Chapter 3 - Data Security & Integrity

This document discusses various aspects of ensuring data security and integrity. It covers topics such as cryptography, encryption, authentication, authorization, firewalls, and integrity. Cryptographic techniques like hashing and digital signatures can be used to verify the integrity and authenticity of data. Access control policies and physical security measures are also important to protect network elements and servers from unauthorized access or denial of service attacks. Securing the communication channels between meters and collection servers with encryption and authentication helps prevent tampering and spoofing of accounting and performance management data.

Uploaded by

Getnete degemu
Copyright
© All Rights Reserved

Security implementation & management

Chapter 3 – Data Security & Integrity


Contents
• Fundamentals of secure networks
• Cryptography
• Encryption and privacy
• Authentication
• Authorization
• Firewalls
• Virtual private networks
• Transport layer security
• Integrity
• Software considerations
• New technology considerations
Introduction
• The integrity of encrypted data was a cause for concern in the banking industry in the 1970s. Banks wanted to be sure that attackers were not able to modify data, especially since the data, in this case, was financial.
• As a result, many standards for integrity and authentication as well as authenticated encryption (Bellare et al. 2003) have been established (FIPS180-3 2008; FIPS198a 2002) and are being developed (SHA-3 2008).
• In general, if confidentiality as well as assurance (authentication) of the data is important, then authenticated encryption schemes should be used.
• Cryptographic hash functions and message authentication codes (MACs) are discussed in this chapter.
• Integrity trees will also be discussed as an application of these integrity functions. Some initial terminology is provided below as an aid to understanding the concepts developed in this chapter.
Encryption and privacy

• Symmetric cryptography
  • Encryption and decryption need access to the same key.
  • The tricky part is how to store the key and make it available only to the software that needs it.
  • Best uses
    1. In services that store encrypted data on behalf of a user (like cloud backup services)
    2. To encrypt computer or device storage (computer password)
    3. To create a secure channel between two network endpoints, provided there is a separate scheme for securely exchanging the key
• Asymmetric cryptography (public key cryptography)
  • Uses a pair of public and private keys to encrypt and decrypt data.
  • Either of the keys can be used to encrypt a message; the opposite key from the one used to encrypt the message is used for decryption.
Hash
• Hashing is used only to verify data
  • the same input will always produce the same output
  • it is computationally infeasible to reverse a hash back to the original data
  • given knowledge of only the hash, it is infeasible to create another string of data that will produce the same hash (called a "collision" in crypto parlance)
Physical access control
• The main points about the importance of a physical access control policy include:
  • Protects equipment, people, money, data and other assets
  • Physical access control procedures offer employees and management peace of mind
  • Reduces business risk substantially
  • Helps safeguard the logical security policy more effectively
  • Helps achieve compliance with the physical access control rules of ISO, PCI and other organizations
  • Helps improve business continuity in natural disasters or destructive sabotage situations
  • Improves effective tracing of culprits
  • Reduces financial losses and improves productivity
  • Enables fast recovery from any loss of assets or disaster
  • Helps to take preventive measures against any possible threat
Authentication
• Authentication is about making sure that a given entity (with whom you are interacting) is who you believe it to be.
• In that sense, you get authenticity when integrity and authentication are joined together.
• If you prefer, authenticity is authentication applied to a piece of data through integrity.
• In information security, message authentication or data origin authentication is a property that a message has not been modified while in transit (data integrity) and that the receiving party can verify the source of the message.
• Message authentication does not necessarily include the property of non-repudiation.
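The Hash slide and this Authentication slide describe two different guarantees: a hash alone gives integrity (the same input always produces the same digest, and any change is detected), while a message authentication code adds data origin authentication because only a holder of the shared key can produce a valid tag. The following Go program, added here as an illustration and not part of the slides, shows both with SHA-256 and HMAC-SHA256 from the standard library. The record contents and the key are constructed sample values.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Digest returns the hex SHA-256 of data. A plain hash detects corruption but
// proves nothing about who produced the data: anyone can modify the record and
// recompute a matching digest.
func Digest(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// Tag computes an HMAC-SHA256 over data under a key shared by meter and
// collector. Only a holder of the key can produce a valid tag, so a verified
// tag gives data origin authentication as well as integrity. Because both
// sides hold the same key, the collector could forge a tag too: a MAC gives
// message authentication but not non-repudiation, as the slide says.
func Tag(key, data []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write(data)
	return mac.Sum(nil)
}

// Verify recomputes the tag and compares it in constant time, so a timing
// side channel cannot leak how many bytes of a forged tag were correct.
func Verify(key, data, tag []byte) bool {
	return hmac.Equal(Tag(key, data), tag)
}

func main() {
	// Constructed sample values; a real key would come from a key store.
	key := []byte("constructed-demo-key-not-for-production")
	record := []byte("meter=m1 src=10.0.0.5 dst=10.0.1.9 bytes=4096")
	tampered := []byte("meter=m1 src=10.0.0.5 dst=10.0.1.9 bytes=-4096")

	fmt.Println("sha256(record)   =", Digest(record))
	fmt.Println("sha256(tampered) =", Digest(tampered))

	tag := Tag(key, record)
	fmt.Println("tag verifies on original     :", Verify(key, record, tag))
	fmt.Println("tag verifies on tampered     :", Verify(key, tampered, tag))
	fmt.Println("tag verifies under other key :", Verify([]byte("other-key"), record, tag))
}
```

The two digests differ completely even though only one character of the record changed, and the tag fails both when the record is altered and when a different key is used.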
Authorization
• Confidentiality, integrity and availability, also known as the CIA triad, is a model designed to guide policies for information security within an organization.
• The model is also sometimes referred to as the AIC triad (availability, integrity and confidentiality) to avoid confusion with the Central Intelligence Agency.
• In a strict sense, any processing means corruption: for digital data to be authentic, it must be only the outcome of an acquisition process of a real-world scene, without any subsequent processing. In a wide sense, authentic data must still faithfully represent a real-world scene, even if some processing has been applied.
Authorization
• Authenticity is assurance that a message, transaction, or other exchange of information is from the source it claims to be from. Authenticity involves proof of identity. We can verify authenticity through authentication.
• Data authenticity: another term for the genuineness of data. In the case of metering accounting and performance records, this means that the data received at the collection server is original and was received exactly as it was sent by the meter's export process.
• Data integrity: the data records are real and were not faked or modified.
Accounting and performance
• Accounting and performance management strongly depend on the integrity of the collected data records. Accounting management provides the foundation for billing services and is directly related to revenue. Performance management supplies business-critical information for network monitoring and planning, which is indirectly related to revenue as well.
• Therefore, accounting and performance management are potential subjects for fraud in the areas of device configuration and transmission of data records. If an unauthorized person has access to the meter, they can easily modify the meter configuration.
• Enterprises as well as service providers may suffer financially and lose reputation if intruders modify accounting and performance data records. Distorted accounting records can result in erroneous customer invoices and potentially legal implications.
• Even if the devices are protected against unauthorized access and the data transfer is encrypted, network elements and servers are targets for denial-of-service attacks. Although such an attack does not modify the collected data records, it has an impact on the service quality, which in the end helps the attackers achieve their goals.
• The objective for each operator is to protect the accounting and performance management infrastructure from these security threats.
Source Authentication
• In contrast to network element discovery, in which new devices show up after a discovery run, new meters should not pop up by surprise. Instead, the operator needs to identify the right location in the network for placing meters and then enable the required functionality. From this perspective, new or unknown meters can be considered suspicious.
• The real authentication challenge relates to device authentication. Does the mediation device receive data records generated by the original device or by a faked device? Digital signature solutions offer authentication of the sender.
• Another security aspect is the connection mode between the source and destination: connection-oriented or connectionless.
• Connectionless sessions introduce potential risk, because no authentication is executed before data is transmitted. Connection-oriented sessions are established between the two parties before any data records are sent, so there is usually no authentication problem. Examples are the security add-ons of SNMPv3, which provide three security modes:
Ensuring Data and Device Integrity
• Assuming that the device identity has been authenticated, the next step is to inspect the content of the data records. Is the data genuine? Was it modified during the transmission from the device to the management station? To prepare for these questions, you should first secure the access to the device.
• Configure access control lists (ACLs) that restrict management traffic to the NMS stations, but do not forget to include an entry for your backup servers at each network element! Instead of authenticating users at the device level, deploy a central AAA server and change administrative passwords regularly, and at least whenever NOC staff leave your company. Disable all device services that you do not need, such as open ports. Then verify the results by running a network security scanner, which reports potential vulnerabilities that you should deal with immediately.
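The ACL advice above has a practical pitfall the slide calls out: an allowlist written with only the NMS stations locks out the backup servers. One way to catch that before enforcing the ACL is to replay the device's management-connection log against the intended allowlist and list every source that would be dropped. The Go program below is an added example, not part of the slides; the log format, the addresses (documentation ranges) and the allowlist entries are all constructed for the demonstration.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"strings"
)

// Constructed sample of a network element's management-plane connection log.
// Each line is "<timestamp> <protocol> <source-ip> -> <device-port>".
const sampleLog = `2024-01-01T00:00:01Z ssh  192.0.2.10   -> 22
2024-01-01T00:00:05Z snmp 192.0.2.11   -> 161
2024-01-01T00:01:00Z ssh  198.51.100.7 -> 22
2024-01-01T00:02:00Z ssh  203.0.113.99 -> 22`

// Allowlist mirrors the management ACL: the NMS stations plus the backup servers.
type Allowlist struct {
	nets []*net.IPNet
}

// NewAllowlist parses CIDR prefixes; a bare address is treated as a host prefix.
func NewAllowlist(cidrs ...string) (*Allowlist, error) {
	a := &Allowlist{}
	for _, c := range cidrs {
		if ip := net.ParseIP(c); ip != nil {
			if ip.To4() != nil {
				c += "/32"
			} else {
				c += "/128"
			}
		}
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return nil, err
		}
		a.nets = append(a.nets, n)
	}
	return a, nil
}

// Permits reports whether ip falls inside any allowed prefix.
func (a *Allowlist) Permits(ip net.IP) bool {
	for _, n := range a.nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// Audit replays the log against the allowlist and returns the sources the ACL
// would drop. A backup server showing up here means the ACL is missing an entry.
func Audit(log string, a *Allowlist) []string {
	var denied []string
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) < 3 {
			continue // malformed line, skip it
		}
		ip := net.ParseIP(fields[2])
		if ip == nil || !a.Permits(ip) {
			denied = append(denied, fields[2])
		}
	}
	return denied
}

func main() {
	// ACL written with only the NMS subnet: the backup server would be locked out.
	nmsOnly, _ := NewAllowlist("192.0.2.0/24")
	fmt.Println("dropped with NMS-only ACL  :", Audit(sampleLog, nmsOnly))

	// ACL with the backup server added: only the unknown source is dropped.
	withBackup, _ := NewAllowlist("192.0.2.0/24", "198.51.100.7")
	fmt.Println("dropped with backup entry  :", Audit(sampleLog, withBackup))
}
```

With the NMS-only list both the backup server (198.51.100.7) and the unknown host (203.0.113.99) are reported; once the backup entry is added, only the unknown host remains, which is the source an operator would then investigate.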
• Next, secure the communication between a meter and a collection server. Unauthorized people or devices must not be able to read or modify data records. While read access (eavesdropping) does not have an immediate impact on the performance or billing applications, the information provided by data records can be an excellent source for an intruder to learn many details about the network infrastructure and prepare an attack against sensitive areas.
• Forgery of flow records is another concern. With the push model (such as NetFlow), someone might send spurious data records that contain negative values. Even though no instance between the meter and the application should expect negative values, and should therefore process only positive integer fields, without a clear verification this remains possible.
• Certainly, a hacker could send horribly oversized volume values in the data records (for example, a total volume that is above the available link bandwidth). This would "prove" that the ISP's billing system works incorrectly and therefore that the invoice is incorrect.
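The "clear verification" the slide asks for is a plausibility check on every pushed record before it reaches the billing or performance application. The Go program below is an added example, not from the slides: it rejects records from meters the operator never registered, records with negative counters, and records whose volume exceeds what the metered link could physically have carried while the flow was active. The FlowRecord type, the link capacity and the sample records are constructed for the demonstration and do not follow the real NetFlow encoding.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// FlowRecord is a constructed, simplified stand-in for one exported flow record.
type FlowRecord struct {
	Exporter string        // meter that claims to have produced the record
	Bytes    int64         // kept signed on purpose: the check must catch negatives
	Packets  int64         // same
	Duration time.Duration // time the flow was active
}

var (
	ErrUnknownExporter = errors.New("record from unregistered meter")
	ErrNegativeCounter = errors.New("negative counter value")
	ErrExceedsLink     = errors.New("volume exceeds link capacity for the flow duration")
)

// Validator holds what the operator knows about the metered link.
type Validator struct {
	KnownExporters map[string]bool
	LinkBitsPerSec uint64 // capacity of the metered link
}

// Validate rejects records that no honest meter on this link could have produced.
func (v Validator) Validate(r FlowRecord) error {
	if !v.KnownExporters[r.Exporter] {
		return ErrUnknownExporter
	}
	if r.Bytes < 0 || r.Packets < 0 {
		return ErrNegativeCounter
	}
	// Plausibility bound: bytes the link could carry while the flow was active.
	// Flows shorter than one second are granted a full second of capacity so
	// that legitimate single-packet flows (duration 0) are not flagged.
	d := r.Duration
	if d < time.Second {
		d = time.Second
	}
	maxBytes := float64(v.LinkBitsPerSec) / 8 * d.Seconds()
	if float64(r.Bytes) > maxBytes {
		return ErrExceedsLink
	}
	return nil
}

func main() {
	v := Validator{
		KnownExporters: map[string]bool{"meter-01": true},
		LinkBitsPerSec: 1_000_000_000, // constructed: a 1 Gbit/s access link
	}
	samples := []FlowRecord{
		{"meter-01", 100_000_000, 70_000, time.Second},   // plausible
		{"meter-01", -4096, 3, time.Second},              // negative counter
		{"meter-01", 2_000_000_000, 1_400_000, time.Second}, // above link capacity
		{"meter-01", 1500, 1, 0},                         // single-packet flow
		{"rogue-99", 4096, 3, time.Second},               // unregistered meter
	}
	for _, r := range samples {
		fmt.Printf("%+v -> %v\n", r, v.Validate(r))
	}
}
```

Only the first and fourth sample records pass; the others are refused with a distinct error so the collector can count each class of rejection separately and raise an alarm when a known meter suddenly starts producing implausible values.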
• The best solution for transmission confidentiality is to use IPsec encryption between the meter and the collection server. Unfortunately, this can have a severe performance impact on the device. Here is an example:
  • Activating NetFlow services introduces a performance impact at the device, which becomes even bigger if all exported flow records need to be encrypted.
  • This might lead to situations in which the performance impact of metering is higher than the benefit.
• An alternative to data encryption is out-of-band communication, as provided by a DCN (data communication network). Even when using a DCN, digital signatures should be applied to ensure that data was not modified on the way from the sender to the receiver.
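Both the Source Authentication slide (digital signatures authenticate the sender; unknown meters are suspicious) and the DCN point above (sign even when the path is out of band) come down to the same exchange: the meter signs each exported record with a private key only it holds, and the collector verifies with a public key the operator registered when the meter was deliberately placed. The Go program below is an added example, not part of the slides; it uses Ed25519 from the Go standard library, and the meter names, payloads and the "registry" are constructed for the demonstration. Unlike the shared-key MAC, a signature can be verified by anyone holding the public key and forged only by the holder of the private key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Meter holds a signing key; only the meter ever sees the private half.
type Meter struct {
	ID   string
	priv ed25519.PrivateKey
}

// Collector keeps the public keys of meters the operator deliberately placed.
type Collector struct {
	known map[string]ed25519.PublicKey
}

// SignedRecord is what travels over the (possibly out-of-band DCN) path.
type SignedRecord struct {
	MeterID string
	Payload []byte
	Sig     []byte
}

// NewMeter generates a fresh Ed25519 key pair for a meter.
func NewMeter(id string) (*Meter, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Meter{ID: id, priv: priv}, nil
}

// Public returns the verification key the operator registers at the collector.
func (m *Meter) Public() ed25519.PublicKey {
	return m.priv.Public().(ed25519.PublicKey)
}

// signingInput binds the meter ID to the payload so a valid signature cannot
// be replayed under another meter's name.
func signingInput(id string, payload []byte) []byte {
	return append([]byte(id+"\x00"), payload...)
}

// Export signs a record on the meter side.
func (m *Meter) Export(payload []byte) SignedRecord {
	return SignedRecord{
		MeterID: m.ID,
		Payload: payload,
		Sig:     ed25519.Sign(m.priv, signingInput(m.ID, payload)),
	}
}

func NewCollector() *Collector {
	return &Collector{known: map[string]ed25519.PublicKey{}}
}

// Register records the public key of a meter the operator placed on purpose.
func (c *Collector) Register(id string, pub ed25519.PublicKey) {
	c.known[id] = pub
}

// Accept returns true only for a record with a valid signature from a
// registered meter; records from unknown meters are refused by policy.
func (c *Collector) Accept(r SignedRecord) bool {
	pub, ok := c.known[r.MeterID]
	if !ok {
		return false
	}
	return ed25519.Verify(pub, signingInput(r.MeterID, r.Payload), r.Sig)
}

func main() {
	meter, _ := NewMeter("meter-01")
	collector := NewCollector()
	collector.Register(meter.ID, meter.Public())

	rec := meter.Export([]byte("src=10.0.0.5 dst=10.0.1.9 bytes=4096"))
	fmt.Println("genuine record accepted   :", collector.Accept(rec))

	tampered := rec
	tampered.Payload = []byte("src=10.0.0.5 dst=10.0.1.9 bytes=999999999")
	fmt.Println("modified record accepted  :", collector.Accept(tampered))

	impostor, _ := NewMeter("meter-01") // same name, a key nobody registered
	fmt.Println("impostor record accepted  :", collector.Accept(impostor.Export([]byte("bytes=1"))))
}
```

Registration is the policy step from the Source Authentication slide made explicit: a meter whose key was never registered, or a device that merely reuses a known meter's name, produces records the collector will not accept.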
