Describe the different methods of network security.


Teaching Note:

Include encryption types, userID, trusted media access control (MAC) addresses.

S/E Wireless networks have led to concerns about the security of the user’s data.


Sample Question - FORMER CURRICULUM:

A small company has a LAN connecting its various desk-top computers and
peripheral devices.

(a) Explain, with an example, how handshaking might be used during data
transmission over this LAN. [2 marks]

The company is going to provide Internet access to its LAN.

(b) State the name of an additional hardware device that would be required to permit
Internet access. [1 mark]

(c) Explain how a firewall would help to provide security for the LAN. [3 marks]

(d) Suggest, with reasons, two further measures that the company should take to
safeguard its data from unlawful access via the Internet. [4 marks]


JSR Notes

Upon looking at the last curriculum question which related to this, I realize that to stick with the three "includes" of the Teaching Note really does not do justice to security. So, for sure, lets focus on encryption types, user-ID, trusted media access control (MAC) addresses, but lets expand things to be a bit more inclusive.

What I've therefore done (for the first time) is re-worked what I had before.

(Here, for the record is the former Assessment Statement: FORMER CURRICULUM - 6.4.5 Explain the need for network security and describe how this can be achieved.

The one thing to note with the new vs. the old assessment statement is the former one was more the "why" than the "what", but the new one is more "what")

So here are the re-worked notes:


Protection From Within a Network (LAN or Wireless)
It boils down to accounts, and permissions.

1.User ID (i.e. Accounts/Log-ins & Passwords) – different people have different levels of access, which is controlled by an overall accounts system, similar to the one that you probably use on your home computer, and like Mr Lewis does in his lab.  You log in as a specific user and are given a certain level of access to files.  There are actually various accounts on the computers in the Instructional Lab as well, it’s just that I keep them logged into an administrator’s account.

Here are the users on my computer. The only one that is an "Administrator", with the highest permissions, is me. All other accounts have very limited permissions.

(Adv.) Strengths - relies on human beings as the ultimate keeper of the "open sesame" key. And so someone who does a good job of making secure passwords, and keeps other good habits like not sharing them or writing them down anywhere, can help their own security cause.

(Disadv.) Vulnerabilities/Weaknesses - the same thing that makes user ID systems strong, can make them weak. People can have poor user ID/password habits, including losing them, and not having them be secure enough. Weak password are prone to "brute force" attacks, where all combinations of letters/numbers/symbols are tried until the password is determined. The number of characters in a password exponentially influences how long such attacks will take, as does then breadth of keys used in the password. Check out this link to see the effect of numbers of characters and breadth of characters in a password. And check out my own password management hints here.

2. Permissions
– When a file system works with "permissions" this means that each file (or certain files) has associated with it a set of permissions. Each registered user for that computer/device will have their specific permissions recorded. Permissions for files can be one of: “read and write”, “read only”, “write only” or “no access”.

The reason I’m able to keep the computers in the Instructional Lab logged into Administrator accounts is that I make abundant use of the second level of protection from within: permissions.  I make sure that sensitive files are “Read Only”, or need an the Administrator password to be able to be changed (i.e. “Written to”). 

Most modern operating systems use permissions extensively. Here is a screen-shot of the permissions of a file:

This is the file of my Progress Reports in December 2013. I would not want everybody to be able to access it at all (so "No Access" is its permissions for the user group defined "everyone". But I wouldn't mind if either students logged into my computer, or another teacher to at least see the progress reports, though I would not want them to be able to edit them - hence "Read only" permissions for those two users. The only user with both read and write permissions ("Read & Write) is my myself (my main account is called "adelaide".

(Adv.) Strengths - Allows multiple users to be able to access the same files on the network (or indeed a computer), but at different level; what one person can do with a file (in terms of reading and writing - i.e. editing) another may not be able to do.
- Works well with User ID (Accounts) systems.

(The same sorts of advantages of any "access" system, like keys to a building, with master keys and so on.)

(Disadv.) Vulnerabilities/Weaknesses - It can be a pain to manage various permissions, and an inconvenience and frustration when a user can see a file, but not be able to either read it or change it.
- Permissions are susceptible to being corrupted, as they are simple small amounts of data, and flipped bits can cause a Read to become a No Access, for example. The Permissions Repair ability of the Mac OS Disk Utility can restore permissions to their required state.
- If there is an incorrect permission on a crucial file, that alone can cause a whole process or program to freeze. (For example, if a Read for one of the System's "users" becomes No Access on a crucial file, that crucial file cannot be used at all.)

Here's an image that gives you a visual of how permissions can be very error prone. This is a screenshot of doing a "Permissions Check" on a Mac, and sure enough most times you run this, there will be multiple permissions which have gotten corrupted/changed.

Permissions problem

And actually, note that an accounts/log-in system is really just an organized way at managing permissions.  In fact, each and every file will have a certain set of permissions; one for each user account on the computer.  So an administrator account might have “read and write” for most of the data files, though actually “no access” for lots of other system files that area actually hidden from all accounts normally.  Meantime, a typical user account will have “read only” for all of the application programs, and “no access” for a bunch of utilities etc., but will have full “read and write” for their “Home” folder.  Yet inside that, they may have a “Public” folder that will have “read and write” access for all users on the computer.

This is the same idea as giving differnet permissions to documents and folders on Google Docs.



3. Trusted Media Access Control (MAC) addresses - The MAC address is the network address of a specific individual piece of hardware. It is based on a serial number or some other piece of information that is encoded permanently on the device's ROM chip. It therefore is unique. A network can therefore have a list of trusted devices, and allow only those to access its services.

(The MAC address differs from the IP address. Whereas the MAC address is a permanent number associated with a specific (entire) device, like a computer or a phone, an IP address is something that is assigned to a device for the purposes of transferring data through the TCP/IP protocol. So to begin with there's the difference in what layer of the OSI model each is used (the MAC address at the lower levels, and the IP address at the middle "network" layer). Furthermore, IP address are variable, and usually controlled from the network administrator, not the individual device owner. And, also, IP addresses are per service provided to that device; a computer could have more than one IP address for more than one service. On my computer, for example, I have two IP addresses, one for my server, and one for my Internet via the school's LAN.)

The huge problem with the MAC address is that it can be temporarily, but easily, spoofed. Through some very simple Terminal etc. commands, a user can change the way the MAC address is seen by other devices and servers on the network. "And that ain't right!"

(Adv.) Strengths - Devices can be kept track of as being trusted or not. So this can prevent all sorts of security breaches, as long as users of those machines are not allowed the administrator privileges to spoof the MAC address.

(Disadv.) Vulnerabilities/Weaknesses - The MAC address can be spoofed.

Protection From (and To) The Outside

It’s both from as well as to, since you often want to protect data being sent out from your computer or network to some other place.  So we’ll deal with that first:

4. Encryption – In a nutshell, this is simply the scrambling of the data before it is sent.  The only way the receiver of the data (intended receiver or otherwise…) can un-scramble the data is with a certain ‘key’ that only he/she is entitled to.  You could come up with all sorts of weird and wacky ways to scramble and unscramble words; it’s just a matter of coming up with a specific algorithm to do so, and also figuring out the algorithm to take it back to the way that it was. From the time of the Romans with their "stick and cloth" technique to the present day encryption methods used for BitCoin, people have always had a reason to hide information, which can later, or by someone else, be "un-hidden".

One simple example of an encryption "scrambling" technique would be to add 1 integer value to each character in s String. So "abc" would become "bcd". To reverse the encryption you would subtract 1 integer value from each character in the encrypted word. So "bcd" becomes "abc" again. You'll note that when encryption is done with a certain mathematical algorithm, even a simple one like this, that algorithm is called a "hash".

Another approach is to have a "key" which is required to decrypt the message, and only the sender and receiver know the secret key.
For example, the key could be 1 7 9 2 -3 4. That added to a string like "abcdef" would see 1 integer value added to the a, 7 added to the b, and so on.
This would result in an encrypted message: bilfbj. So since the receiver knows the key, their decryption would reverse the process, yielding the original "abcdef". See more at this link.

The following tabbed in paragraphs on hashing aren't as important as understanding encryption, but it's related, and does apply to network security, so I'll include it.

Associated with encryption is hashing, and both hashing and encryption can be used, often together, to ensure network security. Here is a good comparison of the two. But basically, whereas encryption scrambling can be unscrambled by anyone with the key, good hashing algorithms result in something which cannot be "un-hashed". The purpose of a hash is to be able to tell if a message has been tampered with (in this case as part of network activity). When the hash is applied before and after transmission, the result should be the same, but it will be very much different if a modification has been made, therefore acting as a flag to improper (in this case network) activity.

A lot of time and energy is spent by agencies like the US government's NSA (National Security Agency) to come up with increasingly secure hashing techniques which are as close to being un-crackable as possible. Examples are sha1, sha128, and sha256. To see how complicated these algorithms are, you can find the sha256 algorithm at this wikipedia page; it's in pseudocode half-way down.

Here is an image of the sha1 hash results to passwords on my website. I only keep the hash, so cannot "un-hash" them and know your passwords. When you type in your password, logging onto my website, the hash is applied, and it must equal the hash result I have stored for you to get in. (But, again, what is the starting point if this hash result is virtually impossible for me to ascertain.)

password hash

(Adv.) Strengths - As long as the encryption method used is strong, it can be virtually impossible to intercept and decipher communication. This is particularly important for wireless networks, in which it is easy to "pick out of the air" the communication. VPN tunneling relies on strong encryption.

(Disadv.) Vulnerabilities/Weaknesses - If encryption methods are used which are too weak, a good hacker can decipher
- Encryption is only as good as how often and consistently it is used. Slip ups by individuals taking chances with information, or just forgetting, can cause businesses and organizations a lot of embarrassment, and indeed money through industrial espionage.
- Sooner or later all encryption techniques are hacked or vulnerabilities found.
- It takes time to encrypt and unencrpyt (which is why sometime people can forgo encryption even though they know they should not.)

5. Firewalls – A firewall is basically a list of "bad" IP addresses which it will not allow access to the computer or network it is protecting. Often times the main firewall of a network will reside on the gateway computer, or even be a separate computer or piece of hardware working with the gateway in the Demilitarized Zone (DMZ), but usually all personal computers have their own software firewall as well.  The purpose is two-fold: one, to filter out and prevent access by a certain list of known malicious or infectious sites, and also to prevent hackers from directly accessing computers within the network.

(Adv.) Strengths - As long as it's kept up-to-date, and is high quality, with the latest technology, it can keep malicious people and devices at bay, not letting them through to the network at all.

(Disadv.) Vulnerabilities/Weaknesses - Can be breached, particularly if not kept perfectly up-to-date. Various firewall software and hardware varies to the degree which it is able to handle malware and attacks. The best firewalls and the services by technicians needed to keep them functioning safely, but also smoothly, without interfering with safe traffic too much, are expensive.


Later A Bit More About Wireless Network Security

(JSR note to self: from the CEH chapter on this.)


Jaime: TOR example - lots of servers around the world ddfasdfasdfasdfa

"Hash salting" adds bits randomly through the encryption