Tribhuvan University

Institute of Science and Technology

Bachelor in Computer Science and Information Technology (BSC CSIT)
7Th Semester
Network Security (CS-416 )
Unit-1: Computer Network Security Fundaments 3hrs

Instructor
Tekendra Nath Yogi
Tekendranath@gmail.com
 Contents
• Unit 1: Computer Network Security Fundamentals (3 Hrs.)

– 1.1. Introduction

– 1.2. Securing the Computer Network

– 1.3. Forms of Protection

– 1.4. Security Standards

5/14/2025 By: Tekendra Nath Yogi 2

 1.1. Introduction to Security

“The art of war teaches us to rely not on the likelihood

of the enemy's not coming, but on our own readiness to

receive him; not on the chance of his not attacking, but

rather on the fact that we have made our position

unassailable.”

- The Art of War, Sun Tzu

5/14/2025 By: Tekendra Nath Yogi 3

 Cont’d…
• Security:

– Continuous process of protection from unauthorized access.

– It is as state of being or feeling protected from harm.

– Involves physical or theoretical states of being secure.

• Over the years, the approach to security has shifted:

– Before computers, security relied on physical and administrative

controls (e.g., locked cabinets, personnel screening).

– With computer systems, automated security tools became necessary,

especially in shared or networked environments.

– Network security emerged to protect data during transmission, as

interconnection between systems became common.
5/14/2025 By: Tekendra Nath Yogi 4
 Cont’d…
• Network Security:

– Protecting data, Information and network services from Intruders during

its transmission.

– Consists of measures to deter, prevent, detect, and correct security

violations that involve the transmission & storage of information.

– Very Critical and difficult to maintain.

5/14/2025 By: Tekendra Nath Yogi 5

 Cont’d…
• Network Security: According to National Security Telecommunications
and Information Systems Security Committee (NSTISSC)

– Network Security is the protection of Information and the systems and

hardware that use, store, and transmit that information.

– It encompasses those steps that are taken to ensure the confidentiality,

integrity, and availability of data or resources.

5/14/2025 By: Tekendra Nath Yogi 6

 1.2. Securing the Computer Network
• Key Objective of the computer network security is to protect resources from

internal and external unauthorized access.

• Resources to Protect

– Tangible (Hardware):

• Input devices, network hardware, communication channels.

– Intangible (Software & Data):

• Operating systems, applications, databases, personal data.

5/14/2025 By: Tekendra Nath Yogi 7

 Cont’d…
• Four General Security Mechanisms:

– Deterrence: Warnings or barriers to discourage intrusion.

• e.g., Warning signs, security cameras in plain view, or fences with

No Trespassing signs.

– Prevention: Stops unauthorized access.

• e.g., firewalls, biometrics.

– Detection: Identifies intrusion attempts.

• e.g., sensors, alarms.

– Response: Reacts to security breaches.

• e.g., mitigation, lockdowns.

5/14/2025 By: Tekendra Nath Yogi 8

 Cont’d…
• Types of Security:

– Physical Security: Barriers, sensors, cameras, guards.

– Digital Security: Firewalls, passwords, encryption.

– Theoretical Security (Security Through Obscurity - STO)

• Based on secrecy or trust.

• Examples: Coca-Cola, KFC recipes.

5/14/2025 By: Tekendra Nath Yogi 9

 1.3 Forms of Protection
• To secure the network following category of the protection (security
services) can be enforced in the network:

– Access Control

– Authentication

– Confidentiality

– Integrity

– Nonrepudiation

5/14/2025 By: Tekendra Nath Yogi 10

 Cont’d…
• Access Control: Prevention of the unauthorized use of a resource. i.e.,
Restricts who can access what in a system.
– Hardware-Based Access Control

• Access Terminals – Use ID and rights verification.

• Visual Event Monitoring – Combines video, GPS, audio.

• ID Cards – Magnetic, barcoded, chip-based.

• Biometric Identification – Fingerprints, iris, voice.

• Video Surveillance – Real-time video analysis.

– Software-Based Access Control

• Point-of-Access – Local monitoring and control.

• Remote Monitoring – Through networks and wireless systems.

5/14/2025 By: Tekendra Nath Yogi 11

 Cont’d…
• Authentication: Assurance that the communicating entity is the one claimed.
Verifies identity of users based on:

– Username and Password

– Retinal Scans

– Fingerprints

– Physical Location (IP address)

– Identity Cards

5/14/2025 By: Tekendra Nath Yogi 12

 Cont’d…
• Confidentiality: Protection from unauthorized disclosure. i.e., Prevent
unauthorized data access.

– Uses encryption to secure data:

• Symmetric Encryption – Same key for encryption/decryption.

• Asymmetric Encryption – Public/private key pair.

5/14/2025 By: Tekendra Nath Yogi 13

 Cont’d…
• Integrity: Assurance that data received is as sent by an authorized entity. i.e.,
Ensures data is not altered.

– Uses hash functions to verify data integrity.

• Creates a unique message digest.

• Acts like a digital fingerprint of the message.

5/14/2025 By: Tekendra Nath Yogi 14

 Cont’d…
• Nonrepudiation: Protection against denial by one of the parties in a
communication

– i.e., Prevents denial of a message's origin or delivery.

– Uses:

• Digital Signatures – Verifies sender identity.

• Encryption – Protects against forgery.

5/14/2025 By: Tekendra Nath Yogi 15

 1.4. Security Standards
• Security standards ensure uniformity, interoperability, and compatibility in
securing systems, especially in a diverse technological environment.

• The adoption of specific standards depends on:

– Type of service

– Industry nature

– Organization size

– Organization mission

5/14/2025 By: Tekendra Nath Yogi 16

 Cont’d…
• Security Standards Based on Type of Service/Industry: Security
standards often align with industry services. Some examples include:
– PKCS (Public Key Cryptography Standards) – Developed by RSA Labs for interoperable
public key crypto. Widely implemented and forms the basis of SSL, S/MIME, and others.

– S/MIME (Secure/Multipurpose Internet Mail Extensions) – Adds security to MIME email

protocol using PKCS for encryption, authentication, and integrity.

– FIPS (Federal Information Processing Standards) – NIST-approved US government

encryption and processing standards.

– SSL (Secure Sockets Layer) – Encrypts Web-based communications; includes

authentication and access control. Now mostly replaced by TLS.

– Web Services Security – Standards like XML Signature, XML Encryption, SAML, and
XKMS ensure secure web transactions.

5/14/2025 By: Tekendra Nath Yogi 17

 Cont’d…
• Security Standards Based on Size/Implementation: Smaller
organizations may adopt simpler, policy-based standards:

– Physical security – Locked server areas, secured backup media.

– Operating systems – Limit root/admin access, apply patches, enforce

password policies.

– System logs – Restrict log access, define log review procedures.

– Data security – Encrypt sensitive files, minimize public server data.

5/14/2025 By: Tekendra Nath Yogi 18

 Cont’d…
• Security Standards Based on Interests: Organizations/countries may
adopt standards based on national/institutional priorities:

– BS 7799 / ISO/IEC 17799 – A framework for information security

management.

– Orange Book (DOD 5200.28-STD) – U.S. DoD Trusted Computer

System Evaluation Criteria. Part of the "Rainbow Series".

5/14/2025 By: Tekendra Nath Yogi 19

 Cont’d…
• Security Best Practices: Due to evolving threats, security practices must be
dynamic and strategic. Some key best practice frameworks:
– CASPR (Commonly Accepted Security Practices and Regulations) – Open-
source best practice documents for various security domains.
– COBIT (Control Objectives for Information and Related Technology) – A
comprehensive framework for IT governance, risk management, and security
audit.
– OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation.) –
A self-directed approach for assessing and managing information security risks
across three phases:
• Identify critical assets.
• Evaluate infrastructure and vulnerabilities.
• Define protection strategies and mitigation plans.

5/14/2025 By: Tekendra Nath Yogi 20

 Cont’d…
• General Security Best Practices (Matthew Putvinski):
– Designate a Security Officer.

– End-user training and policy enforcement

– Software patch management

– Vendor management and confidentiality

– Physical security controls

– Policy areas to cover:

• Data classification and retention

• Password policies

• Wireless and mobile device security

• Incident response planning

5/14/2025 By: Tekendra Nath Yogi 21

Miscellaneous Security
Concepts
[Extra]
 Miscellaneous Security Concepts [Extra]
• CIA Triad: Three security objectives

5/14/2025 By: Tekendra Nath Yogi 23

 Cont’d…
• Confidentiality: Keep secret
– Data confidentiality: Assures that confidential information is not
disclosed to unauthorized individuals
– Privacy: Assures that individual control or influence what information
may be collected and stored
• Integrity : Keep intact
– Data integrity: assures that information and programs are changed only
in a specified and authorized manner
– System integrity: Assures that a system performs its operations in
unimpaired manner
• Availability: assure that systems works promptly and service is not denied to
authorized users
5/14/2025 By: Tekendra Nath Yogi 24
 Cont’d…

Figure: Network Security objectives

5/14/2025 By: Tekendra Nath Yogi 25
 Cont’d…
• Other concepts to a complete security picture:

– Authenticity: the property of being genuine and being able to be verified

and trusted; confident in the validity of a transmission, or a message, or
its originator

– Accountability: generates the requirement for actions of an entity to be

traced uniquely to that individual to support nonrepudiation, deference,
fault isolation, etc.

5/14/2025 By: Tekendra Nath Yogi 26

 Security concepts and relationships
• Threat: A potential danger that could exploit a vulnerability and cause
harm.

• Attack: A deliberate action (from an intelligent threat) that attempts to

bypass security mechanisms.

• Security Attack: Any action that compromises information security.

• Security Mechanism: Tools or processes that detect, prevent, or recover

from security attacks.

• Security Service: Services that use mechanisms to protect data and

systems, aimed at preventing or mitigating attacks.

5/14/2025 By: Tekendra Nath Yogi 27

 Cont’d…
• Network Systems resources: Hardware, software (OS, apps), data (users,
system, database), communication facilities and network (LAN, bridges,
routers, …)

• Our concern: vulnerability of these resources (corrupted, unavailable, leaky)

• Threats exploit vulnerabilities

• Attack is a threat that is accrued out

– Active or passive; from inside or from outside

• Countermeasures: actions taken to prevent, detect, recover and minimize

risks

5/14/2025 By: Tekendra Nath Yogi 28

 Cont’d…
• Security concepts and relationships:

5/14/2025 By: Tekendra Nath Yogi 29

 OSI Security Architecture
• X.800, Security Architecture for OSI

• Systematic way of defining requirements for security and characterizing

approaches to satisfying them

• defines:

– Security attacks - compromise security

– Security mechanism - act to detect, prevent, recover from attack

– Security service - counter security attacks

5/14/2025 By: Tekendra Nath Yogi 30

 Cont’d…
• OSI Security Architecture:

5/14/2025 By: Tekendra Nath Yogi 31

 Cont’d…
• Types of Security Attacks: Passive Attacks:

– Intercept or monitor data without altering it.

– For Examples:

• Release of Message Contents – Eavesdropping sensitive data.

• Traffic Analysis – Observing communication patterns (e.g., who is

talking to whom, how often).

– Challenge: Difficult to detect.

– Countermeasure: Prevention via encryption.

5/14/2025 By: Tekendra Nath Yogi 32

 Cont’d…

5/14/2025 By: Tekendra Nath Yogi 33

 Cont’d…
• Types of Security Attack: Active Attacks:

– Modify or disrupt data/operations.

– Types:
• Masquerade: Pretending to be another entity.

• Replay: Capturing and resending messages.

• Message Modification: Changing, delaying, or reordering messages.

• Denial of Service (DoS): Disrupting services or overloading systems.

– Challenge: Hard to prevent.

– Countermeasures: Detection and recovery are key.

5/14/2025 By: Tekendra Nath Yogi 34

 Cont’d…

5/14/2025 By: Tekendra Nath Yogi 35

 Cont’d…
• Security Services: Security services are designed to protect data and
systems by enforcing security policies through security mechanisms. X.800
categorizes these into five main categories:

– Authentication

– Access control

– Confidentiality

– Integrity

– Nonrepudiation

5/14/2025 By: Tekendra Nath Yogi 36

 Cont’d…
• Security Services: Security services are designed to protect data and
systems by enforcing security policies through security mechanisms. X.800
categorizes these into five main categories:

– Authentication

– Access control

– Confidentiality

– Integrity

– Nonrepudiation

5/14/2025 By: Tekendra Nath Yogi 37

 Cont’d…
• Security Mechanisms: Security mechanisms are techniques or processes
designed to implement security services in computer networks. Two General
categories:

– Specific Security Mechanisms: related to OSI security services

– Pervasive Security Mechanisms: not tied to any specific layer or service.

5/14/2025 By: Tekendra Nath Yogi 38

 Cont’d…
• Specific Security Mechanisms (related to OSI security services):

– Encipherment

– Digital Signature

– Access Control

– Data Integrity

– Authentication Exchange

– Traffic Padding

– Routing Control

– Notarization

5/14/2025 By: Tekendra Nath Yogi 39

 Cont’d…
• Pervasive Security Mechanisms (not tied to any specific layer or
service):

– Trusted Functionality

– Security Label

– Event Detection

– Security Audit Trail

– Security Recovery

5/14/2025 By: Tekendra Nath Yogi 40

 Cont’d…
• Specific Security Mechanisms (related to OSI security services):

– Encipherment

– Digital Signature

– Access Control

– Data Integrity

– Authentication Exchange

– Traffic Padding

– Routing Control

– Notarization

5/14/2025 By: Tekendra Nath Yogi 41

 Cont’d…
• Relationship Between Security Services and Mechanisms:

5/14/2025 By: Tekendra Nath Yogi 42

 Cont’d…
• Fundamental Security Design Principles: Despite years of research, it is still difficult to
design systems that comprehensively prevent security flaws. But good practices for good design have
been documented.
– Economy of Mechanism
– Fail-safe defaults
– Complete Mediation
– Open Design
– Separation of Privilege
– Least Privilege
– Least common Mechanism
– Psychological acceptability
– Isolation
– Encapsulation
– Modularity
– Layering
– Least Astonishment

5/14/2025 By: Tekendra Nath Yogi 43

 Cont’d…
• Economy of mechanism: the design of security measures should be as
simple as possible

– Simpler to implement and to verify

– Fewer vulnerabilities

• Fail-safe default: access decisions should be based on permissions; i.e., the

default is lack of access

• Complete mediation: every access should checked against an access control

system

• Open design: the design should be open rather than secret (e.g., encryption
algorithms)

5/14/2025 By: Tekendra Nath Yogi 44

 Cont’d…
• Isolation
– Public access should be isolated from critical resources (no connection
between public and critical information)
– Users files should be isolated from one another (except when desired)
– Security mechanism should be isolated (i.e., preventing access to those
mechanisms)
• Encapsulation: similar to object concepts (hide internal structures)
• Modularity: modular structure
• Layering (defense in depth): use of multiple, overlapping protection
approaches
• Least astonishment: a program or interface should always respond in a way
that is least likely to astonish a user.
5/14/2025 By: Tekendra Nath Yogi 45
 Cont’d…
• Separation of privilege: multiple privileges should be needed to do achieve
access (or complete a task)

• Least privilege: every user (process) should have the least privilege to
perform a task

• Least common mechanism: a design should minimize the function shared by

different users (providing mutual security; reduce deadlock)

• Psychological acceptability: security mechanisms should not interfere

unduly with the work of users

5/14/2025 By: Tekendra Nath Yogi 46

 Cont’d…
• Attack surfaces:
– An attack surface refers to the points in a system where vulnerabilities are
exposed and can be exploited by attackers. These vulnerabilities can exist in
various forms, including:
• Open ports on web servers or other outward-facing services

• Services behind firewalls that may be vulnerable

• Code processing incoming data, such as email, XML, office documents, etc.

• Interfaces like SQL or web forms that may allow attackers to exploit flaws

• Human attack surfaces, such as employees susceptible to social engineering or

insider threats

• By identifying and analyzing these attack surfaces, organizations can better

assess threats and vulnerabilities, helping them design security mechanisms
to protect the system.
5/14/2025 By: Tekendra Nath Yogi 47
 Cont’d…
• Network Security Model:

Models information flowing over an insecure communications channel, in the

presence of possible opponents. Hence an appropriate security transform
(encryption algorithm) can be used, with suitable keys, possibly negotiated using
the presence of a trusted third party.
5/14/2025 By: Tekendra Nath Yogi 48
 Cont’d…
• Using this model requires us to:

– Design a suitable algorithm for the security transformation

– Generate the secret information (keys) used by the algorithm

– Develop methods to distribute and share the secret information

– Specify a protocol enabling the principals to use the transformation

and secret information for a security service

5/14/2025 By: Tekendra Nath Yogi 49

 Cont’d…
• Network Access Security Model: is concerned with controlled access to
information or resources on a computer system, in the presence of possible
opponents.

5/14/2025 By: Tekendra Nath Yogi 50

 Cont’d…
• Using this model requires us to:

– Select appropriate gatekeeper functions to identify users

– Implement security controls to ensure only authorized users access

designated information or resources

• Trusted computer systems may be useful to help implement this model

5/14/2025 By: Tekendra Nath Yogi 51

 Thank You !

5/14/2025 By: Tekendra Nath Yogi 52