
Network Security Fundamentals
What is Network Security?

Network Security refers to any activities designed to protect your network
Protect from what?

Threats
What is a threat?

Threats are described as anything that would contribute to the tampering, destruction or interruption of any service or resource of value

About the Need for Network Security
The need to open networks to support evolving business requirements and freedom of information initiatives
The growing need to protect private, personal, and strategic business information

About Threats

Internal vs. External
Hacker Tools vs. Technical Knowledge
Size of the IT Security Problem
Evolution of Intent

Internal Threats vs. External Threats
Internal threats constitute the most serious of threats. Technical defenses are usually ineffective against insider attacks.
External threats tend to rely on technical means to achieve their goals of breaching your security.

Hacker Tools vs. Technical Knowledge

Size of the IT Security Problem
Number of security incidents
(Source: 2008 CSI/FBI Computer Crime and Security Survey)

The Evolution of Intent

For the next class?
What is Cisco Flexible Packet Matching (FPM)?
How does it work?
How can it help us with threats?
http://www.cisco.com/go/fpm

What are the Network Security Objectives?

Basic Security Assumptions
Modern networks are very large, very
interconnected, and run both
ubiquitous protocols, such as IP, and
proprietary protocols.
Computer systems and applications
that are attached to these networks
are becoming increasingly complex.

Basic Security Requirements

Confidentiality
Integrity
System and data availability

Confidentiality
Ensuring that information is
accessible only to those authorized
to have access

Questions and Answers
How could confidentiality be compromised in a network?

Confidentiality: How?
Limiting access to network resources
using network access control.
Limiting access to files and objects using
operating system-based access controls.
Limiting user access to data by
application level controls.
Limiting the readability of information
should there be a breach, through
encryption

Integrity
Safeguarding the accuracy and
completeness of information and
processing methods
Only authorized subjects can change
sensitive information, ensuring the
authenticity of data.

Questions and Answers
How could integrity be compromised in a network?

Availability
Providing uninterrupted access to
computing resources and data even
during accidental or deliberate
network or computer disruptions.
The availability service is increasingly recognized as
one of the most important security services and
possibly the most difficult to provide.

Questions and Answers
How could availability be compromised in a network?

What is necessary to accomplish the Network Security Objectives?

Data Classification
To optimally allocate resources and
secure assets, it is essential that
some form of data classification
exists.
By identifying which data has the
most worth, administrators can make
the greatest effort to secure that
data.

Classification scheme in government organizations, including the military

Unclassified
Sensitive But Unclassified (SBU)
Confidential
Secret
Top secret

Private sector classification scheme

Public
Sensitive
Private
Confidential

Staff Access to Information
Security Classification

How to classify certain data?
Value
Not all data has the same value.

Age
For many types of data, its importance changes
with time.

Useful life
Often data is valuable for only a set window of time

Personal association
Data of this type usually involves something of a
personal nature.

Roles in data classification systems
Owner
The owner is the person who is ultimately
responsible for the information.

Custodian
The custodian is usually a member of the IT staff
who has the day-to-day responsibility for data
maintenance.

User
Users do bear responsibility for using the data in
accordance with established operational
procedures.

Information classification procedure

1.- Identify the administrator or custodian of the data.
2.- Define how information is classified and labeled.
3.- Classify the data by its owner.
4.- Specify exceptions to the classification policy.
5.- Define controls to be applied to each classification policy.
6.- Specify termination procedures for declassifying data or transferring the custody of the data.
7.- Create an enterprise-awareness program.
8.- (Optional) Audit compliance to classification policy.

How to accomplish the Network Security Objectives?

Security Controls
A security control is any mechanism
that you put in place to reduce the
risk of compromise of any of the
three objectives: confidentiality,
integrity, and availability.
Categorization
By the implementation
By the type of control

For the next class?
What is ISO 27002?
What security controls are
defined in ISO 27002?
http://www.iso.org

Security Controls by the implementation
Administrative
Controls that are largely policies and
procedures.

Technical
Controls that involve electronics,
hardware, software.

Physical
Controls that are mostly mechanical.

Administrative Controls

Security-awareness training
Security policies and standards
Change controls and configuration controls
Security audits and tests
Good hiring practices
Background checks of contractors and
employees

Technical Controls
Firewalls and IPSs
Virtual private network (VPN)
concentrators and clients
TACACS+ and RADIUS servers
One-time password (OTP) solutions
Smart cards
Biometric authentication devices
Network Admission Control (NAC) systems
Routers with ACLs

Physical Controls

Intruder detection systems
Security guards
Locks
Safes
Racks
Uninterruptible power supplies (UPS)
Fire-suppression systems
Positive air-flow systems

Security Controls by the type of control
Preventive
The control prevents security breaches.

Deterrent
The control scares away a certain percentage
of adversaries to reduce the number of
incidents.

Detective
The control detects security breaches and
helps to determine how the network was
breached.

Why accomplish the Network Security Objectives?

Compliance with the law

Criminal
Concerned with crimes, and its penalties
usually involve the risk of fines or
imprisonment, or both.

Civil (also called tort)
Focuses on correcting wrongs that are not
crimes.

Administrative
Involves government agencies enforcing
regulations.

Ethics
"Act only according to that maxim whereby you can, at the same time, will that it should become a universal law."
Immanuel Kant

Information Security Ethics Codes
International Information Systems
Security Certification Consortium, Inc
(ISC)2 code of ethics
Computer Ethics Institute
Internet Activities Board (IAB)
Generally Accepted System Security
Principles (GASSP)
