Security


Note: Many topics at this site are reduced versions of the text in "The Encyclopedia of Networking and Telecommunications." Search results will not be as extensive as a search of the book's CD-ROM.

Data and communications security is critical on today's networks. Hackers, Internet intruders, eavesdroppers, forgers, and other attackers are everywhere. Few people have not heard of some sort of computer and network attack. Many are victims.

An entire volume could be written on security issues. This section outlines general topics and points you to resources where you can further your research. Some security topics are covered under related topics. You may want to open RFC 2828 (Internet Security Glossary, May 2000). It provides a useful glossary of security terms.

Security Threats and Vulnerabilities

Network security threats are everywhere. Your internal users may be stealing data or inadvertently revealing sensitive passwords or other material to people who are attempting to infiltrate your organization. Attackers from the outside may be gaining access through dial-up Internet connections or external server-to-server connections.

I refer to attackers as hackers. This is common in the security community. The opposite of hackers is a "good citizen." Refer to "Hacking and Hackers" for more details.

An attack is an attempt to take control of a system (a computer, network server, Web site, and so on) using a variety of methods, with the intent to take over the system, or simply to shut it down or prevent other people from accessing it (a denial-of-service attack). Attacks may also take place on cryptographic systems (information that has been encrypted, such as password files, secure data files, and so on). There are two primary types of attacks:

  • Passive attack    Monitoring and collecting information about a system to be used in a later attack, or to attack another related system.

  • Active attack    An active attack is one in which the attacker actually attempts to gain access to a system through unauthorized or illegal means.

Hackers may monitor the sessions of other users (passive attack) and attempt to take over the session (active attack). In a replay attack, the attacker uses previously gathered information to gain access to a system by "replaying" it to the system, which thinks that it is dealing with a valid session.

An interesting paper related to this topic is "Simulating Cyber Attacks, Defenses, and Consequences," by Fred Cohen. It is available at http://all.net/journal/ntb/simulate/simulate.html. Also see "Security Auditing" for information about tracking and handling security incidents.

Security Concepts and Mechanisms

"Security" is an all-encompassing term that describes all the concepts, techniques, and technologies to protect information from unauthorized access. There are several requirements for information security:

  • Confidentiality    Hiding data, usually with encryption, to prevent unauthorized viewing and access.

  • Authenticity    The ability to know that the person or system you are communicating with is who or what you think it is.

  • Access control    Once a person or system has been authenticated, their ability to access data and use systems is determined by access controls.

  • Data Integrity    Providing assurance that an information system or data is genuine.

  • Availability    Making sure that information is available to users in a secure way.

Trust is an important aspect of security. There are many different forms and levels of trust between people and computer systems. Many exchanges and transactions on the Internet take place between people who have never met. A third party can provide this trust by verifying the authenticity of parties in an exchange. Traditionally, banks and escrow companies have provided this trust. On the Internet, it is provided by CAs (certificate authorities).

Trust management systems provide security services for users and free up applications from having to provide their own mechanisms for interpreting credentials, authentication, and policy. A trust management system can be queried by an application with questions about how trust should be handled. The KeyNote Trust Management System is discussed under the topic "Trust Relationships and Trust Management."

Security policies are an essential part of an organization's general operations. The often-quoted rule of "denying what is not specifically permitted" provides a good basis for defining any security policy. While this rule usually applies to firewalls, it also provides a good approach to overall security.

Physical Security Management

While security is usually associated with some form of cryptography, physical systems must be protected from theft, damage, and corruption. Data must be backed up. In addition, the availability of data is important. Systems must be kept online, even in the event of fires, floods, and earthquakes. Therefore, some means of replicating systems to other sites is often necessary. Refer to "Backup and Data Archiving," "Data Protection," "Disaster Planning and Recovery," "Fault Management," "Fault Tolerance and High Availability," "Power and Grounding Problems and Solutions," and "Replication."

Cryptography, Keys, and Certificates

There are a number of security mechanisms, most of which are based on some form of cryptography. These mechanisms allow secure data exchange over corporate networks and the Internet. They can be used to hide data, ensure the integrity of messages, and authenticate users or systems.

Cryptography provides the basis for securing data. An encryption algorithm is a mathematical routine that scrambles data, based on a user key, in a way that can be recovered with the same key or key pair. There are two types of encryption algorithms: symmetric secret-key algorithms and asymmetric public-key algorithms. These are discussed under "Cryptography" and "Public-Key Cryptography."

The advantage of the public-key scheme is that it eliminates the problems of key exchange. A trusted third party holds the public key and makes it available to other people in the form of a certificate. Certificate authorities bind a person's public key with validated information about that person, thus creating a digital certificate. The structure of the certificate itself (layout and format) is defined by an international standard called X.509. See "Certificates and Certification Systems" and "X.509 Certificates."

Certificates (and their keys) can be used to digitally sign messages. A signed message provides proof that a message is authentic, that it has not been tampered with, and that it has no errors. See "Digital Signatures" and "Hash Functions" for more information.

The public-key cryptography scheme is an essential part of doing business on the Internet. By putting public keys in certificates, it is possible for parties who don't know each other to establish secure trusted connections. If both parties trust the certificates issued by a particular CA, then they trust the contents of those certificates. The public keys can then be used for authentication and to establish encrypted communication sessions. A PKI (public-key infrastructure) is an organized hierarchical structure (potentially global) for creating, managing, and distributing certificates. See "PKI (Public-Key Infrastructure)" and "Key Distribution and Management."

AAA (authentication, authorization, and accounting) schemes are required to verify the authenticity of users, and control and track how they access secure systems. There are basic authentication schemes such as shared secret authentication methods, as described under "CHAP (Challenge Handshake Authentication Protocol)." The public-key scheme provides asymmetric (two-key) authentication. Symmetric (secret key) authentication is accomplished with systems such as Kerberos. See "Kerberos Authentication Protocol."
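The replay attack described under "Security Threats and Vulnerabilities" and the shared-secret challenge handshake mentioned above can be seen side by side in the following added example, which is not part of the original entry. It is CHAP-style only: it uses HMAC-SHA256 rather than CHAP's own hash construction, and the class names, function names, and secret are constructed for illustration.

```python
import hashlib
import hmac
import secrets

SECRET = b"constructed-demo-secret"  # constructed sample value, not a real key

def respond(secret: bytes, challenge: bytes) -> bytes:
    """Client side: prove knowledge of the secret for this one challenge."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()

class StaticVerifier:
    """Fixed credential: the same bytes are valid on every login."""
    def __init__(self, secret: bytes):
        self._expected = hashlib.sha256(secret).digest()

    def verify(self, token: bytes) -> bool:
        return hmac.compare_digest(token, self._expected)

class ChallengeVerifier:
    """Fresh random challenge per attempt; each challenge is accepted once."""
    def __init__(self, secret: bytes):
        self._secret = secret
        self._outstanding = set()

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(16)
        self._outstanding.add(challenge)
        return challenge

    def verify(self, challenge: bytes, response: bytes) -> bool:
        if challenge not in self._outstanding:
            return False  # never issued, or already used: treat as a replay
        self._outstanding.discard(challenge)  # single use, pass or fail
        return hmac.compare_digest(response, respond(self._secret, challenge))

def demo() -> dict:
    """Run one legitimate login and one replay against each verifier."""
    static = StaticVerifier(SECRET)
    captured_token = hashlib.sha256(SECRET).digest()  # what the wire carried
    results = {"static_login": static.verify(captured_token),
               "static_replay": static.verify(captured_token)}

    server = ChallengeVerifier(SECRET)
    c1 = server.new_challenge()
    r1 = respond(SECRET, c1)  # the legitimate exchange, also "captured"
    results["challenge_login"] = server.verify(c1, r1)
    results["replay_same_pair"] = server.verify(c1, r1)
    results["replay_on_new_challenge"] = server.verify(server.new_challenge(), r1)
    return results

if __name__ == "__main__":
    print(demo())
```

The static verifier accepts the captured token a second time, while the challenge verifier rejects both the repeated pair and the old response presented against a new challenge.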

See RFC 2903 (Generic AAA Architecture, August 2000) for information about the AAA architectures. Also refer to "Access Control," "Authentication and Authorization," "Biometric Access Devices," "One-Time Password Authentication," "PAP (Password Authentication Protocol)," "Smart Cards," and "Token-Based Authentication."

Securing Connections

A number of protocols exist to secure the connection between systems. Some of these protocols also provide authentication features. For example, PPP (Point-to-Point Protocol) includes the ECP (Encryption Control Protocol), which provides a method to negotiate an encryption method between the two points. See "PPP (Point-to-Point Protocol)" for more information. Secure connections across the Internet can be implemented with VPN technology. IPSec (IP Security) has emerged as the most important protocol for establishing secure connections. See "VPN (Virtual Private Network)" and "IPSec (IP Security)" for more information.

Additional protocols that provide secure links, secure transactions, or tunneling/VPN (virtual private networking) capabilities include "S-HTTP (Secure Hypertext Transfer Protocol)," "SSH (Secure Shell)," "SSL (Secure Sockets Layer)," "TLS (Transport Layer Security)," "L2TP (Layer 2 Tunneling Protocol)," "S/WAN (Secure WAN)," and "SET (Secure Electronic Transaction)."

Other Security Topics

There are a number of other security-related topics, including "Firewall," "Proxy Servers," "NAT (Network Address Translation)," "RADIUS (Remote Authentication Dial-In User Service)," "Virus and Antivirus Issues," "Security Auditing," "OPSEC (Open Platform for Security)," and "CDSA (Common Data Security Architecture)."

Security-Related Organizations

There are a variety of security specifications and initiatives, some developed by vendors and some developed by consortiums. Governments also define security specifications. Refer to the following sites.

NIST (National Institute of Standards and Technology)

http://www.nist.gov/

NSA (National Security Agency)

http://www.nsa.gov/

CERT (Computer Emergency Response Team)

http://www.cert.org/

CIAC (Computer Incident Advisory Capability)

http://ciac.llnl.gov/

FIRST (Forum of Incident Response and Security Teams)

http://www.first.org/

EFF (Electronic Frontier Foundation)

http://www.eff.org/

NetSec Int'l (Network Security International Association)

http://www.netsec-intl.com/

IETF Working Groups and Important RFCs

There are a number of IETF working groups developing security specifications and protocols. Refer to the IETF Web site at http://www.ietf.org/html.charters/wg-dir.html and jump to the Security section. Following are some of the more general security RFCs available on the included CD-ROM. Refer to the individual security topics mentioned earlier for more specific RFCs.

  • RFC 1704 (On Internet Authentication, October 1994)

  • RFC 1984 (IAB and IESG Statement on Cryptographic Technology and the Internet, August 1996)

  • RFC 2084 (Considerations for Web Transaction Security, January 1997)

  • RFC 2196 (Site Security Handbook, September 1997)

  • RFC 2316 (Report of the IAB Security Architecture Workshop, April 1998)

  • RFC 2350 (Expectations for Computer Security Incident Response, June 1998)

  • RFC 2504 (Users' Security Handbook, February 1999)

  • RFC 2828 (Internet Security Glossary, May 2000)

  • RFC 3013 (Recommended Internet Service Provider Security Services and Procedures, November 2000)



Copyright (c) 2001 Tom Sheldon and Big Sur Multimedia.
All rights reserved under Pan American and International copyright conventions.