Week 7
More Essentials, In Another Light: Network Security
Overview
• Why We Need Security
• Definitions and Concepts
• Access Control
• Risk vs. Vulnerability
• Threats and Attack Types
Why Security?
• The Internet was initially designed for connectivity
– Trust assumed
– We do more with the Internet nowadays
– Security protocols are added on top of TCP/IP
Why Security?
• We can’t keep ourselves isolated from the Internet
– Most business communications are done online
– We provide online services
– We get services from third-party organizations online
Why Security?
• Fundamental aspects of information must be protected
– Confidential data
– Employee information
– Business models
– Protect identity and resources
Internet Evolution
Different ways to handle security as the Internet evolves
Why Security?
Source: Arbor Networks Worldwide Infrastructure Security Report Volume VII
Key findings:
– Hacktivism and vandalism are the common DDoS attack motivations
– High-bandwidth DDoS attacks are the ‘new normal’
– First-ever IPv6 DDoS attacks are reported
– Trust issues across geographic boundaries
Breach Sources
Source: Trustwave 2012 Global Security Report
Types of Security
• Computer Security
– generic name for the collection of tools designed to protect data and to thwart hackers
• Network Security
– measures to protect data during their transmission
• Internet Security
– measures to protect data during their transmission over a collection of interconnected networks
Principles of Information Security
Access Control
The ability to permit or deny the use of an object by a subject.
• It provides 3 essential services:
– Authentication (who can log in)
– Authorization (what authorized users can do)
– Accountability (identifies what a user did)
Authentication
• A means to verify or prove a user’s identity
• The term “user” may refer to:
– Person
– Application or process
– Machine or device
• Identification comes before authentication
– Provide username to establish user’s identity
Authentication
To prove identity, a user must present one of the following:
– What you know (Knows-A): passwords, passphrase, PIN
– What you have (Has-A): token, smart cards, passcodes, RFID
– Who you are (Is-A): biometrics such as fingerprints and iris scan, signature or voice
Examples of Tokens
Trusted Network
• Standard defensive-oriented technologies
– Firewall
– Intrusion Detection
• Build TRUST on top of the TCP/IP infrastructure
– Strong authentication
– Public Key Infrastructure (PKI)
Strong Authentication
An absolute requirement
• Two-factor authentication
– Passwords (something you know)
– Tokens (something you have)
• Examples:
– Passwords
– Tokens
– Tickets
– Restricted access
– PINs
– Biometrics
– Certificates
Two-factor Authentication
• Requires a user to provide at least two authentication ‘factors’ to prove his identity
– something you know: username/user ID and password
– something you have: token using a one-time password (OTP)
• Back in the day, the OTP was generated using a small electronic device in the physical possession of the user
– A different OTP is generated each time and expires after some time
– A newer alternative is through applications installed on your mobile device
• Multi-factor authentication is also common
Authorization
• Defines the user’s rights and permissions on a system
• Typically done after the user has been authenticated
• Grants a user access to a particular resource and defines what actions he is permitted to perform on that resource
• Access criteria based on the level of trust:
– Roles
– Groups
– Location
– Time
– Transaction type
Authentication vs. Authorization
“Authentication simply identifies a party; authorization defines whether they can perform a certain action.”
Authorization Concepts
• Authorization creep
– When users possess unnecessarily high access privileges within an organization
• Default to Zero
– Start with zero access and build on top of that
• Need to Know Principle
– Least privilege; give access only to the information that the user absolutely needs
• Access Control Lists
– List of users allowed to perform a particular access on an object (read, write, execute, modify)
User File Protection Mechanisms
• As an illustration of Access Control Lists
File Specific Protection Schemes
• All or None Protection – the administrator or system operator has complete access to passwords and sharing
• Group Protection – identifying groups of users who have some common relationship
• Single Permissions – password or other token, temporarily acquired permission
A TYPICAL EXAMPLE
Suppose the following groups are defined to shorten a system’s access control lists:
– Group1: Aisha, Fatou, Isatou, Kadijat, Niyma
– Group2: Aisha, Fatou, Isatou
– Group3: Fatou, Isatou
Suppose the access control lists for File 1 and File 2 are:
– File 1: Group 1, R; Group 2, RW
– File 2: Group 2, RW
Question: If Aisha wants to write to File 1, give reasons as to whether Aisha will be allowed to do so if:
a. The first relevant entry policy is applied.
b. The “any permission in list” policy is applied.
c. Why is Niyma not allowed access to write to both files?
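The question above, worked as an added Python example that is not part of the slides: it encodes the three groups and the two ACLs from the slide, evaluates a write request under the “first relevant entry” and “any permission in list” policies, and applies “default to zero” when no ACL entry names a group the user belongs to. It assumes ACL entries are checked in the order written on the slide; the names `allowed()`, `relevant_entries()` and the single-letter access codes `R`/`W` are chosen here.

```python
# Added example (not from the slides): ACL evaluation under two policies.
from typing import Dict, List, Set, Tuple

# Groups exactly as defined on the slide.
GROUPS: Dict[str, Set[str]] = {
    "Group1": {"Aisha", "Fatou", "Isatou", "Kadijat", "Niyma"},
    "Group2": {"Aisha", "Fatou", "Isatou"},
    "Group3": {"Fatou", "Isatou"},
}

# Each ACL is an ordered list of (group, permissions) entries. Order matters
# for the first-relevant-entry policy, so the slide's order is preserved.
ACLS: Dict[str, List[Tuple[str, str]]] = {
    "File 1": [("Group1", "R"), ("Group2", "RW")],
    "File 2": [("Group2", "RW")],
}


def relevant_entries(user: str, acl: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """ACL entries whose group contains the user, in list order."""
    return [(g, p) for g, p in acl if user in GROUPS.get(g, set())]


def allowed(user: str, file: str, access: str, policy: str) -> bool:
    """Decide one access (a single letter such as 'R' or 'W') for a user.

    Default to zero: if no entry is relevant to the user, access is denied.
    """
    entries = relevant_entries(user, ACLS.get(file, []))
    if not entries:
        return False
    if policy == "first":
        # Only the first matching entry decides; later grants are ignored.
        return access in entries[0][1]
    if policy == "any":
        # Any matching entry that grants the access is sufficient.
        return any(access in perms for _, perms in entries)
    raise ValueError(f"unknown policy: {policy}")


def explain(user: str, file: str, access: str, policy: str) -> str:
    """Human-readable verdict with the entries that were considered."""
    entries = relevant_entries(user, ACLS.get(file, []))
    verdict = "allowed" if allowed(user, file, access, policy) else "denied"
    return f"{user} {access} on {file} ({policy}): {verdict}; relevant entries: {entries}"


if __name__ == "__main__":
    print(explain("Aisha", "File 1", "W", "first"))   # denied: Group1, R comes first
    print(explain("Aisha", "File 1", "W", "any"))     # allowed: Group2, RW grants W
    for f in ("File 1", "File 2"):
        print(explain("Niyma", f, "W", "any"))        # denied: only in Group1 (R on File 1, nothing on File 2)
```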
Thanks!
Do you have any
  questions?
adedoyinajayi@utg.edu.gm
      +220 674 1236