01a - General Security Concepts

This document provides an overview of general security concepts, including understanding information security, the goals of security, the security process, access control, authentication methods, and security topologies. It defines key terms and examines aspects of securing the physical environment, operational security, management policies, and more. The document aims to comprehensively explain foundational security principles.

General Security Concepts

Contents

• Understanding Information Security
• Understanding the Goals of Information Security
• Comprehending the Security Process
• Authentication Issues to Consider
• Distinguishing between Security Topologies

Terminologies

• Protocol: an official set of steps or language for communication
• Algorithm: a specific set of steps to solve a problem or do some task
• String: a series of characters. For example, if a character can be a-z or 0-9, an 8-character string might be "ar01z14b"
• Control: a countermeasure or attempt to mitigate a security risk.
  • A firewall is a technical control. Policies are HR controls. Encryption is a technical control.

Information Security

• Security?
  • Physical security of servers and workstations
  • Protecting data from viruses and worms or from hackers and miscreants
  • The capability to restore files if a user accidentally deletes them
  • …
• Problems with security:
  • It is next to impossible for everyone to agree on what it means
  • We don't really mean that we want things to be completely secured
  • While everyone wants security, no one wants to be inconvenienced by it

Security Triad

Securing the Physical Environment

• Protecting your assets and information from physical access by unauthorized persons
• Threats often present themselves as service technicians, janitors, customers, vendors, or even employees
• Components of physical security:
  • Making a physical location less tempting as a target
  • Detecting a penetration or theft
  • Recovering from a theft or loss of critical information or systems

Examining Operational Security

• Operational security issues include:
  • Network access control (NAC)
  • Authentication
  • Security topologies after the network installation is complete
  • Daily operations of the network
  • Connections to other networks
  • Backup plans
  • Recovery plans
• In short, operational security encompasses everything that isn't related to design or physical security in the network

Working with Management and Policies

• Guidance, rules, and procedures for implementing a security environment
• Policies need the support of management to be carried out well.
• The issues that must be decided at the management and policy level affect the entire company and can greatly impact productivity, morale, and corporate culture

Working with Management and Policies

• A number of key policies are needed to secure a network. The following list identifies some broad areas that require thought and planning:
  • Administrative policies
  • Disaster recovery plans
  • Information policies
  • Security policies
  • Software design requirements
  • Usage policies
  • User management policies

Administrative Policies

• Administrative policies lay out guidelines and expectations for upgrades, monitoring, backups, and audits.
• System administrators and maintenance staff use these policies to conduct business.
• The policies must be:
  • Specific enough to help the administrative staff keep focused on the business of running the systems and networks
  • Flexible enough to allow for emergencies and unforeseen circumstances.

Disaster Recovery Plans (DRPs)

• A DRP is expensive to develop and to test, and it must be kept current.
• It takes into consideration virtually every type of occurrence or failure possible
• The key to its success is its completeness
• Many large companies invest huge amounts of money in DRPs, including backup or hot sites.

Information Policies

• Refer to the various aspects of information security, including access, classifications, marking and storage, and the transmission and destruction of sensitive information.
• Data classification matrix
  • Defines various classification levels
  • Public: For all advertisements and information posted on the Web
  • Internal: For all intranet-type information
  • Private: Personnel records, client data, and so on
  • Confidential: Public Key Infrastructure (PKI) information and other items restricted to all but those who must know them

Security Policies

• Define the configuration of systems and networks
• Security policies also define computer room and data center security as well as how identification and authentication (I&A) occurs.
• Things covered:
  • Determine how access control, audits, reports and network connectivity are handled.
  • Encryption and antivirus software
  • Establish procedures and methods used for password selection, account expiration, failed logon attempts, and related areas

Software Design Requirements

• Software design requirements outline what the capabilities of the system must be
• A software design policy should be specific about security requirements
• If the design doesn't include security as an integral part of the implementation, the network may have vulnerabilities.

Usage Policies

• Cover how information and resources are used
• Include statements about privacy, ownership, and the consequences of improper acts
• Usage policies should also address how users should handle incidents

User Management Policies

• Identify the various actions that must occur in the normal course of employee activities
• These policies must address how new employees are added to the system as well as managed.
• A user may acquire administrative privileges to the system by accident.

Goals of Information Security

• Prevention: preventing computer or information violations from occurring.
• Detection: identifying events when they occur.
• Response: developing strategies and techniques to deal with an attack or loss

Comprehending the Security Process

• Security is a combination of three Ps: processes, procedures, and policies.
• There are several parts to this process:
  • Appreciating Antivirus Software
  • Implementing Access Control
  • Authentication

Access Control

• Mandatory Access Control (MAC):
  • A static model that uses a predefined set of access privileges for files on the system.
  • The system administrators establish these parameters and associate them with an account, files, or resources.
  • MAC uses labels to identify the level of sensitivity that applies to objects.
  • When a user attempts to access an object, the label is examined to see if the access should take place or be denied.
  • One key element to remember is that when mandatory control is applied, labels are required and must exist for every object.

Access Control

• Discretionary Access Control (DAC):
  • The owner of a resource establishes privileges to the information they own.
  • Labels are not mandatory but can be applied as needed.
• Role-Based Access Control (RBAC):
  • A user acts in a certain predetermined manner based on the role the user holds in the organization.
  • The roles almost always shadow the organizational structure.
  • The RBAC model is common in network administrative roles.
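The three models above as small checks, an added example rather than code from the slides. MAC reuses the classification levels from the Information Policies slide as labels and rejects an unlabelled object outright, DAC lets only the owner grant rights, and RBAC attaches permissions to roles; all names, roles and levels are constructed.

```python
"""Added example (not from the slides): the three access-control models as
small Python checks. MAC uses the data-classification levels from the
Information Policies slide as labels; DAC lets only the owner grant rights;
RBAC attaches permissions to roles. Names, roles and levels are constructed."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Set

# Classification matrix from the slides, ordered from least to most sensitive.
LEVELS = {"public": 0, "internal": 1, "private": 2, "confidential": 3}

# Constructed role table; roles shadow the organizational structure.
ROLE_PERMS: Dict[str, Set[str]] = {
    "helpdesk": {"reset_password"},
    "netadmin": {"reset_password", "edit_firewall"},
}

@dataclass
class Subject:
    name: str
    clearance: str                       # MAC: highest label this user may read
    roles: FrozenSet[str] = frozenset()  # RBAC: roles held in the organization

@dataclass
class Resource:
    name: str
    owner: str                           # DAC: the owner sets privileges
    label: Optional[str] = None          # MAC: None models a missing label
    acl: Dict[str, Set[str]] = field(default_factory=dict)

def mac_can_read(subject: Subject, res: Resource) -> bool:
    """Mandatory: every object must carry a label; read only if clearance dominates it."""
    if res.label is None:
        raise ValueError(f"MAC requires a label on every object; {res.name!r} has none")
    return LEVELS[subject.clearance] >= LEVELS[res.label]

def dac_grant(res: Resource, granter: str, user: str, right: str) -> None:
    """Discretionary: only the resource owner may hand out rights on it."""
    if granter != res.owner:
        raise PermissionError(f"{granter} does not own {res.name}")
    res.acl.setdefault(user, set()).add(right)

def dac_allowed(res: Resource, user: str, right: str) -> bool:
    return user == res.owner or right in res.acl.get(user, set())

def rbac_allowed(subject: Subject, permission: str) -> bool:
    """Role-based: the user gets exactly the permissions of the roles it holds."""
    return any(permission in ROLE_PERMS.get(r, set()) for r in subject.roles)
```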

Authentication

• Authentication proves that a user or system is actually who they say they are.
• Authentication systems or methods are based on one or more of these three factors:
  • Something you know, such as a password or PIN
  • Something you have, such as a smart card or an identification device
  • Something physically unique to you, such as your fingerprints or retinal pattern

Biometrics

• Use physical characteristics to identify the user
  • Hand scanners
  • Retinal scanners
  • DNA scanners (not available for now)

Certificates

• Commonly used
• A server or certificate authority (CA) can issue a certificate that will be accepted by the challenging system.
• A Certificate Practice Statement (CPS) outlines the rules used for issuing and managing certificates
• A Certificate Revocation List (CRL) lists the revocations that must be addressed (often due to expiration) in order to stay current

Challenge Handshake Authentication Protocol

• CHAP doesn't use a user ID/password mechanism
  • The initiator sends a logon request from the client to the server.
  • The server sends a challenge back to the client.
  • The challenge is encrypted and then sent back to the server.
  • The server compares the value from the client
  • If the information matches, the server grants authorization.
  • If the response fails, the session fails, and the request phase starts over

Kerberos

• Originally designed by MIT
• Allows for a single sign-on to a distributed network.
• The Key Distribution Center (KDC) authenticates the principal (which can be a user, a program, or a system) and provides it with a ticket.
• After this ticket is issued, it can be used to authenticate against other principals. This occurs automatically when a request or service is performed by another principal
• The KDC can be a single point of failure

Multi-Factor Authentication

• Two or more access methods are included as part of the authentication process

Mutual Authentication

• Two or more parties authenticate each other
• Mutual authentication ensures that the client is not unwittingly connecting and giving its credentials to a rogue server, which can then turn around and steal the data from the real server
• Commonly, mutual authentication will be implemented when the data to be sent during the session is of a critical nature, such as financial or medical records

Password Authentication Protocol (PAP)

• One of the simplest forms of authentication
• No true security
• The username and password values are both sent to the server as clear text and checked for a match.
• If they match, the user is granted access; if they don't match, the user is denied access
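The CHAP handshake from the earlier slide next to PAP, both sides simulated in one process, as an added example that is not from the slides. The CHAP response is the RFC 1994 one-way hash MD5(identifier || secret || challenge), which is the step the slide describes as encrypting the challenge; the user, secret and wire layout are constructed.

```python
"""Added example (not from the slides): the CHAP exchange next to PAP, with
client and server simulated in one process. The CHAP response is the
RFC 1994 one-way hash MD5(identifier || secret || challenge). The user,
secret and message layout are constructed for illustration."""
import hashlib
import hmac
import os
from typing import Dict, Tuple

USERS: Dict[str, bytes] = {"alice": b"s3cret-pw"}  # constructed server-side secret store

def chap_challenge() -> Tuple[int, bytes]:
    """Server step: a fresh identifier and random challenge for every attempt."""
    return os.urandom(1)[0], os.urandom(16)

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """Client step: hash the challenge with the shared secret; the secret never leaves the client."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def chap_verify(ident: int, challenge: bytes, name: str, response: bytes) -> bool:
    """Server step: recompute the expected value and compare in constant time."""
    secret = USERS.get(name)
    if secret is None:
        return False
    return hmac.compare_digest(chap_response(ident, secret, challenge), response)

def chap_session(name: str, client_secret: bytes) -> Tuple[bool, Dict[str, bytes]]:
    """Run the three-way handshake; also return what crossed the wire."""
    ident, challenge = chap_challenge()                        # server -> client
    response = chap_response(ident, client_secret, challenge)  # client -> server
    ok = chap_verify(ident, challenge, name, response)         # server decides
    return ok, {"challenge": challenge, "response": response}

def chap_replay(name: str, captured_response: bytes) -> bool:
    """A response captured from one session is useless against the next challenge."""
    ident, challenge = chap_challenge()
    return chap_verify(ident, challenge, name, captured_response)

def pap_session(name: str, password: bytes) -> Tuple[bool, bytes]:
    """PAP: username and password cross the wire in clear text and are compared."""
    wire = name.encode() + b":" + password
    return USERS.get(name) == password, wire
```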

Security Tokens

• A small piece of data that holds a sliver of information about the user

Smart Cards

• A type of badge or card that gives you access to resources, including buildings, parking lots, and computers.
• Contains information about one's identity and access privileges.
• Each area or computer has a card scanner or a reader in which you insert your card.
• Smart cards often also require the use of a small password called a PIN (personal identification number), which further secures the smart card if it is lost by the true card holder, so that it cannot be used by someone else to gain access to data and resources.

Smart Card Authentication Process

Username/Password

Authentication Issues

• Capabilities of people who will be working with policies.
• Be wary of popular names or current trends that make certain passwords predictable.
• Distinguish between the identification process and the authentication process

Security Topology

• Design goals
• Security zones
• Technologies
• Business requirements

Setting Design Goals

• Confidentiality: Prevent or minimize unauthorized access to and disclosure of data and information
• Integrity: Making sure that the data being worked with is the correct data
• Availability: Protect data and prevent its loss
• Accountability: Who owns the data or is responsible for making sure that it's accurate

Creating Security Zones

• Four most common security zones:
  • Internet
  • Intranet
  • Extranet
  • Demilitarized zone (DMZ)

The Internet – Typical LAN connection

The Internet – Cisco Network Diagram

Intranets

Extranets

• Extend intranets to include outside connections to partners
• Connect to a partner via a private network or a connection using a secure communications channel across the Internet

Demilitarized Zone (DMZ)

• A demilitarized zone (DMZ) is an area where you can place a public server for access by people you might not trust otherwise
• By isolating a server in a DMZ, you can hide or remove access to other areas of your network
• Use firewalls to isolate your network

Some Technologies

• Virtualization Technology (VT)
• VLANs
• Network Address Translation (NAT)
• Tunneling

Virtualization

• Today's x86 computer hardware was designed to run a single operating system and a single application, leaving most machines vastly underutilized.
• Virtualization lets you run multiple virtual machines on a single physical machine, with each virtual machine sharing the resources of that one physical computer across multiple environments.
• Different virtual machines can run different operating systems and multiple applications on the same physical computer.

Why Virtualize?

• Get more out of your existing resources
• Reduce datacenter costs by reducing your physical infrastructure and improving your server-to-admin ratio
• Increase availability of hardware and applications for improved business continuity
• Gain operational flexibility
• Improve desktop manageability and security

Virtual Local Area Networks

• A virtual local area network (VLAN) allows you to create groups of users and systems and segment them on the network.
• This segmentation lets you hide segments of the network from other segments and thereby control access.
• You can also set up VLANs to control the paths that data takes to get from one point to another. A VLAN is a good way to contain network traffic to a certain area in a network.

Network Address Translation

• Originally, NAT extended the number of usable Internet addresses
• Allows an organization to present a single address to the Internet for all computer connections
• The NAT server provides IP addresses to the hosts or systems in the network and tracks inbound and outbound traffic.
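The single-public-address behaviour and the inbound/outbound tracking described above, as an added example that is not from the slides: a minimal port address translation table that rewrites every inside host to one public address, maps replies back by the port it assigned, and drops inbound packets no inside host asked for. The addresses come from the documentation ranges and are constructed.

```python
"""Added example (not from the slides): a minimal port address translation
(PAT) table. Every inside host appears on the Internet as one public address;
the translator records each outbound flow so replies can be mapped back, and
drops inbound packets that no inside host initiated. Addresses are from the
documentation ranges and constructed for illustration."""
from typing import Dict, Optional, Tuple

Packet = Dict[str, object]   # keys: src, sport, dst, dport, payload

class Nat:
    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        # outbound flow (src, sport, dst, dport) -> public source port assigned to it
        self.out: Dict[Tuple[str, int, str, int], int] = {}
        # (public port, remote ip, remote port) -> inside (ip, port) that owns the flow
        self.back: Dict[Tuple[int, str, int], Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite an inside host's source address to the single public one."""
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if key not in self.out:                     # first packet of this flow
            port = self.next_port
            self.next_port += 1
            self.out[key] = port
            self.back[(port, pkt["dst"], pkt["dport"])] = (pkt["src"], pkt["sport"])
        return {**pkt, "src": self.public_ip, "sport": self.out[key]}

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Map a reply back to the inside host; unsolicited traffic returns None (dropped)."""
        entry = self.back.get((pkt["dport"], pkt["src"], pkt["sport"]))
        if entry is None:
            return None
        inside_ip, inside_port = entry
        return {**pkt, "dst": inside_ip, "dport": inside_port}
```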

Tunneling

• Tunneling refers to creating a virtual dedicated connection between two systems or networks.
• You create the tunnel between the two ends by encapsulating the data in a mutually agreed-upon protocol for transmission.
• In most tunnels, the data passed through the tunnel appears at the other side as part of the network.
• Tunneling protocols usually include data security as well as encryption. Several popular standards have emerged for tunneling, with the most popular being the Layer 2 Tunneling Protocol (L2TP).

Tunneling

• Tunneling sends private data across a public network by placing (encapsulating) that data into other packets. Most tunnels are virtual private networks (VPNs).
