Networking 8
11/05/24 1
No matter how secure a digital communication channel is,
attackers will probe the security mechanism and attempt to
breach it. To stay one step ahead of attackers and protect
your organization's data, you need to understand the
fundamentals of data protection and the choices you have for
implementing them on your network.
User ID authentication
•This is one of the most basic authentication methods. A user name and
password are compared against the credentials stored in a database. If they
match, the user is authenticated; if not, access is denied. On its own this
method is weak: credentials are often transferred in plaintext (for example,
HTTP Basic authentication or Telnet without TLS), so anyone who can capture the
traffic can replay them, and the database should hold only salted hashes of the
passwords, never the passwords themselves.
Multifactor authentication
•This requires the user to present at least two different authentication factors:
something you know (a password or PIN), something you have (a hardware token,
smart card or phone), and something you are (a biometric). A common example is a
one-time code generated by an authenticator app or hardware token that must be
entered in addition to the user name and password. A graphical word-verification
string (a CAPTCHA) displayed beside the login fields is not a second factor; it
only checks that a person rather than a program is submitting the form.
Authentication Methods
Mutual authentication
•This requires each communicating party to verify the other's identity.
First, a service or resource verifies the credentials of the client,
and then the client verifies the credentials of the service (for
example, by checking its certificate against a trusted CA). This
prevents the client from inadvertently submitting confidential
information to an impostor server.
Biometric authentication
•Biometrics is the science of measuring biological characteristics.
Thus, biometric authentication validates a user based on the physical
characteristics of an individual, using a fingerprint scanner, a retinal
scanner, or voice-recognition and face-recognition software. However,
biometric authentication is more expensive to implement, and so is not
as widely adopted as other authentication methods. Unlike a password, a
biometric cannot be changed once it is compromised, so it is best used
as one factor alongside another rather than on its own.
Encryption
Encryption is a security technique that converts data from plain form to coded
form. The data in plain form is known as cleartext or plaintext, and the data in
encrypted form is known as ciphertext. Only authorized parties holding the
necessary key can turn the ciphertext back into readable data; this process is
known as decryption. Encryption can be one way or two way. One-way encryption
(hashing) produces a fixed-size digest from which the cleartext cannot be
recovered; it is used where the data never needs to be read back, such as
storing passwords, which are checked by hashing the submitted value and
comparing digests. In two-way encryption, anyone holding the key can decrypt
the ciphertext back into the cleartext.
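The password check described under user ID authentication and the one-way/two-way distinction above fit together in one program. The following Go code is an added example (not code from the original slides): the one-way case stores a salted PBKDF2-HMAC-SHA256 digest of the password and verifies a login by recomputing it, so the database never holds anything that can be turned back into the password; the two-way case encrypts a record with AES-256-GCM and decrypts it with the same key. The iteration count, sample password and all-zero demonstration key are assumptions for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

const pbkdf2Iterations = 100_000 // assumed work factor; tune to your hardware

// pbkdf2SHA256 derives a 32-byte key by iterating HMAC-SHA256 over the salt
// (PBKDF2, RFC 8018, single output block). The output cannot be inverted to
// recover the password: this is the one-way case.
func pbkdf2SHA256(password, salt []byte, iterations int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // big-endian block index 1
	u := mac.Sum(nil)
	out := append([]byte(nil), u...)
	for i := 1; i < iterations; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range out {
			out[j] ^= u[j]
		}
	}
	return out
}

// storedCredential is what the authentication database keeps: never the password.
type storedCredential struct {
	Salt []byte
	Hash []byte
}

func hashPassword(password string) (storedCredential, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return storedCredential{}, err
	}
	return storedCredential{Salt: salt, Hash: pbkdf2SHA256([]byte(password), salt, pbkdf2Iterations)}, nil
}

// verifyPassword re-derives the digest and compares in constant time so the
// comparison does not leak how many leading bytes matched.
func verifyPassword(password string, c storedCredential) bool {
	h := pbkdf2SHA256([]byte(password), c.Salt, pbkdf2Iterations)
	return subtle.ConstantTimeCompare(h, c.Hash) == 1
}

// encrypt is the two-way case: AES-256-GCM, returning nonce || ciphertext || tag.
func encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// decrypt recovers the plaintext with the same key; GCM's authentication tag
// makes any modification of the ciphertext fail rather than yield garbage.
func decrypt(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(data) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, data[:gcm.NonceSize()], data[gcm.NonceSize():], nil)
}

func main() {
	cred, _ := hashPassword("correct horse battery staple")
	fmt.Printf("stored: salt=%x hash=%x\n", cred.Salt, cred.Hash)
	fmt.Println("right password:", verifyPassword("correct horse battery staple", cred))
	fmt.Println("wrong password:", verifyPassword("Tr0ub4dor&3", cred))

	key := make([]byte, 32) // demonstration only; use a random or derived key
	ct, _ := encrypt(key, []byte("account balance: 1200"))
	pt, _ := decrypt(key, ct)
	fmt.Printf("ciphertext=%x\nrecovered=%q\n", ct, pt)
	ct[len(ct)-1] ^= 0x01
	_, err := decrypt(key, ct)
	fmt.Println("tampered ciphertext:", err)
}
```

For production password storage prefer a memory-hard function such as Argon2id or scrypt over plain PBKDF2; the structure (random salt per user, slow derivation, constant-time compare) stays the same.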
Key-Based Encryption Systems
Encryption and Security Goals
Encryption is used to promote various security goals, as described in the
following table.
Digital Certificates
Public Key Infrastructure
Public Key Infrastructure (PKI) is a hierarchical system used to authenticate
and validate data and entities in order to secure transactions over the
Internet. A PKI consists of digital certificates, certificate authorities (CAs),
a registration authority (RA) that checks applicants' identities, and a
certificate management system; it issues and maintains public/private key pairs
and the certificates that bind a public key to an identity.
Antivirus Software
Antivirus software is an application that scans files for executable code that
matches patterns, known as signatures or definitions, that are common among
known viruses. The antivirus software also monitors systems for activity
associated with viruses, such as writing to the boot sector. Additionally, it
quarantines or deletes viruses that may have already infected the computer.
Antivirus software is typically deployed on gateway computers at the perimeter
of the network and on individual desktop systems. Because a signature can only
match code that has been seen before, signature scanning is supplemented by
heuristic and behavioral detection, and definitions must be updated regularly.
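Signature matching at its simplest is a search for a byte pattern, usually written in hex with wildcard bytes so that one definition covers small variations of a sample. The following Go program is an added example (not code from the original slides, and not how any particular product works): it parses definitions in that hex-pattern style, scans a buffer, and runs over the standard EICAR test string plus a constructed sample; the definition names and the "Toy.Wildcard" pattern are made up for the example. Note that saving this source file to disk may itself trigger the antivirus on your machine, precisely because it contains the EICAR string.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"strings"
)

// signature is a named byte pattern in the hex-string style used by antivirus
// definition files; "??" matches any single byte.
type signature struct {
	name    string
	pattern []int16 // 0..255 for a fixed byte, -1 for a wildcard
}

func parseSignature(name, hexPattern string) (signature, error) {
	sig := signature{name: name}
	for _, field := range strings.Fields(hexPattern) {
		if field == "??" {
			sig.pattern = append(sig.pattern, -1)
			continue
		}
		b, err := hex.DecodeString(field)
		if err != nil || len(b) != 1 {
			return signature{}, fmt.Errorf("signature %s: bad byte %q", name, field)
		}
		sig.pattern = append(sig.pattern, int16(b[0]))
	}
	return sig, nil
}

// matchAt reports whether the pattern matches data starting at offset off.
func (s signature) matchAt(data []byte, off int) bool {
	if off+len(s.pattern) > len(data) {
		return false
	}
	for i, p := range s.pattern {
		if p >= 0 && data[off+i] != byte(p) {
			return false
		}
	}
	return true
}

// scan returns the names of every signature found anywhere in data. This is
// the naive search; real engines compile all patterns into one automaton
// (Aho-Corasick) and unpack archives and packed executables before scanning.
func scan(data []byte, sigs []signature) []string {
	var hits []string
	for _, s := range sigs {
		for off := 0; off+len(s.pattern) <= len(data); off++ {
			if s.matchAt(data, off) {
				hits = append(hits, s.name)
				break
			}
		}
	}
	return hits
}

// eicarTestString is the industry-standard harmless test string that every
// antivirus engine is expected to detect.
const eicarTestString = `X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*`

// defaultSignatures builds a small constructed definition set: the leading
// bytes of the EICAR string, and a toy pattern with two wildcard bytes.
func defaultSignatures() []signature {
	defs := []struct{ name, pattern string }{
		{"EICAR-Test-File", "58 35 4F 21 50 25 40 41 50 5B 34 5C 50 5A 58 35 34 28 50 5E 29"},
		{"Toy.Wildcard", "DE AD ?? ?? BE EF"},
	}
	var sigs []signature
	for _, d := range defs {
		s, err := parseSignature(d.name, d.pattern)
		if err != nil {
			panic(err)
		}
		sigs = append(sigs, s)
	}
	return sigs
}

func main() {
	sigs := defaultSignatures()
	samples := []struct {
		file string
		data []byte
	}{
		{"eicar.com", []byte(eicarTestString)},
		{"toy.bin", []byte{0x00, 0xDE, 0xAD, 0x13, 0x37, 0xBE, 0xEF, 0x00}}, // constructed
		{"almost.bin", []byte{0xDE, 0xAD, 0xBE, 0xEF}},                      // wildcards need exactly two bytes
		{"readme.txt", []byte("nothing to see here")},
	}
	for _, s := range samples {
		fmt.Printf("%-12s %v\n", s.file, scan(s.data, sigs))
	}
}
```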
Guidelines for Protecting Data
11/05/24 12
Guidelines
• To protect data on your network, follow these guidelines:
– Deploy intrusion-detection and virus-protection software to
monitor for unauthorized activity, such as the presence of
viruses, password-cracking software, or Trojan horses.
– Limit access to the network to prevent the introduction of
hardware-based sniffers or unauthorized hosts.
– Use strong and complex passwords. Change passwords on a
regular basis.
– Employ strong authentication and encryption measures on
data stored on network servers.
Guidelines (Contd)
Part 2
Local Security
For an organization to ensure security for its users, systems
and data, it needs to implement security measures at different
levels and on the various components of its network.
Configuring appropriate security on local network components
is an important part of an overall security plan. In this
section, we will identify the components of local network
security.
Share-Level and User-Level Security
Rights
A right is a security setting that controls whether or not a user
can perform a system-wide function such as shutting down a
computer or logging on to a server. Rights are assigned to
users or group accounts, not to a particular object or resource.
Figure: Users and groups on a network.
Internet Security
Every organization today wants to connect to
the Internet, and every organization has a
valid concern about the risks involved in
connecting to this huge, open, public network.
You need to be aware of the specific tools and
techniques that companies use to protect
themselves from outside attacks and from
internal misuse of the Internet.
We will look at the primary techniques that
are used to secure Internet connections.
Network Address Translation
Network Address Translation (NAT) is a simple form of Internet security that
conceals the internal addressing scheme from the Internet. A router is configured
with a single public IP address on its external interface and a private,
nonroutable (RFC 1918) address on its internal interface. A NAT service running
on the router or on another system translates between the two addressing
schemes. Packets sent to the Internet from internal hosts appear to come from the
router's single public address, and the translation table forwards inbound
packets only when they belong to a connection an internal host opened, so
external hosts cannot enumerate or connect directly to internal systems. NAT is
not a substitute for a firewall: an internal host that initiates a connection to
a hostile server is still exposed through the reply path.
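The translation table is what gives NAT its protective effect, so it is worth seeing it work. The following Go program is an added example (not code from the original slides) of a port-translating NAT that keys each mapping on the full flow: an internal host's packet leaves with the router's public address and an allocated port, a reply from the same remote endpoint is mapped back, and anything else addressed to the public interface is dropped. All addresses are constructed from the RFC 1918 and documentation ranges, and the port range and lack of idle timeouts are simplifications.

```go
package main

import "fmt"

type endpoint struct {
	ip   string
	port uint16
}

type packet struct {
	src, dst endpoint
}

// flow records which internal host spoke to which remote endpoint.
type flow struct {
	inside, remote endpoint
}

// nat is a port-translating NAT (NAPT) keyed on the full flow, so a mapping
// only admits replies from the remote endpoint the internal host contacted.
type nat struct {
	public   string
	nextPort uint16
	outbound map[flow]uint16 // internal flow -> allocated public port
	inbound  map[uint16]flow // public port -> internal flow
}

func newNAT(publicIP string) *nat {
	return &nat{public: publicIP, nextPort: 40000, outbound: map[flow]uint16{}, inbound: map[uint16]flow{}}
}

// translateOut rewrites an internal host's packet so that it leaves with the
// router's public address, creating the table entry that lets the reply in.
func (n *nat) translateOut(p packet) packet {
	f := flow{inside: p.src, remote: p.dst}
	port, ok := n.outbound[f]
	if !ok {
		port = n.nextPort
		n.nextPort++
		n.outbound[f] = port
		n.inbound[port] = f
	}
	p.src = endpoint{n.public, port}
	return p
}

// translateIn maps a packet arriving from the Internet back to the internal
// host that opened the flow. Anything that does not match an existing entry
// (a scan of the public address, or a different remote host using a mapped
// port) is dropped: the internal addressing scheme is never exposed.
func (n *nat) translateIn(p packet) (packet, bool) {
	f, ok := n.inbound[p.dst.port]
	if !ok || p.dst.ip != n.public || p.src != f.remote {
		return packet{}, false
	}
	p.dst = f.inside
	return p, true
}

func main() {
	router := newNAT("198.51.100.1")
	out := router.translateOut(packet{
		src: endpoint{"192.168.1.10", 51000},
		dst: endpoint{"203.0.113.7", 443},
	})
	fmt.Printf("outbound as seen on the Internet: %+v\n", out)

	reply, ok := router.translateIn(packet{src: endpoint{"203.0.113.7", 443}, dst: out.src})
	fmt.Printf("reply delivered=%v to %+v\n", ok, reply.dst)

	_, ok = router.translateIn(packet{src: endpoint{"203.0.113.9", 443}, dst: out.src})
	fmt.Println("unrelated host to the mapped port delivered:", ok)

	_, ok = router.translateIn(packet{src: endpoint{"203.0.113.9", 33333}, dst: endpoint{"198.51.100.1", 22}})
	fmt.Println("unsolicited SSH probe delivered:", ok)
}
```

Real NAT implementations also expire idle mappings and track TCP state, and some consumer devices use a looser "full cone" policy that lets any remote host reach a mapped port; that looser policy is the reason NAT alone should not be relied on as a firewall.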
Demilitarized Zones
A demilitarized zone (DMZ) is a small segment of a private network that is
located between two firewalls (or on a separate interface of a single firewall)
and made available for public access. Systems that must be reachable from the
Internet, such as web or mail servers, are placed in the DMZ so that external
clients can use them without gaining access to the internal network. The
external firewall permits public clients to reach only the published services,
and the internal firewall restricts what DMZ hosts may connect to on the
protected internal network, so that a compromised DMZ server cannot be used as
a stepping stone.
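The two-firewall layout is easiest to reason about as two ordered rule sets that a packet must pass in turn. The following Go program is an added example (not code from the original slides, and not any vendor's rule syntax): it models the external and internal firewalls as first-match-wins rule lists with an implicit deny, works out which firewalls sit between the source and destination zones, and evaluates some representative packets. The address ranges, the web and database server addresses and the rule set itself are constructed for the example.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Constructed addressing: the DMZ and internal LAN are private segments;
// anything else is treated as the Internet.
var (
	dmzNet      = netip.MustParsePrefix("172.16.1.0/24")
	internalNet = netip.MustParsePrefix("10.0.0.0/8")
	anyNet      = netip.MustParsePrefix("0.0.0.0/0")
	webServer   = netip.MustParsePrefix("172.16.1.10/32")
	dbServer    = netip.MustParsePrefix("10.0.0.5/32")
)

// Zones ordered from outside in. The external firewall sits between zone 0
// and zone 1, the internal firewall between zone 1 and zone 2.
const (
	zoneInternet = iota
	zoneDMZ
	zoneInternal
)

func zoneOf(a netip.Addr) int {
	switch {
	case dmzNet.Contains(a):
		return zoneDMZ
	case internalNet.Contains(a):
		return zoneInternal
	default:
		return zoneInternet
	}
}

type rule struct {
	src, dst netip.Prefix
	port     uint16 // destination TCP port; 0 means any
	allow    bool
}

// firewall evaluates rules first match wins, with an implicit deny at the end.
type firewall struct {
	name  string
	rules []rule
}

func (f firewall) permits(src, dst netip.Addr, port uint16) bool {
	for _, r := range f.rules {
		if r.src.Contains(src) && r.dst.Contains(dst) && (r.port == 0 || r.port == port) {
			return r.allow
		}
	}
	return false
}

var firewalls = []firewall{
	{name: "external", rules: []rule{
		{src: anyNet, dst: webServer, port: 443, allow: true}, // the published service
		{src: internalNet, dst: anyNet, allow: true},          // staff egress
	}},
	{name: "internal", rules: []rule{
		{src: webServer, dst: dbServer, port: 5432, allow: true}, // the one thing the web tier needs
		{src: internalNet, dst: anyNet, allow: true},             // staff may reach the DMZ and beyond
	}},
}

// allowed walks the packet through every firewall between the source zone and
// the destination zone; all of them must permit it. It returns the name of the
// firewall that dropped the packet, if any.
func allowed(src, dst netip.Addr, port uint16) (bool, string) {
	lo, hi := zoneOf(src), zoneOf(dst)
	if lo > hi {
		lo, hi = hi, lo
	}
	for i := lo; i < hi; i++ {
		if !firewalls[i].permits(src, dst, port) {
			return false, firewalls[i].name
		}
	}
	return true, ""
}

func main() {
	cases := []struct {
		label    string
		src, dst string
		port     uint16
	}{
		{"Internet client to web server", "203.0.113.50", "172.16.1.10", 443},
		{"Internet client straight to database", "203.0.113.50", "10.0.0.5", 5432},
		{"web server to database", "172.16.1.10", "10.0.0.5", 5432},
		{"compromised web server to file server", "172.16.1.10", "10.0.0.20", 445},
		{"compromised web server calling home", "172.16.1.10", "203.0.113.50", 80},
		{"staff workstation browsing", "10.0.0.20", "203.0.113.50", 443},
	}
	for _, c := range cases {
		ok, by := allowed(netip.MustParseAddr(c.src), netip.MustParseAddr(c.dst), c.port)
		fmt.Printf("%-40s allowed=%-5v dropped-by=%s\n", c.label, ok, by)
	}
}
```

The rule set deliberately gives the web server no outbound Internet access, which also blocks a compromised server from fetching tools or calling home; in practice you would add a narrow rule for update mirrors rather than opening egress generally.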