Topic outline

• 
  

  General

  Network Security
  
  An advanced course on network security
  
• 
  

  Topic 1

  Introduction

  • Introduction Page
  • Communication networks are used to transfer valuable and confidential information for a variety of purposes. As a consequence, they attract the attention of people who intend to steal or misuse information,...
• 
  

  Topic 2

  1 Terminology and abbreviations

  • 1.1 Terminology Page
  • Throughout this unit I shall use the terms ‘vulnerability’, ‘threat’ and ‘attack’. It is worthwhile clarifying these terms before proceeding:
  • 1.2 Abbreviations Page
  • The table below shows the abbreviations that are used throughout this unit, and their meanings.
• 
  

  Topic 3

  2 Background to network security

  • 2.1 Introduction Page
  • An effective security strategy will of necessity include highly technical features. However, security must begin with more mundane considerations which are often disregarded: for example, restricting physical...
  • 2.2 The importance of effective network security strategies Page
  • In more recent years, security needs have intensified. Data communications and e-commerce are reshaping business practices and introducing new threats to corporate activity. National defence is also vulnerable...
  • 2.3 Network security when using your computer Page
  • Before considering the more technical aspects of network security I shall recount what happens when I switch my computer on each morning at The Open University. I hope you will compare this with what happens...
• 
  

  Topic 4

  3 Threats to communication networks

  • 3.1 How have network security measures developed over the past fifty years? Page
  • To start this section it is useful to reflect on the different obstacles that an intruder, intending to eavesdrop on a telephone conversation, might face today compared with fifty years ago, before electronic...
  • 3.2 Important terminology and information for making the most of this section Page
  • Before we move on to consider specific issues of network security, I need to introduce some important terms that I shall use when describing how data is stored, processed or transmitted to other locations....
  • 3.3 Passive attacks Page
  • A passive attack is characterised by the interception of messages without modification. There is no change to the network data or systems. The message itself may be read or its occurrence may simply be...
  • 3.4 Active attacks Page
  • An active attack is one in which an unauthorised change of the system is attempted. This could include, for example, the modification of transmitted or stored data, or the creation of new data streams....
  • 3.5 Potential network vulnerabilities Page
  • Whatever the form of attack, it is first necessary to gain some form of access to the target network or network component. In this section I shall take a brief look at a hypothetical network to see where...
  • 3.6 Tapping into transmission media Page
  • Venturing beyond the organisation's premises in Figure 3 (see Section 3.5), there are many opportunities for interception as data passes through external links. These could be cable or line-of-sight links...
• 
  

  Topic 5

  4 Principles of encryption

  • 4.1 An introduction to encryption and cryptography Page
  • Section 3 has introduced you to the main threats to network security. Before I begin to examine the countermeasures to these threats I want to introduce briefly one of the fundamental building blocks...
  • 4.2 An overview of symmetric key systems Page
  • We can think of symmetric key systems as sharing a single secret key between the two communicating entities – this key is used for both encryption and decryption. (In practice, the encryption and decryption...
  • 4.3 The components of a symmetric key system Page
  • I shall now explain the components of a symmetric key system in more detail.
  • 4.4 Asymmetric key systems Page
  • Asymmetric or public key systems are based on encryption techniques whereby data that has been encrypted by one key can be decrypted by a different, seemingly unrelated, key. One of the keys is...
  • 4.5 Vulnerability to attack Page
  • All the symmetric and public key algorithms listed in Table 2 and Table 3share the fundamental property that their secrecy lies in the key and not in the algorithm. (This is generally known as Kerchoff's...
  • 4.6 Hybrid systems Page
  • As you have seen from earlier sections, a major advantage of asymmetric key systems over symmetric key systems is that no exchange of a secret key is required between communicating entities. However, in...
• 
  

  Topic 6

  5 Implementing encryption in networks

  • 5.1 Overview Page
  • Confidentiality between two communicating nodes is achieved by using an appropriate encryption scheme: data is encrypted at the sending node and decrypted at the receiving node. Encryption will also protect...
  • 5.2 Link layer encryption Page
  • Link layer encryption has been available for some time and can be applied by bulk encryptors, which encrypt all the traffic on a given link. Packets are encrypted when they leave a node and decrypted when...
  • 5.3 End-to-end encryption Page
  • I shall consider end-to-end encryption at the network layer and the application layer separately.
  • 5.4 Link layer encryption and end-to-end encryption compared and combined Page
  • Comparing end-to-end encryption with link layer encryption, which do you think is better?
• 
  

  Topic 7

  6 Integrity

  • 6.1 Encryption and integrity Page
  • You should recall from Section 3.2 that integrity relates to assurance that there has been no unauthorised modification of a message and that the version received is the same as the version sent.
  • 6.2 Other ways of providing assurance of integrity Page
  • Some other method of providing assurance of the integrity of a message is therefore needed – some kind of concise identity of the original message that can be checked against the received message to reveal...
• 
  

  Topic 8

  7 Freshness

  • 7.1 Introduction Page
  • A message replay attack was introduced briefly in Section 3.4. In this attack a message, or a portion of a message, is recorded and replayed at some later date. For example, an instruction to a bank to...
  • 7.2 Time stamps Page
  • A digital time stamp is analogous to a conventional postmark on an envelope: it provides some check of when a message was sent. Returning to the example of Alice and Bob, Alice could add the time and date...
  • 7.3 Sequence numbers Page
  • Sequence numbers are an alternative way of indicating freshness. If Alice is sending a stream of messages to Bob she can bind each one to a sequential serial number, and encryption will prevent...
  • 7.4 Nonces Page
  • This third method of freshness indication uses an unpredictable value in a challenge–response sequence. The sequence of events is illustrated in Figure 11. Bob wants to communicate with Alice but she needs...
• 
  

  Topic 9

  8 Authentication

  • 8.1 Overview of authentication methods Page
  • Authentication is needed to provide some assurance about the source of a message: did it originate from the location it appears to have originated from? One of the simplest authentication methods is the...
  • 8.2 Certification authorities and digital certificates Page
  • There are snags to this procedure, however: for example, Charlie could generate a key pair for himself and publish the public key using Bob's name. Some additional assurance is required that irrevocably...
• 
  

  Topic 10

  9 Access control

  • 9.1 Introduction Page
  • In this section I shall discuss two major approaches used to restrict access to networks – passwords and firewalls.
  • 9.2 Passwords Page
  • I have introduced encryption keys in previous sections. A password can also be thought of as a type of key in as much as it enables the keyholder to gain access to a particular resource. In Section 2.3,...
  • 9.3 Firewalls – an overview Page
  • Firewalls play an important role in restricting and controlling access to networks. A firewall is normally implemented within a router or gateway, and will monitor incoming and outgoing traffic at the...
  • 9.4 Packet-filtering router Page
  • A packet-filtering router either blocks or passes packets presented to it according to a set of filtering rules. Figure 14 shows this arrangement.
  • 9.5 Application level gateways Page
  • An application level gateway is implemented through a proxy server, which acts as an intermediary between a client and a server. A client application from within the protected network may request services...
  • 9.6 Circuit level gateways Page
  • A circuit level gateway operates at the transport layer of the OSI or internet reference models and, as the name implies, implements circuit level filtering rather than packet level filtering. It checks...
  • 9.7 Examples of firewall implementation Page
  • In practice, firewalls are likely to be combinations of the types that I have described. For example, a screened sub-network is commonly incorporated in a firewall scheme, as shown in Figure 17. In this...
• 
  

  Topic 11

  10 Summary

  • 10.1 Summary of Sections 1–5 Page
  • There are many terms and abbreviations relating to this topic, and it is important to understand them.
  • 10.2 Summary of Sections 6–9 Page
  • Integrity relates to assurances that a message has not been tampered with in any unauthorised way. A method of providing this assurance is to create a message digest, which gives a concise identity of...
• 
  

  Topic 12

  References and Acknowledgements

  • References Page
  • Acknowledgements Page