Note: Many topics at this site are reduced versions of the text in "The Encyclopedia of Networking and Telecommunications." Search results will not be as extensive as a search of the book's CD-ROM.
Data and communications security is critical on today's networks. Hackers, Internet intruders, eavesdroppers, forgers, and other attackers are everywhere. Few people have not heard of some sort of computer and network attack. Many are victims.
An entire volume could be written on security issues. This section outlines general topics and points you to resources where you can further your research. Some security topics are covered under related topics. You may want to open RFC 2828 (Internet Security Glossary, May 2000). It provides a useful glossary of security terms.
Security Threats and Vulnerabilities
Network security threats are everywhere. Your internal users may be stealing data or inadvertently revealing sensitive passwords or other material to people who are attempting to infiltrate your organization. Attackers from the outside may be gaining access through dial-up Internet connections or external server-to-server connections.
I refer to attackers as hackers. This is common in the security community. The opposite of hackers is a "good citizen." Refer to "Hacking and Hackers" for more details.
An attack is an attempt to take control of a system (a computer, network server, Web site, and so on) using a variety of methods, with the intent to take over the system, or simply to shut it down or prevent other people from accessing it (a denial-of-service attack). Attacks may also take place on cryptographic systems: information that has been encrypted, such as password files, secure data files, and so on. There are two primary types of attacks:
Hackers may monitor the sessions of other users (passive attack) and attempt to take over the session (active attack). In a replay attack, the attacker uses previously gathered information to gain access to a system by "replaying" it to the system, which thinks that it is dealing with a valid session.
An interesting paper related to this topic is "Simulating Cyber Attacks, Defenses, and Consequences," by Fred Cohen. It is available at http://all.net/journal/ntb/simulate/simulate.html. Also see "Security Auditing" for information about tracking and handling security incidents.
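The replay attack described above is defeated when every session requires a fresh, single-use challenge, so that previously gathered responses are worthless. The following sketch is an added example, not part of the original text; the class names, the fixed "login" message, and the shared secret are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets

SECRET = b"constructed-shared-secret"  # constructed sample value


def respond(secret, challenge):
    # Client side: proves knowledge of the secret for this challenge only.
    return hmac.new(secret, challenge, hashlib.sha256).digest()


class StaticVerifier:  # weak design: one authenticator is valid for every session
    def __init__(self, secret):
        self._expected = respond(secret, b"login")

    def verify(self, token):
        return hmac.compare_digest(token, self._expected)


class ChallengeVerifier:  # hardened design: random challenge, accepted at most once
    def __init__(self, secret):
        self._secret = secret
        self._outstanding = set()

    def new_challenge(self):
        challenge = secrets.token_bytes(16)
        self._outstanding.add(challenge)
        return challenge

    def verify(self, challenge, response):
        if challenge not in self._outstanding:
            return False  # unknown or already used: a replayed exchange
        self._outstanding.discard(challenge)  # single use, pass or fail
        return hmac.compare_digest(response, respond(self._secret, challenge))


def demo():
    static, fresh = StaticVerifier(SECRET), ChallengeVerifier(SECRET)
    token = respond(SECRET, b"login")      # what an eavesdropper records
    c1 = fresh.new_challenge()
    answer = respond(SECRET, c1)           # also recorded on the wire
    return {
        "static_replay": static.verify(token),
        "fresh_first": fresh.verify(c1, answer),
        "same_challenge_replay": fresh.verify(c1, answer),
        "new_challenge_replay": fresh.verify(fresh.new_challenge(), answer),
    }
```

The static verifier accepts the recorded token again, while the challenge-based verifier accepts the legitimate answer once and rejects it both for the used challenge and for any new one.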
Security Concepts and Mechanisms
"Security" is an all-encompassing term that describes all the concepts, techniques, and technologies to protect information from unauthorized access. There are several requirements for information security:
Trust is an important aspect of security. There are many different forms and levels of trust between people and computer systems. Many exchanges and transactions on the Internet take place between people who have never met. A third party can provide this trust by verifying the authenticity of parties in an exchange. Traditionally, banks and escrow companies have provided this trust. On the Internet, it is provided by CAs (certificate authorities).
Trust management systems provide security services for users and free up applications from having to provide their own mechanisms for interpreting credentials, authentication, and policy. A trust management system can be queried by an application with questions about how trust should be handled. The KeyNote Trust Management System is discussed under the topic "Trust Relationships and Trust Management."
Security policies are an essential part of an organization's general operations. The often-quoted rule of "denying what is not specifically permitted" provides a good basis for defining any security policy. While this rule usually applies to firewalls, it also provides a good approach to overall security.
Physical Security Management
While security is usually associated with some form of cryptography, physical systems must be protected from theft, damage, and corruption. Data must be backed up. In addition, the availability of data is important. Systems must be kept online, even in the event of fires, floods, and earthquakes. Therefore, some means of replicating systems to other sites is often necessary. Refer to "Backup and Data Archiving," "Data Protection," "Disaster Planning and Recovery," "Fault Management," "Fault Tolerance and High Availability," "Power and Grounding Problems and Solutions," and "Replication."
Cryptography, Keys, and Certificates
There are a number of security mechanisms, most of which are based on some form of cryptography. These mechanisms allow secure data exchange over corporate networks and the Internet. They can be used to hide data, ensure the integrity of messages, and authenticate users or systems.
Cryptography provides the basis for securing data. An encryption algorithm is a mathematical routine that scrambles data, based on a user key, in a way that can be recovered with the same key or key pair. There are two types of encryption algorithms: symmetric secret-key algorithms and asymmetric public-key algorithms. These are discussed under "Cryptography" and "Public-Key Cryptography."
The advantage of the public-key scheme is that it eliminates the problems of key exchange. A trusted third party holds the public key and makes it available to other people in the form of a certificate. Certificate authorities bind a person's public key with validated information about that person, thus creating a digital certificate. The structure of the certificate itself (layout and format) is defined by an international standard called X.509. See "Certificates and Certification Systems" and "X.509 Certificates."
Certificates (and their keys) can be used to digitally sign messages. A signed message provides proof that a message is authentic, that it has not been tampered with, and that it has no errors. See "Digital Signatures" and "Hash Functions" for more information.
The public-key cryptography scheme is an essential part of doing business on the Internet. By putting public keys in certificates, it is possible for parties who don't know each other to establish secure trusted connections. If both parties trust the certificates issued by a particular CA, then they trust the contents of those certificates. The public keys can then be used for authentication and to establish encrypted communication sessions. A PKI (public-key infrastructure) is an organized hierarchical structure (potentially global) for creating, managing, and distributing certificates. See "PKI (Public-Key Infrastructure)" and "Key Distribution and Management."
AAA (authentication, authorization, and accounting) schemes are required to verify the authenticity of users, and control and track how they access secure systems. There are basic authentication schemes such as shared secret authentication methods, as described under "CHAP (Challenge Handshake Authentication Protocol)." The public-key scheme provides asymmetric (two-key) authentication. Symmetric (secret key) authentication is accomplished with systems such as Kerberos. See "Kerberos Authentication Protocol."
See RFC 2903 (Generic AAA Architecture, August 2000) for information about the AAA architectures. Also refer to "Access Control," "Authentication and Authorization," "Biometric Access Devices," "One-Time Password Authentication," "PAP (Password Authentication Protocol)," "Smart Cards," and "Token-Based Authentication."
A number of protocols exist to secure the connection between systems. Some of these protocols also provide authentication features. For example, PPP (Point-to-Point Protocol) includes the ECP (Encryption Control Protocol), which provides a method to negotiate an encryption method between the two points. See "PPP (Point-to-Point Protocol)" for more information. Secure connections across the Internet can be implemented with VPN technology. IPSec (IP Security) has emerged as the most important protocol for establishing secure connections. See "VPN (Virtual Private Network)" and "IPSec (IP Security)" for more information.
Additional protocols that provide secure links, secure transactions, or tunneling/VPN (virtual private networking) capabilities include "S-HTTP (Secure Hypertext Transfer Protocol)," "SSH (Secure Shell)," "SSL (Secure Sockets Layer)," "TLS (Transport Layer Security)," "L2TP (Layer 2 Tunneling Protocol)," "S/WAN (Secure WAN)," and "SET (Secure Electronic Transaction)."
Other Security Topics
There are a number of other security-related topics, including "Firewall," "Proxy Servers," "NAT (Network Address Translation)," "RADIUS (Remote Authentication Dial-In User Service)," "Virus and Antivirus Issues," "Security Auditing," "OPSEC (Open Platform for Security)," and "CDSA (Common Data Security Architecture)."
There are a variety of security specifications and initiatives, some developed by vendors and some developed by consortiums. Governments also define security specifications. Refer to the following sites.
IETF Working Groups and Important RFCs
There are a number of IETF working groups developing security specifications and protocols. Refer to the IETF Web site at http://www.ietf.org/html.charters/wg-dir.html and jump to the Security section. Following are some of the more general security RFCs available on the included CD-ROM. Refer to the individual security topics mentioned earlier for more specific RFCs.
Copyright (c) 2001 Tom Sheldon and Big Sur Multimedia.