Network Security

Uploaded by fraj elabani

Ch. 2: Network Security

Preface:

The first question to address is what we mean by "network security." Several possible
fields of effort come to mind within this broad topic, and each is worthy of a lengthy
article. To begin, virtually all the security policy issues raised in Matt Bishop's book
Computer Security: Art and Science [1] apply to network security as well as to general
computer security. Viewed from this perspective, network security is a subset of computer
security.

References
[1] M. Bishop, Computer Security: Art and Science, Addison-Wesley (Pearson Education), 2003.

The art and science of cryptography and its role in providing confidentiality, integrity, and
authentication represents another distinct focus even though it’s an integral feature of
network security policy.

The topic also includes design and configuration issues for both network-perimeter and
computer system security. References in this area include Stephen Northcutt and
colleagues' Inside Network Perimeter Security [2], the classic Firewalls and Internet
Security [3] by William Cheswick and Steven Bellovin, and too many specific system
configuration texts to list. These are merely starting points for the interested novice.

[2] S. Northcutt et al., Inside Network Perimeter Security, New Riders Publishing, 2003.
[3] W. R. Cheswick and S. M. Bellovin, Firewalls and Internet Security: Repelling the Wily
Hacker, Addison-Wesley, 1994.

Outline of Ch.2:

This second chapter of the project contains fundamental knowledge on network security
and related topics. It covers the fundamental concepts of network security and the
processes and means required to implement a secure network; its goal is to provide an
understanding of security engineering processes. The material is arranged to move
smoothly from fundamental principles and basic knowledge to the practical details of
network security.
The chapter also describes the main network protocols, in particular the OSI and TCP/IP
models. The fundamental concepts of wireless communication and wireless security are
explained, including coding schemes, the different generations of wireless technology,
and wireless vulnerabilities. In general, this chapter addresses the following areas:

- Network Security Background: This first section provides a foundation for the
current state of network security so you can understand the key issues and areas of
focus. It lays the groundwork for the rest of the project and for building a robust
knowledge base on network security.

- State of Network Security: In order to be able to properly protect an organization,
we need to understand the current state of network security, what is happening, and
what risks an organization needs to be most concerned with. Even though cyber
security is gaining a lot of attention, many organizations have a perception of
what's happening that is not always aligned with reality.

- Attacks and Threats: The only way to have a good defense is by understanding
the offense. This chapter looks at the various threats that organizations face and
dissects them into specific attacks that can be launched against an
organization. By understanding the specific attacks, these can be mapped against key
vulnerabilities and used as a roadmap to securing an organization.

- Network Protocols: This chapter briefly explains the OSI and TCP/IP models and the
IP, ICMP, TCP, and UDP protocols. It also reviews address resolution concepts and
methods and relates them to the general goals of network security.

- The Future: Just because an organization is secure today does not mean it will be
secure in the future. Risks and the corresponding threats and vulnerabilities are
always changing so organizations need to focus on mission resiliency, making sure
that critical business processes continue to operate regardless of any threats that
might exist.

After this chapter, we will have a solid foundation and a clear roadmap for implementing
effective, proactive security across an organization. Always remember that security is
about managing risk to critical assets, so before we spend a dollar of our budget or an hour
of our time we should ask these three important questions:
■ What is the risk?
■ Is it the highest priority risk?
■ What is the most cost-effective way of reducing the risk?

In the next chapters of the project, the topics addressed will include implementing virtual
private networks (VPNs), and applying different protocols to protect information
transmitted over the Internet. Chapter 3 explains the functioning of virtual private networks
(VPNs) and the considerations that must be addressed before implementing a VPN. It also
surveys the various protocols now in use and presents an example of a low-cost VPN
implementation.

As we finish up the project, the last chapters look at putting everything we have learned
together into an integrated solution. Network Security is not about deploying products or
technology; it is about solutions that provide proactive security to enable mission resilience
focusing on reducing risk to an organization's critical assets.

Overview of Basic Security Concepts:

It seems that every other day there is a story in the newspapers about a computer network
being compromised by hackers. Every organization should monitor its systems for possible
unauthorized intrusion and other attacks. This needs to be part of the daily routine of every
organization's IT unit, as it is essential to safeguarding a company's information assets.

The most reliable way to ensure the safety of a company's computers is to refrain from
putting them on a network and to keep them behind locked doors. Unfortunately, however,
that is not a very practical solution. Today, computers are most useful if they are
networked together to share information and resources, and companies that put their
computers on a network need to take some simple precautions to reduce the risk of
unauthorized access.

It may seem absurd to ask the question "Why is computer and network security
important?", but it is crucial for organizations to define why they want to achieve computer
security in order to determine how they will achieve it. The answer is also a useful tool when
seeking senior management's authorization for security-related expenditures. Computer
and network security is important for the following reasons:
• To protect company assets
• To gain a competitive advantage
• To comply with regulatory requirements and fiduciary responsibilities
• To keep your job

One thing to keep in mind is that network security costs money: It costs money to hire,
train, and retain personnel; to buy hardware and software to secure an organization's
networks; and to pay for the increased overhead and degraded network and system
performance that results from firewalls, filters, and intrusion detection systems (IDSs). As
a result, network security is not cheap. However, it is probably cheaper than the costs
associated with having an organization's network compromised.

History

The need for network security is a relatively new requirement. Prior to the 1980s most
computers were not networked. It was not due to a lack of desire to network them; it was
more a result of the lack of technology. Most systems were mainframes or midrange
systems that were centrally controlled and administered. Users interfaced with the
mainframe through "dumb" terminals with limited capabilities. Each terminal required a
physical connection on a dedicated port, usually a serial connection using the RS-232
standard, so one port served one terminal. IBM, Digital Equipment, and other computer
manufacturers developed variations on this architecture using terminal servers, but the
basic concept was the same. There was nothing equivalent to what we experience today,
where hundreds if not thousands of connections can reach a system over a single network
circuit.

In the 1980s, the combination of the development of the personal computer (PC), the
development of network protocol standards, the decrease in the cost of hardware, and the
development of new applications made networking a much more accepted practice. As a
result, LANs, WANs, and distributed computing experienced tremendous growth during
that period.

When first deployed, LANs were relatively secure, mainly because they were physically
isolated. They were not usually connected to WANs, so their standalone nature protected
the network resources.

WANs actually preceded LANs and had been around for some time, but they were usually
centrally controlled and accessible by only a few individuals in most organizations. WANs
utilizing direct or dedicated privately owned or leased circuits were relatively secure
because access to the circuits was limited. To connect two locations (points A and B) usually
required a point-to-point (A-B) circuit. Connecting a third location (point C) to both A and
B required two more circuits (A-C and B-C), so the number of circuits grew quickly.

Development of packet-switched protocols such as X.25 and Transmission Control
Protocol/Internet Protocol (TCP/IP) reduced the cost to deploy WANs, thus making them
more attractive to implement. These protocols allowed many systems to share circuits.
Many people or organizations could be interconnected over the shared network. It was no
longer necessary to connect systems in a point-to-point configuration. Vulnerabilities were
introduced with the deployment of this distributed environment utilizing shared, packet-
switched networks employing protocols such as TCP/IP and the concept of trusted
systems.

Systems on the network "trusted" each other. This situation was frequently made worse by
connecting relatively secure LANs to an unsecured WAN. Basically, an organization's
network connections enter into the cloud of the packet-switched network. Other
organizations share the cloud, and on the packet-switched network one company's packets
are intermixed with another organization's packets.

In this distributed environment the emphasis was on providing ease of access and
connectivity. Security was an afterthought, if it was considered at all. As a result, many
systems were wide open and vulnerable to threats that previously had not existed.

The Internet is the largest and best known of this type of network. The Internet utilizes
TCP/IP and was primarily designed to connect computers regardless of their operating
systems in an easy and efficient manner. Security was not part of the early design of
TCP/IP, and there have been a number of widely publicized attacks that have exploited
inherent weaknesses in its design. One well-known event was the Internet Worm (the
Morris worm) that brought the Internet to its knees in November 1988. Today, security has
to be more important than ease of access.

The Security Trinity

The three legs of the "security trinity," prevention, detection, and response, comprise the
basis for network security. The security trinity should be the foundation for all security
policies and measures that an organization develops and deploys. See Figure 2.1.
Figure 2.1: The security trinity.

1- Prevention
The foundation of the security trinity is prevention. To provide some level of security, it is
necessary to implement measures to prevent the exploitation of vulnerabilities. In
developing network security schemes, organizations should emphasize preventative
measures over detection and response: it is easier, more efficient, and much more cost-
effective to prevent a security breach than to detect or respond to one. Remember that it is
impossible to devise a security scheme that will prevent all vulnerabilities from being
exploited, but companies should ensure that their preventative measures are strong enough
to discourage potential criminals, so that they move on to an easier target.

2- Detection
Once preventative measures are implemented, procedures need to be put in place to detect
potential problems or security breaches in the event that preventative measures fail. As later
chapters show, it is very important that problems be detected immediately. The sooner a
problem is detected, the easier it is to correct and clean up.

3- Response
Organizations need to develop a plan that identifies the appropriate response to a security
breach. The plan should be in writing and should identify who is responsible for what
actions and the varying responses and levels of escalation.

Before beginning a meaningful discussion on computer and network security, we need to
define what it entails. First, network security is not a technical problem; it is a business and
people problem. The technology is the easy part. The difficult part is developing a security
plan that fits the organization's business operation and getting people to comply with the
plan. Next, companies need to answer some fundamental questions, including the
following.
• How do you define network security?
• How do you determine what is an adequate level of security?
To answer these questions, it is necessary to determine what you are trying to protect.

Information Security
Network security is concerned, above all else, with the security of company information
assets. We often lose sight of the fact that it is the information, and our ability to access that
information, that we are really trying to protect, not the computers and networks. A
simple definition of information security:

Information security = confidentiality + integrity + availability + authentication.

There can be no information security without confidentiality, which ensures that
unauthorized users cannot read, intercept, or copy information. At the same time,
integrity is necessary so that organizations have enough confidence in the accuracy of the
information to act upon it. Moreover, information security requires organizations to be able
to retrieve data (availability); security measures are worthless if organizations cannot gain
access to the vital information they need to operate when they need it. Finally, information
is not secure without authentication, which establishes that a user really is who they claim
to be; only then can authorization decide whether that user is allowed access.

Information security is also about procedures and policies that protect information from
accidents, incompetence, and natural disasters. Such policies and procedures need to
address the following:
• Backups, configuration controls, and media controls;
• Disaster recovery and contingency planning;
• Data integrity.

It is also important to remember that network security is not absolute. All security is
relative. Network security should be thought of as a spectrum that runs from very unsecure
to very secure. The level of security for a system or network is dependent on where it lands
along that spectrum relative to other systems. It is either more secure or less secure than
other systems relative to that point. There is no such thing as an absolutely secure network
or system.

Network security is a balancing act that requires the deployment of "proportionate
defenses." The defenses that are deployed or implemented should be proportionate to the
threat. Organizations determine what is appropriate in several ways, described as follows.
• Balancing the cost of security against the value of the assets they are protecting;
• Balancing the probable against the possible;
• Balancing business needs against security needs.

Risk Assessment
The concept of risk assessment is crucial to developing proportionate defenses. To perform
a risk analysis, organizations need to understand possible threats and vulnerabilities. Risk
is the probability that a vulnerability will be exploited, weighed against the loss that the
organization would suffer if it were. The basic steps for risk assessment are as follows:
1. Identifying and prioritizing assets;
2. Identifying vulnerabilities;
3. Identifying threats and their probabilities;
4. Identifying countermeasures;
5. Developing a cost-benefit analysis;
6. Developing security policies and procedures.
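The six steps above, carried through in code as an added example (not part of the original chapter). It uses the common quantitative model in which the annualized loss expectancy (ALE) of a threat is the single-loss expectancy (asset value times the fraction lost per incident) multiplied by the annualized rate of occurrence; the chapter does not name this model, and the asset values, probabilities, control costs and effectiveness figures below are constructed for illustration. The point it makes concrete is step 5: a control is proportionate only when the loss it avoids exceeds what it costs.

```python
"""Quantitative risk assessment: rank assets, cost out countermeasures.

Added example, not from the original chapter. SLE/ARO/ALE is a standard
model the chapter does not name; all figures are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Threat:
    name: str
    vulnerability: str      # step 2: the weakness this threat exploits
    aro: float              # step 3: expected occurrences per year
    exposure: float         # fraction of the asset value lost per incident


@dataclass
class Countermeasure:
    name: str
    annual_cost: float
    aro_reduction: float    # fraction by which it cuts the ARO (0..1), assumed
    covers: set[str]        # names of the threats it addresses


@dataclass
class Asset:
    name: str
    value: float            # step 1: what the asset is worth to the business
    threats: list[Threat] = field(default_factory=list)

    def ale(self, threat: Threat, aro_scale: float = 1.0) -> float:
        """Annualized loss expectancy = SLE * ARO, with SLE = value * exposure."""
        return self.value * threat.exposure * threat.aro * aro_scale

    def total_ale(self) -> float:
        return sum(self.ale(t) for t in self.threats)


def prioritise_assets(assets: list[Asset]) -> list[Asset]:
    """Step 1: the asset with the largest expected annual loss comes first."""
    return sorted(assets, key=Asset.total_ale, reverse=True)


def net_benefit(asset: Asset, cm: Countermeasure) -> float:
    """Step 5: ALE avoided by the control minus what the control costs.
    Negative means the control is disproportionate to the threat."""
    avoided = sum(
        asset.ale(t) - asset.ale(t, aro_scale=1.0 - cm.aro_reduction)
        for t in asset.threats
        if t.name in cm.covers
    )
    return avoided - cm.annual_cost


def recommend(asset: Asset, candidates: list[Countermeasure]) -> list[str]:
    """Step 4 + 5: controls that pay for themselves, best value first."""
    scored = sorted(((net_benefit(asset, cm), cm.name) for cm in candidates), reverse=True)
    return [name for benefit, name in scored if benefit > 0]


# Constructed inventory for the worked example.
CUSTOMER_DB = Asset("customer database", value=500_000.0, threats=[
    Threat("credential theft", "weak remote-access passwords", aro=0.5, exposure=0.4),
    Threat("ransomware", "unpatched file server", aro=0.2, exposure=0.8),
])
PUBLIC_WEB = Asset("marketing web site", value=20_000.0, threats=[
    Threat("defacement", "outdated CMS", aro=1.0, exposure=0.5),
])
CONTROLS = [
    Countermeasure("MFA for remote access", 15_000.0, 0.9, {"credential theft"}),
    Countermeasure("offline backups + patching", 25_000.0, 0.7, {"ransomware"}),
    Countermeasure("24x7 outsourced SOC", 400_000.0, 0.5, {"credential theft", "ransomware"}),
]

if __name__ == "__main__":
    for asset in prioritise_assets([PUBLIC_WEB, CUSTOMER_DB]):
        print(f"{asset.name}: expected annual loss {asset.total_ale():,.0f}")
    for cm in CONTROLS:
        print(f"  {cm.name}: net benefit {net_benefit(CUSTOMER_DB, cm):,.0f}")
    print("buy, in order:", recommend(CUSTOMER_DB, CONTROLS))
```

On these figures the database carries an expected loss of 180,000 a year and the web site 10,000, so the database is worked first; MFA and backups both pay for themselves, while the outsourced SOC avoids 90,000 of loss for a 400,000 price tag and is rejected as disproportionate. Step 6 is the policy that records these decisions.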

Security Models
There are three basic approaches used to develop a network security model. Usually,
organizations employ some combination of the three approaches to achieve security. The
three approaches are security by obscurity, the perimeter defense model, and the defense in
depth model.

1- Security by Obscurity
Security by obscurity relies on stealth for protection. The concept behind this model is that
if no one knows that a network or system is there, then it won't be subject to attack. The
basic hope is that hiding a network or at least not advertising its existence will serve as
sufficient security. The problem with this approach is that it never works in the long term,
and once detected, a network is completely vulnerable.

2- The Perimeter Defense
The perimeter defense model is analogous to a castle surrounded by a moat. When using
this model in network security, organizations harden or strengthen perimeter systems and
border routers, or an organization might "hide" its network behind a firewall that separates
the protected network from an untrusted network. Not much is done to secure the other
systems on the network. The assumption is that perimeter defenses are sufficient to stop
any intruders so that the internal systems will be secure.

There are several flaws in this concept. First, this model does nothing to protect internal
systems from an inside attack: many of the attacks on company networks are launched by
someone inside the organization, and the perimeter never sees them. Second, the perimeter
defense almost always fails eventually. Once it does, the internal systems are left wide
open to attack.

3- The Defense in Depth
The most robust approach to use is the defense in depth model. The defense in depth
approach strives for security by hardening and monitoring each system; each system is an
island that defends itself. Extra measures are still taken on the perimeter systems, but the
security of the internal network does not rest solely on the perimeter systems. This
approach is more difficult to achieve and requires that all system and network
administrators do their part. With this model, however, the internal network is much less
likely to be compromised if a system administrator on the network makes a mistake such as
putting an unsecured modem on a system. With the defense in depth approach, the
system with the modem may be compromised, but the other systems on the network will be
able to defend themselves, and they should also be able to detect any attempted attacks
from the compromised system. This approach also provides much more protection against
an internal intruder, whose activities are much more likely to be detected.
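The detection that the defense in depth model makes possible, as an added example (not code from the original chapter): when every internal host runs its own default-drop firewall and logs what it rejects, a compromised peer sweeping the LAN shows up in the other hosts' logs, and a public address appearing in an internal host's log is direct evidence that the perimeter has failed. The log lines are constructed in the style of iptables/nftables kernel log messages (the `hostfw-drop:` prefix, the `10.0.0.0/8` internal range and the sweep threshold are assumptions; the SRC/DST/DPT field names follow the real kernel format). Under the perimeter-only model the same hosts would accept these connections and write nothing.

```python
"""Correlate host-firewall drop logs from several internal hosts.

Added example, not from the original chapter. Log lines are constructed;
the 'hostfw-drop:' prefix and the internal range are assumptions.
"""
from __future__ import annotations
import ipaddress
import re
from collections import defaultdict

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed corporate address range
SWEEP_THRESHOLD = 3                             # distinct hosts one source must hit

# Syslog-style kernel log line: "<date> <host> kernel: hostfw-drop: IN=... SRC=... DST=... PROTO=... DPT=..."
LINE_RE = re.compile(
    r"^\S+\s+\d+\s+[\d:]+\s+(?P<host>\S+) kernel: hostfw-drop: "
    r".*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+)"
    r"(?:.*?DPT=(?P<dpt>\d+))?"
)

# Constructed sample: 10.0.5.23 (the host with the unsecured modem) probes four
# peers; 10.0.5.77 makes one stray connection; 203.0.113.9 is a public address
# that should never have reached an internal host at all.
LOG_LINES = """\
Mar  3 09:12:01 fileserver kernel: hostfw-drop: IN=eth0 OUT= SRC=10.0.5.23 DST=10.0.5.40 PROTO=TCP SPT=51342 DPT=445
Mar  3 09:12:01 fileserver kernel: hostfw-drop: IN=eth0 OUT= SRC=10.0.5.23 DST=10.0.5.40 PROTO=TCP SPT=51343 DPT=139
Mar  3 09:12:02 hr-db kernel: hostfw-drop: IN=eth0 OUT= SRC=10.0.5.23 DST=10.0.5.41 PROTO=TCP SPT=51344 DPT=1433
Mar  3 09:12:02 hr-db kernel: hostfw-drop: IN=eth0 OUT= SRC=10.0.5.23 DST=10.0.5.41 PROTO=TCP SPT=51345 DPT=3389
Mar  3 09:12:03 intranet kernel: hostfw-drop: IN=eth0 OUT= SRC=10.0.5.23 DST=10.0.5.42 PROTO=TCP SPT=51346 DPT=22
Mar  3 09:12:04 build01 kernel: hostfw-drop: IN=eth0 OUT= SRC=10.0.5.23 DST=10.0.5.43 PROTO=TCP SPT=51347 DPT=22
Mar  3 09:15:10 hr-db kernel: hostfw-drop: IN=eth0 OUT= SRC=10.0.5.77 DST=10.0.5.41 PROTO=TCP SPT=40012 DPT=1433
Mar  3 09:20:44 fileserver kernel: hostfw-drop: IN=eth0 OUT= SRC=203.0.113.9 DST=10.0.5.40 PROTO=TCP SPT=55001 DPT=445
"""


def parse(log_text: str):
    """Yield one dict per drop record; lines that are not drop records are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def analyse(log_text: str) -> dict[str, dict]:
    """Group drops by source address and classify each source.

    A source outside INTERNAL is a perimeter breach regardless of volume;
    an internal source that is rejected by SWEEP_THRESHOLD or more distinct
    hosts is sweeping the LAN. Single stray connections are not reported.
    """
    by_src: dict[str, dict] = defaultdict(lambda: {"hosts": set(), "ports": set(), "count": 0})
    for rec in parse(log_text):
        entry = by_src[rec["src"]]
        entry["hosts"].add(rec["host"])
        if rec["dpt"]:
            entry["ports"].add(int(rec["dpt"]))
        entry["count"] += 1

    findings: dict[str, dict] = {}
    for src, entry in by_src.items():
        if ipaddress.ip_address(src) not in INTERNAL:
            kind = "perimeter breach"
        elif len(entry["hosts"]) >= SWEEP_THRESHOLD:
            kind = "internal sweep"
        else:
            continue
        findings[src] = {
            "kind": kind,
            "hosts": sorted(entry["hosts"]),
            "ports": sorted(entry["ports"]),
            "count": entry["count"],
        }
    return findings


if __name__ == "__main__":
    for src, f in analyse(LOG_LINES).items():
        print(f"{src}: {f['kind']} - {f['count']} drops on {len(f['hosts'])} hosts, ports {f['ports']}")
```

Each host's log on its own looks like noise (a couple of rejected connections); the sweep only becomes visible because every island logs its own rejections and somebody collects them. The same correlation run against a flat, perimeter-only network has no input to work with.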

Chapter 2: Threats, Vulnerabilities, and Attacks
