PACKET
  • Data Link — transfer data on media — FRAME
  • Physical — BIT
  • Transmission Control Protocol (TCP): TCP is a reliable service that maintains the proper sequence of incoming packets and acknowledges receipt to the user.
  • User Datagram Protocol (UDP): UDP is a less robust version of TCP. It does not acknowledge receipt of packets and is a connectionless and less reliable service. Its advantage over TCP is its faster speed and lower overhead.

Internet Protocol — Unique address for each host

ARP — IP to MAC

RARP — MAC to IP

Internet Control Message Protocol (ICMP) — IP checking — announcing network errors and congestion, troubleshooting, and reporting timeouts

applications using TCP/IP:

File Transfer Protocol (FTP)

Remote login (Telnet)

Electronic Mail or Simple Mail Transfer Protocol (SMTP) email host to host

OSI/ISO  Security Services

Authentication: 1) User Password 2) Access List

Access control — Block or Allow to network

Data confidentiality — 1) Content confidentiality — protecting the contents of the message from disclosure. 2) Message flow confidentiality — concealing the path or route the message followed on its way to the recipient, preventing an attacker from obtaining information by observing the message flow.

Data integrity: The goal is to protect data from accidental or malicious modification, whether during data transfer, during data storage, or from an operation performed on it, and to preserve it for its intended use.

Nonrepudiation: the sender of a message cannot later deny having sent it.

Logging and monitoring: audit log

OSI model additionally identifies eight security mechanisms:

Encipherment: conversion of plain-text messages into ciphers 

Digital signature: in general, the use of public and private key encryption

Access control:

Data integrity: 

Authentication:

Traffic padding: The technique by which spurious data is generated to disguise the amount of real data being sent, thus making data analysis or decryption more difficult for the attacker.

Routing control: The Internet has multiple routes between networks. When a network drops, the routing control process determines the optimal path in real time, to reduce downtime. (Supports availability.)

Notarization: digital notarization (see cryptography, digital signatures).

LAN — limited space or geographic area

CAN — connects the buildings of a campus through a network

MAN — connects branches of an organization, using wireless (5 to 50 kilometers)

WAN — covers a larger geographic area

An extranet is an intranet that allows select users outside the firewalls to access the site

NAT (Network Address Translation) — its purpose is to hide internal device IP addresses from Internet users, to help secure the network.

Firewall

  • Packet filtering — matches every packet against a series of rules (accepted, rejected, logged, and so forth), examining the source, destination, port number, and protocol type (for example, UDP or TCP). Rules apply in, out, or bi-directionally.
  • Stateful inspection packet filtering — filters on more than one packet at a time; tracks the state of each current connection to ensure that only traffic belonging to a legitimate connection passes through; checks the IP datagram; fast; no additional cost; rules can be written per user and application. Drawbacks: complex on routers, difficult to manage, not a very secure method on its own; hidden instructions inside permitted traffic can pass.
  • Firewall
    • Protects the LAN from the public network
    • Application-Level Gateway Firewall — proxy based (for example, Windows, McAfee). Drawbacks:
      • Purchase of dedicated gateway hardware
      • Configuration of the proxy service applications
      • Time, knowledge, and skills required to configure the gateway system
      • Degradation in the level of service provided to users because of the overhead of firewall operation
      • Lack of transparency for remote users, resulting in a less user-friendly system
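The difference between plain packet filtering and stateful inspection described above, as an added Python example that is not part of the original notes. The rule set, the addresses and the packets are constructed for the demo; the dotted-quad prefix match used in place of a real netmask is a simplification. The stateless filter can only accept the reply half of an outbound HTTPS connection if a permissive inbound rule is written for it, while the stateful filter accepts the reply because it remembers the connection the rules approved.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed example (not from the notes): a first-match packet filter with a
# default-deny final rule, and a stateful wrapper that remembers approved
# connections so their reply traffic is accepted without an explicit rule.

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "TCP" or "UDP"
    sport: int
    dport: int
    direction: str      # "in" (from the public network) or "out"
    syn: bool = False   # TCP SYN flag; only a new connection may create state

@dataclass(frozen=True)
class Rule:
    action: str                  # "accept" or "reject"
    direction: str               # "in", "out" or "both"
    proto: Optional[str] = None
    src: Optional[str] = None    # dotted-quad prefix such as "10.0." (simplified netmask)
    dst: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        """A field left as None is a wildcard; every other field must match."""
        return ((self.direction in ("both", p.direction))
                and (self.proto is None or self.proto == p.proto)
                and (self.src is None or p.src.startswith(self.src))
                and (self.dst is None or p.dst.startswith(self.dst))
                and (self.dport is None or self.dport == p.dport))

# Constructed rule set: internal 10.0.x.x hosts may open HTTPS connections,
# the mail host accepts SMTP from anywhere, everything else is rejected.
RULES = [
    Rule("accept", "out", "TCP", src="10.0.", dport=443),
    Rule("accept", "in", "TCP", dst="10.0.0.25", dport=25),
    Rule("reject", "both"),   # restrictive posture: deny what is not expressly permitted
]

def stateless_filter(p: Packet, rules=RULES) -> str:
    """Plain packet filtering: the first matching rule decides, default reject."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "reject"

class StatefulFilter:
    """Stateful inspection: the rules are consulted only for new connections."""

    def __init__(self, rules=RULES):
        self.rules = rules
        self.table = set()   # approved flows as (src, sport, dst, dport, proto)

    def decide(self, p: Packet) -> str:
        key = (p.src, p.sport, p.dst, p.dport, p.proto)
        reverse = (p.dst, p.dport, p.src, p.sport, p.proto)
        if key in self.table or reverse in self.table:
            return "accept"          # belongs to a connection the rules already approved
        action = stateless_filter(p, self.rules)
        if action == "accept" and (p.proto != "TCP" or p.syn):
            self.table.add(key)      # remember the flow so its replies get through
        return action

if __name__ == "__main__":
    fw = StatefulFilter()
    request = Packet("10.0.0.7", "203.0.113.5", "TCP", 51000, 443, "out", syn=True)
    reply = Packet("203.0.113.5", "10.0.0.7", "TCP", 443, 51000, "in")
    print(stateless_filter(reply), fw.decide(request), fw.decide(reply))  # reject accept accept
```

Note that an unsolicited inbound packet that merely looks like an HTTPS reply (source port 443) is still rejected by the stateful filter, because no matching outbound flow exists in its table; that is exactly the case the stateless filter cannot express without opening port 443 inbound to everyone.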

Proxy Server

  • Each proxy is configured to support only a subset of the standard application’s command set. If the proxy application does not support a standard command, it is simply not available to the authenticated user.
  • Each proxy is configured to allow access only to specific host systems. This means that the limited command/feature set can be applied only to a subset of systems on the protected network.
  • Each proxy maintains detailed audit information by logging all traffic, each connection, and the duration of each connection. Audit logs are essential tools for discovering and terminating intruder attacks. Each proxy is a small and uncomplicated program specifically designed for network security.
  • Each proxy is independent of all other proxies on the bastion host. If a problem occurs with the operation of any proxy or if a future vulnerability is discovered, it can be uninstalled without affecting the operation of the other proxy applications.
  • Each proxy runs as a nonprivileged user in a private and secured directory on the bastion host. If users require support for new services, the network administrator can easily install the required proxies on the bastion host. A proxy generally performs no disk access other than to read its initial configuration file. This makes it difficult for an intruder to install Trojan horse sniffers or other dangerous files on the bastion host.

Bastion Hosts

  • An application-level gateway is often referred to as a bastion host
    • Hardened Unix host
    • Limited to SSH, DNS, FTP, SMTP
    • The network manager has complete control over each service

Screened Host Firewalls

  • packet-filtering router and a bastion host

DMZ

  • Demilitarized Zone or Screened-Subnet Firewall — inside firewall – bastion host – outside firewall

The deployment of a screened-subnet firewall system delivers several key benefits:

  • An intruder must crack three separate devices without detection.
  • Because the outside router advertises the DMZ network only to the Internet, systems on the Internet do not have routes to the protected private network. This allows the network manager to ensure that the private network is “invisible” and that only selected systems on the DMZ are known to the Internet via routing table and DNS information exchanges.
  • Because the inside router advertises the DMZ network only to the private network, systems on the private network do not have direct routes to the Internet. This guarantees that inside users must access the Internet via the proxy services residing on the bastion host.
  • Packet-filtering routers direct traffic to specific systems on the DMZ network, eliminating the need for the bastion host to be dual-homed.
  • The inside router supports greater packet throughput than a dual-homed bastion host when it functions as the final firewall system between the private network and the Internet.
  • Because the DMZ network is a different network than the private network, a NAT can be installed on the bastion host to eliminate the need to renumber or resubnet the private network.

An intrusion detection system (IDS) attempts to detect an intruder breaking into systems — checks for outside and inside intruders

  • Prohibit everything that is not expressly permitted (restrictive posture).
  • Permit everything that is not expressly denied (permissive posture).
    • Protect integrity, confidentiality, or availability
      • Misuse intrusions — detected by matching a known pattern (signature)
      • Anomaly intrusions — detected as whatever is not normal according to the host's profile
    • It must run continually without human supervision. 
    • It must be fault tolerant. 
    • It must resist subversion. The system should monitor itself to ensure that it has not been subverted.
    • It must impose minimal overhead on the attached network.
    • It must observe deviations from normal behavior. (Not standard)
    • It must be easily tailored to the network in question. Every system has different usage patterns, and the defense mechanisms should adapt easily to these patterns.
    • It must cope with changing system behavior over time as new applications are being added. The system profile will change over time, and the IDS must be capable of adapting.
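The two detection approaches in the list above, misuse (known pattern) and anomaly (deviation from a host or user profile), as an added Python example that is not part of the original notes. The log lines, the sshd-like format, the per-user baseline profile and the thresholds are all constructed for the demo. The misuse detector can only fire on a pattern that was defined in advance (here, repeated failed logins from one source within a time window); the anomaly detector needs no signature but does need a profile, and flags a successful login from a source or at an hour the user has never used.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines in an sshd-like format (not real logs).
LOG = """\
2024-05-01T08:02:11 sshd: Accepted password for alice from 10.0.0.7
2024-05-01T08:40:03 sshd: Accepted password for bob from 10.0.0.9
2024-05-01T12:15:44 sshd: Failed password for root from 198.51.100.9
2024-05-01T12:15:45 sshd: Failed password for root from 198.51.100.9
2024-05-01T12:15:46 sshd: Failed password for admin from 198.51.100.9
2024-05-01T12:15:47 sshd: Failed password for admin from 198.51.100.9
2024-05-01T12:15:48 sshd: Failed password for alice from 198.51.100.9
2024-05-01T23:58:30 sshd: Accepted password for alice from 203.0.113.5
"""

LINE = re.compile(r"^(\S+) sshd: (Accepted|Failed) password for (\S+) from (\S+)$")

def parse(log):
    """Turn log text into (timestamp, result, user, source) tuples; skip unparsable lines."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ts, result, user, src = m.groups()
            events.append((datetime.fromisoformat(ts), result, user, src))
    return events

def misuse_alerts(events, threshold=5, window=60):
    """Misuse detection: a known pattern, N or more failed logins from one
    source within `window` seconds. Returns the offending source addresses."""
    failures = defaultdict(list)
    alerts = set()
    for ts, result, user, src in events:
        if result != "Failed":
            continue
        failures[src].append(ts)
        # keep only failures still inside the sliding window
        failures[src] = [t for t in failures[src] if (ts - t).total_seconds() <= window]
        if len(failures[src]) >= threshold:
            alerts.add(src)
    return sorted(alerts)

# Constructed baseline profile: where and when each user normally logs in.
# A real IDS would learn this from past traffic and keep updating it.
BASELINE = {
    "alice": {"sources": {"10.0.0.7"}, "hours": set(range(7, 19))},
    "bob": {"sources": {"10.0.0.9"}, "hours": set(range(7, 19))},
}

def anomaly_alerts(events, profile=BASELINE):
    """Anomaly detection: flag successful logins that deviate from the profile."""
    alerts = []
    for ts, result, user, src in events:
        if result != "Accepted":
            continue
        p = profile.get(user)
        if p is None:
            alerts.append((user, src, "no profile for user"))
            continue
        reasons = []
        if src not in p["sources"]:
            reasons.append("new source")
        if ts.hour not in p["hours"]:
            reasons.append("unusual hour")
        if reasons:
            alerts.append((user, src, ", ".join(reasons)))
    return alerts

if __name__ == "__main__":
    events = parse(LOG)
    print("misuse:", misuse_alerts(events))
    print("anomaly:", anomaly_alerts(events))
```

The brute-force source never logs in successfully, so the anomaly detector says nothing about it, and the late-night login from a new address matches no signature, so the misuse detector says nothing about that; each approach covers what the other misses, which is why the notes list both.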

Intrusion Prevention Systems

  • Sending an alarm to the administrator (such as an IDS)
  • Blocking traffic from the source address
  • Resetting the connection

Virtual Private Networks — establish private “tunnels” over the public Internet

  • IPSec
    • sender authentication, message integrity, and data confidentiality
    • operate at the Network Layer of TCP/IP
      • Authentication Header (AH) — modifies IP datagrams by adding an attribute field that enables receivers to check the authenticity of the data within the datagram.
        • integrity check value (ICV)
        • message authentication code (MAC) or digital signature 
  • Transport mode, in which protection is applied to upper-layer protocols (TCP or UDP)
  • Tunnel mode, in which an entire IP packet is wrapped inside a new IP packet and attached with a new IP header before it’s transmitted through the public network
  • Encapsulating Security Payload (ESP) — sandwiches the message between an ESP header and an ESP trailer.
    • Confidentiality (in IPSec tunnel mode)
    • Connectionless data integrity
    • Data origin authentication
    • Protection against replay attacks
    • It can support encryption
  • Security Association
    • IP destination address
    • Security protocol identifier (AH or ESP)
    • Security parameter index (SPI)
    • IPSec database called the security association database (SAD)
    • The SAD holds each SA and is consulted each time a packet is sent or received
    • SAs contain the actual keys used for encrypting data or signing message authentication codes or message digests.
    • IPsec provides a separate protocol for exchanging security associations — out of band, apart from the protected traffic
    • Internet Security Association and Key Management Protocol (ISAKMP)
      • Oakley uses a hybrid Diffie-Hellman key exchange protocol to exchange session keys on Internet hosts and routers
        • Cookies exchange for stateless connections (such as the Internet)
        • Diffie-Hellman public key values exchange mechanism
        • Authentication mechanism with the options of anonymity, perfect forward secrecy on the identities, and/or nonrepudiation
  • Security Policies
    • IPsec security policy database (SPD) — decides whether a packet is allowed or not
  • IPSec Key Management
    • Manual key exchange
    • Simple Key Interchange Protocol (SKIP)
    • ISAKMP/Oakley
  • Applied VPNs
    • Office to Office — IPSec
    • Remote access or user — SSL — no client software needed — over the Internet — two-factor authentication
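The AH integrity check value, the security association database keyed by destination address, protocol and SPI, and ESP/AH replay protection from the list above, as an added Python example that is not part of the original notes and not any IPsec implementation's code. The key, the header layout, the 12-byte truncated HMAC-SHA256 ICV and the 64-packet window are assumptions for the demo; real AH also covers the immutable IP header fields, which are left out here. The receiver looks up the SA, rejects sequence numbers already seen or fallen behind the window, verifies the ICV, and only then advances the window, so a tampered packet cannot move it.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, field

# Constructed example (not from the notes): an AH-style ICV plus the
# anti-replay window kept in a security association.

ICV_LEN = 12   # assumed truncated ICV length

@dataclass
class SecurityAssociation:
    spi: int              # security parameter index
    dst: str              # IP destination address
    protocol: str         # "AH" or "ESP"
    auth_key: bytes       # key for the message authentication code
    window: int = 64      # anti-replay window size
    send_seq: int = 0     # sender side: last sequence number used
    highest_seq: int = 0  # receiver side: highest sequence number verified so far
    seen: set = field(default_factory=set)  # verified sequence numbers inside the window

SAD = {}   # security association database, keyed by (dst, protocol, SPI)

def install_sa(sa):
    SAD[(sa.dst, sa.protocol, sa.spi)] = sa

def compute_icv(sa, seq, payload):
    """HMAC over SPI, sequence number and payload, truncated to ICV_LEN bytes."""
    covered = struct.pack("!II", sa.spi, seq) + payload
    return hmac.new(sa.auth_key, covered, hashlib.sha256).digest()[:ICV_LEN]

def protect(sa, payload):
    """Sender: assign the next sequence number and prepend SPI, seq and ICV."""
    sa.send_seq += 1
    header = struct.pack("!II", sa.spi, sa.send_seq)
    return header + compute_icv(sa, sa.send_seq, payload) + payload

def unprotect(dst, packet):
    """Receiver: look up the SA, reject replays, verify the ICV, slide the window.
    Returns (payload, "ok") or (None, reason)."""
    spi, seq = struct.unpack("!II", packet[:8])
    sa = SAD.get((dst, "AH", spi))
    if sa is None:
        return None, "no SA"
    icv, payload = packet[8:8 + ICV_LEN], packet[8 + ICV_LEN:]
    # Preliminary replay check before the (more expensive) ICV computation.
    if seq <= sa.highest_seq - sa.window or seq in sa.seen:
        return None, "replay"
    if not hmac.compare_digest(icv, compute_icv(sa, seq, payload)):
        return None, "bad ICV"
    # Only a packet that passed the ICV check may advance the window.
    sa.seen.add(seq)
    if seq > sa.highest_seq:
        sa.highest_seq = seq
        sa.seen = {s for s in sa.seen if s > sa.highest_seq - sa.window}
    return payload, "ok"

if __name__ == "__main__":
    sa = SecurityAssociation(spi=0x1000, dst="10.0.0.25", protocol="AH",
                             auth_key=b"constructed-demo-key")
    install_sa(sa)
    pkt = protect(sa, b"hello")
    print(unprotect("10.0.0.25", pkt))   # (b'hello', 'ok')
    print(unprotect("10.0.0.25", pkt))   # (None, 'replay')
```

An SA is one-way, so in practice the sender holds the `send_seq` counter and the receiver holds `highest_seq` and `seen`; both live in one object here only to keep the demo short.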

Cloud

  • Software as a Service (SaaS)
  • Platform as a Service (PaaS)
  • Infrastructure as a Service (IaaS)
  • Network as a Service (NaaS).

Summarize the fundamentals of communications and network security and their vulnerabilities

Analyze the Transmission Control Protocol/Internet Protocol (TCP/IP)

Distinguish among wide area networks (WANs), local area networks (LANs), and the Internet, intranets, and extranets

Outline the roles of packet-filtering routers, firewalls, and intrusion detection/prevention technology in network perimeter security

Classify the various configurations and architectures for firewalls

Illustrate the elements of IP security (IPSec) and how virtual private networks implement IPSec