Lecture 5 Telecommunication Networks and Security

The document discusses the OSI model's security mechanisms and various network security infrastructures, including firewalls, intrusion detection systems, and virtual private networks (VPNs). It emphasizes the importance of securing multi-platform systems and implementing comprehensive security measures such as firewalls, anti-virus software, and strong password policies. Additionally, it highlights the value of third-party security audits for evaluating and enhancing network security.


LECTURE 5 Telecommunications, Network, and Internet Security

The OSI model addresses the following security issues:

OSI Model and Security
Security mechanisms used in networks:
- Encipherment
- Digital signature
- Access control
- Data integrity
- Authentication
- Traffic padding
- Routing protocol
Basic Network Security Infrastructures

Layer, function, network device, and protocols or standards:

7: Application
   Function: provides services such as email, file transfers and file servers
   Protocols or standards: HTTP, FTP, TFTP, DNS, SMTP, SFTP, SNMP, RLogin, BootP, MIME

6: Presentation
   Function: provides encryption, code conversion and data formatting
   Protocols or standards: MPEG, JPEG, TIFF

5: Session
   Function: negotiates and establishes a connection with another computer
   Device: gateway
   Protocols or standards: SQL, X-Window, ASP, DNA, SCP, NFS, RPC

4: Transport
   Function: supports end-to-end delivery of data
   Device: gateway
   Protocols or standards: TCP, UDP, SPX

3: Network
   Function: performs packet routing
   Device: router
   Protocols or standards: IP, OSPF, ICMP, RIP, ARP, RARP

2: Data link
   Function: provides error checking and transfer of message frames
   Device: switch
   Protocols or standards: Ethernet, Token Ring, 802.11

1: Physical
   Function: physically interfaces with the transmission medium and sends data over the network
   Device: hub
   Protocols or standards: EIA RS-232, EIA RS-449, IEEE 802

Router
A network traffic management device that, unbeknownst to the user, sits between subnetworks
(LANs) and routes traffic intended for or leaving the network segments to which it’s attached

Packet Filter
A simple and effective form of protection that matches all packets against a series of rules
Basic Packet Filtering
- Allows communication originating from one side of the communication path or the other
- Identifies and controls traffic by examining the source, destination, port number, and protocol types

Stateful Inspection Packet Filtering
- A more complex packet-filtering technology that keeps track of the state of the current connection to help assure that only desired traffic passes through
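As an added illustration (not part of the lecture notes), the following Python models the difference between basic and stateful packet filtering. Both filters apply the same ordered rule list keyed on source, destination, protocol and port, with a default of deny; the stateful filter additionally records connections opened from the inside and admits inbound packets only when they are replies to one of those connections. All addresses, rules and packets are constructed for the example.

```python
"""Basic vs stateful packet filtering (added example, not from the lecture).

Packets and rules are simplified models; the addresses below are constructed
documentation ranges, not real hosts.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    sport: int
    dport: int


@dataclass
class Rule:
    action: str                    # "allow" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None    # None matches any protocol
    dport: Optional[int] = None    # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


class BasicFilter:
    """Stateless filter: every packet is judged on its own header fields."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules

    def decide(self, pkt: Packet) -> str:
        for rule in self.rules:          # first match wins
            if rule.matches(pkt):
                return rule.action
        return "deny"                    # prohibit everything not expressly permitted


class StatefulFilter(BasicFilter):
    """Keeps a connection table so that inbound packets are admitted only when
    they are replies to a connection an inside host opened."""

    def __init__(self, rules: List[Rule], inside: str):
        super().__init__(rules)
        self.inside = ip_network(inside)
        self.connections = set()

    def decide(self, pkt: Packet) -> str:
        # A reply carries the 5-tuple of an existing connection with the ends swapped.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto) in self.connections:
            return "allow"
        action = super().decide(pkt)
        if action == "allow" and ip_address(pkt.src) in self.inside:
            self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
        return action


INSIDE = "10.0.0.0/24"

# A stateless filter has to open a broad inbound rule just to let replies back in.
BASIC_RULES = [
    Rule("allow", src=INSIDE, proto="tcp", dport=443),
    Rule("allow", dst=INSIDE, proto="tcp"),      # replies... and any other inbound TCP
]
# The stateful filter only needs the outbound policy.
STATEFUL_RULES = [Rule("allow", src=INSIDE, proto="tcp", dport=443)]

OUTBOUND = Packet("10.0.0.5", "203.0.113.10", "tcp", 51000, 443)    # inside host to web server
REPLY = Packet("203.0.113.10", "10.0.0.5", "tcp", 443, 51000)       # the server's answer
UNSOLICITED = Packet("198.51.100.7", "10.0.0.5", "tcp", 40000, 22)  # nobody asked for this


def run_scenario(filt: BasicFilter) -> List[str]:
    """Decisions for the three constructed packets, in order."""
    return [filt.decide(p) for p in (OUTBOUND, REPLY, UNSOLICITED)]


if __name__ == "__main__":
    print("basic:   ", run_scenario(BasicFilter(BASIC_RULES)))
    print("stateful:", run_scenario(StatefulFilter(STATEFUL_RULES, INSIDE)))
```

The basic filter admits all three packets, because the only way to let the reply through without state is a rule that also lets in the unsolicited connection to port 22; the stateful filter admits the reply on the strength of its connection table and denies the unsolicited packet, which is the "only desired traffic passes through" property described above.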

Benefits of Packet-Filtering Routers
- Little or no cost to implement because packet filtering is a feature of standard routers
- Little impact on router performance
- Generally transparent to users and applications

Limitations of Packet-Filtering Routers
- Defining packet filters can be a complex task
- The filtering rule set can become complicated, increasing in difficulty to manage and comprehend
- There are few testing facilities to verify the correctness of the filtering rules
- The packet throughput of a router decreases as the number of filters increases
- It is not capable of understanding the context/data of a particular service

Firewalls
- Firewalls typically run monitoring software to detect and thwart external attacks on the site and protect the internal corporate network
- Firewalls are an essential device for network security
- Many of the architectures needed for security rely on one or more firewalls within an intelligent design

Application-Level Gateway Firewall
- Allows the network administrator to implement stricter security policies than packet-filtering routers can manage
- Requires special-purpose code (a proxy service) for each desired application
- The proxy code can be configured to support only acceptable features of an application
- Users are permitted access to the proxy services, but may not log in to the application-level gateway itself

Benefits of Application-Level Gateways
- The network manager has complete control over each service and permitted services
- It has the ability to support strong user authentication and provide detailed logging information
- The filtering rules are much easier to configure and test

Limitations of Application-Level Gateways
- It requires either that users modify their behavior or that specialized software be installed on each system that accesses proxy services

Firewall Implementation Examples
1. Packet-Filter Router
   - Inexpensive and transparent to users
   - Inherent limitations of a packet-filtering router
2. Screened Host Firewalls
   a. Public information server can be placed on the segment shared by the packet-filtering router and the bastion host
3. DMZ or Screened-Subnet Firewall
   - Private network is invisible
   - Inside users must access the Internet via the proxy services
Intrusion Detection Systems (IDS)
- IDSs attempt to detect an intruder breaking into systems or an authorized user misusing system resources
- IDSs are needed to detect both types of intrusions:
  - Break-in attempts from the outside
  - Knowledgeable insider attacks

Two basic philosophical options
1. Prohibit everything that is not expressly permitted
2. Permit everything that is not expressly denied

A Good Intrusion Detection System must
- run continually without human supervision
- be fault tolerant
- resist subversion
- impose minimal overhead on the attached network
- observe deviations from normal behavior
- be easily tailored to the network
- cope with changing system behavior

False Positives, False Negatives, and Subversion Attacks


A false positive occurs when the system classifies an action as anomalous when it is legitimate.
A false negative occurs when an intrusive action has occurred but the system allows it to pass as nonintrusive behavior.
A subversion error occurs when an intruder modifies the operation of the intrusion detector to force false negatives to occur.
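The three error types become concrete with a small anomaly detector. The following Python is an added example, not from the lecture: it learns "normal" from a constructed baseline log (how many distinct destination ports each source touches), flags sources in a later window that deviate from it, and then scores the alerts against a constructed ground truth to separate true positives from false positives and false negatives. The log format, hosts and threshold rule (mean plus three standard deviations) are the example's own assumptions.

```python
"""Anomaly-based intrusion detection with false-positive / false-negative
accounting (added example, not from the lecture). Log lines are constructed:
"source_ip destination_port", one line per connection attempt."""
import statistics
from collections import defaultdict
from typing import Dict, Set

# Constructed baseline of normal behaviour: each inside host talks to a few ports.
BASELINE_LOG = """\
10.0.0.5 443
10.0.0.6 443
10.0.0.6 22
10.0.0.7 80
10.0.0.7 443
10.0.0.8 22
10.0.0.8 443
10.0.0.8 25
10.0.0.9 443
10.0.0.10 443
10.0.0.10 993
"""

# Constructed observation window to be judged against the baseline.
WINDOW_LOG = """\
10.0.0.5 443
10.0.0.5 443
10.0.0.5 22
198.51.100.7 21
198.51.100.7 22
198.51.100.7 23
198.51.100.7 25
198.51.100.7 80
198.51.100.7 443
198.51.100.7 3389
10.0.0.9 22
10.0.0.9 80
10.0.0.9 443
10.0.0.9 161
10.0.0.9 8080
203.0.113.4 22
203.0.113.4 3389
"""

# Constructed ground truth for the window: which sources really were intrusive.
TRULY_INTRUSIVE = {"198.51.100.7", "203.0.113.4"}   # a fast sweep and a slow one


def distinct_ports(log: str) -> Dict[str, int]:
    """Number of distinct destination ports each source touched."""
    ports = defaultdict(set)
    for line in log.strip().splitlines():
        src, port = line.split()
        ports[src].add(int(port))
    return {src: len(p) for src, p in ports.items()}


def fit_threshold(baseline_log: str, k: float = 3.0) -> float:
    """Model of normal behaviour: mean + k standard deviations of baseline counts."""
    counts = list(distinct_ports(baseline_log).values())
    return statistics.mean(counts) + k * statistics.pstdev(counts)


def detect(window_log: str, threshold: float) -> Set[str]:
    """Sources whose behaviour deviates from the model are flagged."""
    return {src for src, n in distinct_ports(window_log).items() if n > threshold}


def evaluate(alerts: Set[str], truth: Set[str]) -> Dict[str, list]:
    return {
        "true_positives": sorted(alerts & truth),
        "false_positives": sorted(alerts - truth),   # legitimate, yet flagged
        "false_negatives": sorted(truth - alerts),   # intrusive, yet passed
    }


def run() -> Dict[str, list]:
    threshold = fit_threshold(BASELINE_LOG)
    return evaluate(detect(WINDOW_LOG, threshold), TRULY_INTRUSIVE)


if __name__ == "__main__":
    print("threshold:", round(fit_threshold(BASELINE_LOG), 2))
    print(run())
```

With this baseline the threshold lands just under four ports. 198.51.100.7 (seven ports) is caught; 10.0.0.9, an inside host that happened to run an inventory sweep over five ports, is a false positive; 203.0.113.4, which probed only two ports, stays under the threshold and is a false negative. The threshold is computed from the baseline log, so that log and the detector's own state must be protected: anyone who can alter them can manufacture false negatives, which is exactly the subversion error defined above.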

Virtual Private Networks (VPNs)
- VPN is a network technology that makes it possible to establish private "tunnels" over the public Internet
- IP security (IPSec) operates at both the Network Layer and Session Layer of the TCP/IP protocol stack
- IPSec VPNs are the most common form in use today and are widely available from network and firewall providers

IPsec - Performs both encryption and authentication to address the inherent lack of security on
IP-based networks

Three characteristics - Sender authentication, message integrity, and data confidentiality
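The three characteristics can be seen on a single packet in the following added Python example (not from the lecture, and a toy construction rather than IPsec's actual packet format or ciphers, which are standard algorithms negotiated between the peers). The payload is encrypted under one shared key (confidentiality), a sequence number, nonce and ciphertext are covered by an HMAC under a second shared key (sender authentication and message integrity, since only a holder of that key can produce a valid tag), and the receiver checks the tag before decrypting and rejects a sequence number it has already accepted. The keystream is derived from HMAC-SHA256 only so that the example runs on the standard library; keys and payload are constructed.

```python
"""Sender authentication, integrity and confidentiality on a packet (added
example; a toy construction, not IPsec's actual ESP format or ciphers).

Encrypt-then-MAC: a shared encryption key drives an HMAC-SHA256 keystream
(a stand-in for a real cipher so the example runs on the standard library),
and a separate shared authentication key produces the tag over sequence
number, nonce and ciphertext."""
import hashlib
import hmac
import secrets
import struct

HEADER_LEN = 4 + 16     # 32-bit sequence number + 16-byte nonce
TAG_LEN = 32            # HMAC-SHA256 output


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def protect(enc_key: bytes, auth_key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: seq || nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)                  # fresh per packet
    ciphertext = _xor(payload, _keystream(enc_key, nonce, len(payload)))
    header = struct.pack(">I", seq) + nonce
    tag = hmac.new(auth_key, header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + tag


class Receiver:
    def __init__(self, enc_key: bytes, auth_key: bytes):
        self.enc_key, self.auth_key = enc_key, auth_key
        self.last_seq = 0                            # simple anti-replay state

    def unprotect(self, packet: bytes) -> bytes:
        if len(packet) < HEADER_LEN + TAG_LEN:
            raise ValueError("truncated packet")
        header = packet[:HEADER_LEN]
        ciphertext, tag = packet[HEADER_LEN:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.auth_key, header + ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # forged sender or modified data
            raise ValueError("authentication failed")
        seq = struct.unpack(">I", header[:4])[0]
        if seq <= self.last_seq:
            raise ValueError("replayed packet")
        self.last_seq = seq
        return _xor(ciphertext, _keystream(self.enc_key, header[4:], len(ciphertext)))


def _rejected(rx: Receiver, packet: bytes) -> bool:
    try:
        rx.unprotect(packet)
        return False
    except ValueError:
        return True


def demo() -> dict:
    """Exercise the three properties with constructed keys and payload."""
    enc_key, auth_key = secrets.token_bytes(32), secrets.token_bytes(32)
    rx = Receiver(enc_key, auth_key)
    payload = b"GET /payroll HTTP/1.1"
    packet = protect(enc_key, auth_key, 1, payload)

    tampered = bytearray(packet)
    tampered[HEADER_LEN + 4] ^= 0x01                 # flip one ciphertext bit
    impostor = protect(enc_key, secrets.token_bytes(32), 2, b"GET /admin HTTP/1.1")

    return {
        "confidential": b"payroll" not in packet,    # eavesdropper sees no plaintext
        "decrypts": rx.unprotect(packet) == payload,
        "tamper_rejected": _rejected(rx, bytes(tampered)),
        "impostor_rejected": _rejected(rx, impostor),
        "replay_rejected": _rejected(rx, packet),    # same packet a second time
    }


if __name__ == "__main__":
    print(demo())
```

The order of checks on the receiver matters: the tag is verified before the sequence number is consulted or anything is decrypted, so a modified or forged packet never changes receiver state, and the replay check only runs on packets that are already known to come from the peer.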

SECURING MULTI-PLATFORM SYSTEMS

Networks are increasingly heterogeneous, containing different types of hardware and software
and running multiple operating systems that all need to be able to communicate with one another.
There are fewer and fewer pure Windows (or pure UNIX) shops, with many companies running
Windows domains side-by-side with UNIX web servers, accessed by client computers running
Windows, Linux and Mac. Add to the mix a variety of smart phones (Windows Mobile, iPhone,
Android, Symbian and more) that need to download mail and possibly access other network
resources, and you have a real challenge.
The same basic security concepts apply to both heterogeneous and homogeneous networks, so it
goes without saying that, regardless of the platform(s), you should:
- Secure the edge with a good firewall/threat management gateway and intrusion detection/prevention system
- Use anti-virus and anti-malware software (including on non-Windows systems) and keep definitions updated
- Implement security auditing/monitoring to detect attempted breaches
- Harden systems by turning off unnecessary services
- Close unused ports
- Restrict physical access to the systems
- Restrict administrative/root access to those who really need it; on UNIX systems, restrict root access to secure terminals
- Implement file level permissions; on UNIX systems, partition the file system and use read-only partitions for storing files that don't change often, and use ACLs (Access Control Lists) for complex permissions management
- On UNIX systems, limit the access processes have on the file system by using the chroot and ulimit interfaces
- Enforce strong password policies
- In high security environments, require two-factor authentication
- On UNIX systems, use SSH (Secure Shell) for remote command line access
- Use encryption: to protect files on the drive, to protect data crossing the network, to protect the operating system from unauthorized access
- Implement a public key infrastructure to issue digital certificates
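Several items on the list (restricting root access, using SSH for remote access, enforcing password policy, turning off unnecessary services) come down to settings in the SSH daemon's configuration on a UNIX host. The following Python is an added example, not from the lecture: it audits a constructed sshd_config for directives that work against those items and emits a hardened copy. It assumes the OpenSSH directive names PermitRootLogin, PasswordAuthentication, PermitEmptyPasswords, X11Forwarding and MaxAuthTries and their defaults when absent; the limit of four authentication attempts is the example's own choice.

```python
"""Audit an sshd_config against the hardening list and emit a corrected copy
(added example, not from the lecture; the config below is constructed)."""
from typing import Dict, List, Tuple

# Directive -> (value that undermines the hardening list, recommended value).
BOOLEAN_CHECKS = {
    "PermitRootLogin": ("yes", "no"),            # restrict root access
    "PasswordAuthentication": ("yes", "no"),     # keys instead of passwords
    "PermitEmptyPasswords": ("yes", "no"),       # password policy
    "X11Forwarding": ("yes", "no"),              # unnecessary service
}
MAX_AUTH_TRIES = 4                               # the example's own limit
# OpenSSH defaults used when a directive is absent from the file.
DEFAULTS = {"permitrootlogin": "prohibit-password", "passwordauthentication": "yes",
            "permitemptypasswords": "no", "x11forwarding": "no", "maxauthtries": "6"}


def _directive(raw: str):
    """(lower-cased key, original key, value) for a config line, or None."""
    line = raw.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split(None, 1)
    return parts[0].lower(), parts[0], (parts[1].strip() if len(parts) == 2 else "")


def parse_sshd_config(text: str) -> Dict[str, str]:
    """First value wins, as in sshd; stops at the first Match block because
    directives after it are conditional."""
    settings = {}
    for raw in text.splitlines():
        parsed = _directive(raw)
        if parsed is None:
            continue
        key, _, value = parsed
        if key == "match":
            break
        if value and key not in settings:
            settings[key] = value
    return settings


def audit(text: str) -> List[Tuple[str, str, str]]:
    """(directive, current value, recommended value) for every weak setting."""
    settings = parse_sshd_config(text)
    findings = []
    for name, (weak, good) in BOOLEAN_CHECKS.items():
        value = settings.get(name.lower(), DEFAULTS[name.lower()])
        if value.lower() == weak:
            findings.append((name, value, good))
    tries = int(settings.get("maxauthtries", DEFAULTS["maxauthtries"]))
    if tries > MAX_AUTH_TRIES:
        findings.append(("MaxAuthTries", str(tries), str(MAX_AUTH_TRIES)))
    return findings


def harden(text: str) -> str:
    """Rewrite weak directives in place and add missing ones before any Match block."""
    fixes = {name.lower(): (name, good) for name, (_, good) in BOOLEAN_CHECKS.items()}
    fixes["maxauthtries"] = ("MaxAuthTries", str(MAX_AUTH_TRIES))
    out, seen, match_at = [], set(), None
    for raw in text.splitlines():
        parsed = _directive(raw)
        key = parsed[0] if parsed else ""
        if key == "match" and match_at is None:
            match_at = len(out)                      # global section ends here
        if key in fixes and match_at is None:
            out.append(f"{fixes[key][0]} {fixes[key][1]}")
            seen.add(key)
        else:
            out.append(raw)
    missing = [f"{name} {value}" for key, (name, value) in fixes.items() if key not in seen]
    insert_at = len(out) if match_at is None else match_at
    out[insert_at:insert_at] = missing
    return "\n".join(out) + "\n"


WEAK_CONFIG = """\
# constructed sample, not taken from a real host
Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
"""

if __name__ == "__main__":
    for name, current, good in audit(WEAK_CONFIG):
        print(f"{name}: {current} (recommended {good})")
    print(harden(WEAK_CONFIG))
```

The parser mirrors two sshd behaviours that matter for an audit: the first occurrence of a directive is the one that takes effect, so a later "PermitRootLogin no" does not override an earlier "yes", and directives inside a Match block apply conditionally, so the audit reads only the global section and the hardened copy adds missing directives ahead of the first Match line.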

Hire an outside security auditor


A third party security audit can be useful to evaluate and advise on the security implementation
in any complex network, but that goes double for a heterogeneous network. A company that does
security audits for a living will have personnel experienced in reviewing many different types of
systems and will be current on new vulnerabilities and new solutions that your IT personnel may
not have the time to keep up with. They can perform penetration testing for a real-world
assessment of where the vulnerabilities lie, and they can advise you on the most effective and
most cost-effective ways to close the gaps.

Summary
1. The Telecommunications, Network, and Internet Security domain is one of the most
important areas that security practitioners must understand well
2. We can begin to mix and match the building blocks of network security tools and techniques
to implement defense in depth in preserving confidentiality, integrity, and availability
3. It is important to know how to find security information and how to decide which security
architecture is most appropriate for a given situation
