Lesson 3

Internet Security

Mehamed Ahmed(Ph.D.)
mohammeda128@gmail.com
 The art of war teaches us to rely not on the likelihood of
the enemy's not coming, but on our own readiness to
receive him; not on the chance of his not attacking, but
rather on the fact that we have made our position
unassailable.
—The Art of War, Sun Tzu

2
 Background
 Information Security requirements have been changing through times

 Traditionally provided by physical and administrative mechanisms

 eg. Rugged filing cabinets with locks and administrative personnel

screening procedures during hiring process
 However, through time the major changes are

 The growing computer use requires automated tools to protect files and

other stored information

 The introduction of Distributed systems and use of networks and

communications links requires measures to protect data during transmission

3
 Definitions
Computer Security - generic name for the collection of

tools designed to protect data and to prevent hackers

Network Security - measures to protect data during

their transmission
Internet Security - measures to protect data during their

transmission over a collection of interconnected

networks
4
 Key Security Concepts or
Attributes
 There are three major concepts embody the fundamental security
objectives for both data and for information and computing
services.
 A useful characterization in terms of requirements and the
definition of a loss of security in each category:
 Confidentiality:
Preserving authorized restrictions on information access and
disclosure
 Integrity: Guarding against improper information modification or
destruction, and includes ensuring information non-repudiation
and authenticity. A loss of integrity is the unauthorized
modification or destruction of information.
 Availability: Ensuring timely and reliable access to and use of
information. A loss of availability is the disruption of access to or
use of information or an information system.
Key Security Concepts
 Additional concepts
Although the use of the CIA triad to define security
objectives is well established, some in the security field feel
that additional concepts are needed to present a complete
picture. Two of the most commonly mentioned are:
Authenticity: The property of being genuine and being
able to be verified and trusted; confidence in the validity of
a transmission, a message, or message originator.
Accountability: The security goal that generates the
requirement for actions of an entity to be traced uniquely to
that entity.
 Security Trends

8
 OSI Security Architecture
Is useful to managers as a way of organizing the task of
providing security.
ITU-T X.800 “Security Architecture for OSI”
Open systems Interconnection: defines a systematic approach
to provide security at each layer
Defines a systematic way of defining and providing security
requirements
For us it provides a useful, if abstract, overview of concepts
we will study

9
 Aspects of Security
consider 3 aspects of information security:
security attack
security mechanism
security service

10
 Security Attack
Any action that compromises the security of
information owned by an organization
Information security is about how to prevent attacks,
or failing that, to detect attacks on information-based
systems
Often threat & attack used to mean same thing
We do have a wide range of attacks
Can focus of generic types of attacks
Passive
Active

11
 Passive Attacks
Have “passive attacks” which attempt to learn or make
use of information from the system but does not affect
system resources.
By eavesdropping on, or monitoring of, transmissions to:
+ obtain message contents (as shown above in Stallings
Figure 1.3a), or
+ monitor traffic flows
Are difficult to detect because they do not involve any
alteration of the data.

12
 Active Attacks
Also have “active attacks” which attempt to alter system
resources or affect their operation.
 By modification of data stream to:
+ masquerade of one entity as some other
+ replay previous messages (as shown above in fig)
+ modify messages in transit
+ denial of service
 Active attacks present the opposite characteristics of passive
attacks. Whereas passive attacks are difficult to detect,
measures are available to prevent their success.
 On the other hand, it is quite difficult to prevent active attacks
absolutely, because of the wide variety of potential physical,
software,and network vulnerabilities. Instead, the goal is to
detect active attacks and to recover from any disruption or
delays caused by them.

13
 Security Service
Enhance security of data processing systems
and information transfers of an organization
Intended to counter security attacks
Using one or more security mechanisms
Often replicates functions normally associated
with physical documents
Which, for example, have signatures, dates, need
protection from disclosure, tampering, or destruction;
be notarized or witnessed; be recorded or licensed

14
 Security Services
X.800:
“a service provided by a protocol layer of communicating open
systems, which ensures adequate security of the systems or
of data transfers”

RFC (Request for comments) 2828:

“a processing or communication service provided by a system
to give a specific kind of protection to system resources”

15
 Security Services (X.800)
1. Authentication - assurance that the communicating
entity is the one claimed
2. Access Control - prevention of the unauthorized use of
a resource
3. Data Confidentiality –protection of data from
unauthorized disclosure
4. Data Integrity - assurance that data received is as sent
by an authorized entity
5. Non-Repudiation - protection against denial by one of
the parties in a communication

16
 Security Mechanism
Feature designed to detect, prevent, or recover from a

security attack
No single mechanism that will support all services required

However one particular element underlies many of the

security mechanisms in use:

Cryptographic techniques

Hence our focus on this topic

17
 Security Mechanisms (X.800)
Specific security mechanisms:
Encipherment, digital signatures, access controls, data

integrity, authentication exchange, traffic padding, routing

control, notarization

Pervasive security mechanisms:

Trusted functionality, security labels, event detection,

security audit trails, security recovery

18
 Model for Network Security

19
 Model for Network Security
 This general model shows that there are four basic tasks in
designing a particular security service, as listed.
 Using this model requires us to:
1. Design a suitable algorithm for the security transformation
2. Generate the secret information (keys) used by the algorithm
3. Develop methods to distribute and share the secret information
4. Specify a protocol enabling the principals to use the
transformation and secret information for a security service
20
 Model for Network Access Security

21
 Model for Network Access Security
 Using this model requires us to:
1. Select appropriate gatekeeper functions to identify users
2. Implement security controls to ensure only authorised
users access designated information or resources
 Trusted computer systems may be useful to help implement
this model

22
Friends and enemies: Alice, Bob, Trudy
 Well-known in network security world
 Bob, alice (lovers!) Want to communicate “securely”
 Trudy (intruder) may intercept, delete, add messages

Alice Bob
data, control
channel
messages

data secure secure data

sender receiver

Trudy
Eavesdropping - Message Interception
(Attack on Confidentiality)
Unauthorized access to information
Packet sniffers and wiretappers
Illicit copying of files and programs

A B

Eavesdropper
 Integrity Attack - Tampering With
Messages
Stop the flow of the message
Delay and optionally modify the message
Release the message again

A B

Perpetrator
Authenticity Attack - Fabrication
Unauthorized assumption of other’s identity
Generate and distribute objects under this identity

A B

Masquerader: from A
 Attack on Availability
 Destroy hardware (cutting fiber) or software
 Modify software in a subtle way (alias commands)
 Corrupt packets in transit

A B

 Blatant denial of service (DoS):

 Crashing the server
 Overwhelm the server (use up its resource)
How to Make a System Trustworthy
Specification
A statement of desired functions
Design
A translation of specifications to a set of components
Implementation
Realization of a system that satisfies the design
Assurance
The process to insure that the above steps are carried out
correctly
Inspections, proofs, testing, etc.
 The Security Life Cycle
The iterations of
Threats
Policy
Specification
Design
Implementation
Operation and maintenance
 Summary
Have considered:
Definitions for:
 Computer, network, internet security

X.800 standard
Security attacks, services, mechanisms
Models for network (access) security

30
 Questions
What’s the OSI security architecture
What’s the difference between passive and active security
threats?
List and briefly define categories of passive and active
security attacks.
List and briefly define categories of security services.
List and briefly define categories of security mechanisms.

31