Network security chapter 1,2
1. Chapter No 1 & 2 Computer Network Security
Written by Engr. Muhammad Waseem 1
COMPUTER NETWORK SECURITY
Course outline
The need for network security
The Network security problem
Different types of attacks
Malicious and Non-Malicious Program Flaws
Protection in operating systems
Spoofing
Intrusion Detection Systems
Firewalls
Operating Systems Hardening
Device security
Honeypots and honey nets
Module objectives
Understand
Why we need network security
The nature of the network security problem
Defensive strategies
The gold standard
History
What is network security?
Network Security is the process of taking physical and software preventative measures to protect the
underlying networking infrastructure from unauthorized access, misuse, malfunction, modification,
destruction, or improper disclosure, thereby creating a secure platform for computers, users and
programs to perform their permitted critical functions within a secure environment.
Or: network security is an over-arching term for the policies and procedures implemented by a
network administrator to avoid and keep track of unauthorized access, exploitation, modification, or
denial of the network and network resources. This means that well-implemented network security
blocks viruses, malware, hackers, etc. from accessing or altering secure information.
1. The need for network security
1.1 Why do you need to take this course?
Credit towards Bachelor degree
An easy A
Value for your organization
An organization’s data may include personnel information, some of it sensitive and open to misuse,
or information of a personal nature which should be disclosed to authorized users only. It may include
payroll information, contact lists, strategies and plans, fiscal reports, and
intellectual property such as present and future product designs: the sort of things that the organization
wouldn’t publish on the streets.
1.1.1 Value of an organization’s data
Personnel information
Financial information
Intellectual property
Proprietary information
Contact lists
1.1.2 Organizations that are at risk:
Corporate financial systems
Credit card processing systems
ATMs
Telephone systems
Emergency response infrastructure
Air traffic control
Power system
Almost all processes automated
No manual alternative
In case of a crash, restoration is essential
Nature of problem
Common belief: Computers are digital devices, sharp 1s and 0s, so perfect security should be
possible
Not true
Too many contributing factors: too many people and too many programs involved
A reasonable goal would be as good as real-world security
Some common network security problems are not the result of human error or intent; they are due to
the forces of nature: lightning, flood, fire and earthquake. And surprisingly, other common network
security problems are none other than equipment failure, outdated technology, issues with the ISP or
WAN service, or software failures and errors.
Nature of problem-differences
Variety of attack methods
Can attack a lot more places
Can attack a lot more quickly
Can attack with relative anonymity
All without spending too many resources
Defensive strategies
Access Control
Keep everybody out. Disconnect your PC from the network, and only install programs that you
wrote yourself. It will be secure, but it will be much harder to get any work done on it.
Keep the bad guy out. This can be done in a variety of ways, such as code signing and
firewalls.
You can let the bad guy in but keep him from doing bad things by using sandboxing or access
control.
Try to catch the bad guy and prosecute him. This uses a different set of techniques, instead of
locks it uses auditing.
The access control model is based on a principal sending requests to an object, and there is a guard in
between that scrutinizes the request and its source to decide whether or not it should be allowed to go
through to the object.
The gold standard
Authentication, authorization, and auditing all start with Au (the chemical symbol for gold), so
they are also known as the gold standard.
The principle of authentication is that you have a way of knowing what principal is taking
responsibility for the request that is being made.
Principals are usually people, but can also be channels, servers, and programs.
For example, typically in distributed applications, communication channels are implemented
by means of encryption and the encryption key acts as a principal.
Cont’d
The next step is to figure out whether or not that request coming from that party ought to be granted.
This is authorization. Typically access is granted to principals or group of principals.
Auditing keeps track of all the activity. Auditing analyzes the logs of access requests made by
principals, whether those requests were granted or denied.
Another underlying principle in this model is assurance. How do you know that the system doesn’t
have bugs? One way to think about that is in terms of a trusted computing base: the set of all
things that have to be working correctly in order for you to have security.
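The guard from the access-control model above, applying the three Au steps to every request, as an added example (not code from the original notes): the principal names, keys, objects and ACL entries are constructed for the illustration, and the default when nothing matches is to deny.

```python
"""Reference monitor: a principal sends a request for an object, and the
guard authenticates the principal, authorizes the request against an
access-control list, and audits the decision.  All names, keys and
objects are constructed sample values."""
import hashlib
import hmac
from dataclasses import dataclass, field

# Shared secrets that let the guard verify who is taking responsibility for
# a request.  In the text, an encryption key acts as a principal for a
# channel; here a key stands in for each principal (constructed values).
PRINCIPAL_KEYS = {
    "alice": b"alice-secret-key",
    "backup-server": b"backup-channel-key",
}

# Access is granted to principals or groups of principals.
GROUPS = {"admins": {"alice"}}
ACL = {  # object -> {principal or group: allowed operations}
    "payroll.db": {"admins": {"read", "write"}, "backup-server": {"read"}},
    "designs/": {"alice": {"read"}},
}


@dataclass
class Request:
    principal: str
    operation: str
    obj: str
    tag: bytes  # HMAC over the request, proving which principal made it


def sign_request(principal, operation, obj, key):
    msg = f"{principal}|{operation}|{obj}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


@dataclass
class Guard:
    audit_log: list = field(default_factory=list)

    def authenticate(self, req):
        """Authentication: is this request really from the named principal?"""
        key = PRINCIPAL_KEYS.get(req.principal)
        if key is None:
            return False
        expected = sign_request(req.principal, req.operation, req.obj, key)
        return hmac.compare_digest(expected, req.tag)

    def authorize(self, req):
        """Authorization: should this principal's request be granted?"""
        entries = ACL.get(req.obj, {})
        if req.operation in entries.get(req.principal, set()):
            return True
        for group, members in GROUPS.items():
            if req.principal in members and req.operation in entries.get(group, set()):
                return True
        return False  # restrictive default: not expressly allowed -> denied

    def check(self, req):
        """Run the gold standard on one request and audit the outcome."""
        if not self.authenticate(req):
            decision = "denied:unauthenticated"
        elif not self.authorize(req):
            decision = "denied:unauthorized"
        else:
            decision = "granted"
        self.audit_log.append((req.principal, req.operation, req.obj, decision))
        return decision


def demo():
    """Three constructed requests; returns (decisions, audit log)."""
    guard = Guard()
    results = []
    # Alice (an admin) writes payroll: granted through group membership.
    tag = sign_request("alice", "write", "payroll.db", PRINCIPAL_KEYS["alice"])
    results.append(guard.check(Request("alice", "write", "payroll.db", tag)))
    # The backup channel tries to write payroll, but it may only read.
    tag = sign_request("backup-server", "write", "payroll.db", PRINCIPAL_KEYS["backup-server"])
    results.append(guard.check(Request("backup-server", "write", "payroll.db", tag)))
    # Someone claiming to be alice but signing with a wrong key.
    tag = sign_request("alice", "read", "designs/", b"guessed-key")
    results.append(guard.check(Request("alice", "read", "designs/", tag)))
    return results, guard.audit_log


if __name__ == "__main__":
    for entry in demo()[1]:
        print(entry)
```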
Common attacks and Exploits
1. Denial of Service (DoS)
2. Distributed Denial of Service (DDoS)
3. Back door
4. Spoofing
5. Man in the middle
6. Replay
7. Session hijacking
8. DNS poisoning
9. Password guessing
10. Software exploitation
11. War dialing
12. War driving
13. Buffer overflow
14. SYN flood
15. ICMP flood
16. UDP flood
17. Smurfing
18. Sniffing
19. Ping of death
Denial of Service (DoS)
A denial of service attack causes disruption of service to legitimate users.
For example, causing a web server to overload, due to which browsers would be unable to
view the websites on that web server, or overloading a file server so that users are unable to
access their home folders.
Work by:
Resource exhaustion
Application or OS crash
A denial of service attack is an effort to make one or more computer systems unavailable. It is
typically targeted at web servers, but it can also be used on mail servers, name servers, and any other
type of computer system.
Denial of service attacks can be problematic, especially when they cause large websites to be
unavailable during high-traffic times. Fortunately, security software has been developed to detect DoS
attacks and limit their effectiveness. While many well-known websites, like Google, Twitter, and
WordPress, have all been targets of denial of service attacks in the past, they have been able to update
their security systems and prevent further service interruptions.
Distributed Denial of Service (DDoS)
A distributed denial of service attack is when several machines taken over by an attacker
launch a coordinated denial of service attack against a common target to achieve a far greater
impact.
These are compromised machines.
See http://grc.com/dos/grcdos.htm for a good example of this type of attack.
A distributed denial-of-service (DDoS) attack is one in which a multitude of compromised systems
attack a single target, thereby causing denial of service for users of the targeted system. The flood of
incoming messages to the target system essentially forces it to shut down, thereby denying legitimate
users service from the system.
Back door
A backdoor is an opening in software which allows entry into the system/application without
the knowledge of the owner.
Backdoors are sometimes left by the developer intentionally, and sometimes exist by virtue of
bad programming logic and practices.
Definition: A backdoor is a secret or undocumented means of getting into a computer system. Many
programs have backdoors placed by the programmer to allow them to gain access to troubleshoot or
change the program. Some backdoors are placed by hackers once they gain access, to allow themselves
an easier way in next time or in case their original entrance is discovered.
Spoofing
Some communication protocols use a host’s IP address as a trust and authentication
mechanism.
An attacker may forge the IP address of a trusted host to fool the target into trusting the
attacker’s machine.
The word "spoof" means to hoax, trick, or deceive. Therefore, in the IT world, spoofing refers to tricking
or deceiving computer systems or other computer users. This is typically done by hiding one's identity
or faking the identity of another user on the Internet.
Spoofing can take place on the Internet in several different ways. One common method is
through e-mail. E-mail spoofing involves sending messages from a bogus e-mail address or faking the
e-mail address of another user.
IP spoofing: another way spoofing takes place on the Internet is via IP spoofing. This involves
masking the IP address of a certain computer system. By hiding or faking a computer's IP address, it is
difficult for other systems to determine where the computer is transmitting data from.
Man in the middle
Man in the middle attacks are launched by placing oneself in the middle of a communication
session, so as to intercept the traffic.
The attacker may merely passively listen in on the conversation or may introduce other
information into the traffic.
A Man-in-the-Middle attack is a type of cyber-attack where a malicious actor inserts him/herself into
a conversation between two parties, impersonates both parties and gains access to information that the
two parties were trying to send to each other. A Man-in-the-Middle Attack allows a malicious actor to
intercept, send, and receive data meant for someone else, or not meant to be sent at all, without either
outside party knowing until it is too late. Man-in-the-Middle attacks can be abbreviated in many ways
including, MITM, MitM, MiM, or MIM.
Replay
The attacker uses a packet sniffer to capture packets on the wire and extract information
from them.
For example, usernames and passwords, which are later placed back on the wire so as to have
the target believe that it is a new legitimate session.
A replay attack is when a hacker uses a sniffer to grab packets off the wire.
After the packets are captured, the hacker can simply extract information from them, such as
authentication information and passwords.
Once the information is extracted, the captured data can be placed back on the network, or replayed.
For example, messages from an authorized user who is logging into a network may be captured by an
attacker and resent (replayed) the next day. Even though the messages may be encrypted, and the
attacker may not know what the actual keys and passwords are, the retransmission of valid logon
messages is sufficient to gain access to the network.
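The logon replay described above, worked through as an added example (not code from the original notes): a server that verifies only the message's authentication tag accepts the same message again the next day, while one that also checks a timestamp window and remembers used nonces rejects it. The shared key, user name and timestamps are constructed for the illustration.

```python
"""Replay-resistant login messages.  A message is bound under an HMAC, so a
sniffer cannot forge a new one, but the naive server below still accepts a
captured copy replayed later; the second server adds freshness checks."""
import hashlib
import hmac
import os

SHARED_KEY = b"constructed-shared-key"  # known to client and server
WINDOW_SECONDS = 300  # how stale a message may be before it is rejected


def make_login(user, key, now, nonce=None):
    """Client side: bind user, timestamp and a fresh random nonce under an HMAC."""
    nonce = nonce if nonce is not None else os.urandom(8).hex()
    body = f"{user}|{int(now)}|{nonce}"
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{tag}"


class NaiveServer:
    """Checks only that the tag is valid: a captured message stays valid forever."""

    def __init__(self, key):
        self.key = key

    def verify(self, message, now):
        user, ts, nonce, tag = message.split("|")
        body = f"{user}|{ts}|{nonce}"
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        return "ok" if hmac.compare_digest(expected, tag) else "bad-tag"


class ReplaySafeServer(NaiveServer):
    """Additionally enforces a time window and remembers nonces already used."""

    def __init__(self, key):
        super().__init__(key)
        self.seen = {}  # nonce -> timestamp carried by the accepted message

    def verify(self, message, now):
        result = super().verify(message, now)
        if result != "ok":
            return result
        user, ts, nonce, _ = message.split("|")
        # Forget nonces that have aged out of the window; a message that old
        # is rejected by the timestamp check anyway, so the cache stays small.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= WINDOW_SECONDS}
        if abs(now - int(ts)) > WINDOW_SECONDS:
            return "stale"
        if nonce in self.seen:
            return "replayed"
        self.seen[nonce] = int(ts)
        return "ok"


def demo():
    """Capture one login on day one and replay it; returns each server's verdicts."""
    t0 = 1_700_000_000  # constructed "day one" timestamp
    msg = make_login("alice", SHARED_KEY, t0)
    naive, safe = NaiveServer(SHARED_KEY), ReplaySafeServer(SHARED_KEY)
    return {
        "naive_first": naive.verify(msg, t0),
        "naive_next_day": naive.verify(msg, t0 + 86400),    # accepted: the flaw
        "safe_first": safe.verify(msg, t0),
        "safe_immediate_replay": safe.verify(msg, t0 + 5),  # same nonce again
        "safe_next_day": safe.verify(msg, t0 + 86400),      # outside the window
        "safe_forged": safe.verify(make_login("alice", b"wrong-key", t0), t0),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```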
Session hijacking (TCP/IP Hijacking)
This is when an attacker takes over a communication session between two hosts.
TCP session hijacking is when a hacker takes over a TCP session between two machines. Since most
authentication only occurs at the start of a TCP session, this allows the hacker to gain access to a
machine. A popular method is using source-routed IP packets. This allows a hacker at point A on the
network to participate in a conversation between B and C by encouraging the IP packets to pass
through its machine.
DNS poisoning
Wrong information may be added to your DNS files. Your host will be directed to the wrong
destination due to DNS poisoning.
Cache poisoning, also called domain name system (DNS) poisoning or DNS cache poisoning, is the
corruption of an Internet server's domain name system table by replacing an Internet address with that
of another, rogue address. When a Web user seeks the page with that address, the request is redirected
by the rogue entry in the table to a different address. At that point, a worm, spyware, Web browser
hijacking program, or other malware can be downloaded to the user's computer from the rogue
location.
Password guessing
Password guessing is an attack on the authentication credentials on any system.
One form of password guessing is brute force attacks in which an attacker uses every single
possible key to try and crack the passwords.
In another form, known as dictionary attack, all words in a dictionary file are tried as
passwords.
Another type of network attack is the password guessing attack. Here a legitimate user's access rights to
computer and network resources are compromised by identifying the user id/password combination of
the legitimate user.
Password guessing attacks can be classified into two types.
Brute Force Attack: A brute force attack is a type of password guessing attack that consists of
trying every possible code, combination, or password until the correct one is found. This type of attack
may take a long time to complete. A complex password makes the time needed to identify it by brute
force long.
Dictionary Attack: A dictionary attack is another type of password guessing attack which uses a
dictionary of common words to identify the user’s password.
Software exploitation
These are attacks against a system’s software bugs or flawed code.
a piece of software is, it will still contain bugs. One of the most common bugs involves buffer
overflows, where an area of memory has been allocated by the programmer to store a specific amount
of data. When the volume of data written to the storage area exceeds the space allocated, a buffer
overflow occurs, causing part or all of the system to crash and potentially leaving it open for an intruder
to take over.
War dialling
In order to gain access into a network, the organization’s range of PBX numbers is used as
input to a war dialler program, which dials all those phone numbers using a modem, and logs
whether or not the call was answered by a modem.
The process of running modem scanning tools against a PBX or any given dialup modem for the
purpose of penetration.
A war dialler is a computer program used to identify the phone numbers that can successfully make a
connection with a computer modem.
The program will dial a range of numbers you ask it to dial and will log failure and success ranges in a
database.
War driving
These are attacks against wireless networks, which work by passing from outside the building
with a wireless Ethernet card in promiscuous mode.
Around the year 2000, an engineer named Peter Shipley coined the term war driving to refer to the
practice of deliberately searching a local area looking for Wi-Fi wireless network signals. Mr. Shipley
pioneered the practice of using an automobile, a Global Positioning System (GPS), and a mounted
antenna to identify unsecured wireless home networks.
Buffer overflow
Buffer overflow attacks are due to poorly written code which does not check the length of
variable arguments.
A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary
data storage area) than it was intended to hold. Since buffers are created to contain a finite amount of
data, the extra information - which has to go somewhere - can overflow into adjacent buffers,
corrupting or overwriting the valid data held in them. Although it may occur accidentally through
programming error, buffer overflow is an increasingly common type of security attack on data
integrity.
SYN flood
Occurs when a network becomes so overwhelmed by SYN packets initiating incomplete
connection requests that it can no longer process legitimate connection requests, causing high
CPU, memory, and NIC usage.
A SYN flood is a type of denial of service (DoS) attack that sends a series of "SYN" messages to a
computer, such as a web server. SYN is short for "synchronize" and is the first step in establishing
communication between two systems over the TCP/IP protocol. When a server receives a SYN request,
it responds with a SYN-ACK (synchronize acknowledge) message. The computer then responds with
an ACK (acknowledge) message that establishes a connection between the two systems. In a SYN
flood attack, a computer sends a large number of SYN requests, but does not send back any ACK
messages. Therefore, the server ends up waiting for multiple responses, tying up system resources. If
the queue of pending requests grows large enough, the server may not be able to respond to legitimate
requests. This results in a slow or unresponsive server.
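The half-open connection queue described above, simulated as an added example (not code from the original notes). A SYN reserves a slot, an ACK completes the handshake and frees it, and slots held longer than a timeout are reclaimed; the run shows legitimate SYNs being refused while the queue is full, and the simple detection signal of a source with many SYNs and no completed handshakes. Queue size, timeout, addresses and timings are constructed.

```python
"""Server backlog of half-open TCP connections under a SYN flood."""
from collections import defaultdict


class SynQueue:
    def __init__(self, capacity, timeout):
        self.capacity = capacity      # slots for half-open connections
        self.timeout = timeout        # seconds before an unanswered SYN-ACK is dropped
        self.half_open = {}           # (src, sport) -> time the SYN arrived
        self.refused = 0              # SYNs dropped because the queue was full
        self.syns = defaultdict(int)       # per-source SYN count
        self.completed = defaultdict(int)  # per-source completed handshakes

    def expire(self, now):
        # Reclaim slots whose SYN-ACK was never answered within the timeout.
        self.half_open = {k: t for k, t in self.half_open.items()
                          if now - t < self.timeout}

    def on_syn(self, now, src, sport):
        self.expire(now)
        self.syns[src] += 1
        if len(self.half_open) >= self.capacity:
            self.refused += 1
            return "refused"
        self.half_open[(src, sport)] = now
        return "syn-ack-sent"

    def on_ack(self, now, src, sport):
        self.expire(now)
        if self.half_open.pop((src, sport), None) is None:
            return "no-such-connection"
        self.completed[src] += 1
        return "established"

    def suspicious_sources(self, min_syns=20):
        """Detection heuristic: many SYNs but no handshake ever completed."""
        return sorted(s for s, n in self.syns.items()
                      if n >= min_syns and self.completed[s] == 0)


def run_scenario(capacity, timeout):
    """200 flood SYNs that are never ACKed, then 5 legitimate connection
    attempts; returns (legitimate results, flagged sources)."""
    q = SynQueue(capacity, timeout)
    legit_results = []
    # Flood source (constructed address) sends a SYN every 0.1 s for 20 s.
    for i in range(200):
        q.on_syn(i * 0.1, "198.51.100.7", 40000 + i)
    # Legitimate client (constructed address) connects at t = 20, 25, ... 40
    # and answers the SYN-ACK promptly.
    for j in range(5):
        t = 20 + 5 * j
        r = q.on_syn(t, "192.0.2.10", 50000 + j)
        if r == "syn-ack-sent":
            r = q.on_ack(t + 0.05, "192.0.2.10", 50000 + j)
        legit_results.append(r)
    return legit_results, q.suspicious_sources()


if __name__ == "__main__":
    # A 60 s timeout with a 128-slot queue leaves every legitimate SYN refused;
    # a 10 s timeout reclaims slots fast enough for this flood rate (a faster
    # flood would still fill it, which is why real servers add SYN cookies).
    print(run_scenario(capacity=128, timeout=60))
    print(run_scenario(capacity=128, timeout=10))
```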
ICMP flood (Internet Control Message Protocol Flood)
An ICMP flood occurs when ICMP pings overload a system with so many echo requests that
the system expends all its resources responding until it can no longer process valid network
traffic.
ICMP is primarily used for error messaging and typically does not exchange data between systems. An
ICMP Flood is the sending of an abnormally large number of ICMP packets. This flood can
overwhelm a target server that attempts to process every incoming ICMP request, and can result in a
denial-of-service condition for the target server.
UDP flood
Similar to the ICMP flood, UDP flooding occurs when UDP packets are sent with the purpose
of slowing down the system to the point that it can no longer handle valid connections.
A UDP flood attack is a denial-of-service (DoS) attack using the User Datagram Protocol (UDP), a
sessionless/connectionless computer networking protocol. Using UDP for denial-of-service attacks is
not as straightforward as with the Transmission Control Protocol (TCP). However, a UDP flood attack
can be initiated by sending a large number of UDP packets to random ports on a remote host.
Smurfing
An ICMP echo request is sent to a network’s broadcast address with a spoofed source IP
address.
The spoofed machine is then overwhelmed with a large number of echo replies.
The Smurf attack is a distributed denial-of-service attack in which large numbers of Internet Control
Message Protocol (ICMP) packets with the intended victim's spoofed source IP are broadcast to
a computer network using an IP broadcast address. Most devices on a network will, by default,
respond to this by sending a reply to the source IP address. If the number of machines on the network
that receive and respond to these packets is very large, the victim's computer will be flooded with
traffic. This can slow down the victim's computer to the point where it becomes impossible to work
on.
Sniffing
Sniffing uses protocol analysers or packet sniffers to capture network traffic for passwords or
other data.
A sniffer is an application that can capture network packets. Sniffers are also known as network
protocol analysers. They are also used by hackers for attacking networks. If the network packets are not
encrypted, the data within a packet can be read once it has been captured using a sniffer. Sniffers are
used by hackers to capture sensitive network information, such as passwords, account information etc.
Ping of death
Ping of death attack uses oversized ICMP echo requests to a host in an attempt to crash it.
Ping of Death (PoD) is a type of network attack in which an attacker sends a network packet that is
larger than what the target computer can handle. This can crash the computer, or freeze or degrade
computer service. Ping of death is used to make a computer system unstable by deliberately sending
larger ping packets to the target system over an IPv4 network. Ping of death is also known as long
ICMP.
TCP Three-way handshake
Security implementation
Identify what you are trying to protect.
Determine what you are trying to protect them from.
Determine how likely the threats are.
Implement steps that protect your assets in a cost-effective manner.
Review the process continuously, making improvements when you find a weakness.
Assets needing to be protected
Physical resources
Intellectual resources
Time resources
Perception resources
Physical resources
Anything that has a physical form
Routers, hubs, switches, servers etc
Assets that have a physical form, such as workstations, servers, printers, hubs, switches, routers,
firewalls. Basically, any computing resource that has a physical form can be considered a physical
resource.
An individual walks into an organization’s office claiming to be a computer repair technician. The
receptionist allows him through, giving directions to the network administrator’s office. The repair
person returns a short while later with a network printer which he claims needs repairs and must be
taken back to the shop.
Of course, the printer didn’t need repairs, and he didn’t seek the network administrator. Instead, he just
unplugged the first high end printer he came across and took it with him. The theft was discovered
when the network administrator heard complaints about people being unable to print. Of course, it’s
not easy to print without the printer.
This printer theft could’ve been avoided if the company policy dictated that no outsider would be
allowed in without an escort, and that would have saved the company the cost of replacing a high end
network printer.
Intellectual resources
Sometimes harder to identify
Exist in electronic form only
Any information that plays a vital role in your organization’s business
Software, financial records, database records, schematics, emails etc
These resources are sometimes harder to identify because they exist only in electronic form. An
intellectual resource is any information that plays a part in your organization’s business. This can
include software, financial information, database records and schematics. If email is used to exchange
information, the stored email messages are also intellectual resources.
Time resources
An important resource which is overlooked quite often in a risk analysis.
To evaluate what lost time costs your organization, make sure to include all consequences of
lost time
It is an important organizational resource which is quite often over-looked in a risk analysis. When
evaluating what lost time could cost your organization, make sure that you include all the
consequences of lost time.
Consider a company’s file server, which is backed up every night, but doesn’t have redundant hard
disk drives. The disk drive crashes. The physical loss is a hard disk drive, which is not very expensive.
The intellectual loss is whatever was updated since the last backup. What is lost in terms of time can
be evaluated based on what the network administrator must do as a cleanup job:
1. Install the new disk drive in the system.
2. Completely reinstall the network operating system, any required patches, and the backup software, if necessary.
3. Restore all required backup tapes. If a full backup is not performed every night, there may be multiple tapes to restore from.
Perception resources
Risk of damage to perception is the cause of significant trouble
The stock prices for affected companies fell after the denial of service attacks of February 2000.
Although this loss was not long term, it had a real, measurable impact on the trust of consumers and
stockholders. With the publicity surrounding the penetration of Microsoft’s system in October 2000,
some wondered if valuable source code had been unknowingly modified.
Sources to protect from
Potential network attacks may come from any source that has access to your network. These sources
can vary greatly, depending on your organization’s size and the type of network access provided.
Some of these sources could include:
Internal network
Access from field offices
Access from WAN link to the business partners
Access through the Internet
Access through modem pools
Internal systems
A vast majority of attacks originate from within the organization
Using firewalls protects from external threats, but it is still the employees that are responsible
for the greatest amount of damage or compromise of data, because they have the insider’s view
of how your network operates
A vast majority of attacks originate from within the organization. While using firewalls to protect assets
from external attacks is all the rage, it is still the employees, who have an insider’s view of how your
network operates, who are responsible for the greatest amount of damage to, or compromise of, your
data. This damage can be accidental or, in some cases, intentional.
Internal attacks
Disgruntled employee or ex-employee
Not so computer literate management with access privileges
A company’s CEO insisted on having administrative privileges on the NetWare server and
inadvertently deleted the cc:Mail directory
The most typical cause of a true attack is a disgruntled employee or ex-employee.
For example, one company’s owner insisted on having full privileges on the NetWare server, even
though he was not very computer literate. He inadvertently deleted the cc:Mail data directory, which
contained all the mail messages and public folders. Approximately two years’ worth of data
disappeared.
External attacks
Although external attacks can come from ex-employees, the range of possible attacks increases
dramatically.
Competitors
Stealing designs, financial statements, making network resources unavailable
Shorten development time
Equip their products with better features
Second lowest price website DoS
If you are in a highly competitive business, an ambitious competitor may see advantage in attacking
your network. This can take the form of stealing designs or financial statements, or just making your
network resources unusable.
Subjecting the website of a competitor whose prices are lower than your organization’s to a denial of
service attack could lead some buyers to your website, because it now has the second lowest prices
and the lowest priced product is unavailable due to the denial of service.
Militant viewpoints
If your organization has controversial viewpoints
If your business can be considered controversial, it may be prone to threats from others who take a
different point of view. In 1998, following the nuclear tests by India and Pakistan, Indian and Pakistani
hackers launched defacing attacks on each other’s websites.
High profile
An organization with high visibility is a good candidate for an attack for merely the sake of
notoriety or a wider audience
Organizations can become a target for attack simply because of their high level of visibility. A
would-be attacker may attempt to infiltrate a well-known site with the hope that a successful attack will
bring with it some level of notoriety. In May 1999, major US government websites including
whitehouse.gov, fbi.gov, and senate.gov were defaced.
Threat assessment
Network security attacks are malicious or unintentional attempts to use or modify resources
available through a network in a way they were not intended to be used
The goal of network security is to protect its assets from network attacks.
The goal of network security is to protect its assets from network attacks. Network attacks may be
defined as malicious or unintentional attempts at using or modifying resources available through the
network in a way that they were not intended to be used.
All network attacks fall into one of the following categories:
Network attack types
Unauthorized access to resources or information through the use of a network
Unauthorized manipulation and alteration of information on a network
Denial of service
The key to note here is the word unauthorized. It is the job of a network security policy to spell out
what is authorized and what is not.
A network attack can be planned as well as unintentional, and the job of the network security
mechanisms is not only to protect against planned attacks, which are coordinated attacks conducted by
malicious users, but also against unintentional attacks in the form of mistakes made by users.
Network security goals
Based on the three types of attacks, the goals of network security are to:
Ascertain data confidentiality
Maintain data integrity
Maintain data availability
Risk assessment
After threat identification, the likelihood must be determined
Security is expensive
It is not feasible to protect against all types of attacks
It is wise to protect against the most likely threats
Having identified the assets and the factors that threaten them, the next step in formulating a network
security implementation is to ascertain how likely the threats are in the environment in which the
security is being implemented. Realize that although it can be important to protect against all types of
attacks, security does not come cheap. Therefore, a careful analysis must be done to find out what the
most significant sources of attack are and devote the most resources to protecting against them.
Even though risk assessment can be done in a number of ways, there are two main factors that affect
the risk associated with a particular type of threat materializing:
• The likelihood of that particular attack being launched against the asset in question
• The cost to the network in terms of damages that a successful attack will incur
It is often useful to divide the risk analysis into three categories:
Confidentiality
Integrity
Availability
If a network resource’s availability is critical and the likelihood of an attack being launched against it
is high, this asset’s risk level can be considered fairly high. For example, a high visibility web server.
Due to its high visibility, it can be a likely target for attackers. Also, it is important for a web server to
be available all the time. Therefore, this asset is high-risk in terms of availability.
If an asset’s availability is critical and the likelihood of an attack is high, the asset’s risk level
can be considered high
e.g., a high visibility web server is a high risk asset in terms of availability
An FTP server used internally, which is not visible from the outside has a lower risk level in
terms of availability but a high risk level in terms of confidentiality
Note that all risk assessments are relative
Once a list of the risk levels associated with the various assets in the network has been compiled, the next
step is to create a policy framework for protecting these resources so that risk can be minimized.
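The risk assessment above, worked through as an added example (not the notes’ own method): each asset is scored per category (confidentiality, integrity, availability) from the two factors in the text, likelihood of attack and cost of a successful attack, and the pairs are ranked so the policy can put its effort on the high-risk ones first. The 1..3 scale, the risk bands, the third asset and all the judgements are assumptions constructed for the illustration, chosen so the public web server and the internal FTP server come out as the text describes.

```python
"""Relative risk scoring: risk = likelihood of attack x cost of a successful one,
per asset and per category, then ranked to prioritize mitigation."""

LEVEL = {"low": 1, "medium": 2, "high": 3}

# Constructed sample judgements for three assets.
ASSETS = {
    "public-web-server": {
        "likelihood": "high",      # high visibility -> likely target
        "cost": {"confidentiality": "low", "integrity": "medium",
                 "availability": "high"},   # must be up all the time
    },
    "internal-ftp-server": {
        "likelihood": "medium",    # not visible from outside; insiders only
        "cost": {"confidentiality": "high", "integrity": "medium",
                 "availability": "low"},
    },
    "payroll-db": {
        "likelihood": "medium",    # internal, but a valuable insider target
        "cost": {"confidentiality": "high", "integrity": "high",
                 "availability": "medium"},
    },
}


def risk_scores(assets=ASSETS):
    """Return {(asset, category): score} with score = likelihood * cost (1..9)."""
    scores = {}
    for name, a in assets.items():
        likelihood = LEVEL[a["likelihood"]]
        for category, cost in a["cost"].items():
            scores[(name, category)] = likelihood * LEVEL[cost]
    return scores


def risk_label(score):
    """Map a 1..9 score onto relative bands; all assessments are relative."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def prioritized(assets=ASSETS):
    """(asset, category) pairs, highest risk first: the order in which a
    policy should spend its mitigation resources."""
    scores = risk_scores(assets)
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for (asset, category), score in prioritized():
        print(f"{asset:22} {category:16} {score}  {risk_label(score)}")
```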
Network security policy
Having determined the risk level of various assets, the next step is to formulate a security
policy
A security policy must prioritize mitigation of threats against high risk assets and then spend
the rest of its resources on protecting the lower risk assets
Defines a framework for protecting the assets connected to a network
Defines access rules and limitations for accessing various assets
A source of information for users and administrators as they:
Setup, Use and Audit the network
Should be broad and general in scope
Provide a high level view of the principles on which security related decisions should be taken
Should not go into the details of how security is to be implemented
The details can change overnight, but the general principles of what these details are trying to
achieve should remain the same
Roles played by the policy:
Clarify what is being protected and why
State who is responsible for providing the protection
Provide grounds on which to interpret and resolve any future conflicts
The first point is an offshoot of the asset identification and risk analysis
Those responsible for the protection can be one or more of the following:
Users
Administrators and managers
Network usage auditors
Managers who have overall ownership of the network and its associate resources
The third point places responsibility on shoulders of a particular person to resolve any conflicts
A network policy should be such that it can be implemented using existing technology, it
shouldn’t contain elements that are not technically enforceable
In terms of ease of use there are two types of network security policies:
Permissive: that which is not expressly prohibited is allowed
Restrictive: that which is not expressly allowed is prohibited
• It is better to have a restrictive policy and then, based on usage, open it up for legitimate uses
• A permissive policy will have holes in it no matter how hard you try to plug them all
• A security policy must balance:
  • Ease of use
  • Network performance
  • Security aspects
• An overly restrictive policy can cost more than a slightly more lenient one that makes up for it in terms of performance gains
• Minimum security requirements as identified by risk analysis must be met for a security policy to be practical.
A network security policy defines a framework to protect the assets connected to a network based on a
risk assessment. A network security policy defines the access rules and limitations for accessing
various assets. It is the source of information for users and administrators as they set up, use, and audit
the network.
A network security policy should be general and broad in scope. What this means is that it should
provide a high level view of the principles based on which security-related decisions should be made,
but it should not go into the details of how the policy should be implemented. The details can change
overnight, but the general principles of what these details are trying to achieve should remain the
same.
The policy should play the following roles:
• Clarify what is being protected and why it is being protected
• State who is responsible for providing that protection
• Provide grounds on which to interpret and resolve any later conflicts that might arise
The first point is an offshoot of the asset identification and risk assessment. The second point covers
who is responsible for ensuring the security requirements are met.
This can be one or more of the following:
• Users
• Administrators and managers
• Network usage auditors
• Managers who have overall ownership of the network and its associated resources
The third point places the responsibility of resolving issues not covered by the policy on the shoulders
of a particular person rather than leaving them open to arbitrary interpretation.
A network security policy should be implementable given available technology. A network security
policy that is very comprehensive but contains elements that are not technically enforceable is less than
useful.
In terms of ease of use of network resources for users, there are two types of network security policies:
• Permissive: everything not expressly prohibited is allowed
• Restrictive: everything not expressly permitted is prohibited
It is generally better to have a restrictive policy and then based on actual usage, open it up for
legitimate usage. A permissive policy generally has holes no matter how hard you try to plug all the
holes.
A security policy must balance ease of use, network performance, and security aspects in defining the
rules and regulations. This is important, because an overly restrictive security policy can end up
costing more than a security policy that is somewhat more lenient but makes up for it in terms of
performance gains. Of course, minimum security requirements as identified by risk analysis must be
met for a security policy to be practical.
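The difference between a permissive and a restrictive policy is the default decision taken when no rule mentions a flow. The following Python script is an added example, not code from the notes or their author: the rule list, the zone names and the sample flows are all constructed for the demonstration. The same four rules are evaluated under both defaults, and `find_holes()` lists the flows that the permissive policy lets through purely because nobody wrote a rule for them, which is the "holes no matter how hard you try" the notes refer to.

```python
"""Permissive vs. restrictive policy evaluation (added example, not from the notes).

The rule list is identical in both cases; only the default decision differs.
Rules, zone names and traffic samples are constructed for this illustration.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    proto: str               # "tcp", "udp" or "any"
    dst_port: Optional[int]  # None matches any destination port
    src_zone: str            # "internal", "external" or "any"

    def matches(self, proto: str, dst_port: int, src_zone: str) -> bool:
        return ((self.proto == "any" or self.proto == proto)
                and (self.dst_port is None or self.dst_port == dst_port)
                and (self.src_zone == "any" or self.src_zone == src_zone))


# Rules derived from the risk analysis in the notes: the public web server
# must stay available (allow 80/443 from anywhere); the internal FTP server
# holds confidential data, so external access is explicitly denied.
RULES: List[Rule] = [
    Rule("allow", "tcp", 80, "any"),
    Rule("allow", "tcp", 443, "any"),
    Rule("deny", "tcp", 21, "external"),
    Rule("allow", "tcp", 21, "internal"),
]


def evaluate(rules: List[Rule], proto: str, dst_port: int, src_zone: str, default: str) -> str:
    """First matching rule decides; if nothing matches, the policy default applies."""
    for rule in rules:
        if rule.matches(proto, dst_port, src_zone):
            return rule.action
    return default


def permissive(proto: str, dst_port: int, src_zone: str) -> str:
    """Not expressly prohibited => allowed."""
    return evaluate(RULES, proto, dst_port, src_zone, default="allow")


def restrictive(proto: str, dst_port: int, src_zone: str) -> str:
    """Not expressly allowed => prohibited."""
    return evaluate(RULES, proto, dst_port, src_zone, default="deny")


# Constructed sample flows: (proto, destination port, source zone, description)
SAMPLE_FLOWS = [
    ("tcp", 443, "external", "public HTTPS"),
    ("tcp", 21, "external", "external FTP"),
    ("tcp", 21, "internal", "internal FTP"),
    ("tcp", 3389, "external", "remote desktop nobody wrote a rule for"),
    ("udp", 161, "external", "SNMP nobody wrote a rule for"),
]


def find_holes(flows=SAMPLE_FLOWS) -> List[str]:
    """Flows the permissive policy allows only because no rule mentions them."""
    return [desc for proto, port, zone, desc in flows
            if permissive(proto, port, zone) == "allow"
            and restrictive(proto, port, zone) == "deny"]


if __name__ == "__main__":
    for proto, port, zone, desc in SAMPLE_FLOWS:
        print(f"{desc:42s} permissive={permissive(proto, port, zone):5s} "
              f"restrictive={restrictive(proto, port, zone)}")
    print("holes in the permissive policy:", find_holes())
```

Opening up a restrictive policy for a legitimate use means adding one explicit `allow` rule; under the permissive policy the unlisted services are already reachable and the gap only shows up once someone audits for it.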
Implementation
• Implementation of network security involves technical and non-technical aspects
• It is important to come up with a design agreeable to all involved parties
• The following points must be kept in mind before implementation:
  • All stakeholders (including users and management) must agree on the policy
  • It is crucial to educate all parties, including management, on why security is necessary. This education must continue for newcomers
  • Management and financial people must be educated about the cost and risk analysis, because security is expensive and is not a one-time expense
  • Responsibilities of people and their reporting relationships must be clearly defined
• The next step is network security design
  • Translate the security policy into procedures, which are usually laid-out tasks that must be completed to implement the security policy
  • Execution of these procedures results in a network design that can be implemented using various devices
• The following are components of network security design:
  • Device security features such as the administrative password
  • Firewalls
  • Remote access VPN concentrators
  • Intrusion detection
  • Access control and limiting mechanisms
Implementing a network security policy involves technical as well as non-technical aspects. Even
though it is challenging enough to find the right equipment that can work together and implement the
security policy in its true spirit, coming up with a design that is workable for all parties concerned is
equally challenging.
The following points must be kept in mind before implementing a security policy:
• All stakeholders, including the users and the management must agree or have consensus on the
security policy. It is not easy to maintain a security policy that not everyone is convinced is necessary.
• It’s crucial to educate the users and the affected parties, including management, on why security is
important. You must make sure that all parties understand the reasons behind the security policy and
what is about to be implemented. This education must continue on an ongoing basis such that all
newcomers to the company are aware of the network’s security aspects.
• Security does not come for free. Implementing security is expensive and is often an ongoing expense
rather than a one-time cost. It is important to educate the management and the financial people about
the cost and risk analysis done in coming up with the security policy.
• Responsibilities of various people must be clearly defined for various parts of the network and their
reporting relationships.
Working on implementing a security policy while keeping these issues in mind can help you
implement a security policy both in practice and in spirit.
Audit and improvement
• It is important to continually analyse, test and improve the security policy after implementation
• This can be done through:
  • Formal security audits
  • Day-to-day checks based on operational measurements
• Audits can also be done using automated tools
• An important purpose of audits is to keep the users aware of the implications of their actions
  • Can help identify bad user habits
• There should be scheduled and random audits
• A random audit will help:
  • Catch the organization with its guard down
  • Reveal weaknesses during maintenance, etc.
• If the audit reveals technical issues, they can be fixed by technical means
• Other issues can be addressed by user education programs
• Education programs should not go into minute details, but focus on the goals of the policy and how the user can help in its implementation
• Using examples of what they did wrong would cause the users to think that they cannot do any wrong unless they are caught doing wrong
After implementation of a network security policy, it is critically important to continually analyze, test
and improve it. This can be done by formal audits of the security systems as well as through day-to-
day checks based on normal operational measurements. Audits can also take various forms, such as
automated audits using software tools. Many commercial as well as open source tools are available for
this.
An important purpose of the security audit is to keep the users aware of the implications of their
actions on the network. Audits can be used to identify habits that the users may have formed that can
lead to network attacks. Audits should be scheduled as well as random. A random audit tends to catch
the organization with its guard down and also reveals penetrability during maintenance, turnaround
and so on.
After identification of various issues through the audit, technical issues can be fixed directly, and the
others can be transformed into educational programs to educate the users on better network security
techniques. These programs should focus on the goals of the network security policy and how
individuals can help in its implementation. The education should not go into the minute details of things
that the users are doing wrong, but should teach them the general security policy and use infringements
as examples. An audit and education that is too hands-on can remove a sense of empowerment from the
users, making them think that they can do no wrong until they are caught doing something wrong.
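The notes say audits can be automated with software tools and that findings split into those fixed by technical means and those handled through user education; the design section earlier lists device security features such as the administrative password and access control mechanisms as the things such checks cover. The following Python script is an added example, not a tool from the notes or their author: the policy parameters, the device snapshot format and the two device records are all constructed (the "vendor default" password value is a labelled placeholder, not any real product's default). It runs a handful of policy checks over the snapshots and sorts the findings by remedy.

```python
"""Automated policy audit over constructed device snapshots (added example, not from the notes).

Each check corresponds to a policy requirement; findings are tagged "technical"
(fix by configuration) or "education" (a user habit to address in training).
All parameters and device records below are constructed for the illustration.
"""
from datetime import date
from typing import Dict, List, Tuple

# Policy parameters the audit enforces (assumed values for this example).
POLICY = {
    "max_password_age_days": 90,
    "allowed_mgmt_zones": {"internal"},
    "cleartext_mgmt_protocols": {"telnet", "http"},
    # Placeholder standing in for a vendor default; not a real default password.
    "default_admin_password": "CHANGEME-default",
}

# Constructed device snapshots, shaped like an inventory export might be.
DEVICES: List[Dict] = [
    {"name": "edge-fw-1", "admin_password": "x7!kq-rotated", "password_changed": date(2024, 1, 10),
     "mgmt_protocols": ["ssh"], "mgmt_access_zones": ["internal"], "shared_account_logins": 0},
    {"name": "core-sw-2", "admin_password": "CHANGEME-default", "password_changed": date(2023, 6, 1),
     "mgmt_protocols": ["telnet", "ssh"], "mgmt_access_zones": ["internal", "external"],
     "shared_account_logins": 14},
]

Finding = Tuple[str, str]  # (remedy kind, description)


def audit_device(dev: Dict, today: date = date(2024, 3, 1), policy: Dict = POLICY) -> List[Finding]:
    """Run every policy check against one device snapshot."""
    findings: List[Finding] = []
    if dev["admin_password"] == policy["default_admin_password"]:
        findings.append(("technical", "administrative password is the vendor default"))
    age = (today - dev["password_changed"]).days
    if age > policy["max_password_age_days"]:
        findings.append(("technical", f"administrative password is {age} days old"))
    cleartext = sorted(set(dev["mgmt_protocols"]) & policy["cleartext_mgmt_protocols"])
    if cleartext:
        findings.append(("technical", "cleartext management protocol enabled: " + ", ".join(cleartext)))
    exposed = sorted(set(dev["mgmt_access_zones"]) - policy["allowed_mgmt_zones"])
    if exposed:
        findings.append(("technical", "management reachable from zone(s): " + ", ".join(exposed)))
    if dev["shared_account_logins"] > 0:
        # Logging in through a shared account is a habit, not a device setting.
        findings.append(("education", f"{dev['shared_account_logins']} logins via shared admin account"))
    return findings


def audit(devices: List[Dict] = DEVICES, today: date = date(2024, 3, 1)) -> Dict[str, List[str]]:
    """Audit all devices and group findings by the kind of remedy they need."""
    report: Dict[str, List[str]] = {"technical": [], "education": []}
    for dev in devices:
        for kind, message in audit_device(dev, today):
            report[kind].append(f"{dev['name']}: {message}")
    return report


if __name__ == "__main__":
    for kind, items in audit().items():
        print(f"== {kind} ==")
        for item in items:
            print("  " + item)
```

The split matters for follow-up: the "technical" list goes to the administrators as configuration work, while the "education" list feeds the training programme without singling out individuals, in line with the notes' advice to teach the general policy rather than dwell on minute details of what each user did wrong.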