Network Security. Task 1 Security Measures

Transcription

1 Task 1 Security Measures Connecting your computer to a network, particularly the Internet, can put your computer and your data at risk. It is important, therefore, that you take some steps to secure your system and files. There are three main ways of securing your computer system and its data. You can protect it with physical security, by implementing password protection and by assigning different levels of access to different users and groups. Physical security is a security mechanism based on hardware components, e.g., door locks, camera or a pass card reader, or personnel e.g. a security guard. These measures provide physical protection of resources against deliberate and accidental threats. The most common method of data access security is password protection. A password may be required to start a machine, to log on to a network, to run particular programs or to access individual folders or files. Passwords are not foolproof, however. There are several basic rules that apply to use of passwords, aimed at ensuring that unauthorised users cannot discover them. Passwords should not be written down or shared with others; they should be changed regularly; they should be a reasonable length around 8 characters and not obvious; they should be a mix of lower and upper case letters, numbers and symbols; and the system must restrict the number of times an incorrect password can be entered. Finally, you can further protect data on a computer system by applying different levels of access rights to different users or groups of users. You can offer no access to your personal folders or files, other files may be set to read only for viewing files or public files can have read/write or full access (which also allows the deletion of files or folders) to allow collaborative work. Questions 1. Should network administrators be able to find out individuals passwords? 2. State two examples of bad passwords and describe why they are unsuitable. 3. State two examples of good passwords and describe why they are suitable. 4. Describe types of physical security you may have seen in films or on television. 5. Which type of access do pupils have to the Central Resource Library? 6. Which type of access do you have to your My Documents folder? 7. Which type of access does your teacher have to your My Documents folder? 8. Which type of access does your teacher have to the Central Resource Library? Page 1

2 Task 2 Encryption Encryption is the transformation of data into a form unreadable by anyone without a secret decryption key. Its purpose is to ensure privacy by keeping the information hidden from anyone for whom it was not intended, including those who can see the encrypted data. Encryption may be used to make stored data private or to allow a non-secure communications channel to serve as a private communications channel. A cryptographic system uses two keys - a public key known to everyone and a private key known only to the recipient of the message. When John wants to send a secure message to Jane, he uses Jane's public key to encrypt the message. Jane then uses her private key to decrypt it. An important element to the public key system is that the public and private keys are related in such a way that only the public key can be used to encrypt messages and only the corresponding private key can be used to decrypt them and it is virtually impossible to deduce the private key if you know the public key. Public-key systems, such as Pretty Good Privacy (PGP), are becoming popular for transmitting information via the Internet. They are extremely secure and relatively simple to use. The only difficulty with public-key systems is that you need to know the recipient's public key to encrypt a message for him or her. Of course, it is possible to decrypt data by brute force, trying out every possible key until you get readable text. This however takes huge amounts of time depending upon the size of the key. The idea of a super computer designed to decrypt data is described in Dan Brown s novel, The Digital Fortress. Task To encrypt data, you must perform an operation on these binary codes. For example you might perform a logical XOR operation with a key. 0 XOR 0 = 0, 1 XOR 0 = 1, 0 XOR 1 = 1 1 XOR 1 = 0 E.g. FRED = XOR each character using a key, e.g = FRED XOR = EQFG To decrypt the data you must know the key and perform the same operation. If you try with another key the data will be garbled. Using ASCII codes, encode a four letter word using an 8 bit encryption key. Attempt to decrypt a classmates code. Page 2

3 Task 3 Security Requirements and Threats There are certain requirements of any network when transmitting data: Confidentiality user to user communication must be secure from unauthorised users viewing or accessing the data. Data Integrity data must be received without any changes being made to the data. Mathematical checks can be carried out to ensure that the binary data is not altered during its transmission. Availability the network must be reliable so that when users wish to make use of any network service, it is available. There are two main types of security threat when connected to a network. Passive threats where data transmissions are covertly monitored without a users knowledge and then using information without authorisation. Active threats when the data transmission is modified or a false stream is created. Questions 1. Describe a situation where the confidentiality of data is essential. 2. Describe a situation where the integrity of data is essential. 3. Describe a situation where the availability of a network is essential. 4. Describe a situation where a data stream could be under threat from a passive attack. 5. Describe a situation where a data stream could be under threat from an active attack. Page 3

4 Task 4 Denial of Service (DoS) Attacks In recent months there have been a series of news stories about criminals attempting to blackmail large companies by threatening to launch a Denial of Service attack on their website. The cost to a large e-commerce site of losing one day of trading can run into the hundreds of thousands of pounds as well as damaging their reputation and credibility. There is also the expense of restoring the server to full working order and securing it from further DoS attacks. In a DoS attack, you flood an Internet server with such a volume of traffic in a short time that it simply cannot cope and stops accepting requests for data. Typically, this would be a company s web or server and in severe cases can force the server to completely cease operating. DoS attacks can also be used as a weapon against spammers, software pirates and other cyber criminals. Controversially, the search engine Lycos made available a screensaver which, when installed on a users machine, launched a distributed DoS attack on servers which persistently send junk or spam s. Examples of denial of services are: Winnuke, Teardrop, Land, Nestea, Fraggle, Ping of Death, SYN flood, IP spoofing and Smurf attacks Task Investigate either one of the DoS examples named above or an example of a DoS attack against a large company. Prepare a presentation about your findings. Questions 1. Why would Amazon be wary of DoS attacks? 2. If no data is changed or deleted and if no viruses are released, could anyone conducting a DoS attack be charged under the Computer Misuse Act? 3. Do you agree with Lycos and their use of a DoS attack against spammers? Explain your decision. 4. How can cyber criminals make money through DoS attacks? 5. A mirror site is an exact replica of an Internet server. How can a mirror site help protect against. 6. What is meant by spoofing? 7. What is meant, therefore, by IP spoofing? Page 4

5 Task 5 Content Filtering Almost everyone with any experience or knowledge of the Internet will be aware of the volume of inappropriate and undesirable content on the World Wide Web. However there also exists a wealth of useful, educational and enjoyable content which you should be able to access easily. It is possible to by software programs which filter the content that can be viewed on a web browser. It screens out data by checking, for example, URLs or key words and blocking undesirable, dangerous or inappropriate Internet content. For home use the software can be installed on a single machine or organizations can block content at the server level. An alternative to trying to block the huge number of inappropriate sites is to create a walled garden. This is a sub-section of the Internet where users can only view a limited number of approved sites and all other content is blocked. While this ensures all content is suitable for the audience it does restrict the value of being able to actively research and exploit the huge number of valuable sites on the Internet. Task Search the web for information on either CyberSitter, NetNanny, CyberPatrol or similar. Write a short paragraph describing the product, how it works, how much it costs and how it can be customised to protect web users from being exposed to inappropriate content. Questions 1. In content filtering software, what are whitelists and blacklists? 2. Are there any drawbacks to installing and using content filtering software? 3. Why is content filtering important in educational settings? 4. Why is content filtering important in business settings? 5. What facilities are already available in Windows XP to filter Internet content? Page 5

6 Task 6 - Firewalls A firewall is a device that connects a local area network to the outside world and shields the network from unauthorised users. A firewall protects your network from unwanted Internet traffic by letting good traffic pass through while bad traffic gets blocked. When installed, a firewall exists between your computer(s) and the Internet. The firewall lets you request web pages, download files, chat, etc. while making sure other people on the internet can not access services on your computer like file or print sharing. Some firewalls are pieces of software that run on your computer. Other firewalls are built into hardware and protect your whole network from attacks. Software firewalls are programs that run on your computer and nestle themselves between your network card software drivers and your operating system. They intercept attacks before your operating system can even acknowledge them. Everyone connected to the Internet should be running some sort of firewall. Programs can be downloaded on the Internet that can scan huge ranges of IP address for vulnerabilities like file sharing services and exploit or harm your computer. Any kind of firewall will keep you safe from these types of attacks. Task Identify one software firewall and write a paragraph outlining the cost and main features of the program. Identify one hardware firewall and write a paragraph outlining the cost and main features of the device. Page 6

7 Task 7 Network Failure From your previous study, you should be aware of the main topologies: star, ring, bus and mesh. Each topology can fail if there is a problem with one of the nodes, the cabling linking the nodes or the software running on the nodes. Different topologies, however, react to these failures in different ways. Copy and complete the following table or amend your table from the previous module, describing the effect of node, channel and software failure in different topologies. Topology Node Failure Channel Failure Software Failure Star Ring Bus Mesh Page 7

8 Task 8 Avoiding Network Failure In task 7, you saw that a network can fail if there is a problem with a computer system, its software or its cabling. It is important that you do your best to protect your system. You may do this by installing anti-virus software, using fault tolerant hardware, using a UPS or regularly maintaining your hardware. There are different types of virus: Viruses infect other files; Worms make copies of themselves; Trojans perform malicious actions but do not spread; Malware is an all-encompassing term that describes any malicious software program or file operating without the users explicit consent. Anti-virus software can perform a system scan to search for viruses or run permanently, scanning s and downloads to prevent your system from becoming infected. One of the most important components of a server is the hard disk. Since it contains the operating system, users files and all installed programs, any problem with the server hard disk can render the network unusable. To help prevent this, you may implement a Redundant Array of Independent (formerly Inexpensive) Disks, RAID. The basic idea behind RAID is to combine multiple small, inexpensive disk drives into an array to minimise the risk of data loss from hard drive failures. By mirroring data, i.e. having multiple copies on separate disks, you can reduce the dependence on a single hard disk. It is vitally important that any servers on your network are not shut down unexpectedly or incorrectly. To protect this from happening you may install an Uninterruptible Power Supply, UPS. This also regulates the voltage supply, protecting your hardware from voltage surges. Finally, a regular programme of maintenance should be undertaken. This may include such tasks as scanning and defragmenting disks, running a virus check and installing any updates or patches for operating systems or software programs. Also, when purchasing hardware you must consider the warranty options, for example is there a same day replacement service or a 24 hour hotline to help you deal with hardware problems? Task With your teacher s help, investigate which strategies are in place to avoid network failure in your school network. Prepare a presentation on this topic. State whether you feel the precautions are adequate and what additional measures, if any, you would add. Page 8

9 Task 9 Backup Strategies In a client server network, the server controls which users can log onto the network, which resources they may access and which files they may use. An effective backup strategy, therefore, is to have a backup server, often known as a mirror. With a backup server in place, mirroring exactly the contents of your main server, as soon as there is a problem with your main server the backup server can immediately replace it. This is not cost effective, however, since an expensive server might never be used. An alternative solution might therefore to only keep a mirror disk, an exact copy of the server s hard disk so that in the event of any disk failure the disks can be swapped over. This mirror disk must be synchronised at regular intervals to minimise data loss in the event of a disk failure. Large capacity hard disks are also expensive and so, for less critical information, a backup may be made onto magnetic tape. This is the cheapest form of backing storage but is not suitable for primary backing storage as it is a sequential medium rather than offering direct or random data access. Finally, when making duplicate copies or backups, it is important that a backup schedule is in place to ensure that a minimum of data is lost in the event of a network failure. It is recommended that three generations of backup are kept, these are called the grandparent, parent and child file according to their age. Backups should be kept in a secure location, away from the server and away from each other. Questions 1. What is meant by sequential data access? 2. What is meant by random or direct data access? 3. Name a sequential access medium. 4. Name two direct access data medium. 5. Does your school network use a backup server, a mirror disk, magnetic tape backups or a combination of all three to ensure the security of data? 6. What advice would you give to a pupil working on an important essay at home? 7. Why should backups be kept in different locations? 8. If a backup server is such an expensive option, why would some networks use them? Page 9

10 Homework Exercise 1 1. Describe, with examples, three levels of access which can be set on a file. (3) 2. Describe two types of physical security. (2) 3. (a) What is meant by a key in relation to data encryption? (1) (b) Describe one disadvantage of data encryption. (1) 4. A school pupil wants to obtain information as part of a homework exercise. She finds a suitable file which can be downloaded but when she tries to download the file in school, she finds that the FTP access has been barred. (a) Why might FTP access be barred by the school? (1) (b) Which application on the school network has barred FTP access? (1) 5. Network users will be able to delete and save files to their home directory but may not be allowed to change other files which they would need to access. How could a network administrator implement this? (1) 6. Describe the threats to network security posed by the following people: (a) Pupils accessing the staff network (1) (b) Employees in a law firm (1) (c) Accountants working for a company (1) (d) Ex-employees of a company (1) 7. What is meant by data integrity? (1) TOTAL(15) Page 10

11 Homework Exercise 2 1. An online music store is worried about network security. (a) Why might it be worried about passive network threats? (1) (b) How could it ensure the confidentiality of data saved on its servers? (1) The store receives a threatening requesting payment of a large sum of money or else they will be subjected to a DoS attack. (c) What is meant by a DoS attack? (1) (d) Why would a DoS attack be damaging? Give two reasons. (2) 2. A school office has a local area network of desktop computers. Each office worker has arranged for one folder on their local hard disk to be shared so that other workers can copy files out of that folder. This allows workers to transfer files and messages between their computers. (a) (i) What name is given to this type of networking? (1) (ii) How can each worker ensure that only certain workers can access the shared folder on their computer? (1) (iii) How can they ensure that the other workers can only copy out of the folder and not into the folder? (1) (b) The school management have decided that it would be better to store all shared files on a central computer so that all office staff can access them from there. This was decided on the grounds of data security and data integrity. (i) What name is given to this type of networking? (1) (ii) Name one additional item of software and one additional item of hardware that would be required to implement this new system. (2) (c) For the type of network described in part (b): (i) (ii) Explain how this mode of networking provides data security and data integrity. (2) Describe an additional service which could be provided by this new networking mode and explain why it could not be provided before. (2) TOTAL(15) Page 11

12 Homework Exercise 3 1. A large insurance company makes extensive use of the Internet and . The company also has computer based networked information systems and its own intranet. Some of the company s staff have access to the entire network from home using a dial-up connection. (a) (b) (c) Suggest two reasons why access to the company s network is slower from home than it is from the office. (2) The IT manager is worried that the company s network might be broken into by unauthorised people. Describe two ways a firewall could prevent unauthorised access. (2) The dial-up server offers a callback facility. When an employee dials from home, the dial-up server checks their user name and password, terminates the connection and then re-establishes the link to the employee s home number. Give two reasons why this feature is used in addition to the firewall. (2) 2. A college is planning the installation of 200 new computer workstations. Unlike its original suite of computers, these will be networked. (a) Explain how the security of user files may be ensured in this network. (1) (b) Explain why a backup strategy is necessary for this network. (1) (c) Describe a suitable backup strategy, and explain how it could be implemented. (2) 3. Why would a UPS be an important part of any large network? (1) 4. Why is a firewall described as a two way security device? (1) 5. Which network topology is most resistant to network failure? Explain your answer. (1) 6. (a) Why is Internet filtering software desirable? (1) (b) How does this software work? (2) TOTAL(16) Page 12