
Chapter - 1

This document provides an introduction to network and information security. It discusses key concepts like security attacks, services, and mechanisms. Security attacks are classified as passive or active. Passive attacks include eavesdropping while active attacks modify or interrupt data. Security services include authentication, access control, confidentiality, integrity, and availability. Mechanisms like encryption and digital signatures are used to provide these services. Challenges in security include the complexity of mechanisms and the difficulty of eliminating all weaknesses.

Uploaded by

Fasiledes

Chapter One

Introduction to Network and Information Security

Main points to be discussed:


➢ Introduction
➢ Challenges of Security
➢ Security attacks
➢ Security services
➢ Security Mechanism
➢ Security Model

By Bereket S.
Network and Information Security
➢ Network security is the process of taking physical and software preventative
measures to protect the underlying networking infrastructure from
unauthorized access, misuse, malfunction, modification, destruction, or
improper disclosure.

➢ Information security refers to the processes and methodologies that are
designed and implemented to protect print, electronic, or any other form of
confidential, private and sensitive information or data from unauthorized
access, use, misuse, disclosure, destruction, modification or disruption.

➢ Open Systems Interconnection (OSI) security architecture provides a systematic
framework for defining security attacks, mechanisms, and services.
➢ Security attacks are classified as either passive attacks, which include unauthorized
reading of a message or file and traffic analysis, or active attacks, such as modification of
messages or files, and denial of service.
➢ Security mechanism is any process (or a device incorporating such a process) that is
designed to detect, prevent, or recover from a security attack.
✓ Examples of mechanisms are encryption algorithms, digital signatures, and authentication
protocols.

➢ Security services include authentication, access control, data confidentiality, data
integrity, nonrepudiation, and availability.

Challenges of Security
➢ Security is not as simple as it might first appear to the novice. The requirements seem to be
straightforward; indeed, most of the major requirements for security services can be given
self-explanatory, one-word labels: confidentiality, authentication, nonrepudiation, or integrity.

➢ But the mechanisms used to meet those requirements can be quite complex, and understanding
them may involve rather subtle reasoning.

➢ In developing a particular security mechanism or algorithm, one must always consider potential
attacks on those security features.

➢ In many cases, successful attacks are designed by looking at the problem in a completely
different way, therefore exploiting an unexpected weakness in the mechanism.

Cont.
➢ Because of the aforementioned point, the procedures used to provide particular services are often
counterintuitive.

➢ Typically, a security mechanism is complex, and it is not obvious from the statement of a
particular requirement that such elaborate measures are needed.

➢ It is only when the various aspects of the threat are considered that elaborate security
mechanisms make sense.

➢ Having designed various security mechanisms, it is necessary to decide where to use them.

➢ This is true both in terms of physical placement (at what points in a network are certain security
mechanisms needed) and in a logical sense [at what layer or layers of an architecture such as
TCP/IP should mechanisms be placed].
Cont.
➢ Security mechanisms typically involve more than a particular algorithm or
protocol.

➢ They also require that participants be in possession of some secret information
(e.g., an encryption key), which raises questions about the creation, distribution,
and protection of that secret information.

➢ There also may be a reliance on communications protocols whose behavior may
complicate the task of developing the security mechanism.

➢ Security requires regular, even constant, monitoring, and this is difficult in today’s
short-term, overloaded environment.
Cont.
➢ Computer and network security is essentially a battle of wits between a perpetrator who tries
to find holes and the designer or administrator who tries to close them.

➢ The great advantage that the attacker has is that he or she need only find a single weakness,
while the designer must find and eliminate all weaknesses to achieve perfect security.

➢ There is a natural tendency on the part of users and system managers to perceive little benefit
from security investment until a security failure occurs.

➢ Security is still too often an afterthought to be incorporated into a system after the design is
complete rather than being an integral part of the design process.

➢ Many users and even security administrators view strong security as an impediment to efficient
and user-friendly operation of an information system or use of information.
Security Attack
Any action that compromises the security of information owned by an organization.

Cont.…

➢ Interruption: This is an attack on availability.

➢ Interception: This is an attack on confidentiality.

➢ Modification: This is an attack on integrity.

➢ Fabrication: This is an attack on integrity.

Cont.…

➢ Generally, there are two categories of security attacks:

✓ Passive attacks are in the nature of eavesdropping on, or monitoring of, transmissions. The
goal of the opponent is to obtain information that is being transmitted.
✓ Two types of passive attacks are the release of message contents and traffic analysis.

➢ Passive attacks are very difficult to detect, because they do not involve any
alteration of the data.

➢ Typically, the message traffic is sent and received in an apparently normal fashion,
and neither the sender nor receiver is aware that a third party has read the
messages or observed the traffic pattern.
Security Attack (Passive Attack)

Security attack (Active Attack)
➢ Active attacks involve some modification of the data stream or the creation of a false stream and
can be subdivided into four categories: masquerade, replay, modification of messages, and denial
of service.

➢ Masquerade takes place when one entity pretends to be a different entity.

➢ Replay involves the passive capture of a data unit and its subsequent retransmission to produce
an unauthorized effect.

➢ Modification of messages simply means that some portion of a legitimate message is altered, or
that messages are delayed or reordered, to produce an unauthorized effect.

➢ Denial of service prevents or inhibits the normal use or management of communications
facilities.

Security Service
➢ [X.800] defines a security service as a service that is provided by a protocol layer of communicating
open systems and that ensures adequate security of the systems or of data transfers.

➢ Security services implement security policies and are implemented by security mechanisms.

➢ Authentication: The assurance that the communicating entity is the one that it claims to be.

➢ Data Confidentiality: The protection of data from unauthorized disclosure.

➢ Data Integrity: The assurance that data received are exactly as sent by an authorized entity (i.e.,
contain no modification, insertion, deletion, or replay).

➢ Nonrepudiation: Provides protection against denial by one of the entities involved in a communication
of having participated in all or part of the communication.

Security Mechanisms (X.800)
➢ Encipherment/Encryption: The use of mathematical algorithms to transform data
into a form that is not readily intelligible.
➢ The transformation and subsequent recovery of the data depend on an algorithm and
zero or more encryption keys.
➢ Digital Signature: Data appended to, or a cryptographic transformation of, a data
unit that allows a recipient of the data unit to prove the source and integrity of the
data unit and protect against forgery (e.g., by the recipient).
➢ Routing Control: Enables selection of particular physically secure routes for certain
data and allows routing changes, especially when a breach of security is suspected.
➢ And so on.
Model for Network Security

General Rules
This general model shows that there are four basic tasks in designing a particular
security service:

1. Design an algorithm for performing the security-related transformation. The
algorithm should be such that an opponent cannot defeat its purpose.

2. Generate the secret information to be used with the algorithm.

3. Develop methods for the distribution and sharing of the secret information.

4. Specify a protocol to be used by the two principals that makes use of the security
algorithm and the secret information to achieve a particular security service.
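
An added example (not part of the original slides): the four tasks of the model sketched in Python, with HMAC-SHA256 over a sequence number and payload as the security-related transformation, so the receiver can reject modified, forged and replayed messages. The names `generate_key`, `protect` and `Receiver` are illustrative assumptions, and distribution of the key to both principals is assumed to have happened out of band.

```python
import hashlib
import hmac
import secrets
import struct

TAG_LEN = 32  # size of an HMAC-SHA256 tag in bytes

def generate_key() -> bytes:
    """Generate the secret information shared by the two principals."""
    return secrets.token_bytes(32)

def protect(key: bytes, seq: int, payload: bytes) -> bytes:
    """Security-related transformation: seq || payload || HMAC(key, seq || payload)."""
    body = struct.pack(">Q", seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()

class Receiver:
    """Receiving side of the protocol: verify the tag, then the sequence number."""
    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1  # highest sequence number accepted so far

    def accept(self, message: bytes) -> str:
        if len(message) < 8 + TAG_LEN:
            return "rejected: truncated"
        body, tag = message[:-TAG_LEN], message[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            return "rejected: modified or forged"
        (seq,) = struct.unpack(">Q", body[:8])
        if seq <= self.last_seq:
            return "rejected: replayed or reordered"
        self.last_seq = seq
        return "accepted: " + body[8:].decode(errors="replace")

def demo() -> list:
    key = generate_key()  # distribution to both principals assumed done out of band
    rx = Receiver(key)
    m1 = protect(key, 1, b"pay 100 to alice")  # constructed sample message
    return [
        rx.accept(m1),                                 # legitimate message
        rx.accept(m1),                                 # replay of a captured message
        rx.accept(m1.replace(b"100", b"900")),         # modification in transit
        rx.accept(protect(generate_key(), 2, b"hi")),  # masquerade without the key
        rx.accept(protect(key, 2, b"ok")),             # next legitimate message
    ]

if __name__ == "__main__":
    print("\n".join(demo()))
```

The tag gives data integrity and origin authentication but not confidentiality; the payload is still readable by a passive observer unless encryption is added.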