One very common technique is to deliver an e-mail or Web page that contains a malicious piece of code called mobile malicious code or a Trojan horse. A computer virus is a small program that alters the way a computer operates without the knowledge of the computer’s users and often does various types of damage by deleting and corrupting data and program files, or by altering operating system components, so that computer operation is impaired or even halted. A computer worm is a program that copies itself from one system to another over a network, without the assistance of a human being.
Denial of service attacks (or distributed denial of service attacks) bombard a computer site with so many messages that the site is incapable of performing its normal duties. In e-mail bombing, a perpetrator sends an excessive amount of unwanted e-mail messages to someone. If these e-mail messages have a return address of someone other than the person actually sending the e-mail, then the sender is spoofing. Smurfing is the name of a particularly nasty automated program that attacks a network by exploiting Internet Protocol (IP) broadcast addressing and other aspects of Internet operation. A ping storm is a condition in which the Internet ping program is used to send a flood of packets to a server to make the server inoperable.
Another popular attack method is to abuse or take advantage of valid user accounts and the permissions associated with those accounts. One more common attack method is to try to guess or intercept valid IDs and passwords from authorized users. Another type of attack that involves tricking the user into supplying confidential information is called pharming. In this attack, a Web user seeking to visit a particular company’s Web site is unknowingly redirected to a bogus Web site that looks exactly like that company’s official Web site.
The physical protection of a computer system or a computer network consists of protecting the equipment from physical damage. Causes of physical damage include fire, floods, earthquakes, power surges, and vandalism. Some equipment, obviously, has to be in the open for public access. In this case, the equipment should be locked down. Another matter of common sense is that expensive computer systems should not be placed in the basements of buildings. Rooms with a large number of external windows are also not advisable. To prevent electrical damage to computing equipment, high-quality surge protectors should be used on all devices that require an electrical current. In addition, computer devices should not be on the same circuits as electrical devices that power up and down and cause power fluctuations, such as large motors. Finally, devices that are susceptible to damage from static electricity discharges, such as memory cards and printed circuit boards, should be properly grounded.
Surveillance may also be considered a form of physical protection. Some companies use a form of surveillance called intrusion detection, or an intrusion detection system, which involves electronically monitoring data flow and system requests into and out of their systems. In addition to video surveillance and intrusion detection, an interesting surveillance technique built on the concept of a honeypot is available.
Controlling access to a computer network involves deciding and then limiting who can use the system and when the system can be used. Local area networks and database systems provide much flexibility in the assigning of access rights to individuals or groups of individuals. Access rights define the network resources that a user or set of users can access. A company’s computer network specialists, along with database administrators and someone at the top levels of management, such as the Chief Information Officer (CIO), often work together to decide how the company should be broken up into information access groups. Then they resolve each group’s access rights and determine who should be in each group. It is also possible to limit access to a system by the time of day or the day of the week. It may also be wise to limit remote access to a system during certain times of the day or week.
Perhaps the most common form of protection from unauthorized use of a computer system is the password. Anyone accessing a computer system, banking system, or voice mail/e-mail system is required to enter a password or personal identification number (PIN). Too often, passwords become known, or “misplaced,” and fall into the wrong hands. Occasionally, a password is written on paper, and the paper is discovered by the wrong people. More often, however, the password is too simple, and an intruder guesses it. The standard rules that you should follow when creating or changing a password include:
- Change your password often.
- Pick a good password by using at least eight characters, mixing uppercase and lowercase if the computer system is case-sensitive, and mixing letters with numbers.
- Do not choose passwords that are similar to your first or last names, pet names, car names, or other choices that can be easily guessed.
- Do not share your password with others; doing so invites trouble and misuse.
Because a password has so many weaknesses, other forms of identification have emerged. Biometric techniques that observe and record some aspect of the user, such as voiceprints, fingerprints, eyeprints, and faceprints, appear to be the wave of the future.
What precautions can we take to ensure that this data is not corrupted or intercepted by the wrong people? Encryption is commonly used to secure data. Basic encryption techniques are available that include substitution ciphers and transposition ciphers. More advanced techniques, such as the Advanced Encryption Standard, digital signatures, public key infrastructure, and steganography are also available.
A monoalphabetic substitution-based cipher replaces a character or group of characters with a different character or group of characters. The polyalphabetic substitution-based cipher is similar to the monoalphabetic cipher, but it uses multiple alphabetic strings to encode the plaintext, rather than one alphabetic string. Possibly the earliest example of a polyalphabetic cipher is the Vigenère cipher. For the Vigenère cipher, a 26 x 26 matrix of characters is created.
A transposition-based cipher is different from a substitution-based cipher in that the order of the plaintext is not preserved. Rearranging the order of the plaintext characters makes common patterns unclear and the code much more difficult to break. Let’s consider a simple example of a transposition cipher. Choose a keyword that contains no duplicate letters, such as COMPUTER. Over each letter in the keyword, write the number that corresponds to the order in which that letter appears in the alphabet when compared to the other letters in the keyword. For the keyword COMPUTER, C appears first in the alphabet, E is second, M is third, O is fourth, and so on. Take a plaintext message such as “this is the best class i have ever taken” and write it under the keyword in consecutive rows going from left to right. To encode the message, read down each column starting with the column numbered 1 and proceeding through to the column numbered 8. Reading column 1 gives us TESV, and column 2 gives us TLEE. Encoding all eight columns gives the following message: TESVTLEEIEIRHBSESSHTHAENSCVKITAA.
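The COMPUTER example above, worked in Python as an added example that is not part of the original text. The function names are chosen here, and the decoder also handles a message that does not fill the last row, a case the text does not cover.

```python
def column_order(keyword):
    """Column indices in reading order: the alphabetical rank of each keyword letter."""
    if len(set(keyword)) != len(keyword):
        raise ValueError("keyword must not contain duplicate letters")
    return sorted(range(len(keyword)), key=lambda i: keyword[i])


def encrypt(plaintext, keyword):
    """Write the letters in rows under the keyword, then read the columns in rank order."""
    text = "".join(ch for ch in plaintext.upper() if ch.isalpha())
    width = len(keyword)
    # text[col::width] is exactly one column read from top to bottom.
    return "".join(text[col::width] for col in column_order(keyword))


def decrypt(ciphertext, keyword):
    """Cut the ciphertext back into columns, then read the grid row by row."""
    width = len(keyword)
    full_rows, extra = divmod(len(ciphertext), width)
    columns = [""] * width
    pos = 0
    for col in column_order(keyword):
        # Only the first `extra` columns reach into a partly filled last row.
        height = full_rows + (1 if col < extra else 0)
        columns[col] = ciphertext[pos:pos + height]
        pos += height
    return "".join(columns[i % width][i // width] for i in range(len(ciphertext)))


if __name__ == "__main__":
    message = "this is the best class i have ever taken"
    secret = encrypt(message, "COMPUTER")
    print(secret)
    print(decrypt(secret, "COMPUTER"))
```

Every plaintext letter survives unchanged in the ciphertext, so letter frequencies are preserved; only the positions are scrambled.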
One of the inherent problems with protecting a single key is that it means that only one key is used to both encode and decode the message. But what if two keys are involved—one public and one private? Data encrypted with the public key can be decoded only with the private key, and data encrypted with the private key can be decoded only with the public key. This concept of two keys, public and private, is called public key cryptography. It is also called asymmetric encryption. Important protocols that use asymmetric cryptography include SSL, TLS, and IPSec.
The Data Encryption Standard (DES) is a commonly employed encryption method used by businesses to send and receive secure transactions. The standard came into effect in 1977 and was reapproved in 1983, 1988, and 1993. The encryption techniques are based upon substitution- and transposition-based ciphers. The Advanced Encryption Standard (AES) was selected by the U.S. government to replace DES. More precisely, the National Institute of Standards and Technology selected the algorithm Rijndael in October 2000 as the basis for AES. The Rijndael algorithm involves very elegant mathematical formulas, requires only one pass, computes very quickly, is virtually unbreakable, and operates on even the smallest computing devices.
A digital signature is a security procedure that uses public key cryptography to assign to a document a code for which you alone have the key. Digitally signing an electronic document involves sending the document through a complex mathematical computation that generates a large prime number called a hash. The original document and the hash are inextricably tied together. One drawback to this system is that if someone discovers the user’s private key, a digital signature could be forged. In an effort to create an encryption scheme that could be used by the average person, an entrepreneur named Philip Zimmermann created encryption software called Pretty Good Privacy (PGP).
Public key infrastructure (PKI) is the combination of encryption techniques, software, and services that involves all the necessary pieces to support digital certificates, certificate authorities, and public key generation, storage, and management. A digital certificate, or simply a certificate, is an electronic document, similar to a passport, that establishes your credentials when you are performing transactions on the World Wide Web. Many certificates conform to the X.509 standard. All certificates are issued by a certificate authority. A certificate authority (CA) is either specialized software on a network or a trusted third-party organization or business that issues and manages certificates. A certificate revocation list (CRL) is a list of certificates that have been revoked before their originally scheduled expiration date.
Techniques used to secure communications include:
- Spread spectrum technology
- Guarding against viruses
- Firewalls
- Wireless security techniques
The two basic spread spectrum techniques commonly used in the communications industry today are frequency hopping spread spectrum and direct sequence spread spectrum. The idea behind frequency hopping spread spectrum transmission is to bounce the signal around on random frequencies rather than transmit it on one fixed frequency. Anyone trying to eavesdrop will not be able to listen because the transmission frequencies are constantly changing. It turns out that the signal does not actually bounce around on random frequencies; it only seems to do so. The transmitter actually follows a pseudorandom sequence of frequencies, and the intended receiver possesses the hardware and software knowledge to follow this pseudorandom sequence of frequencies.
The second technique for creating a spread spectrum signal to secure communications is direct sequence spread spectrum. Direct sequence spread spectrum spreads the transmission of a signal over a wide range of frequencies using mathematical values. The original data is input into a direct sequence modulator, where it is exclusive-ORed with a pseudorandom bit stream. Thus, the output of the direct sequence modulator is the result of the exclusive OR between the input data and the pseudorandom bit sequence. When the data arrives at the intended receiver, the spread spectrum signal is again exclusive-ORed with the same pseudorandom bit stream that was used during the transmission of the signal. The result of this exclusive-OR at the receiving end is the original data.
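The modulator and receiver described above, sketched in Python as an added example that is not from the original text. It goes one step beyond the description by XORing each data bit with several pseudorandom bits and recovering it by majority vote. The spreading factor, the seed values and the use of `random.Random` as the shared generator are assumptions.

```python
import random

CHIPS_PER_BIT = 11  # assumed spreading factor; the text gives no value


def chip_stream(seed, n):
    """Pseudorandom bit stream that both ends derive from a shared seed.

    random.Random is a stand-in generator here, not a cryptographic one.
    """
    rng = random.Random(seed)
    return [rng.getrandbits(1) for _ in range(n)]


def spread(data_bits, seed):
    """Modulator: XOR every data bit with CHIPS_PER_BIT pseudorandom bits."""
    chips = chip_stream(seed, len(data_bits) * CHIPS_PER_BIT)
    return [data_bits[i // CHIPS_PER_BIT] ^ c for i, c in enumerate(chips)]


def despread(signal, seed):
    """Receiver: XOR with the same stream, then majority-vote each group."""
    chips = chip_stream(seed, len(signal))
    raw = [s ^ c for s, c in zip(signal, chips)]
    bits = []
    for i in range(0, len(raw), CHIPS_PER_BIT):
        group = raw[i:i + CHIPS_PER_BIT]
        bits.append(1 if sum(group) * 2 > len(group) else 0)
    return bits


def flip_chips(signal, per_bit):
    """Constructed interference: invert the first per_bit chips of each group."""
    return [s ^ 1 if i % CHIPS_PER_BIT < per_bit else s
            for i, s in enumerate(signal)]


if __name__ == "__main__":
    data = [1, 0, 1, 1, 0, 0, 1, 0]   # constructed sample data
    sent = spread(data, seed=1234)
    print(despread(sent, seed=1234) == data)                  # clean channel
    print(despread(flip_chips(sent, 5), seed=1234) == data)   # 5 of 11 chips hit
```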
A firewall is a system or combination of systems that supports an access control policy between two networks. The two networks are usually an internal corporate network and an external network, such as the Internet. A firewall can limit users on the Internet from accessing certain portions of a corporate network and can limit internal users from accessing various portions of the Internet. What types of transactions will a firewall stop, and what types of transactions will it not stop? It is possible for a firewall system to stop remote logins as well as inbound or outbound e-mails and file transfers. It is also possible for a firewall to limit inbound or outbound Web page requests. Firewalls, unfortunately, do not protect a network from all possible forms of attack. Because a virus can hide within a document, it will probably not be detected by a firewall if its host document is allowed into the system. A firewall also will not protect a computer or network properly if it is possible for an intruder to avoid the firewall and enter the system through an alternate route.
The packet filter firewall is essentially a router that has been programmed to filter out certain IP addresses or TCP port numbers. These types of routers perform a static examination of the IP addresses and TCP port numbers, then either deny a transaction or allow it to pass, on the basis of information stored in their tables. A proxy server is a computer running proxy server software, whose function is much like that of a librarian who controls access to books in a library’s rare books room. To keep costly books from getting damaged by vandalism or careless handling, many libraries do not allow patrons to enter their rare books room. Instead, a patron fills out an information request slip and hands it to a librarian. The librarian enters the rare books room and retrieves the requested volume. The librarian then photocopies the requested information from the book and gives the photocopies to the patron.
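The static table lookup that a packet filter firewall performs, as an added Python example that is not from the original text. The rule table is constructed from documentation address ranges, and the first-match ordering and default-deny fallback are assumptions about policy.

```python
import ipaddress

# Constructed rule table, checked top to bottom: (action, source network, TCP port).
# A port of None matches any port. Addresses are documentation ranges.
RULES = [
    ("deny",  "203.0.113.0/24",  None),  # filter out one address block entirely
    ("allow", "198.51.100.0/24", 23),    # remote login only from a partner network
    ("deny",  "0.0.0.0/0",       23),    # stop all other remote logins
    ("allow", "0.0.0.0/0",       25),    # inbound e-mail
    ("allow", "0.0.0.0/0",       80),    # inbound Web page requests
]


def compile_table(rules):
    """Parse the networks once so each packet check is a plain table walk."""
    return [(action, ipaddress.ip_network(net), port) for action, net, port in rules]


def filter_packet(table, src_ip, dst_port):
    """Return 'allow' or 'deny' from the source address and TCP port alone.

    The check is static: no connection state and no look at the payload.
    """
    src = ipaddress.ip_address(src_ip)
    for action, network, port in table:
        if src in network and port in (None, dst_port):
            return action
    return "deny"  # nothing matched: assumed default-deny policy


TABLE = compile_table(RULES)

if __name__ == "__main__":
    for ip, port in [("203.0.113.7", 80), ("198.51.100.20", 23),
                     ("192.0.2.10", 23), ("192.0.2.10", 25), ("192.0.2.10", 8080)]:
        print(ip, port, filter_packet(TABLE, ip, port))
```

Because the decision uses only the address and port, an e-mail carrying an infected document passes the port 25 rule like any other message.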
One of the biggest growing pains of wireless local area networks is security. Because virtually anyone can have a wireless laptop or other wireless device, it is almost impossible to control who can connect into a wireless local area network and from where.
The first security protocol for wireless LANs was Wired Equivalency Protocol (WEP). Although WEP was a step in the right direction, it suffered two serious drawbacks. First, WEP used weak encryption keys that were only 40 bits in length. Second, the keys were static, not dynamic. Fortunately, WEP has been replaced by a new standard, Wi-Fi Protected Access (WPA). WPA keeps the 40-bit-sized encryption keys of WEP but has one significant improvement: the inclusion of the Temporal Key Integrity Protocol (TKIP) and IEEE 802.1x features, which together provide dynamic key encryption and mutual authentication for wireless clients. A new standard, IEEE 802.11i, addresses both weaknesses of WEP by allowing the keys, encryption algorithms, and negotiation to be dynamically assigned, and by adopting the AES encryption based on the Rijndael algorithm with 128-, 192-, or 256-bit keys.
Having a well-designed security policy in place will make the jobs of network support staff clearer. A well-designed security policy will make enforcement more straightforward, and it will allow the staff to react properly to specific security requests. The staff employees will know what the network users can and cannot access, and where they can and cannot go. The policy will also make clear the goals and duties of network employees when they must enforce security with respect to requests from the outside. If a good security policy is available, the corporate users themselves will have a better understanding of what they can and cannot do. This understanding will, one hopes, assist the network staff members in conducting their jobs and will allow the company to maintain security in an increasingly less secure world.