COMPUTER NETWORK

SECURITY

BY

NETONGO CLOVIS
1
UNIT 1

COMPUTER NETWORK AND

NETWORK SECURITY CONCEPTS

2
INTRODUCTION
In this modem era, organizations greatly rely on computer networks to share
information throughout the organization in an efficient and productive manner.
Organizational computer networks are now becoming large and ubiquitous.
Assuming that each staff member has a dedicated workstation, a large scale
company would have few thousands workstations and many server on the
network.
It is likely that these workstations may not be centrally managed, nor would they
have perimeter protection. They may have a variety of operating systems,
hardware, software, and protocols, with different level of cyber awareness among
users. Now imagine, these thousands of workstations on company network are
directly connected to the Internet. This sort of unsecured network becomes a
target for an attack which holds valuable information and displays vulnerabilities.
3
INTRODUCTION
With all these, the need for automated tools for protecting files and other
information stored on the computer became evident. This is especially the case for
a shared system, and the need is even more acute for systems that can be accessed
over the Internet. The generic name for the collection of tools designed to protect
data and to thwart hackers is computer security.

Network Security: Introduction of distributed systems and the use of

networks and communications facilities for carrying data between terminal user
and computer and between computer and computer. Network security measures
are needed to protect data during their transmission. The term network security in
general refers to internet security.
4
Goal of Network Security
1. During transmission, data is highly vulnerable to attacks. An attacker can
target the communication channel, obtain the data, and read the same or re-
insert a false message to achieve his nefarious aims.
2. Network security is not only concerned about the security of the computers at
each end of the communication chain; however, it aims to ensure that the
entire network is secure.
3. Network security entails protecting the usability, reliability, integrity, and
safety of network and data. Effective network security defeats a variety of
threats from entering or spreading on a network.

5
Examples of Security violation
User A transmits a file to user B.
The file contains sensitive
information (e.g., payroll
records) that is to be protected
from disclosure. User C, who is
not authorized to read the file, is
able to monitor the transmission
and capture a copy of the file
during its transmission.

6
Examples of Security violation
A network manager, D, transmits a
message to a computer, E, under
its management. The message
instructs computer E to update an
authorization file to include the
identities of a number of new users
who are to be given access to that
computer. User F intercepts the
message, alters its contents to add
or delete entries, and then forwards
the message to E, which accepts
the message as coming from
manager D and updates its
authorization file accordingly.
7
Examples of Security violation
Rather than intercept a message, user
F constructs its own message with
the desired entries and transmits that
message to E as if it had come from
manager D. Computer E accepts the
message as coming from manager D
and updates its authorization file
accordingly.

8
COMPUTER SECURITY CONCEPT
• Definition of computer Security: The protection afforded to an
automated information system in order to attain the applicable
objectives of preserving the integrity, availability, and
confidentiality of information system resources (includes
hardware, software, firmware, information/ data, and
telecommunications).
• This definition introduces three key objectives that are at the
heart of computer security which are confidentiality, integrity
and availability
9
CONFIDENTIALITY
The term confidentiality covers two related concepts:
Data confidentiality: Assures that private or confidential
information is not made available or disclosed to unauthorized
individuals.
Privacy: Assures that individuals control or influence what
information related to them may be collected and stored and by
whom and to whom that information may be disclosed.

10
INTEGRITY
The term integrity covers two related concepts:
Data integrity: Assures that information and programs are
changed only in a specified and authorized manner.
System integrity: Assures that a system performs its intended
function in an unimpaired manner, free from deliberate or
inadvertent unauthorized manipulation of the system.

11
AVAILABILITY
Availability: Assures that systems work promptly and service is not
denied to authorized users.

These three concepts are called the CIA triad. The three concepts;
confidentiality, integrity and availability carries the fundamental security
objectives for data (information), information systems and computing services.

12
13
• We can provides some characterization of the CIA triad objectives in terms of
requirements and the definition of a loss of security in each category and also
adding two most commonly mention requirements of security:
Confidentiality: Preserving authorized restrictions on information access and
disclosure, including means for protecting personal privacy and proprietary
information. A loss of confidentiality is the unauthorized disclosure of
information.
Integrity: Guarding against improper information modification or destruction
including ensuring information nonrepudiation and authenticity. A loss of
integrity is the unauthorized modification or destruction of information.
Availability: Ensuring timely and reliable access to and use of information. A
loss of availability is the disruption of access to or use of information or an
information system.

14
• We can provides some characterization of the CIA triad objectives in terms of
requirements and the definition of a loss of security in each category and also
adding two most commonly mention requirements of security:
Authenticity: The property of being genuine and being able to be verified and
trusted; confidence in the validity of a transmission, a message, or message originator.
This means verifying that users are who they say they are and that each input arriving
at the system came from a trusted source.
Accountability: The security goal that generates the requirement for actions of
an entity to be traced uniquely to that entity. This supports non-repudiation,
deterrence, fault isolation, intrusion detection and prevention, and after-action
recovery and legal action. Because truly secure systems are not yet an
achievable goal, we must be able to trace a security breach to a responsible
party. Systems must keep records of their activities to permit later forensic
analysis to trace security breaches or to aid transaction dispute.

15
Some additional security concepts may include the following;
Security attack: Any action that compromises the security of
information owned by an organization.
Security mechanism: A process (or a device incorporating such a
process) that is designed to detect, prevent, or recover from a security
attack.
Security service: A processing or communication service that enhances
the security of the data processing systems and the information transfers of
an organization. The services are intended to counter security attacks, and
they make use of one or more security mechanisms to provide the service.

16
CHALLENGES OF COMPUTER
SECURITY
Computer and network security are both fascinating and complex. Due to
the complexity, it is difficult to attain a 100% goal of security in a
computer security system. Some of the challenges faced are;

The mechanisms used to meet those requirements can be quite complex, and
understanding them may involve rather subtle reasoning.
In developing a particular security mechanism or algorithm, one must always
consider potential attacks on those security features. In many cases, successful
attacks are designed by looking at the problem in a completely different way,
therefore exploiting an unexpected weakness in the mechanism.

17
CHALLENGES OF COMPUTER
SECURITY
Having designed various security mechanisms, it is necessary to decide
where to use them.
Security mechanisms typically involve more than a particular algorithm or
protocol. They also require that participants be in possession of some secret
information (e.g., an encryption key), which raises questions about the
creation, distribution, and protection of that secret information.
Computer and network security is essentially a battle of wits between a
perpetrator who tries to find holes and the designer or administrator who
tries to close them. The great advantage that the attacker has is that he or
she need only find a single weakness, while the designer must find and
eliminate all weaknesses to achieve perfect security.
18
CHALLENGES OF COMPUTER
SECURITY
Security requires regular, even constant, monitoring, and this is difficult in
today’s short-term, overloaded environment.
Security is still too often an afterthought to be incorporated into a system
after the design is complete rather than being an integral part of the design
process.

19
VULNERABILITY AND HACKING
Vulnerability:
In computer security, a vulnerability is a weakness which can be exploited by
a threat actor, such as an attacker, to cross privilege boundaries (i.e. perform
unauthorized actions) within a computer system. To exploit vulnerability, an
attacker must have at least one applicable tool or technique that can connect
to a system weakness. In this frame, vulnerabilities are also known as the
attack surface.
The common vulnerability that exists in both wired and wireless networks is
an ''unauthorized access" to a network. An attacker can connect his device to
a network though unsecure hub/switch port. In this regard, wireless network
are considered less secure than wired network, because wireless network can
be easily accessed without any physical connection.
20
VULNERABILITY AND HACKING
Hacking:
Hacking is an attempt to exploit a computer system or a private network
inside a computer. Simply put, it is the unauthorized access to or control over
computer network security systems for some illicit purpose. One can easily
assume them to be intelligent and highly skilled in computers.

Some terms that are mostly been used in the security interchangeably
or to mean more or less the same thing are; threats and attack

21
VULNERABILITY AND HACKING

Threat: A potential for violation of security, which exists when there is a

circumstance, capability, action, or event that could breach security and
cause harm. That is, a threat is a possible danger that might exploit a
vulnerability.
Attack: An assault on system security that derives from an intelligent threat;
that is, an intelligent act that is a deliberate attempt (especially in the sense of
a method or technique) to evade security services and violate the security
policy of a system.

22
VULNERABILITY AND HACKING

After accessing, an attacker can exploit this vulnerability to launch attacks

such as;
• Sniffing the· packet data to steal valuable information.
• Denial of service to legitimate users on a network by flooding the
network medium with spurious packets.
• Spoofing physical identities (MAC) of legitimate hosts and then
stealing data or further launching a ‘Man-in-the-middle’ attack.

23
SECURITY ATTACK

A useful means of classifying security attacks is in terms of passive attacks

and active attacks. A passive attack attempts to learn or make use of
information from the system but does not affect system resources. An active
attack attempts to alter system resources or affect their operation.

24
PASSIVE ATTACK

Passive attacks are in the nature

of eavesdropping on, or
monitoring of, transmissions as
shown in the figure. The goal
of the opponent is to obtain
information that is being
transmitted.
Two types of passive attacks
are the release of message
contents and traffic analysis.

25
PASSIVE ATTACK

The release of message contents is

easily understood. A telephone
conversation, an electronic mail
message, and a transferred file may
contain sensitive or confidential
information. We would like to
prevent an opponent from learning
the contents of these transmissions.

26
PASSIVE ATTACK

A second type of passive attack,

traffic analysis, is subtler. Suppose
that we had a way of masking the
contents of messages or other
information traffic so that opponents,
even if they captured the message,
could not extract the information
from the message. The common
technique for masking contents is
encryption.

27
PASSIVE ATTACK

If we had encryption protection in

place, an opponent might still be able
to observe the pattern of these
messages. The opponent could
determine the location and identity of
communicating hosts and could
observe the frequency and length of
messages being exchanged. This
information might be useful in
guessing the nature of the
communication that was taking place.

28
PASSIVE ATTACK

Passive attacks are very difficult to detect, because they do not involve any
alteration of the data. Typically, the message traffic is sent and received in
an apparently normal fashion, and neither the sender nor receiver is aware
that a third party has read the messages or observed the traffic pattern.
However, it is feasible to prevent the success of these attacks, usually by
means of encryption. Thus, the emphasis in dealing with passive attacks is
on prevention rather than detection.

29
ACTIVE ATTACK

Active attacks involve some modification of the data stream or the creation
of a false stream and can be subdivided into four categories: masquerade,
replay, modification of messages, and denial of service.

Masquerade: This takes place when one entity pretends to be a different

entity. A masquerade attack usually includes one of the other forms of
active attack. For example, authentication sequences can be captured and
replayed after a valid authentication sequence has taken place, thus
enabling an authorized entity with few privileges to obtain extra privileges
by impersonating an entity that has those privileges.

30
ACTIVE ATTACK

Masquerade: This takes place

when one entity pretends to be a
different entity. A masquerade
attack usually includes one of the
other forms of active attack. For
example, authentication sequences
can be captured and replayed after
a valid authentication sequence
has taken place, thus enabling an
authorized entity with few
privileges to obtain extra
privileges by impersonating an
entity that has those privileges.
31
ACTIVE ATTACK

Replay involves the passive capture

of a data unit and its subsequent
retransmission to produce an
unauthorized effect

32
ACTIVE ATTACK

Modification of messages simply

means that some portion of a
legitimate message is altered, or that
messages are delayed or reordered, to
produce an unauthorized effect. For
example, a message meaning “Allow
John Smith to read confidential file
accounts” is modified to mean “Allow
Fred Brown to read confidential file
accounts.”

33
ACTIVE ATTACK

Denial of Service: The denial of

service prevents or inhibits the normal
use or management of communications
facilities. This attack may have a
specific target; for example, an entity
may suppress all messages directed to
a particular destination. Another form
of service denial is the disruption of an
entire network either by disabling the
network or by overloading it with
messages so as to degrade
performance.
34
ACTIVE ATTACK

With a DoS attack, a hacker attempts to

render a network or an Internet
resource, such as a web server,
worthless to users. A DoS attack
typically achieves its goal by sending
large amounts of repeated requests that
paralyze the network or a server.

35
ACTIVE ATTACK

Active attacks present the opposite characteristics of passive attacks.

Whereas passive attacks are difficult to detect, measures are available to
prevent their success. On the other hand, it is quite difficult to prevent
active attacks absolutely because of the wide variety of potential physical,
software, and network vulnerabilities. Instead, the goal is to detect active
attacks and to recover from any disruption or delays caused by them. If the
detection has a deterrent effect, it may also contribute to prevention.

36
SECURITY MECHANISM

The following are mechanisms that can be implement in order to prevent

attacks.
 Encipherment: The use of mathematical algorithms to transform data
into a form that is not readily intelligible. The transformation and
subsequent recovery of the data depend on an algorithm and zero or
more encryption keys.
 Digital Signature: Data appended to, or a cryptographic transformation
of, a data unit that allows a recipient of the data unit to prove the source
and integrity of the data unit and protect against forgery (e.g., by the
recipient).
 Access Control: A variety of mechanisms that enforce access rights to
resources. 37
SECURITY MECHANISM

 Data Integrity: A variety of mechanisms used to assure the integrity of

a data unit or stream of data units.
 Authentication Exchange: A mechanism intended to ensure the identity
of an entity by means of information exchange.
 Traffic Padding: The insertion of bits into gaps in a data stream to
frustrate traffic analysis attempts.

38
SECURITY SERVICE

Security service which is a processing or communication service that is

provided by a system to give a specific kind of protection to system
resources; implements security policies and are implemented by security
mechanisms.
These services are;

 Authentication: The assurance that the communicating entity is the one

that it claims to be.
Access Control: The prevention of unauthorized use of a resource (i.e., this
service controls who can have access to a resource, under what conditions
access can occur, and what those accessing the resource are allowed to do).
39
SECURITY SERVICE

 Data Confidentiality: The protection of data from unauthorized

disclosure.
Data Integrity: The assurance that data received are exactly as sent by an
authorized entity (i.e., contain no modification, insertion, deletion, or
replay).
 Nonrepudiation: Provides protection against denial by one of the
entities involved in a communication of having participated in all or
part of the communication.

40
R E L AT I O N S H I P B E T W E E N S E C U R I T Y S E RV I C E S A N D
MECHANISMS

41
MODEL FOR NETWORK SECURITY

A Network Security Model exhibits how the security service has been designed
over the network to prevent the opponent from causing a threat to the
confidentiality or authenticity of the information that is being transmitted through
the network.
For a message to be sent or receive there must be a sender and a receiver. Both the
sender and receiver must also be mutually agreeing to the sharing of the message.
Now, the transmission of a message from sender to receiver needs a medium i.e.
Information channel which is an Internet service.
A logical route is defined through the network (Internet), from sender to the
receiver and using the communication protocols both the sender and the receiver
established communication.

42
MODEL FOR NETWORK SECURITY

Any security service would have the three components discussed below:
Transformation of the information which has to be sent to the receiver. So,
that any opponent present at the information channel is unable to read the
message. This indicates the encryption of the message.
Sharing of the secret information between sender and receiver of which the
opponent must not any clue. Yes, we are talking of the encryption key which
is used during the encryption of the message at the sender’s end and also
during the decryption of message at receiver’s end.

43
MODEL FOR NETWORK SECURITY

There must be a trusted third party which should take the responsibility of
distributing the secret information (key) to both the communicating parties
and also prevent it from any opponent.

44
MODEL FOR NETWORK SECURITY

45