Chapter 5
Host and Network Security
Gadisa A.
Outlines
Security planning
Password security
One time password
Access control
Security monitoring and
Firewalls
Introduction
Hosts attached to a network are exposed to a wider range of security threats than
unconnected hosts.
Network security reduces the risks of connecting to a network.
It requires adequate security on individual host computers.
By nature, network access and computer security work at cross-purposes.
A network is a data highway designed to increase access to computer systems,
while security is designed to control access to those systems.
Providing network security is a balancing act between open access and security.
Security Planning
One of the most important network security tasks, and probably an enjoyable one, is the
development of a network security policy.
The three distinct types of security threats usually associated with network connectivity
are:
Unauthorized access: a break-in by an unauthorized person.
Disclosure of information: any problem that causes the disclosure of valuable or
sensitive information to people who should not have access to the information.
Denial of service (DoS): any problem that makes it difficult or impossible for the system
to continue to perform productive work.
Security Planning
In his class on computer security, Brent Chapman classifies information security threats into three categories:
Threats to the secrecy,
Threats to the availability, and
Threats to the integrity of data.
Secrecy is the need to prevent the disclosure of sensitive information.
Availability means that you want information and information processing resources available when they are needed; a denial-of-service attack disrupts availability.
Security Planning…
The need for the integrity of information is equally obvious, but its
link to computer security is more subtle.
Network threats are not, of course, the only threats to computer
security, or the only reasons for denial of service.
Natural disasters and internal threats (threats from people who
have legitimate access to a system) are also serious.
Password Security
A good password is an essential part of security.
Choosing a good password boils down to not choosing a password that can be
guessed using some.
Some guidelines for choosing a good password are:
Don’t use your login name.
Don’t use the name of anyone or anything.
Don’t use any English or foreign-language word or abbreviation.
Don’t use any personal information associated with the owner of the
account. For example, don’t use your initials, phone number, social security
number, job title, organizational unit, etc.
Password Security…
Don’t use keyboard sequences, e.g., QWERTY.
Don’t use any of the above spelled backwards, or in caps, or otherwise
disguised.
Don’t use an all-numeric password.
Don’t use a sample password, no matter how good, that you’ve gotten
from a book that discusses computer security.
Use a mixture of numbers, special characters, and mixed-case letters.
Use at least six characters.
Use a seemingly random selection of letters and numbers.
Password Security…
Common suggestions for constructing seemingly random
passwords are:
Use the first letter of each word from a line in a book, song, or poem.
For example, “People don’t know you and trust is a joke.”
Use the output from a random password generator.
Select a random string that can be pronounced and is easy to
remember. For example, the random string “adazac” can be
pronounced a-da-zac, and you can remember it by thinking of it as “A-
to-Z.”
Add uppercase letters to create your own emphasis, e.g., aDAzac.
Password Security…
Common suggestions for constructing seemingly random
passwords are:
Use two short words connected by punctuation, e.g., wRen%Rug.
Use numbers and letters to create an imaginary vanity license
plate password, e.g., 2hot4U?
It is also possible to use programs that force users to follow specific
password selection guidelines.
The web page http://csrc.nist.gov/tools/tools.htm lists several
programs that do exactly that.
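A checker that enforces the guidelines listed on these slides, written as an added example in the spirit of the programs that force users to follow selection rules; it is not code from the slides. The word list and keyboard rows are constructed samples, and a real deployment would load a full dictionary and the user's account details.

```python
"""Password-guideline checker (added example). The dictionary and keyboard rows are
constructed samples standing in for a real word list such as /usr/share/dict/words."""

MIN_LENGTH = 6
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
SAMPLE_WORDS = {"people", "trust", "password", "secret", "welcome", "dragon"}


def has_keyboard_sequence(pw, run=4):
    """True if `run` consecutive characters walk along a keyboard row, in either direction."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            seq = row[i:i + run]
            if seq in low or seq[::-1] in low:
                return True
    return False


def contains_disguised(pw, item):
    """Substring match that also catches the item reversed or in a different case."""
    low, it = pw.lower(), item.lower()
    return len(it) >= 3 and (it in low or it[::-1] in low)


def check_password(pw, login, personal=(), words=SAMPLE_WORDS):
    """Return the guideline violations for pw; an empty list means it is acceptable."""
    problems = []
    low = pw.lower()
    if len(pw) < MIN_LENGTH:
        problems.append("too short")
    if pw.isdigit():
        problems.append("all-numeric")
    if contains_disguised(pw, login):
        problems.append("contains login name")
    if any(contains_disguised(pw, item) for item in personal):
        problems.append("contains personal information")
    # Dictionary words are matched whole (forwards or backwards), so that two
    # short words joined by punctuation, as the slides suggest, still pass.
    if low in words or low[::-1] in words:
        problems.append("dictionary word")
    if has_keyboard_sequence(pw):
        problems.append("keyboard sequence")
    classes = sum([any(c.islower() for c in pw), any(c.isupper() for c in pw),
                   any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)])
    if classes < 3:
        problems.append("needs a mixture of case, digits and special characters")
    return problems
```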
Password Security…
Sometimes good passwords are not enough.
Passwords are transmitted across the network as clear text.
Intruders can use protocol-analyzer software to spy on network traffic and
steal passwords.
If a thief steals your password, it does not matter how good the password
was.
The thief can be on any network that handles your TCP/IP packets.
If you log in through your local network, you have to worry only about
local snoops.
One Time Passwords
But if you log in over the Internet, you must worry about unseen
listeners from any number of unknown networks.
Commands that use encrypted passwords are not vulnerable to this
type of attack.
Because of this, telnet has been largely supplanted by secure shell
(Ssh).
However, the secure shell client may not be available at a remote
site.
Use one-time passwords for remote logins when you cannot use
secure shell.
One Time Passwords…
Because a one-time password can be used only once, a thief who
steals the password cannot use it.
One-time passwords are needed only for the occasions when you log
in from a remote location that does not offer Ssh.
For this reason, some one-time password systems are designed to
allow reusable passwords when they are appropriate.
There are several one-time password systems.
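One of those systems is the hash chain used by S/Key and by OPIE (named in the chapter summary). The block below is an added example, not code from the slides or from OPIE: it uses SHA-256 where the real systems use MD4/MD5, and the secret and seed are constructed sample values.

```python
"""Hash-chain one-time passwords (added example, simplified S/Key/OPIE scheme)."""
import hashlib


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def chain(secret: str, seed: str, n: int) -> bytes:
    """h applied n times to seed||secret, i.e. h^n(seed||secret)."""
    x = (seed + secret).encode()
    for _ in range(n):
        x = h(x)
    return x


class OtpServer:
    """The server keeps only the last accepted value and a counter, never the secret."""

    def __init__(self, secret: str, seed: str, n: int):
        self.seed = seed
        self.count = n                      # passwords remaining before re-enrolment
        self.last = chain(secret, seed, n)  # h^n, computed once at enrolment

    def login(self, candidate: bytes) -> bool:
        if self.count <= 0:
            return False                    # chain exhausted: user must re-enrol
        if h(candidate) != self.last:
            return False                    # wrong secret, or a stale/replayed value
        self.last = candidate               # advance one step down the chain
        self.count -= 1
        return True


def client_password(secret: str, seed: str, server_count: int) -> bytes:
    """The client supplies h^(count-1); the server checks that hashing it gives h^count."""
    return chain(secret, seed, server_count - 1)


def demo_replay():
    """Genuine login, a replay of the same sniffed value, then the next genuine login."""
    srv = OtpServer("correct horse", "ex1234", n=5)
    pw = client_password("correct horse", "ex1234", srv.count)
    first = srv.login(pw)       # True
    replay = srv.login(pw)      # False: the sniffed value no longer matches
    nxt = client_password("correct horse", "ex1234", srv.count)
    return first, replay, srv.login(nxt)
```

A password captured on the wire is useless to the sniffer because the server has already moved past it; only someone holding the secret can compute the next value in the chain.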
Access Control
Is a technique for limiting access.
Routers and hosts that use access control check the address
of a host requesting a service against an access control list.
If the list says that the remote host is permitted to use the
requested service, the access is granted.
If the list says that the remote host is not permitted to
access the service, access is denied.
Access Control…
It does not bypass any normal security checks.
It adds a check to validate the source of a service request and
retains all of the normal checks to validate the user.
Access control systems are common in terminal servers and routers.
For example, Cisco routers have an access control facility.
Access control software is also available for UNIX hosts.
Two such packages are xinetd and the TCP wrapper program.
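A host-based access check of the kind xinetd and the TCP wrapper program perform, written as an added example (not the slides' code and not either package's implementation). The access list is a constructed sample using documentation address ranges; the request handler shows the source check sitting in front of, not replacing, the normal user check.

```python
"""Access-list check on the source address of a service request (added example)."""
import ipaddress

# Constructed sample list in the spirit of hosts.allow/hosts.deny.
# Rules are tried in order and the first match decides; no match means deny.
SAMPLE_ACL = [
    ("sshd", "192.0.2.0/24", "allow"),        # management subnet may use ssh
    ("sshd", "0.0.0.0/0", "deny"),            # ssh from anywhere else is refused
    ("ftpd", "198.51.100.7/32", "allow"),     # one partner host may use ftp
    ("ALL", "127.0.0.1/32", "allow"),         # the host itself may use any service
    ("ALL", "0.0.0.0/0", "deny"),             # everything else is refused
]


def compile_acl(rules):
    """Parse the textual rules once so each request is a cheap prefix check."""
    return [(svc, ipaddress.ip_network(net), action == "allow")
            for svc, net, action in rules]


def is_permitted(acl, service, client_ip, default=False):
    """Check the requesting host's address against the list for this service."""
    addr = ipaddress.ip_address(client_ip)
    for svc, net, allow in acl:
        if svc not in ("ALL", service):
            continue
        if addr.version != net.version or addr not in net:
            continue
        return allow
    return default


def handle_request(acl, service, client_ip, user_authenticated):
    """The source check is added in front of, not instead of, the normal user check."""
    if not is_permitted(acl, service, client_ip):
        return "denied: source host not permitted"
    if not user_authenticated:
        return "denied: user authentication failed"
    return "granted"
```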
Access classes
The facilities that enable the detection, isolation, and correction of abnormal operation
of the OSI environment.
UNIX defines three basic classes of file access for which protection may be specified
separately:
User access (u): Access granted to the owner of the file.
Group access (g): Access granted to members of the same group as the group
owner of the file (but does not apply to the owner himself, even if he is a member of
this group).
Other access (o): Access granted to all other normal users.
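The three classes in code, as an added example that is not part of the slides: exactly one class applies to a request, and the owner is judged by the u bits alone even when a member of the file's group. The uids, gids and modes are constructed sample values.

```python
"""UNIX access classes u/g/o applied to a request (added example)."""
import stat


def access_class(uid, groups, owner_uid, owner_gid):
    """Exactly one class applies: u for the owner, else g for group members, else o."""
    if uid == owner_uid:
        return "u"        # the owner never falls through to the group bits
    if owner_gid in groups:
        return "g"
    return "o"


def permitted(mode, uid, groups, owner_uid, owner_gid, want):
    """want is a string of 'r', 'w', 'x'; mode is the numeric permission mode (e.g. 0o750)."""
    cls = access_class(uid, groups, owner_uid, owner_gid)
    bits = (mode >> {"u": 6, "g": 3, "o": 0}[cls]) & 0o7
    need = 0
    for c in set(want):
        need |= {"r": 4, "w": 2, "x": 1}[c]
    return bits & need == need


def parse_symbolic(text):
    """'rwxr-x---' -> 0o750 (the nine-character form ls prints, without the type character)."""
    if len(text) != 9:
        raise ValueError("expected nine characters")
    mode = 0
    for i, c in enumerate(text):
        if c == "rwx"[i % 3]:
            mode |= 1 << (8 - i)
        elif c != "-":
            raise ValueError(f"unexpected character {c!r} at position {i}")
    return mode


def symbolic(mode):
    """Numeric mode back to the nine-character form."""
    return stat.filemode(stat.S_IFREG | mode)[1:]
```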
Security Monitoring
Is a key element of effective network security.
Good security is an ongoing process, and following the security guidelines
discussed above is just the beginning.
You must also monitor the systems to detect unauthorized user activity and
to locate and close security holes.
Over time, a system will change—active accounts become inactive and file
permissions are changed.
You need to detect and fix these problems as they arise.
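A small baseline-and-compare check for the two kinds of drift named above (changed file permissions, accounts that go inactive), as an added example in the spirit of the Tripwire tool listed in the summary but not that tool's code. It builds a throw-away directory and a constructed last-login table as its input, and assumes a POSIX host where chmod sets the full mode.

```python
"""Detect permission drift and stale accounts against a baseline (added example)."""
import os
import stat
import tempfile
from datetime import date


def snapshot(root):
    """Baseline of (mode, uid, gid) for every entry under root, keyed by relative path."""
    base = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = os.path.join(dirpath, name)
            st = os.lstat(p)
            base[os.path.relpath(p, root)] = (stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)
    return base


def compare(baseline, current):
    """Report additions, removals and changed ownership/permissions since the baseline."""
    findings = []
    for path, now in sorted(current.items()):
        if path not in baseline:
            findings.append(("added", path, None, now))
        elif baseline[path] != now:
            findings.append(("changed", path, baseline[path], now))
    for path in sorted(set(baseline) - set(current)):
        findings.append(("removed", path, baseline[path], None))
    return findings


def world_writable(snap):
    """Entries any user may write to, a common symptom of permission drift."""
    return sorted(p for p, (mode, _, _) in snap.items() if mode & stat.S_IWOTH)


def stale_accounts(last_login, today, max_idle_days=90):
    """Accounts unused for more than max_idle_days; last_login maps user -> date or None."""
    return sorted(u for u, d in last_login.items()
                  if d is None or (today - d).days > max_idle_days)


def demo_permission_drift():
    """Take a baseline, loosen a file's mode as an admin might by mistake, re-check."""
    with tempfile.TemporaryDirectory() as root:
        path = os.path.join(root, "secrets.conf")
        with open(path, "w") as f:
            f.write("constructed sample\n")
        os.chmod(path, 0o600)
        baseline = snapshot(root)
        os.chmod(path, 0o666)          # the drift: the file is now world-writable
        current = snapshot(root)
        return compare(baseline, current), world_writable(current)
```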
Firewalls
Is an essential component of network security.
The term firewall implies protection from danger, and just as the firewall
in your car protects the passengers’ compartment from the car’s engine,
a firewall computer system protects your network from the outside world.
In a computer system, it provides strict access control between your
systems and the outside world.
The concept of a firewall is quite simple.
Functions of Firewalls
Ideally, an intruder cannot mount a direct attack on any of the systems
behind a firewall.
Packets destined for hosts behind the firewall are simply delivered to the
firewall.
The intruder must instead mount an attack directly against the firewall
machine.
Because the firewall machine can be the target of break-in attacks, it employs
very strict security guidelines.
Functions of Firewalls…
But because there is only one firewall versus many machines on the local
network, it is easier to enforce strict security on the firewall.
The disadvantage of a firewall system is obvious.
In the same manner that it restricts access from the outside world into the
local network, it restricts access from the local network to the outside world.
To minimize the inconvenience caused by the firewall, the system must do
many more things than a router does.
Summary
Network access and computer security work at cross-purposes.
Attaching a computer to a network increases the security risks for that
computer.
Evaluate your security needs to determine what must be protected and how
vigorously it must be protected.
Develop a written site security policy that defines your procedures and
documents the security duties and responsibilities of employees at all levels.
Summary…
Network security is essentially good system security.
Good user authentication, effective system monitoring, and
well-trained system administrators provide the best security.
Tools are available to help with these tasks.
SSH, OPIE, Tripwire, OpenSSL, iptables, TCP wrappers,
encryption, and firewalls are all tools that can help.
Automating System Administration
Although extensive programming experience is seldom a requirement for a system
administration position, writing shell scripts and other sorts of programs is
nevertheless an important part of a system administrator’s job.
There are two main types of programs and scripts that you will be called upon to
create:
Those designed to make system administration easier or more efficient, often by
automating some process or job.
Those that provide users with necessary or helpful tools that are not otherwise
available to them.
Automating System Administration
In general, automation offers many advantages over performing such tasks by hand,
including the following:
Greater reliability: Tasks are performed in the same (correct) way every time. Once you
have automated a task, its correct and complete performance no longer depends on how
alert you are or your memory.
Guaranteed regularity: Tasks can be performed according to whatever schedule seems
appropriate and need not depend on your availability or even your presence.
Enhanced system efficiency: Time-consuming or resource-intensive tasks can be
performed during off hours, freeing the system for users during their normal work hours.
Questions