Chapter 7 Network Security
7.1 Overview
Security management cannot be separated from network and system administration, because security
requires a fully systemic approach (one of the principles of security management).
Security is about protecting things of value to an organization, in relation to the possible risks.
Securing Services: The services offered by the operating system in networked environments need to be
protected. The system administrator should configure each service with security attacks in mind.
Services that are not required should be disabled, and passwords must be based on mathematical
algorithms that are difficult to break.
File system security should be based on user and group privileges. Particular care must be taken
when tuning attack-prone services such as telnet and ftp.
Database Level Security: is concerned with data security and unauthorized access. Database
security is an inherent part of the database design. Some of the database security measures are:
- Database integrity
- User authentication
- Access control
- Availability
- Consistency
Content Security: Access to content should be modelled on privilege levels. A database
management system can greatly help in managing gigabytes of content. The measures related to
content security in a library are:
- Preservation of digital contents
- Intellectual property rights
- Authorized access
- Backup and recovery
There are many ways to attack a networked computer in order to gain access to it, or simply disable it.
Ping attacks
RFC 791 specifies that Internet datagrams shall not exceed 64kB. Some implementations of the
protocol can send packets which are larger than this, but not all implementations can receive them.
Some older network interfaces can be made to crash certain operating systems by sending them a ‘ping’
request like this with a very large packet size. Most modern operating systems are now immune to this
problem (e.g. NT 3.51 is vulnerable, but NT 4 is not). If not, it can be combated with a packet filtering
router.
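An oversized ping reaches the victim as a series of IP fragments whose reassembled length exceeds the 65535-byte limit, so the check a packet filtering router applies is on the fragment offset plus fragment length. The following is an added example (not from these notes) that performs that check on constructed fragments; the header layout follows RFC 791.

```python
import struct

IPV4_MAX_LEN = 65535            # RFC 791: the total length field is 16 bits
IPV4_HDR_FMT = "!BBHHHBBH4s4s"  # fixed 20-byte header, no options

def parse_ipv4_header(pkt: bytes) -> dict:
    """Decode the fixed 20-byte IPv4 header of one fragment."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_frag,
     _ttl, proto, _csum, _src, _dst) = struct.unpack(IPV4_HDR_FMT, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "id": ident,
        "proto": proto,
        "more_fragments": bool(flags_frag & 0x2000),
        "frag_offset": (flags_frag & 0x1FFF) * 8,   # offset field counts 8-byte units
        "payload_len": total_len - ihl,
    }

def is_oversized_fragment(hdr: dict) -> bool:
    """True when this fragment would land past the 65535-byte limit on reassembly.
    A filtering router drops such fragments instead of letting an old IP stack
    try to fit them into a buffer sized for a legal datagram."""
    return hdr["frag_offset"] + hdr["payload_len"] > IPV4_MAX_LEN

def build_fragment(ident: int, offset_bytes: int, payload_len: int,
                   more_fragments: bool) -> bytes:
    """Constructed sample fragment (ICMP, protocol 1) used only to exercise the check."""
    flags_frag = (0x2000 if more_fragments else 0) | (offset_bytes // 8)
    hdr = struct.pack(IPV4_HDR_FMT, 0x45, 0, 20 + payload_len, ident, flags_frag,
                      64, 1, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + b"\x00" * payload_len

if __name__ == "__main__":
    # Last fragment of an oversized ping versus a normal first fragment.
    bad = parse_ipv4_header(build_fragment(0x1234, 65528, 20, False))
    good = parse_ipv4_header(build_fragment(0x1234, 0, 1480, True))
    print("oversized:", is_oversized_fragment(bad), is_oversized_fragment(good))
```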
Denial of service (DoS) attacks
Another type of attack is to overload a system with so many service requests that it grinds to a halt. One
example is mail spamming, in which an attacker sends large numbers of repetitive E-mail messages,
filling up the server’s disk and causing the sendmail daemon to spawn rapidly and slow the system to a
standstill.
TCP/IP spoofing
Most network resources are protected on the basis of the host IP addresses of those resources. Access is
granted by a server to a client if the IP address is contained in an access control list (ACL). Since the
operating system kernel itself declares its own identity when packets are sent, it has not been common to
verify whether packets actually do arrive from the hosts which they claim to arrive from.
IP spoofing is the act of forging IP datagrams in such a way that they appear to come from a third party
host, i.e. an attacker at host A creates a packet with destination address ‘host B’ and source address ‘host
C’.
Password sniffing
Many communication protocols (telnet, ftp etc.) were introduced before security was a concern amongst
those on the Internet, so many of these protocols are very insecure. Passwords are often sent over the
network as plain text. This means that a sophisticated cracker could find out passwords simply by
listening to everything happening on the network and waiting for passwords to go by.
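Because telnet, ftp and similar protocols send the password as ordinary bytes, a monitor on the same network segment can pick it out of the stream; the same observation is what lets a defender detect that cleartext logins are still in use. The following added example (not from these notes) runs such a check over a constructed capture of TCP payloads and reports only the length of each exposed secret.

```python
import re

# Services that carry the login in the clear, and the client command holding the secret.
CLEARTEXT_PORTS = {21: "ftp", 110: "pop3", 23: "telnet"}
PASS_CMD = re.compile(rb"^PASS\s+(\S+)", re.IGNORECASE)

# Constructed sample capture: each entry is one TCP segment's payload.
SAMPLE_CAPTURE = [
    dict(src="10.0.0.5", sport=40001, dst="10.0.0.9", dport=21, data=b"USER alice\r\n"),
    dict(src="10.0.0.5", sport=40001, dst="10.0.0.9", dport=21, data=b"PASS hunter2\r\n"),
    dict(src="10.0.0.9", sport=23, dst="10.0.0.7", dport=40002, data=b"login: bob\r\nPassword: "),
    dict(src="10.0.0.7", sport=40002, dst="10.0.0.9", dport=23, data=b"letmein\r\n"),
    dict(src="10.0.0.7", sport=40003, dst="10.0.0.9", dport=22, data=b"SSH-2.0-OpenSSH\r\n"),
]

def find_cleartext_logins(packets):
    """Report every password that crossed the wire in plaintext.
    Findings carry only the length of the secret, never the secret itself,
    so the monitoring log does not become a second place the password leaks."""
    findings = []
    awaiting_pw = set()  # (client, server) telnet sessions that just received 'Password:'
    for p in packets:
        service = CLEARTEXT_PORTS.get(p["dport"])
        if service in ("ftp", "pop3"):
            m = PASS_CMD.match(p["data"])
            if m:
                findings.append({"service": service, "client": p["src"],
                                 "server": p["dst"], "secret_len": len(m.group(1))})
        elif service == "telnet":
            key = (p["src"], p["dst"])
            secret = p["data"].strip()
            if key in awaiting_pw and secret:
                findings.append({"service": "telnet", "client": p["src"],
                                 "server": p["dst"], "secret_len": len(secret)})
                awaiting_pw.discard(key)
        elif p["sport"] == 23 and b"Password:" in p["data"]:
            # Server prompt seen; the client's next line is the password.
            # Assumes line-mode telnet; character-mode clients send one byte per segment.
            awaiting_pw.add((p["dst"], p["src"]))
    return findings

if __name__ == "__main__":
    for f in find_cleartext_logins(SAMPLE_CAPTURE):
        print(f)
```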
Preventing and minimizing failure modes
Prevention of loss is usually cheaper than recovery after the fact.
Data can be lost by accident, by fire or natural catastrophe, by disk failure, or even by vandalism. Once
destroyed, data cannot be recovered. So, to avoid complete data loss, you need to employ a policy of
redundancy, i.e. backups.
Traditionally backups have been made to tape, since tape is relatively cheap and mobile; an alternative
is to mirror disks across a network.
On both Unix and Windows, it is possible to back up filesystems either fully or differentially (also
called incrementally).
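The notes treat differential and incremental backups as the same thing; in practice they differ in which earlier backup defines "changed", and that difference decides how many backup sets a restore has to read back. The following is an added example (not from these notes) over constructed file entries and timestamps.

```python
from dataclasses import dataclass

@dataclass
class FileEntry:
    path: str
    mtime: int   # modification time in seconds; constructed sample values below

# Constructed sample: last full backup at t=150, most recent backup of any kind at t=250.
SAMPLE_FILES = [FileEntry("/etc/passwd", 100),
                FileEntry("/home/a/notes.txt", 200),
                FileEntry("/var/log/mail.log", 300)]
LAST_FULL, LAST_ANY = 150, 250

def select_for_backup(files, mode, last_full, last_any):
    """Pick the files one backup run must copy.
    full         : every file
    differential : files changed since the last FULL backup
    incremental  : files changed since the last backup of ANY kind"""
    if mode == "full":
        return [f.path for f in files]
    if mode not in ("differential", "incremental"):
        raise ValueError(f"unknown mode {mode!r}")
    since = last_full if mode == "differential" else last_any
    return [f.path for f in files if f.mtime > since]

def restore_chain(runs):
    """Given past runs as (timestamp, mode) in chronological order, return the
    runs that must be read back, in order, to rebuild the newest state.
    Assumes a schedule uses one of the two modes after its full backup."""
    last_full = max(i for i, (_, m) in enumerate(runs) if m == "full")
    later = runs[last_full + 1:]
    if any(m == "incremental" for _, m in later):
        return [runs[last_full]] + later        # full plus every incremental, in order
    return [runs[last_full]] + later[-1:]       # full plus only the latest differential

if __name__ == "__main__":
    for mode in ("full", "differential", "incremental"):
        print(mode, select_for_backup(SAMPLE_FILES, mode, LAST_FULL, LAST_ANY))
    print(restore_chain([(0, "full"), (1, "incremental"), (2, "incremental")]))
    print(restore_chain([(0, "full"), (1, "differential"), (2, "differential")]))
```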
Loss of service might be less permanent than the loss of data, but it can be just as debilitating.
Downtime costs money for businesses and wastes valuable time in academia.
The basic source of all computing power is electricity. Loss of electrical power can be protected against,
to a limited extent, with an un-interruptible power supply (UPS).
Software can be abused in a denial of service attack, usually initiated by sending information to a host
which confuses it into inactivity.
Many problems in network communication would be easily solved if there were transport layer
encryption of Internet traffic. Spoofing would be impossible, because attackers would not have access to
the cryptographic checksums of the packets (spoofing could be easily detected). Similarly, sniffing the net
for passwords leaked by old protocols would be impossible, since no plaintext data would be sent.
IPSec is a security system developed for use with IPv6, but it has also been implemented for IPv4
(RFC 1636).
Cryptography can reformat and transform our data, making it safer on its trip between computers. The
technology is based on the essentials of secret codes.
Cryptography: the art or science encompassing the principles and methods of transforming an
intelligible message into one that is unintelligible, and then retransforming that message back to its
original form.
Analyzing network security
In order to assess the potential risks to a site, we form a list:
- What hosts exist on our site?
- What OS types are used?
- What services are running?
- What bug patches are installed?
- Run special tools (nmap, SATAN, SAINT, TITAN) to automate the examination procedure and
find obvious holes.
- Examine trust relationships between hosts.