
3.1.15

Describe the different methods of network security.

 

Teaching Note:

Include encryption types, userID, trusted media access control (MAC) addresses.

S/E Wireless networks have led to concerns about the security of the user’s data.


 

Sample Question - FORMER CURRICULUM:

A small company has a LAN connecting its various desk-top computers and
peripheral devices.


(a) Explain, with an example, how handshaking might be used during data
transmission over this LAN. [2 marks]

The company is going to provide Internet access to its LAN.

(b) State the name of an additional hardware device that would be required to permit
Internet access. [1 mark]

(c) Explain how a firewall would help to provide security for the LAN. [3 marks]


(d) Suggest, with reasons, two further measures that the company should take to
safeguard its data from unlawful access via the Internet. [4 marks]

 

JSR Notes

This is a huge area. So for sure, we'll focus on what the Teaching Note refers to: encryption types, user-ID, trusted media access control (MAC) addresses, but we'll add other important security measures too, noting that the Teaching Note says "include..."

And note that a fair amount of this applies to the security of wired networks too, in the same way that there was a lot of overlap with wired networks when we did hardware associated with wireless networks.

Wireless Security

Wireless networks are much more susceptible to hackers than wired networks. Wireless network devices use radio waves to communicate with each other, and these, freely flowing through the air, can be intercepted. So any information that is unencrypted can be read, including passwords, which, when obtained, can allow the hacker access to your on-line services, gaining your personal and confidential information, and/or stealing your identity.

 

I. Security Within a Network (LAN or Wireless)

It boils down to accounts, and permissions.

1. User ID (i.e. Accounts/Log-ins & Passwords) – different people have different levels of access, which is controlled by an overall accounts system, similar to the one that you probably use on your home computer, or have used in computer labs at other schools.  You log in as a specific user and are given a certain level of access to files. 

The Mac System Preference Users & Groups showing the various accounts

Here are the users on a lab computer I once used for teaching various courses. The only user account that is an "Administrator", with the highest permissions, is my own account. All the other student accounts had very limited permissions and access, since students weren't supposed to be changing system-wide preferences or doing other whole-computer management, nor were they meant to be looking at, or editing, the work of other students in the other classes.

Disclosure of a user account not presently logged into
Its Desktop and Documents have Write permissions for the current user, but all others are No Access (see below)

 


2. Permissions – When a file system of a certain OS works with "permissions", as the Mac OS file system does, this means that each file and folder has associated with it a set of permissions. Each registered user for that computer/device will have their specific permissions recorded for that file or folder. Meaning, basically, that each user can or cannot work with that file/folder. But permissions for files/folders can actually be one of: “read and write”, “read only”, “write only” or “no access”.

So even if you have a system of users on a computer, and you leave it logged into the Administrator account, you can still keep files and folders "locked" by having set certain permissions to them. This is a second layer of security.

When I used to run a lab of computers, sometimes students would have to be logged into Administrator accounts to do certain things, so I made sure that sensitive files were “Read Only”, or that they needed the Administrator password to be able to be changed (i.e. “Written to”).

Most modern operating systems use permissions extensively. Here is a screen-shot of the permissions of a file:

This is the file of my Progress Reports in December 2013. I would not want everybody to be able to access it at all, so "No Access" is its permissions for the user group defined "everyone". But I wouldn't mind if either students who were logged into my computer, or another teacher, could open and see the progress reports; I just wouldn't want them to be able to edit them - hence "Read only" permissions for those two users. The only user with both read and write permissions ("Read & Write") is myself (my main account is called "adelaide").

 

3. Trusted Media Access Control (MAC) addresses - The MAC address is the network address of a specific individual piece of hardware. It is based on a serial number or some other piece of information that is encoded permanently on the device's ROM chip. It therefore is unique. A network can therefore have a list of trusted devices, and allow only those to access its services.

The MAC address differs from the IP address. Whereas the MAC address is a permanent hardware number associated with a specific device, like a computer or a phone, an IP address is something that is assigned to a device for the purposes of transferring data through the TCP/IP protocol. So to begin with there's the difference in what layer of the OSI model each is used (the MAC address at the lower levels, and the IP address at the middle "network" layer). Furthermore, IP addresses can be variable, and are usually controlled by the network administrator, not the individual device owner. And, also, IP addresses are per service provided to that device; a computer could have more than one IP address for more than one service. On my computer, for example, I have two IP addresses, one for my server, and one for my Internet via the school's LAN.

The huge problem with the MAC address is that it can be temporarily, but easily, spoofed. Through some very simple Terminal etc. commands, a user can change the way the MAC address is seen by other devices and servers on the network. "And that ain't right!"

If you want to get technical, the Media Access Control (MAC) Layer is one of the two sub layers that make up the OSI model’s Data Link Layer, in which data packets are moved to and from one Network Interface Card (NIC) to another through a shared channel.
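A trusted-MAC check of the kind described above, as an added example (not part of the original notes). The function names and the sample addresses are assumptions made for illustration; the addresses come from the range reserved for documentation. Because a MAC address can be spoofed, "allow" here only means the device claims a trusted address.

```python
import re

# Constructed sample allowlist (documentation-range addresses, not real devices).
TRUSTED = {"00:00:5e:00:53:0a", "00:00:5e:00:53:1f"}

def normalize_mac(raw):
    """Return the address as aa:bb:cc:dd:ee:ff, or None if it is not a 48-bit MAC.

    Accepts the common spellings: 00-00-5E-00-53-0A, 0000.5e00.530a, 00005E00530A.
    """
    digits = re.sub(r"[:\-.\s]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def is_locally_administered(mac):
    """True when bit 0x02 of the first octet is set.

    That bit marks an address assigned in software rather than burned in by
    the manufacturer, so it is a useful hint when reviewing unknown devices.
    """
    return bool(int(mac[:2], 16) & 0x02)

def check_device(raw):
    """Decide whether a device claiming this address may use the network."""
    mac = normalize_mac(raw)
    if mac is None:
        return "reject: malformed"
    if mac in TRUSTED:
        # The address matches the list, but the address alone does not prove
        # which device sent it, so pair this check with a login or encryption.
        return "allow"
    if is_locally_administered(mac):
        return "reject: not trusted (software-assigned address)"
    return "reject: not trusted"

if __name__ == "__main__":
    for seen in ["00-00-5E-00-53-0A", "DA:A1:19:00:12:34", "00:00:5e:00:53:99", "zz"]:
        print(seen, "->", check_device(seen))
```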

A "dynamic" IP address assigned by the network DHCP server, above.
vs.
The permanent MAC Address of the device, below.

 


II. Security From (and To) The Outside


It’s protection both "from" as well as "to" the outside, since you want to both keep bad stuff out of your device, but also protect data being sent out from your device or network to some other place.  So we’ll deal with that first:

4. Encryption – In a nutshell, this is simply the scrambling of the data before it is sent.  The only way the receiver of the data (intended receiver or otherwise…) can un-scramble the data is with a certain ‘key’ that only he/she is entitled to.  You could come up with all sorts of weird and wacky ways to scramble and unscramble words; it’s just a matter of coming up with a specific algorithm to do so, and also figuring out the algorithm to take it back to the way that it was. From the time of the Romans to present-day encryption methods used for Bitcoin, people have always had a reason to hide information, which can later, or by someone else, be "un-hidden".

One simple example of an encryption "scrambling" technique would be to add 1 integer value to each character in a String. So "abc" would become "bcd". To reverse the encryption you would subtract 1 integer value from each character in the encrypted word. So "bcd" becomes "abc" again. You'll note that when encryption is done with a certain mathematical algorithm, even a simple one like this, that algorithm is called a "hash" (*see details in the Not Necessary section at the bottom of this page).

With public key encryption, a "key" is shared only by the sender and receiver, and is necessary to be used as part of the decryption algorithm to decrypt the message.

For example, the key could be 7 5 9 2 3 4. That, used in conjunction with a simple encryption algorithm, could encrypt a string like "abcdef" by doing the following with the key: take each of the integer values of the key, and shift the ASCII values of the characters in the message, one after the other, by those values. So 'a' gets shifted by 7 to 'h', 'b' gets shifted by 5 to 'g', and so on.
This would result in an encrypted message: hglfhj. So since the receiver knows the key, and the decryption algorithm to follow using it, decryption would reverse the process, yielding the original "abcdef". See more at this link.
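The keyed shift described above, written out as an added example (not code from the original notes). Repeating the key for longer messages and wrapping from 'z' back to 'a' are assumptions that go beyond the text, and `recover_key` is a hypothetical helper showing why a scheme this simple is only a teaching toy: one known message and its ciphertext give the key away.

```python
KEY = [7, 5, 9, 2, 3, 4]  # the example key from the notes

def _shift(text, key, sign):
    """Shift each lowercase letter by the key value at its position."""
    out = []
    for i, ch in enumerate(text):
        if "a" <= ch <= "z":
            k = sign * key[i % len(key)]        # key repeats (assumption)
            # wrap around the alphabet so 'z' + 7 stays a letter (assumption)
            out.append(chr((ord(ch) - ord("a") + k) % 26 + ord("a")))
        else:
            out.append(ch)                      # spaces, digits etc. are left alone
    return "".join(out)

def encrypt(plaintext, key=KEY):
    return _shift(plaintext, key, +1)

def decrypt(ciphertext, key=KEY):
    return _shift(ciphertext, key, -1)

def recover_key(known_plaintext, ciphertext):
    """Subtract a known message from its ciphertext to read off the key.

    Anyone who sees one plaintext/ciphertext pair learns the key, which is
    why real protocols use vetted ciphers instead of simple shifts.
    """
    return [(ord(c) - ord(p)) % 26 for p, c in zip(known_plaintext, ciphertext)]

if __name__ == "__main__":
    secret = encrypt("abcdef")
    print(secret)                         # ciphertext for the notes' example
    print(decrypt(secret))                # back to the original
    print(recover_key("abcdef", secret))  # the key, recovered without being told
```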

Wireless Encryption Protocols

(We have already encountered non-wireless encryption that is used in the following protocols: PPTP, L2TP, and SSL. And a few specific cryptographic hashing algorithms you might encounter include Blowfish, MD2, SHA-1 and SHA-256.)

And finally, with encryption, do note that strong encryption can have a tendency to slow things down, but with modern computers, this shouldn't dissuade the use of the strongest encryption possible.

5. Firewalls – A firewall is basically a list of "good" IP addresses to which it will allow access to the computer or network it is protecting. This list is often referred to as a "whitelist". Often times the main firewall of a network will reside on the gateway computer, or even be a separate piece of hardware working with the gateway in the Demilitarized Zone (DMZ). (The DMZ is the unprotected entryway of a network; the subnetwork which can interface with outside untrusted networks, i.e. the Internet).

And for individual personal computers, the firewall is usually only a software firewall, either part of the operating system, or one that comes with a security suite such as Avast or McAfee.  By only allowing white-listed addresses to access the device/network, the firewall filters out and prevents access by known and unknown malicious or infectious sites, and it also prevents hackers from directly accessing the device or network.

 

6. Other/Miscellaneous (beyond what we need to cover, but included for a sense of completion)

Example of a separate device for a "One time password" as an additional step for authentication

 

 

Jaime: TOR example - 7000 or so volunteer servers around the world have made an "onion" layer over the Internet for those who want to remain anonymous.

"Hash salting" adds bits randomly through the encryption

------------------ NOT NECESSARY - EXTRA -------------------

*Hashing

The following tabbed in paragraphs on hashing aren't as important as understanding encryption, but it's related, and does apply to network security, so I'll include it.

Associated with encryption is hashing, and both hashing and encryption can be used, often together, to ensure network security. Here is a good comparison of the two. But basically, whereas encryption scrambling can be unscrambled by anyone with the key, good hashing algorithms result in something which cannot be "un-hashed". The purpose of a hash is to be able to tell if a message has been tampered with (in this case as part of network activity). When the hash is applied before and after transmission, the result should be the same, but it will be very much different if a modification has been made, therefore acting as a flag to improper (in this case network) activity.

A lot of time and energy is spent by agencies like the US government's NSA (National Security Agency) to come up with increasingly secure hashing techniques which are as close to being un-crackable as possible. Examples are sha1, sha128, and sha256. To see how complicated these algorithms are, you can find the sha256 algorithm at this Wikipedia page; it's in pseudocode half-way down.

Here is an image of the sha1 hash results to passwords on my website. I only keep the hash, so cannot "un-hash" them and know your passwords. When you type in your password, logging onto my website, the hash is applied, and it must equal the hash result I have stored for you to get in. (But, again, what is the starting point of this hash result is virtually impossible for me to ascertain.)

password hash