Logout

Home Topic 3 Last Next

3.1.15

Describe the different methods of network security.

 

Teaching Note:

Include encryption types, userID, trusted media access control (MAC) addresses.

S/E Wireless networks have led to concerns about the security of the user’s data.


 

Sample Question - FORMER CURRICULUM:

A small company has a LAN connecting its various desk-top computers and
peripheral devices.


(a) Explain, with an example, how handshaking might be used during data
transmission over this LAN. [2 marks]

The company is going to provide Internet access to its LAN.

(b) State the name of an additional hardware device that would be required to permit
Internet access. [1 mark]

(c) Explain how a firewall would help to provide security for the LAN. [3 marks]


(d) Suggest, with reasons, two further measures that the company should take to
safeguard its data from unlawful access via the Internet. [4 marks]

 

JSR Notes

This is a huge area. So for sure, we'll focus on what the Teaching Note refers to: encryption types, user-ID, trusted media access control (MAC) addresses, but we'll add other important security measures too, noting that the Teaching Note says "include..." Those, though, I'll dark-grey out. Your strategy could be to learn these, if you already have an idea about them, and so you can have them ready too, for a big question on network security.

Wired and Wireless Security...

Note that a fair amount of this applies to the security of wired networks too, in the same way that there was a lot of overlap with wired networks when we did hardware associated with wireless networks. ***And***, an important note in the Teaching Note, is that it says "network security", not just "wireless network security", so even though this part of the curriculum focuses on wireless, we're back to wired too.

Though, keep in mind wireless security issues are still more concerning than wired security

Wireless network devices use electromagnetic waves (usually radio waves or microwaves) to communicate with each other, and these, freely flowing through the air, can be intercepted. So any information that is unencrypted can be read, including passwords, which, when obtained can allow the hacker access to your on-line services, gaining your personal and confidential information, and/or stealing your identity.


JSR teaching note: start with a nice board diagram of "Me & My Device/data, with an arrow away: data encrypted, and three arrows in, blocked: bad folks, bad devices, bad websites (authentication, MAC addresses, firewalls)...

1. Authentication using User ID & Passwords / Biometrics

One means of achieving network security is by controlling who has access to devices and files. "Authentication" is the process of a user proving who they are. Authentication can be used to grant access to:

Authentication, can be achieved with either a combination of user ID & password, or via some sort of biometric, either of which can confirm the user's identity.


Passwords
- If the system uses passwords for authentication, the user needs to do a good job of choosing secure passwords, and keeping other good habits like not sharing them or writing them down anywhere.

Biometrics - Forms of biometric authentication you may be familiar with, include facial recognition, and the Touch ID of your laptops, but there are many others.


User Accounts
allow management of access to files

Once access has been granted via authentication at login, access to files and services is controlled by an overall accounts system, similar to the one that you probably use on your home computer, or have used in computer labs at other schools.  You log in as a specific user and are given a certain level of access to files. 

The Mac System Preference Users & Groups showing the various accounts

Above are the users on a lab computer I once used for teaching various courses. The only user account that is an "Administrator", with the highest permissions, is my own account. All the other student accounts had very limited permissions and access, since students weren't supposed to be changing system-wide settings, or working with of other students' files.

And below is a screen shot showing how, when logged in as one user ("johnr" in this case), other users' files are inaccessible (like the files of the user "justtesting").

Folders of a user account not presently logged into


1B. Permissions – Firstly, note that this is not likely meant to be very much of a focus with this assessment statement. Never-the-less, knowing how permissions work will help your overall understanding of accounts systems, since they play a key role.

The security of the above system of login and passwords is practically implemented via various files having certain permissions, which, for a particular user allow:

And even when logged in as a certain user, specific permissions of files can be altered to add extra security, for example in a case where you regularly let someone else be logged into your account, but want to prevent them from accessing certain folders.

Below is a screen-shot of the permissions of a file (bottom part, greyed out):

The above file cannot be opened by "everyone", but the "teacherpresenter" and "students" users can "Read only" it, meaning that they can open it but not make changes. And the user "adelaide (Me)" can both read and write to it, meaning that user account can make and save changes to the file.

This is the same basic idea as giving different permissions to documents and folders on Google Docs.

 

2. Trusted Media Access Control (MAC) addresses

Another way of assuring network security is to be very careful about which devices (not necessarily which people) access the network. This is done by limiting the devices that can connect to the network to devices know to be safe. This is done via monitoring their MAC address.

The MAC address is the unique address of a specific individual piece of hardware. It is based on a serial number or some other piece of information that is encoded permanently on one of the device's ROM chips. A network can therefore have a list of trusted devices, and allow only those to access its services.

Technically, the Media Access Control (MAC) Layer is one of the two sub layers that make up the OSI model’s Data Link Layer, in which data packets are moved to and from one Network Interface Card (NIC) to another through a shared channel.

Note that the MAC address differs from the IP address. Whereas the MAC address is a permanent hardware number associated with a specific device, like a computer or a phone, an IP address is something that is assigned to a device for the purposes of transferring data, through the TCP/IP protocol. IP addresses of individual devices can vary, depending on the system being used, and one device, which has various functions, may have more than one IP address.

Also note that there is a problem with the MAC addresses, and that they can be temporarily, but easily, spoofed. Through some very simple Terminal etc. commands, a user can change the way the MAC address is seen by other devices and servers on the network, though, fortunately spoof detection is also possible.


The permanent MAC Address of the device, below.
vs.
An "dynamic" IP address assigned by the network DHCP server, above.

 

3. Firewalls

To assure network security, not only can you monitor and control the people, and the devices connecting to your network, but you can also montor and limit the networks and websites your network is allowed to interact with. This is done via a firewall.

A firewall is basically a list of "good" IP addresses to which it will allow access to the computer or network it is protecting. This list is often referred to as a "whitelist". Often times the main firewall of a full LAN will reside on the gateway computer, or even be a separate piece of hardware working with the gateway in the Demilitarized Zone (DMZ). (The DMZ is the unprotected entryway of a network; the subnetwork which can interface with outside untrusted networks, i.e. the Internet).

And for individual personal computers, the firewall is usually only a software firewall, either part of the operating system, or one that comes with a security suite such as Avast or MacAfee.  By only allowing white-listed addresses to access the device/network, the firewall filters out and prevent access by known and unknown malicious or infectious sites, and it also prevents hackers from directly accessing the device or network.

 

4. Encryption – In a nutshell, this is simply the scrambling of the data before it is sent.  The only way the receiver of the data can un-scramble the data is with a certain ‘key’ that only he/she is entitled to.  You could come up with all sorts of weird and wacky ways to scramble and unscramble words; it’s just a matter of coming up with a specific algorithm to do so, and also figuring out the algorithm to take it back to the way that it was. From the time of the Romans to present-day encryption methods used for BitCoin, people have always had a reason to hide information, which can later, or by someone else, be "un-hidden".

One simple example of an encryption "scrambling" technique would be to add 1 integer value to each character in a String. So "abc" would become "bcd". To reverse the encryption you would subtract 1 integer value from each character in the encrypted word. So "bcd" becomes "abc" again. You'll note that when encryption is done with a certain mathematical algorithm, even a simple one like this, that algorithm is called a "hash" (*see details in the Not Necessary section at the bottom of this page).

One common method to achieve encryption is symmetrical encryption, where both parties share a key. To do this securely, one way is to convey they key over the phone. To get around this need, there is public key encryption (also known as asymmetric encryption). With this, a public and private "key" is shared only by the sender and receiver, and is necessary to be used as part of the decryption algorithm to decrypt the message. How the private key is kept private, yet able to be shared is complicated, but possible (see videos below if you want to try to understand it.)

For example, the key could be 7 5 9 2 3 4. That, used in conjunction with a simple encryption algorithm, could encrypt a string like "abcdef" by doing the following with the key: take each of the integer values of the key, and shift the ASCII values of the characters in the message, one after the other, by those values. So 'a' gets shifted by 7 to 'h', 'b' gets shifted by 5 to 'g', and so on.
This would result in an encrypted message: hglfbj. So since the receiver knows the key, and the decryption algorithm to follow using it, decryption would reverse the process, yielding the original "abcdef".

     

Above, two basic explanations of private key encryption.

And a more sophisticated way of looking at it. Plus, the actual sophisticated mathematics of it.


Wireless Encryption Protocols

(We have already encounters (non-wireless) encryption that is used in the following protocols: PPTP, L2TP, and SSL. And a few specific cryptographic hashing algorithms you might also encounter include Blowfish, MD2, Sha 1 and Sha 256.)

And finally, with encryption, do note that strong encryption can have a tendency to slow down things, but with modern computers, this shouldn't dissuade the use of the strongest encryption possible.

 

5. Other/Miscellaneous (likely beyond what we need to cover, but included for a sense of completion)

Example of a separate device for a "One time password" as an additional step for authentication

 

 

Jaime: TOR example - 7000 or so volunteer servers around the world have made an "onion" layer over the Internet for those who want to remain anonymous.

"Hash salting" adds bits randomly through the encryption

------------------ NOT NECESSARY - EXTRA -------------------

*Hashing

The following tabbed in paragraphs on hashing aren't as important as understanding encryption, but it's related, and does apply to network security, so I'll include it.

Associated with encryption is hashing, and both hashing and encryption can be used, often together, to ensure network security. But basically, whereas encryption scrambling can be unscrambled by anyone with the key, good hashing algorithms result in something which cannot be "un-hashed". The purpose of a hash is to be able to tell if a message has been tampered with (in this case as part of network activity). When the hash is applied before and after transmission, the result should be the same, but it will be very much different if a modification has been made, therefore acting as a flag to improper (in this case network) activity.

A lot of time and energy is spent by agencies like the US government's NSA (National Security Agency) to come up with increasingly secure hashing techniques which are as close to being un-crackable as possible. Examples are sha1, sha128, and sha256. To see how complicated these algorithms are, you can find the sha256 algorithm at this wikipedia page; it's in pseudocode half-way down.

Here is an image of the sha1 hash results to passwords on my website. I only keep the hash, so cannot "un-hash" them and know your passwords. When you type in your password, logging onto my website, the hash is applied, and it must equal the hash result I have stored for you to get in. (But, again, what is the starting point if this hash result is virtually impossible for me to ascertain.)

password hash

 

A Couple More Miscellaneous Security Approaches