Vous êtes sur la page 1sur 11

Data Communications and Computer Networks: A Business User’s Approach, Sixth Edition 12-1

Network Security

Chapter 12

Learning Objectives
After reading this chapter, students should be able to:

• Recognize the basic forms of system attacks


• Recognize the concepts underlying physical protection measures
• Cite the techniques used to control access to computers and networks
• Discuss the strengths and weaknesses of passwords
• List the techniques used to make data secure
• Explain the difference between a substitution-based cipher and a transposition-based
cipher
• Outline the basic features of public key cryptography, Advanced Encryption
Standard, digital signatures, and the public key infrastructure
• Cite the techniques used to secure communications
• Describe the differences between the frequency hopping spread spectrum technique
and the direct sequence spread spectrum technique
• Recognize the importance of a firewall and be able to describe the two basic types of
firewall protection
• Recognize the techniques used to secure wireless communications
• List the advantages to a business of having a security policy

Chapter Outline
1. Introduction

2. Standard System Attacks

3. Physical Protection

4. Controlling Access
a. Passwords and ID systems
b. Access rights
c. Auditing

5. Securing Data
a. Basic encryption and decryption techniques
Data Communications and Computer Networks: A Business User’s Approach, Sixth Edition 12-2

6. Securing Communications
a. Spread Spectrum Technology
b. Guarding against viruses
c. Firewalls
d. Wireless security

7. Security Policy Design Issues

8. Network Security In Action: Making Wireless LANs Secure

9. Summary

Lecture Notes
Introduction

Computer network security has reached a point at which it can best be characterized by two
seemingly conflicting statements: Never has network security been better than it is today; and
never have computer networks been more vulnerable than they are today. How both these
statements can be true is an interesting paradox. Network security, as well as operating system
security, has come a long way from the early days of computers.

Standard System Attacks

Malicious computer users who try to break into a computer system often start with a standard set
of system attacks. They hope that the system administrator has not properly secured the system
and has left it vulnerable to attack. The two leading methods of attacks have been exploiting
known operating system vulnerabilities and exploiting known vulnerabilities in application
software. Another category of common system attacks is denial of service. Denial of service
attacks bombard a computer site with so many messages that the site is incapable of performing
its normal duties. In e-mail bombing, a user sends an excessive amount of unwanted e-mail to
someone. If the email has a return address of someone other than the person sending the email,
then the sender is spoofing.

Physical Protection

All computer systems need to be physically protected. Whether the system is a simple personal
computer in your home or a major computer network such as the Internet, it is necessary to
protect the hardware and software from theft, destruction, and malicious acts of vandalism.
Surveillance can be used to monitor activity and deter theft.
Data Communications and Computer Networks: A Business User’s Approach, Sixth Edition 12-3

Controlling Access

Controlling access to a computer network involves deciding and then limiting who can use the
system and when the system can be used. Network administrators can control access rights,
enforce password and ID systems, and perform auditing.

Securing Data

Many times when storing data and when transferring data from one point to another in a
computer network, it is necessary to insure that the transmission is secure from anyone
eavesdropping on the line. The term secure means two things. First, it should not be possible for
someone to intercept and copy an existing transmission. Second, it should not be possible for
someone to insert false information into an existing transmission. Cryptography is the study of
creating and using encryption and decryption techniques. Basic cryptography uses substitution-
based ciphers (that replace one or more characters with one or more characters) and
transposition-based ciphers (that rearrange the order of the characters).

Public-key infrastructure (PKI) is the combination of encryption techniques, software, and


services that involves all the necessary pieces to support digital certificates, certificate
authorities, and public-key generation, storage, and management. A company that adheres to the
principles of PKI issues digital certificates to legitimate users and network servers, supplies
enrollment software to end-users, and provides the tools necessary to manage, renew, and revoke
certificates.

Steganography, the practice of hiding bits of secret messages within other documents, is also
another approach to making data secure.

Securing Communications

Along with securing data, it is also necessary to secure the communications transmitted between
computers. Using a spread spectrum transmission system, it is possible to transmit either analog
or digital data using an analog signal. However, unlike other encoding and modulation
techniques, only an intended receiver with the same type of transmission system can accept and
decode the transmissions. The idea behind spread spectrum transmission is to bounce the signal
around on seemingly random frequencies rather than transmit the signal on one fixed frequency.
Anyone trying to eavesdrop will not be able to listen because the transmission frequencies are
constantly changing.

Most computers and networks support some form of virus detection software in an attempt to
identify and capture virus-laden messages.
Data Communications and Computer Networks: A Business User’s Approach, Sixth Edition 12-4

A firewall is a system or combination of systems that supports an access control policy between
two networks. The two networks are usually an internal corporate network and an external
network, such as the Internet. A firewall can limit users on the Internet from accessing certain
portions of a corporate network, and can limit internal users from accessing various portions of
the Internet. Firewalls come in two basic types: packet filter, or network level, and proxy servers,
or application level.

Security Policy Design Issues

When designing a firewall system and its corresponding security policy, a number of questions
should be answered. The first question involves the company’s expected level of security. Is the
company trying to restrict all access to services not deemed essential to the business? Or does the
company wish to allow all or most types of transactions, thus asking the firewall system only to
audit transactions and create an orderly request for transactions? A second question stems from
the first decision: How much money is the company willing to invest in a firewall system? A
third question relates to the company’s commitment to security. If the company is serious about
restricting access to the corporate network through a link such as the Internet, will the company
be equally serious about supporting security on any and all other links into the corporate network
environment?

Network Security In Action: A Wireless LAN


The In Action example for this chapter returns to the example presented in chapters 7-9. Hannah
has to decide if she wants to add wireless capability to her local area network. She must consider
all the protocols that support the LAN including security protocols.

Quick Quiz
1. What are the different techniques you can use to authenticate a user?

Passwords, badges, finger prints, voice prints, face prints, retina scan and iris print, to name a
few

2. What are the two major forms of cryptography?

Substitution-based ciphers and transposition-based ciphers

3. How can a digital certificate be used?

It can be assigned to a document so that the owner can later verify ownership.
Data Communications and Computer Networks: A Business User’s Approach, Sixth Edition 12-5

4. What are the basic ingredients of public key infrastructure?

Encryption techniques, digital certificates, certificate authorities, public key generation, storage,
and management

Discussion Topics
1. What parts of the body can be used for identification? Are any of these an infringement on
privacy?

2. What are some examples of video camera surveillance? Are any of these pushing the limits of
privacy?

3. The hackers that break into systems and disrupt web site services: are they criminals, or are
they heroes helping computer specialists discover faults within computer networks and systems?

4. Can the U.S. government really stop advanced encryption techniques from falling into the
hands of criminals?

5. List several uses of steganography. Is this technology virtually unstoppable?

Teaching Tips
1. When discussing viruses, show students a web site (such as
www.symantec.com/avcenter/hoax.html) which discusses virus hoaxes.

Solutions to Review Questions


1. How do hackers exploit operating system vulnerabilities?

By launching a virus that attacks something about the operating system.

2. What is a Trojan horse?

It is a malicious piece of code that is hidden in a normal piece of code.

3. How does a denial of service attack work?

It bombards a selected site with an overwhelming number of messages.


Data Communications and Computer Networks: A Business User’s Approach, Sixth Edition 12-6

4. What is spoofing and how does it apply to a denial of service attack?

They substitute a fake IP address in the place of their IP address in the Source IP Address field of
the IP header.

5. What is a ping storm, and how does it apply to a denial of service attack?

A ping storm is when a user uses the TCP/IP ping command to constantly bombard a site.

6. List three forms of physical protection.

Protection from fire, heat, flooding, and theft

7. How can surveillance be used to improve network security?

It can be used to deter crime, and to catch a criminal after the fact.

8. How does an intrusion detection system work?

It watches for someone trying to attack a system and either alerts an administrator and/or begins
to close-out portions of the system.

9. What is the major weakness of a password? What is its major strength?

Weakness: someone else can discover it.


Strengths: Easy to pick a difficult one and it can be changed easily and frequently.

10. What are the most common types of access rights?

The most common are who and how.


Who: user or owner, group, system, world.
How: read, write, execute, print, delete, copy, rename, append.

11. How can auditing be used to protect a computer system from fraudulent use?

It can be used to deter crime, and it can catch a criminal by tracing his transactions.

12. Describe a simple example of a substitution-based cipher.

Something in which one or more characters are replaced with one or more characters

13. Describe a simple example of a transposition-based cipher.

Anything that reassembles the text into a new position


Data Communications and Computer Networks: A Business User’s Approach, Sixth Edition 12-7

14. How can public key cryptography make systems safer?

You don’t have to give out your decryption key to allow someone to send you encrypted data.

15. Give a common example of an application that uses secure sockets layer.

Sending your credit card information over the Internet is very common.

16. What is the Data Encryption Standard?

A standard that applies a 56-bit key to 16 levels of encryption

17. How is the Advanced Encryption Standard different from the Data Encryption
Standard?

Uses a vastly superior encryption algorithm and a much larger key

18. What is a digital signature?

A digital signature is a hash of a document that has been encrypted with a private key.

19. What kind of applications can benefit from Pretty Good Privacy?

Basically anything, such as e-mail transfers and storage of documents

20. Is Kerberos a public key encryption technique or a private key? Explain.

Private key. There is only one key used to both encode and decode. Thus, you have to keep the
one key secret, or private.

21. List the basic elements of public key infrastructure.

Encryption techniques, digital certificates, certificate authorities, public key generation, storage,
and management

22. What kind of applications can benefit from Public Key Infrastructure?

Any transaction that requires a secure transfer of information

23. What kind of entity issues a certificate?

A certificate authority

24. Under what circumstances might a certificate be revoked?

Normal expiration, nonpayment of fees, security breech


Data Communications and Computer Networks: A Business User’s Approach, Sixth Edition 12-8

25. How is steganography used to hide secret messages?

By taking a little bit of the secret message and hiding it somehow within another document or
file.

26. What are the two basic techniques used to create a spread spectrum signal?

Direct sequence and frequency hopping

27. What is a computer virus and what are the major types of computer viruses?

Parasitic, boot sector, stealth, polymorphic, and macro

28. What are the different techniques used to locate and stop viruses?

Signature based scanner, terminate-and-stay-resident antivirus software, multi-level generic


software

29. What is the primary responsibility of a firewall?

To keep out malicious attacks and to keep internal users from accessing certain outside services

30. What are the two basic types of firewalls?

Packet filter and proxy server

31. What are the advantages of having a security policy in place?

Everyone, employees, management, external users know the score.

Suggested Solutions to Exercises

1. A major university in Illinois used to place the computer output from student jobs on a
table in the computer room. This room is the same computer room that housed all the
campus’ mainframe computers and supporting devices. Students would enter the room,
pick up their jobs, and leave. What kinds of security problems might computer services
encounter with a system such as this?

Dirt, dust, moisture, smoke, theft


Data Communications and Computer Networks: A Business User’s Approach, Sixth Edition 12-9

2. You have forgotten your password, so you call the help desk and ask them to retrieve
your password. After a few moments, they tell you your forgotten password. What has just
happened and what is its significance?

Normally passwords are stored in the computer in an undecipherable form. Apparently in this
system they were not. Which means anyone might be able to find the password file and dump its
contents.

3. Create (on paper) a simple example of a substitution-based cipher.

Answers will vary.

4. Create (on paper) a simple example of a transposition-based cipher.

Answers will vary.

5. Using the Vigenére Cipher and the key NETWORK, encode the phrase “this is an
interesting class.”

GLBOW JKAMG PSIOF XBJUT VNWL

6. Using the transposition-based cipher from this chapter and the same key, COMPUTER,
encode the phrase “birthdays should only come once a year.”

BSNN ADEA RHYE ISLC TOCA YOOR DLME HUOY

7. You are using a web browser and want to purchase a music CD from an electronic
retailer. The retailer asks for your credit card number. Before you transfer your credit
card number, the browser enters a secure connection. What sequence of events created the
secure connection?

The server sends your browser a certificate, your browser selects an algorithm and creates a
private key, browser encrypts its private key with server’s public key, browser sends encrypted
private key back to server.

8. You want to write a song and apply a digital signature to it so that you can later prove it
is your song. How do you apply the signature, and later on, how do you prove the song is
yours?

You take the song, convert it to a digital form, take the hash of the form, and apply a private key
to the hash. Then you save the encrypted hash. If someone questions ownership at a later date,
you decrypt the hash and rehash the song, comparing the hashes.

9. List three examples (other than those listed in the chapter) of everyday actions that
might benefit from applying PKI.
Data Communications and Computer Networks: A Business User’s Approach, Sixth Edition 12-10

There are many possible answers here, including banking, stock markets, insurance applications,
school registrations, other financial transactions, major purchases.

10. Can a firewall filter out requests to a particular IP address, a port address, or both?
What is the difference?

Both. The IP address would be the address of a device connected to the Internet, while a port
address would be the address of a particular application on a machine. You might want to restrict
all access to a particular machine or just restrict access to particular applications on a machine.

11. One feature of a firewall is its ability to stop an outgoing IP packet, remove the real IP
address, insert a “fake” IP address, and send the packet on its way. How does this feature
work? Do you think it would be effective?

Firewall keeps a table of fake IP addresses, pulls out real address and inserts a fake one. This is
usually an effective technique.

12. How does the size of a key affect the strengths and weaknesses of an encryption
technique? Consider both a friendly use of the key and an unfriendly use of the key.

Clearly, the bigger the key, the harder it is (more possible combinations) to crack. From an
unfriendly point of view, large keys make it virtually impossible to guess. From a friendly point
of view, larger keys are harder to remember, especially since you don’t want to place a key on
paper.

13. Assume a key is 56 bits. If it takes a computer 0.00024 seconds to try each key, how long
will it take to try all possible keys? What if 10,000 computers are working together to try
all keys?

256 equals 7.206 x 1016 combinations, times 0.00024 seconds per combination, equals 1.729 x
1013 seconds. That equals 548,383.5 years. If 10,000 computers are working together, that comes
down to 54.8 years.

14. What are the answers to the questions in Exercise 13 if the key is 128 bits in length?

2128 equals 3.403 x 1038 combinations. At 0.00024 seconds per combination, that equals 8.167 x
1034 seconds. That equals 2.59 x 1027 years. With 10,000 computers, that is still 2.59 x 1023 years!

15. You want to hide a secret message inside an image file using steganography. You have
decided to place one bit at a time from the message into the image’s pixels. How are you
going to select the pixels? Will they be random or all in a row? And once a pixel is chosen,
which bit are you going to replace with the bit from the secret message? Why?

Random would be the hardest for anyone to find, including the one that is supposed to find the
message. So you would probably have to use a pseudo-random sequence – one that appears to be
Data Communications and Computer Networks: A Business User’s Approach, Sixth Edition 12-11

random to an intruder, but isn’t. If you select the right-most bit of a pixel (the least significant
bit), you should cause the least effect to the image.

16. Why can’t a truly random sequence be used in a frequency hopping spread spectrum
system?

If it was truly random, nobody would be able to follow it, including the good guys.

Thinking Outside the Box


3. I would recommend hiring a third party company to support your PKI.

4. Set up a firewall to block illegal port access


Turn on and use best encryption available on router
Install anti-spyware, anti-spam, anti-virus software

5. It is reasonable to consider. ID management involves the decision of password versus ID card


versus biometric requirement etc. Then once the form of ID is decided, how are they
managed?