Introduction to LAN
TDC 363
Lecture 09
03/06/08
TDC363-09

Network Security (Chap. 14)

Course Outline
- Identifying security risks in the network
  - People, Hardware, Software, and Internet
- Examples of security attacks
- Addressing security risk
  - Security policy
  - Firewall, Proxy Server, RAS, and RADIUS
  - User Authentication
  - Encryption
    - Private Key and Public Key
    - Kerberos
    - PGP
    - SSH
    - IPSec

Example of Security Problem
[Figure: (a) Normal situation. (b) An attack based on breaking into DNS and modifying Bob's record.]

Terminology
- A hacker is someone who masters the inner workings of operating systems and utilities in an effort to gain inside/private information. (ref. p. 711)
- A cracker is someone who uses his or her knowledge of operating systems and utilities to intentionally damage or destroy data or systems.
- root account (UNIX) and administrator account (Windows)
- Authentication – Who are you?
  The process of reliably determining the genuine identity of the communicating nodes or users.
- Authorization – What can you do?
  The process of determining the access rights of authenticated users.

Need for Security
Some people who cause security problems and why.
- Student: have fun snooping on the network (reading others' e-mails)
- Cracker: Test/attack the security of the system.
- Business: industry espionage
- Ex-employee: get revenge
- Accountant: embezzle $$$ from a company
- Con man: steal credit card info for sale
- Spy:
- Terrorist:
Ref. Tanenbaum p. 722

Security Audits
- A security audit is an activity that assesses an organization's security risks.
- When
  - Regular: annual or quarterly
  - Irregular: conduct a security audit after making any major changes to the network
- It is common to hire a hacker to conduct a security audit.

Security Risk
[Figure: Security Risk, with four areas: People; Protocol and Software; Hardware and Network Design; Internet]

Security Risks w/ People
- Network administrators overlooking security flaws in topology or hardware configuration
- Network administrators overlooking security flaws in operating system or application configuration
- Lack of proper documentation and communication of security policies
- Dishonest or disgruntled employees abusing their file and access rights
- An unused computer or terminal being left logged into the network

Security Risks w/ People (cont.)
- Users or administration choosing easy-to-guess passwords
- Authorized staff leaving computer room doors open or unlocked
- Staff discarding disks or backup tapes in public waste containers
- Administrators neglecting to remove access files and rights for former employees
- Users leaving passwords out in open spaces

Risks Associated with Hardware and Network Design
- Wireless transmission can typically be intercepted.
- Network hubs broadcast traffic over the entire segment, vulnerable to sniffing.
- Unused ports on hubs, switches, routers, or servers can be exploited.

Risks Associated with Hardware and Network Design (cont.)
- If routers are not properly configured, outside users can sneak into the private network.
- Dial-in access servers used by telecommuting or remote staff may
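The Terminology slide separates authentication ("who are you?") from authorization ("what can you do?"). The following Python module is an added example, not material from the lecture or the textbook; it shows the two checks as distinct steps so that an unproven identity gets no rights and a proven identity gets only the rights it was granted. The user names, passwords and rights table are constructed sample data, and the salted PBKDF2 hashing is one reasonable storage choice, not one the slides prescribe.

```python
"""Authentication vs. authorization as two separate checks (added example)."""
import hashlib
import hmac
import os


def _hash_password(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    # Salted, iterated hash: the stored value is useless on its own if the
    # user directory leaks, and the same password hashes differently per user.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_user(password: str, rights: set) -> dict:
    """Build a directory record: random salt, password hash, granted rights."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt), "rights": frozenset(rights)}


# Constructed sample directory (hypothetical users, not from the slides).
USERS = {
    "alice": make_user("correct horse battery staple", {"read", "write"}),
    "bob": make_user("bob-s-long-passphrase-2008", {"read"}),
}


def authenticate(users: dict, username: str, password: str) -> bool:
    """Step 1 (authentication): is the caller really who it claims to be?

    Returns True only if the supplied password reproduces the stored hash.
    """
    record = users.get(username)
    if record is None:
        # Do the same amount of work for unknown users so response time
        # does not reveal which user names exist.
        _hash_password(password, b"\x00" * 16)
        return False
    candidate = _hash_password(password, record["salt"])
    # Constant-time comparison of the two digests.
    return hmac.compare_digest(candidate, record["hash"])


def authorize(users: dict, username: str, right: str) -> bool:
    """Step 2 (authorization): does an authenticated user hold this right?"""
    record = users.get(username)
    return record is not None and right in record["rights"]


def request(users: dict, username: str, password: str, right: str) -> str:
    """Run both checks in order and describe the outcome."""
    if not authenticate(users, username, password):
        return "denied: authentication failed"
    if not authorize(users, username, right):
        return "denied: not authorized for %s" % right
    return "allowed: %s" % right


if __name__ == "__main__":
    print(request(USERS, "bob", "bob-s-long-passphrase-2008", "read"))
    print(request(USERS, "bob", "bob-s-long-passphrase-2008", "write"))
    print(request(USERS, "alice", "wrong", "read"))
```

Note that `authorize` is only meaningful after `authenticate` succeeded: a valid user name with the wrong password is refused before any rights are consulted, and a correctly authenticated `bob` is still refused `write` because that right was never granted to him.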