Uploaded by Abdi Garoma

Chapter Four

Network Security Management


Introduction
The security architecture addresses three essential issues:
1. What kind of protection is needed and against what threats?
2. What are the distinct types of network equipment and facility groupings that need to be protected?
3. What are the distinct types of network activities that need to be protected?

Security Layers
Security Layers represent a hierarchical approach to securing a network:
• Mapping of the network equipment and facility groupings to Security Layers
• Determining how the network elements in upper layers can rely on protection that the lower layers provide.

Threat Model (simplified)
Threat Models:
1 - Destruction (an attack on availability):
   – Destruction of information and/or network resources
2 - Corruption (an attack on integrity):
   – Unauthorized tampering with an asset
3 - Removal (an attack on availability):
   – Theft, removal or loss of information and/or other resources
4 - Disclosure (an attack on confidentiality):
   – Unauthorized access to an asset
5 - Interruption (an attack on availability):
   – Interruption of services. Network becomes unavailable or unusable

Eight Security Dimensions Address the Breadth of Network Vulnerabilities
• Access Control: Limit & control access to network elements, services & applications. Examples: password, firewall
• Authentication: Provide proof of identity. Examples: a shared secret, digital signature, digital certificate
• Non-repudiation: Prevent the ability to deny that an activity on the network occurred. Examples: system logs, digital signatures
• Data Confidentiality: Ensure confidentiality of data. Example: Encryption
• Communication Security: Ensure information only flows from source to destination. Examples: VPN, MPLS, L2TP
• Data Integrity: Ensure data is received as sent or retrieved as stored. Examples: MD5, digital signature, anti-virus software
• Availability: Ensure network elements, services and applications are available to legitimate users. Examples: IDS/IPS, network redundancy, BC/DR
• Privacy: Ensure identification and network use is kept private. Examples: NAT, Encryption
Each Security Dimension is applied to each Security Perspective (layer and plane).

Three Security Layers
Vulnerabilities, Threats and Attacks:  Destruction   Corruption   Removal   Disclosure   Interruption
3 - Applications Security Layer:
• Network-based applications accessed by end-users
• Examples:
   – Web browsing
   – Directory assistance
   – Email
   – E-commerce
2 - Services Security Layer:
• Services provided to end-users
• Examples:
   – Frame Relay, ATM, IP
   – Cellular, Wi-Fi
   – VoIP, QoS, IM, Location services
   – Toll free call services
1 - Infrastructure Security Layer:
• Fundamental building blocks of network services and applications
• Examples:
   – Individual routers, switches, servers
   – Point-to-point WAN links and Ethernet links
Cont.…
 Infrastructure Security Layer
    Individual routers, servers
    Communication links
 Services Security Layer
    Basic IP transport
    IP support services (e.g., AAA (Authentication, Authorization and Accounting), DNS (Domain Name System), DHCP (Dynamic Host Configuration Protocol))
    Value-added services (e.g., VPN, VoIP, QoS)
 Applications Security Layer
    Basic applications (e.g., FTP, web access)
    Fundamental applications (e.g., email)
    High-end applications (e.g., e-commerce, e-
Reviewing the TCP/IP Communications Flow
When a user at a computer wants to access a Web page:
   The user starts a Web browser application and types the name of the Web site.
   The web browser application generates a request to have the Web site name resolved to an IP address.
   The browser then attempts to establish communications with that Web site.
When application data is sent from one computer to another:
   The information is passed from the Application layer to the Transport layer.
   The Transport layer protocols:
      Consider the Application layer information as the payload (or data)
      Create a header that contains information such as source and destination port
   Information is passed to the Internet layer.

Cont.…
   The Internet layer protocols:
      Consider the Transport layer information as the payload
      Create an IP header that contains information such as source and destination IP addresses
   Information is passed to the Network Interface layer.
   The Network Interface layer protocols:
      Consider the Internet layer information as the payload
      Create a preamble and a frame header, which contains the source and destination MAC addresses, and trailer information, called a checksum, that contains the count of the number of bits in a transmission so that the receiver can ensure the packet did not get damaged in transit.
   The information is placed on the local network.
Cont.…
At the destination, when the information reaches the destination computer:
   The Network Interface layer protocols strip the preamble and checksum from the packets and then pass the payload to the Internet layer.
   The Internet layer protocols strip the IP header from the packet and pass the payload to the Transport layer.
   The Transport layer protocol strips the TCP or UDP header and passes the payload to the Application layer.
   The application that is specified to manage that data receives the data.

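The encapsulation and decapsulation steps on the preceding slides, as an added example that is not part of the lecture: the sender wraps application data in UDP, IPv4 and Ethernet headers (with an IPv4 header checksum and a CRC-32 frame check sequence as the trailer), and the receiver strips them in reverse order, refusing a frame whose FCS or IP header checksum no longer matches. The MAC addresses, IP addresses, ports and payload are constructed sample values; the frame is built and parsed in memory and is never placed on a network.

```python
import struct
import zlib

IPV4_ETHERTYPE = 0x0800
PROTO_UDP = 17


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words, as used in the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def transport_layer(app_data: bytes, src_port: int, dst_port: int) -> bytes:
    """Transport layer: the application data becomes the payload; a UDP header
    (source port, destination port, length; checksum left 0 = not used) is added."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(app_data), 0) + app_data


def internet_layer(segment: bytes, src_ip: str, dst_ip: str) -> bytes:
    """Internet layer: the segment becomes the payload; a 20-byte IPv4 header
    carrying the source and destination IP addresses is added."""
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(segment),   # version/IHL, TOS, total length
                         0, 0, 64, PROTO_UDP, 0,       # ID, flags/frag, TTL, protocol, checksum
                         src, dst)
    checksum = struct.pack("!H", ip_checksum(header))
    return header[:10] + checksum + header[12:] + segment


def network_interface_layer(datagram: bytes, src_mac: bytes, dst_mac: bytes) -> bytes:
    """Network Interface layer: Ethernet header (destination MAC, source MAC,
    EtherType) in front, CRC-32 frame check sequence behind.  The preamble the
    slides mention is generated by the hardware and is omitted here."""
    frame = dst_mac + src_mac + struct.pack("!H", IPV4_ETHERTYPE) + datagram
    return frame + struct.pack("!I", zlib.crc32(frame))


def build_frame(app_data, src_port, dst_port, src_ip, dst_ip, src_mac, dst_mac) -> bytes:
    """Sender side: Application -> Transport -> Internet -> Network Interface."""
    segment = transport_layer(app_data, src_port, dst_port)
    datagram = internet_layer(segment, src_ip, dst_ip)
    return network_interface_layer(datagram, src_mac, dst_mac)


def receive(frame: bytes) -> dict:
    """Destination side: strip each header in reverse order, verifying the FCS
    and the IP header checksum, and hand the payload to the application."""
    body, fcs = frame[:-4], struct.unpack("!I", frame[-4:])[0]
    if zlib.crc32(body) != fcs:
        raise ValueError("frame damaged in transit: FCS mismatch")
    dst_mac, src_mac = body[:6], body[6:12]
    if struct.unpack("!H", body[12:14])[0] != IPV4_ETHERTYPE:
        raise ValueError("not an IPv4 frame")
    datagram = body[14:]
    ihl = (datagram[0] & 0x0F) * 4
    if ip_checksum(datagram[:ihl]) != 0:      # an intact header sums to zero
        raise ValueError("IP header corrupted")
    total_len = struct.unpack("!H", datagram[2:4])[0]
    if datagram[9] != PROTO_UDP:
        raise ValueError("example handles UDP only")
    segment = datagram[ihl:total_len]
    src_port, dst_port, udp_len, _ = struct.unpack("!HHHH", segment[:8])
    return {
        "src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"),
        "src_ip": ".".join(str(b) for b in datagram[12:16]),
        "dst_ip": ".".join(str(b) for b in datagram[16:20]),
        "src_port": src_port, "dst_port": dst_port,
        "payload": segment[8:udp_len],
    }


def demo() -> dict:
    """Constructed sample exchange: a host sends a Web site name to a resolver
    (addresses from the RFC 5737 documentation range; MACs are made up)."""
    frame = build_frame(b"www.example.com", 40000, 53,
                        "192.0.2.10", "192.0.2.53",
                        bytes.fromhex("02aabbcc0010"), bytes.fromhex("02aabbcc0053"))
    return receive(frame)


if __name__ == "__main__":
    print(demo())
```

Flipping any bit of the built frame makes receive() raise on the FCS check, which is the damage detection the slides attribute to the trailer; the IP header checksum is a second, independent check that only covers the header. Neither check is a security control: an attacker who rewrites a header can recompute both, which is why the later slides treat spoofing and corruption as attacks in their own right.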
TCP/IP Layers and Vulnerabilities
Identifying Possible Application Layer Attacks
   Application layer attacks are some of the most difficult to protect against because they take advantage of vulnerabilities in applications and the lack of end-user knowledge of computer security.
   Some of the ways the Application layer can be exploited to compromise the CIA triad include the following:
      E-mail application exploits:
         Attachments
         Embedded malicious code in Hypertext Markup Language (HTML) formatted messages
      Web browser exploits:
      FTP client exploits:
Cont.…
Identifying Possible Transport Layer Attacks
   Either a UDP or TCP header is added to the message.
   The application that is requesting the service determines what protocol will be used.
   Some of the ways the Transport layer can be exploited to compromise the C-I-A triad include the following:
      Manipulation of the UDP or TCP ports
      DoS
      Session hijacking
         This attack occurs after a source and destination computer have established a communications link.
         A third computer disables the ability of one of the computers to communicate, and then imitates that computer.
Cont.…
Identifying Possible Internet Layer Attacks
   IP datagrams are formed.
   The packet is comprised of two areas: the header and the payload.
   Some of the ways the Internet layer can be exploited to compromise the C-I-A triad include the following:
      IP address spoofing
         If the IP header fields and lengths are known, the IP address in the IP datagram can be easily discovered and spoofed. Any security mechanism based on the source IP address is vulnerable to this attack.
      Man-in-the-middle attacks
         A hacker places himself between the source and destination computer in such a way that neither notices his or her existence.
         Meanwhile, the attacker can modify packets or simply view their
Cont.…
      DoS
      Corrupting packets
         If the packet is intercepted, the information in the header can be modified, corrupting the IP datagram.
         It could change the protocol and payload information in the datagram.
   At the Network Interface layer, the packet of information that is placed on the wire is known as a frame.
   The frame is comprised of three areas: the header, the payload, and the FCS.
   Because the Network Interface layer is used for communications on a local network, the attacks that occur at this level would be carried out on local networks.
Cont.…
Identifying Possible Network Layer Attacks
      MAC address spoofing
         Attackers can easily spoof the MAC address of another computer.
         Any security mechanism based on MAC addresses is vulnerable to this attack.
      Denial of service (DoS)
      ARP cache poisoning
         ARP (Address Resolution Protocol) is a TCP/IP protocol for determining the hardware address (or physical address) of a node on a local area network connected to the Internet. The ARP cache stores MAC (Media Access Control) addresses.
         If incorrect, or spoofed, entries are added to the ARP cache, then the computer is not able to send information to the correct destination.

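ARP carries no authentication, so the defence that follows from this slide is to watch the IP-to-MAC mappings themselves and notice when they change. The following added example (not part of the lecture) runs that check over a constructed log of ARP replies in an invented "time sender-IP is-at sender-MAC" format; all addresses are sample values. It flags any IP whose advertised MAC differs from the one first seen, any IP that contradicts a static entry supplied for a critical host such as the default gateway, and any single MAC that answers for more than one IP.

```python
from collections import defaultdict

# Constructed sample log (not real traffic): one ARP reply per line,
# "<time> <sender-IP> is-at <sender-MAC>".  From 10:00:09 a second station
# starts answering for the gateway 192.0.2.1, and later for 192.0.2.50 too.
SAMPLE_ARP_LOG = """\
10:00:01 192.0.2.1 is-at 02:aa:bb:cc:00:01
10:00:02 192.0.2.50 is-at 02:aa:bb:cc:00:50
10:00:03 192.0.2.1 is-at 02:aa:bb:cc:00:01
10:00:09 192.0.2.1 is-at 02:aa:bb:cc:00:99
10:00:10 192.0.2.50 is-at 02:aa:bb:cc:00:50
10:00:11 192.0.2.1 is-at 02:aa:bb:cc:00:99
10:00:12 192.0.2.50 is-at 02:aa:bb:cc:00:99
"""


def parse_arp_log(text: str) -> list:
    """Return (time, ip, mac) tuples, skipping lines that do not fit the format."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "is-at":
            continue
        records.append((parts[0], parts[1], parts[3].lower()))
    return records


def find_mac_changes(records: list, trusted: dict = None) -> list:
    """Alert when an IP is advertised with a MAC different from the one first
    seen for it, or different from a static (trusted) entry.  Each alert is
    (time, ip, expected_mac, observed_mac, reason)."""
    trusted = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    first_seen = {}
    alerts = []
    for ts, ip, mac in records:
        if ip in trusted:
            if mac != trusted[ip]:
                alerts.append((ts, ip, trusted[ip], mac, "conflicts with static entry"))
            continue
        if ip in first_seen and first_seen[ip] != mac:
            alerts.append((ts, ip, first_seen[ip], mac, "mapping changed"))
        first_seen.setdefault(ip, mac)   # the first answer seen is the baseline
    return alerts


def find_shared_macs(records: list) -> dict:
    """MACs that answer for more than one IP: {mac: sorted list of IPs}."""
    ips_by_mac = defaultdict(set)
    for _, ip, mac in records:
        ips_by_mac[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in ips_by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    recs = parse_arp_log(SAMPLE_ARP_LOG)
    for alert in find_mac_changes(recs, trusted={"192.0.2.1": "02:aa:bb:cc:00:01"}):
        print("ALERT", *alert)
    print("MACs answering for several IPs:", find_shared_macs(recs))
```

The "first seen" baseline is only as good as the first reply, so for the hosts that matter most (gateway, DNS, DHCP servers) the static table is the stronger check; a router or a failover address that legitimately owns several IPs will show up in find_shared_macs() and needs to be whitelisted in a real deployment.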
Program Security
Security: when is it a software problem?
We can distinguish security problems by the mechanisms requiring changes to eliminate the vulnerability:
1. Network Problem:
    Requires changing networking mechanisms such as network protocols
2. OS Problem:
    Requires changing OS mechanisms such as OS resource management policies
3. Software Problem: requires changing software implementation or design
 It may be a hybrid problem requiring more than one type of change.
 A change in a mechanism such as protocols may be implemented in software or hardware.
 It may be possible to eliminate a problem by making a fundamental change in the processor hardware, such as the stack mechanism for implementing subroutine calls.
Program Security
 Program security implies some degree of trust that the program enforces the expected level of confidentiality, integrity and availability.
 Program security characteristics depend on the application and the user’s perception of the software quality:
    One person may decide that code is secure:
       If it has run for a period of time with no apparent failure
       If it takes too long to break through its security controls
    Any potential fault in meeting security requirements makes code insecure
 If the quality of a software is only about adhering to standards:
    Can be achieved by making the code secure
    Having conventional security approaches (locks in IBM machines)
 Assessment of security is also influenced by someone’s general perspective on
Cont.…
 Program security should extend from sound requirement analysis to installation & maintenance, and make sure the program:
    Does what it is supposed to do
    Does not do what it is not supposed to do
 The quality of program security can be judged using:
   1. Fixing Faults: what the fault is, its causes and the effects of the fault.
       Fixing faults can be done using:
      A. Penetrate and patch: in which analysts searched for and repaired faults.
          Introduces more problems and causes side effects
          May also affect the non-functional requirements
          The patch techniques were largely useless, because they frequently introduced new faults.
Cont.…
      B. Tiger Team: would be convened to test a system’s security by attempting to cause it to fail.
          If the system withstood the attacks, it was considered secured.
   2. Unexpected Behavior: compare the requirements with the behavior.
       Whether they behave as their designers intended or users expected
       Such unexpected behavior of a program is known as a program security flaw: it is inappropriate program behavior caused by a program security
       A flaw can be either a fault or a failure, and vulnerability usually describes a class of flaws, such as a buffer overflow.
       Program security flaws can derive from any kind of software fault.
          That is, they cover everything from a misunderstanding of program requirements
Cont.…
 There are no techniques to eliminate or address all program security flaws.
 There are two reasons for this distressing situation:
   1. Program controls apply at the level of the individual program and programmer
   2. Programming and software engineering techniques change and evolve far more rapidly than do computer security techniques.
 Taxonomy of program flaws:
    How (genesis) the flaw was introduced into the system
    When (time) the flaw was introduced into the system
    Where (location) the flaw was introduced into the system

Cont.…
 Program Security Flaws by Genesis:
    Unintentional human errors (Inadvertent)
       Validation errors (incomplete or inconsistent)
       Domain errors
       Boundary condition violation
       Inadequate identification & authentication
       Serialization and aliasing
       Other exploitable logic errors
    Malicious and intentionally induced errors
       Malicious flaws: Trojan Horse, Trapdoor, Logic Bomb, Worms, Virus
       Non-malicious errors
Cont.…
 Program Security Flaws by Time:
    During development
       Requirement/specification/design
       Source code
       Object code
    During maintenance
    During operation
 Program Security Flaws by Location:
    Software and Hardware:
       Operating system: system initialization, memory management, process management, device management, file management, identification / authentication
       Support and Application: privileged utilities, unprivileged utilities
Database Security
 A database is an integral part of any information system and often holds sensitive data.
 The security of the data depends on physical security, OS security and DBMS security.
 Database security can be compromised by obtaining sensitive data, changing data or degrading availability of the database.
 Databases are a favorite target for attackers because of the data they contain and also because of their volume. The data warehouse is the ultimate goal.
 As systems become more modular and sophisticated, the attacker is presented with more vectors to conduct an attack.
 Efforts to ensure database security are considerably higher than for the other types of data.
 It is easier to implement an access list for a great number of files than an access list for the elements of a database.

Cont.…
 Database security presents features that must be seriously taken into account.
 The first option for a secure database is represented by its optimal protection.
 Ensuring database security must be done from outside to inside, ensuring security starting from the physical level and ending with the data level (physical, network, host, applications and data).
 Attacks on the company’s databases are motivated by the following factors:
    Databases are the mass of information which the company works with;
    Databases can reveal private data by processing public data.
 Database security is relevant in the following situations:
    Theft and fraud;
    Loss of confidentiality/privacy;
    Loss of privacy, integrity and availability.
Cont.…
 To ensure a minimum security of the databases the following requirements must be satisfied:
    Physical integrity of databases;
    Logical integrity of databases;
    The integrity of each element which composes the database;
    Access control;
    User identification;
    Availability.
 The physical and logical integrity of databases will require the focus of efforts for protecting the physical integrity of databases, especially recordings, against destruction. The easiest way to do that is represented by regular backups.
 The integrity of each element forming the database requires that the value of each field may be written or changed only by authorized users and only if the values are correct.
Cont.…
 Access control is done taking into consideration the restrictions of the database administrator.
 The DBMS will apply the security policy of the database administrator (DBA).
 This must meet the following requirements:
    Server security: involves limiting access to data stored on the server. It’s the most important option that has to be taken into consideration & planned carefully.
    Connections to the database: Using ODBC will have to be followed by checking that each connection corresponds to a single user who has access to data.
    Access control table: The access control table is the most common form of securing a database. An appropriate use of the table access control involves a close collaboration between the administrator and the database developer.
Cont.…
    Secure IP addresses: Some servers may be configured to receive only queries from hosts that are in a list. Oracle servers allow blocking queries that are not related to the database.
    Cancellation of the Server Account: The ability to suspend an account when guessing the password is tried after a predefined number of attempts (usually 3).
    Special tools: Special programs such as Real Secure by ISS which will alert in case of intrusion attempts. Oracle has an additional set of authentication methods: Kerberos security; Virtual private databases; Role-based security; Grant-execute security; Authentication servers; Port access security.
 User identification will allow it to be known at any time who does anything in the system. All the operations performed by users will be stored and will form a history of access. Checking the history of all hits is sometimes hard and requires a
Cont.…
 Attacks specific to the databases:
    Inference: where an unclassified user has legitimate access to public information but from which they are able to infer classified information.
    Two situations lead to the disclosure of secret data from public data: data aggregation and association.
       The data aggregation problem arises whenever a set of information is classified at a higher level than the individual levels of the involved data.
       The data association problem arises whenever two values taken together are classified at a higher level than that of each value.
 A first step in countering these types of attacks is the protection of sensitive data: data that must not be made public.
Cont.…
 When an attacker applies one or more methods of attack, in combination with a weak protection of databases, several sensitive data types may be displayed:
    Accurate data: When the database does not implement any protection mechanism, the extracted data is exactly the expected one. Queries are simple and obvious.
    Bound data: an attacker can determine the range of values which the searched value can have.
    Existing data: Data are classified, but their existence can be revealed by attempting to insert them: the operation is refused by the protection mechanisms of the database because the data already exist.
    Negative data: After some seemingly innocent queries sensitive data can be
    Probable data: Their existence is highlighted by complex
Cont.…
 An attacker who has passed all levels of protection and reached the database will progressively try a series of attacks: direct, indirect and by tracking.
 Direct attacks are obvious attacks and are successful only if the database does not implement any protection mechanism. The displayed results will be the ones required and expected. If this attack fails then the attacker moves to the next.
 Indirect attacks are executed when the extraction of data other than those that are displayed is desired. Combinations of queries are used, some of them having the purpose of cheating the security mechanisms.
 The tracking attack is applied to databases that have implemented a suppression mechanism for the requests that have dominant results. This type of attack is used against databases that have short answers to queries.

Cont.…
 The options that can be chosen for a mechanism that will not permit displaying sensitive data are the following:
    Suppressing the requests with sensitive results: Requests for access to database elements that would result in displaying sensitive results are rejected without any response.
    Results approximation: The results of a request will be approximated in such a way that the attacker will not be able to determine the exact values.
    Limiting the results of a request that reveals sensitive data:
    Combining results: Combining the results from several requests will create even greater confusion for the attacker.
    Administrative control elements: From this category we have: Security policy and emergency situations plan, Staff control, Placing the equipment in safe conditions, Escrow agreements, Maintenance agreements and the physical control of
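The suppression and approximation controls on this slide, together with the small-query-set inference problem described two slides earlier, as an added example that is not from the lecture: a query front end over a constructed SQLite table of staff salaries (sample names and figures) that refuses an aggregate whose query set, or whose complement, is smaller than k rows, and rounds the values it does return. The k and rounding-unit values are assumptions chosen for the example.

```python
import sqlite3

MIN_SET_SIZE = 3      # k: aggregates over fewer than k rows are refused (assumed value)
ROUND_TO = 1000       # returned money values are rounded to this unit (assumed value)
ALLOWED_FUNCS = ("SUM", "AVG", "COUNT")


def build_db() -> sqlite3.Connection:
    """Constructed sample data: eight staff records with salaries."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE staff (name TEXT, dept TEXT, sex TEXT, salary INTEGER)")
    conn.executemany("INSERT INTO staff VALUES (?, ?, ?, ?)", [
        ("Adams", "eng", "F", 71250), ("Bauer", "eng", "M", 64800),
        ("Chen",  "eng", "M", 68300), ("Dube",  "eng", "F", 59900),
        ("Evans", "ops", "F", 52100), ("Fry",   "ops", "M", 48700),
        ("Gupta", "ops", "M", 55400), ("Hale",  "hr",  "F", 61000),
    ])
    return conn


def guarded_aggregate(conn, func: str, dept: str = None, sex: str = None):
    """Return func(salary) over the rows selected by dept/sex, or None when
    the request is suppressed.  Only whitelisted aggregate names reach the SQL
    text; user-supplied values travel as bound parameters."""
    if func not in ALLOWED_FUNCS:
        raise ValueError("aggregate not exposed: %r" % func)
    clauses, params = [], []
    if dept is not None:
        clauses.append("dept = ?")
        params.append(dept)
    if sex is not None:
        clauses.append("sex = ?")
        params.append(sex)
    where = (" WHERE " + " AND ".join(clauses)) if clauses else ""

    total = conn.execute("SELECT COUNT(*) FROM staff").fetchone()[0]
    n = conn.execute("SELECT COUNT(*) FROM staff" + where, params).fetchone()[0]
    # Suppression: a query set smaller than k identifies individuals, and so
    # does a set whose complement is smaller than k, because subtracting it
    # from the unrestricted total singles those rows out.  The unrestricted
    # query itself is allowed.
    if n < MIN_SET_SIZE or (clauses and total - n < MIN_SET_SIZE):
        return None
    if func == "COUNT":
        return n
    value = conn.execute("SELECT %s(salary) FROM staff%s" % (func, where),
                         params).fetchone()[0]
    # Approximation: report the value to the nearest ROUND_TO so the exact
    # figure cannot be reconstructed from the answer.
    return round(value / ROUND_TO) * ROUND_TO


if __name__ == "__main__":
    db = build_db()
    print("avg salary, all staff :", guarded_aggregate(db, "AVG"))
    print("sum salary, eng       :", guarded_aggregate(db, "SUM", dept="eng"))
    print("sum salary, eng women :", guarded_aggregate(db, "SUM", dept="eng", sex="F"))
    print("sum salary, hr        :", guarded_aggregate(db, "SUM", dept="hr"))
```

The two-person "eng women" set and the one-person "hr" set are refused, while department-wide figures come back rounded. Query-set-size control on its own is known to be defeatable by combining several permitted queries (the tracking attack on the previous slide), which is why the slide lists approximation, result limiting and combining results as further layers rather than alternatives.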
Thank You!