Computer Networking

CHAPTER 17 NETWORK MANAGEMENT



Department of Computer Networking Application

PART THREE INTRODUCTION


Chapter 17 examines the vital topic of network security and explains many ways in which networks can be made more secure.
Chapter 18: you will cover encryption, digital signatures, and digital certificates in detail, and you will understand the importance of user IDs and strong passwords.
Chapter 19: you will investigate the threat of viruses and other network perils as well as steps that can be taken to minimize their impact.
www.gxmu.edu.cn

Textbooks and reference books:
Cryptography and Network Security, by Atul Kahate, ISBN 7-302-114900/TP7540
Network Security, by Atul Kahate, ISBN 7-302-099677/TP6855


Chapter 18
Explains the network design and implementation process. Designing a new or changed network is a multiphase activity that requires user involvement along the way. The chapter studies the various steps in the process, steps that are described and illustrated.


Chapter 19
Describes the network management and operations process. It explores the reasons for managing a network and the standard management functions, placed in a network context, and covers the practical issues of day-to-day operation of a network: problem management, performance management, configuration management and change management.


Chapter 17 Network Security
17-1 Introduction
17-2 Why security is needed
17-3 Management's responsibility
17-4 Types of threat: security architecture, security attacks, security services


17-1 OBJECTIVES
Explain why network security is necessary.
Discuss management's responsibility.
Describe the key elements of a network security policy.
List the types of security threats.
Explain the purpose, pros, and cons of encryption.


17-1 OBJECTIVES
Describe how symmetric and asymmetric key-based encryption systems work.
Describe digital signatures and certificates.
Describe the various types of network access control.
Discuss disaster recovery planning.
Describe the security of a home network.




17-1 INTRODUCTION
This chapter describes network security: the types of security threats, the various measures that increase a network's security, and how to recover from security incidents.


17-2 Security Is NOT Enough
A business can no longer be operated without access to information and a reliable communication system. Usually, the value of the data stored on networked computers far exceeds the cost of the networks themselves.



17-2 Why Security
(Figure: attacks on the scope and time. From the 1980s through the 1990s to today and the future, the threats progress from boot viruses, through macro viruses, denial of service and LAN worms, to distributed denial of service (DDoS), blended threats and flash worms, with increasingly damaging payloads and the rise of cybercrime and cyberterror. The sophistication of hacker tools rises from LOW to HIGH, while the time a new threat needs to spread shrinks from weeks to days, minutes and seconds.)


17-2 Why Network Security is Needed
Large and small organizations of all types are becoming increasingly dependent on networks to carry on their activities. In the past, networks were mainly private and easy to control. With the rise of the Internet and its use for conducting business, networks are more open. It is virtually impossible to eliminate all network security threats.


17-2 Why Is the Internet NOT Safe?
The Internet originated in the military, when networks were mainly private. With the rise of the Internet, networks are more open, and the TCP/IP protocol itself is open.


17-3 MANAGEMENT'S RESPONSIBILITY
Network management must see that appropriate security measures are implemented. Senior management must understand network security issues and indicate to all employees that network security is important to the organization's well-being. The network management staff has a very important security responsibility.



17-3 Adequately managing network security requires
A network security policy.
Clearly defined roles and responsibilities.
A security implementation plan.
An effective implementation of appropriate security hardware and software.
A plan to deal with any security breaches that do occur.
Periodic checks that the security policies and standards are effective.


17-3 Network security policy
It is management's statement of the importance of, and their commitment to, network security. It needs to describe in general terms what will be done and clearly state management's position on the importance of network security. It does not deal with how the security protection is to be achieved. A network security officer is responsible for seeing that the security policy and practices are carried out.


17-3 Elements Of a Network Security Policy
The importance of network security.
What is to be protected.
Management's responsibility.



17-4 TYPES OF THREATS
Security threats to a network can be divided into those that involve some sort of unauthorized access and all others.



17-4 Five types of security threats
The five types of security threats to a network are:
Eavesdropping: monitoring network traffic.
Altering message contents.
Masquerading.
Denial of service.
Planting viruses or worms.


17-4 Denial of service (DoS)
DoS occurs when someone floods a site with messages faster than they can be handled. DDoS: Distributed Denial of Service.
TCP DoS attacks: SYN flood attack, Land attack.
UDP DoS attack: UDP flood.
ICMP DoS attacks: Teardrop attack, Ping of Death.




17-4 DoS - SYN Flooding
(Figure: the three-way handshake between A and B. A sends SYN, B answers with SYN-ACK, A completes with ACK.)



17-4 Planting viruses
The most common ways: through an attachment to an e-mail; by downloading software containing a virus (figure: download over the Internet/HTTP).



17-4 Other types of security threats include
Physical damage.
Nonmalicious disruptions.
Disasters.



17-4 Attacks, Services and Mechanisms
Security attack: any action that compromises the security of information.
Security mechanism: a mechanism designed to detect, prevent, or recover from a security attack.
Security service: a service that enhances the security of data processing systems and information transfers. A security service makes use of one or more security mechanisms.

17-4 Passive and active attacks
Passive attacks: no modification of content or fabrication; eavesdropping to learn the contents or other information.
Active attacks: modification of content and/or participation in the communication in order to impersonate legitimate parties, modify the content in transit, or launch denial of service attacks.
(Figures: security attacks; passive attacks; active attacks.)
17-4 Security Mechanism
A mechanism designed to protect against, detect, react to, and restore from a security attack.
PDRR model: Protection, Detection, Reaction, Restore (figure: the four stages arranged around information security).


(Figure: the PDRR flow. An attack first meets Protect; if protection fails, the attack reaches Detect; a successful detection triggers React; if reaction fails, Recover restores the system.)



Protection: based on known security issues, the system takes preventive measures against a successful intrusion by the attacker. Detection: if the attacker gets through the protection system, the detection system detects the intrusion. Recovery: after the incident, the system is brought back to its original state, or to a state more secure than the original.



17-4 Security Services
A security service is a service provided by a protocol layer of a communicating system (X.800).
Five categories:
Authentication
Access control
Data confidentiality
Data integrity
Nonrepudiation (and availability)




(Figure: properties of information security: reliability, availability, authenticity, confidentiality, integrity, non-repudiation.)



17-5 ENCRYPTION
Encryption is the transformation of data into a meaningless form, unreadable by anyone without the decryption key. Encryption prevents someone from eavesdropping on a network.
Plaintext: unencrypted information.
Ciphertext: encrypted information.
Secret key: the input to the encryption/decryption algorithm.


17-5 Decryption
Conversion of ciphertext to plaintext.
(Figure: the plaintext "This is a book" is encrypted to "!@#$~%^~&~*()-" and decrypted back to "This is a book".)


17-5 Symmetric encryption techniques
(Figure: the same key turns "This is a book" into "!@#$~%^~&~*()-" and turns "!@#$~%^~&~*()-" back into "This is a book".)



17-5 The history of cryptography
Prior to 1949: classical cryptography. Data security relies on keeping the algorithm secret.
1949 to 1976: modern cryptography. Data security relies on the key.
1976: public-key cryptography. Public-key cryptography makes confidential communication possible without transmitting a key between the sending and receiving sides.


17-5 Caesar cryptogram (Ancient Rome)
CAESAR: c = m + 3
Plaintext: Caesar was a great soldier
Ciphertext: Fdhvdu zdv d juhdw vroglhu



17-5 Sparta cryptogram
The fifth-century BC cryptogram stick (figure).



17-5 Polybius Checkerboard (205~123 B.C.)
      1  2  3  4  5
  1   A  B  C  D  E
  2   F  G  H  IJ K
  3   L  M  N  O  P
  4   Q  R  S  T  U
  5   V  W  X  Y  Z
Each letter is replaced by its row digit followed by its column digit.
plaintext: POLYBIUS   cipher: 35 34 31 54 12 24 45 43


17-5 U.S. Civil War
(Figure: the plaintext is written into a 4 x 4 grid row by row in the input direction and the ciphertext is read out column by column in the output direction.)
Plaintext: Can you understand
Ciphertext: codtaueanurnynsd


17-5 Monoalphabetic Ciphers
A simple symmetric encryption scheme in which each plaintext character is replaced by another character. A secure encryption system should mask the frequency with which letters occur and should also mask the word lengths.


17-5 Caesar Cipher
There are only 25 possible ciphers: A maps to B, ..., Z.
One could simply try each in turn: a brute-force attack.
Given the ciphertext, just try all shifts of the letters.
You do need to recognize when you have the plaintext.




17-5 Polyalphabetic Ciphers
Definition: a given letter of the alphabet will not always be enciphered by the same ciphertext character. This changes the letter frequencies. An important example: Vigenère.


17-5 Features
A set of related monoalphabetic substitution rules is used. A key determines which rule is used for a transformation.
Figure 17-3 A Vigenère square.



17-5 Polyalphabetic cipher example
Write the plaintext out, write the keyword repeated above it, and encrypt each plaintext letter with the corresponding key letter, e.g. using the keyword deceptive:
key:        deceptivedeceptivedeceptive
plaintext:  wearediscoveredsaveyourself
ciphertext: ZICVTWQNGRZGVTWAVZHCQYGLMGJ
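The Vigenère example above, worked in Python as an added example (not code from the slides or the textbook). Besides encrypting and decrypting with the keyword deceptive, it lists the ciphertext letters that a single plaintext letter is mapped to, which is what the definition of a polyalphabetic cipher promises: the same plaintext "e" comes out as several different ciphertext letters, so the letter frequencies are changed.

```python
def _key_shifts(keyword):
    """Turn the keyword into a list of shifts (a=0 ... z=25), ignoring non-letters."""
    return [ord(k) - ord("a") for k in keyword.lower() if k.isalpha()]


def vigenere_encrypt(plaintext, keyword):
    """Each plaintext letter is shifted by the matching (repeated) keyword letter.
    Non-letters are dropped and the output is upper case, as on the slide."""
    key = _key_shifts(keyword)
    out, i = [], 0
    for ch in plaintext.lower():
        if ch.isalpha():
            out.append(chr((ord(ch) - ord("a") + key[i % len(key)]) % 26 + ord("A")))
            i += 1
    return "".join(out)


def vigenere_decrypt(ciphertext, keyword):
    """Shift each ciphertext letter back by the same keyword letter; returns lower case."""
    key = _key_shifts(keyword)
    out, i = [], 0
    for ch in ciphertext.lower():
        if ch.isalpha():
            out.append(chr((ord(ch) - ord("a") - key[i % len(key)]) % 26 + ord("a")))
            i += 1
    return "".join(out)


def ciphertext_letters_for(plaintext, keyword, letter):
    """The set of ciphertext letters that one plaintext letter is enciphered to.
    A monoalphabetic cipher gives a single letter; Vigenère gives up to len(keyword) letters."""
    letters = [c for c in plaintext.lower() if c.isalpha()]
    ct = vigenere_encrypt(plaintext, keyword)
    return {ct[i] for i, p in enumerate(letters) if p == letter}


if __name__ == "__main__":
    key, msg = "deceptive", "wearediscoveredsaveyourself"
    ct = vigenere_encrypt(msg, key)
    print(ct)                                   # ZICVTWQNGRZGVTWAVZHCQYGLMGJ
    print(vigenere_decrypt(ct, key))            # wearediscoveredsaveyourself
    print(sorted(ciphertext_letters_for(msg, key, "e")))   # the six e's become five different letters
```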


17-5 Transposition Ciphers
Definition: rearrange the letters in the plaintext message rather than substituting cipher characters for them.
(Marked as an error on the slide: "rearrange the characters in the encrypted message.")




17-5 Sample
(Figure: a transposition cipher sample written out in a grid.)
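A columnar transposition in Python, as an added example that is not code from the slides or the textbook. It reproduces the U.S. Civil War slide above: the plaintext "Can you understand" is written into a 4-column grid row by row (input direction) and read out column by column (output direction), giving codtaueanurnynsd. The last function makes the definition's point concrete: a transposition only moves letters, so the ciphertext has exactly the same letter counts as the plaintext, unlike a substitution cipher. The padding character "x" for incomplete rows is an assumption of the example.

```python
def columnar_encrypt(plaintext, columns, pad="x"):
    """Write the letters into a grid row by row and read the ciphertext out column by column.
    Case and non-letters are dropped; the last row is padded with `pad` so every column is full."""
    if columns < 1:
        raise ValueError("need at least one column")
    letters = "".join(c.lower() for c in plaintext if c.isalpha())
    while len(letters) % columns:
        letters += pad
    rows = [letters[i:i + columns] for i in range(0, len(letters), columns)]
    return "".join(row[c] for c in range(columns) for row in rows)


def columnar_decrypt(ciphertext, columns):
    """Reverse the read-out: cut the ciphertext into `columns` equal pieces (one per column)
    and read across the rows. Padding letters, if any, remain at the end."""
    if columns < 1 or len(ciphertext) % columns:
        raise ValueError("ciphertext length is not a multiple of the column count")
    height = len(ciphertext) // columns
    cols = [ciphertext[i * height:(i + 1) * height] for i in range(columns)]
    return "".join(cols[c][r] for r in range(height) for c in range(columns))


def same_letter_counts(a, b):
    """True when both strings contain the same letters with the same counts: the letter
    frequencies of a transposition ciphertext are identical to those of its plaintext."""
    return sorted(a) == sorted(b)


if __name__ == "__main__":
    ct = columnar_encrypt("Can you understand", 4)
    print(ct)                              # codtaueanurnynsd
    print(columnar_decrypt(ct, 4))         # canyouunderstand
    print(same_letter_counts(ct, "canyouunderstand"))   # True
```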

CHAPTER 17 NETWORK MANAGEMENT


17-5 Bit-level Encryption
This technique ignores the characters that make up the message to be transmitted and instead works with the individual bits that make up the characters. Bit-level encryption uses a key; the encryption and decryption keys are the same key. Problem: how is the key sent?



17-5 A simple encryption algorithm - XOR
Either A or B, but not both.


Figure 17-4 Bit-level encryption using the XOR operation: C = P XOR key. For simplicity, only a 16-bit substring of text and a 16-bit encryption key are used.
Figure 17-5 Decryption is a repetition of the encryption process using another XOR operation: P = C XOR key.
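Figures 17-4 and 17-5 in Python, as an added example that is not code from the slides or the textbook: a 16-bit key (the value 0x5AC3 is constructed for the example) is XORed with 16 bits of text, and the same operation with the same key recovers the text. The last lines show the caveat that goes with a short repeated key: XORing two ciphertexts made with the same key cancels the key entirely and leaves the XOR of the two plaintexts, which is why the key in real use must be as long as the data and never reused.

```python
def xor_bytes(data, key):
    """XOR every byte of `data` with the repeating `key` (bit-level encryption, Figure 17-4).
    Applying the same function to the ciphertext with the same key decrypts it (Figure 17-5)."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def bits(data):
    """Render bytes as a string of bits, to show what happens at the bit level."""
    return "".join(f"{b:08b}" for b in data)


def key_cancels(c1, c2, p1, p2):
    """True when c1 XOR c2 equals p1 XOR p2: the key drops out when it is reused."""
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)


if __name__ == "__main__":
    key = bytes([0x5A, 0xC3])           # constructed 16-bit key
    plaintext = b"Hi"                   # a 16-bit substring of text
    ciphertext = xor_bytes(plaintext, key)
    print(bits(plaintext))              # 0100100001101001
    print(bits(key))                    # 0101101011000011
    print(bits(ciphertext))             # 0001001010101010
    print(xor_bytes(ciphertext, key))   # b'Hi'
    # Key reuse caveat: two messages under the same key XOR to the XOR of the plaintexts.
    other = b"OK"
    print(key_cancels(ciphertext, xor_bytes(other, key), plaintext, other))   # True
```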



17-5 Data Encryption Standard
DES was developed by IBM in the 1970s.
DES (Data Encryption Standard) encrypts 64-bit blocks of plaintext using a 56-bit key, which yields 2^56 (more than 7.2 x 10^16) possible keys; the data is processed 64 bits at a time as a block.



17-5 Speed
DES can be implemented in hardware.
Hardware: VLSI company VM009 (1993): 200 MB/s.
Software: 80486 CPU at 66 MHz: 43,000 DES blocks/s, 336 KB/s.
Software: HP 9000/887, CPU at 125 MHz: 196,000 DES blocks/s, 1.53 MB/s.



17-5 DES algorithm summary
(Figure: the 64-bit plaintext passes through the Initial Permutation (IP), sixteen rounds (Round 1 to Round 16) and the inverse permutation IP^-1 to give the 64-bit ciphertext. The 64-bit key goes through Permuted Choice 1; for each round a Left Circular Shift followed by Permuted Choice 2 produces that round's subkey.)

17-5 Triple DES
The original DES is vulnerable to a brute-force attack. Triple DES is an improvement over DES because the key length is doubled from 56 to 112 bits and the data is encrypted three times. Key length: 112 bits, k = k1 k2; key space 2^112.
(Figure: m is encrypted with DES under k1, decrypted with DES^-1 under k2, and encrypted again with DES under k1; decryption applies DES^-1 under k1, DES under k2 and DES^-1 under k1.)


17-5 Key management
In many situations, managing the key is a high-cost overhead for an encryption system.
Key sharing still represents a weakness in any symmetric encryption system.



17-6 Advanced Encryption Standard
DES is vulnerable to a brute-force attack. AES is the U.S. National Institute of Standards and Technology (NIST) standard chosen to replace DES as the encryption standard. 128-bit key.



17-6 Asymmetric Key Encryption
PKE (public-key encryption): messages are encrypted with one key that can be made public; the recipient uses a separate private key to decipher them. Advantage: it solves the problem of key management and exchange. Symmetric-key encryption is much faster than PKE, but PKE is safer.


17-6 Asymmetric Key
The key used for encryption and the key used for decryption are not the same. The public key is the one used for encryption and can be known by anyone. The private key is used for decryption and is kept secret. The keys used with an asymmetric key encryption system are normally very large prime numbers. (Figure: public key and private key.)


17-6 Asymmetric Key Encryption (figure)
RSA (Rivest, Shamir and Adleman) (figure)


17-6 PGP
PGP (Pretty Good Privacy). Inventor: Phil Zimmermann. An asymmetric encryption/decryption program for e-mail, computer data, and voice conversations that was developed by a private individual is called PGP. It is the de-facto standard for Internet e-mail encryption. PGP is in the public domain and is one of the most common ways to protect data on the Internet.

17-7 Other Encryption Systems
Microsoft: Encrypting File System on NTFS.
WinZip: 128- and 256-bit AES.
WinRAR.
Hardware encryption: the software dongle ("software dog").



17-7 Voice Scrambling
Voice scrambling makes the voice transmission unintelligible to anyone who does not have a descrambler. (Figure: scrambler.)



17-7 DIGITAL SIGNATURES
A digital signature is the network equivalent of signing a message and guaranteeing that the contents have not been changed. For electronic commerce it is a key component of most authentication systems. Purposes: guarantee the identity of the individual sending the message; guarantee that the message has arrived intact; the sender cannot dispute having sent it; the message is time-stamped.


17-7 Hash Function
Crunches the data and calculates a unique value for the document: the message digest or hash. It ensures that the contents of the message are not changed.
(Figure: a document is hashed to a digest such as B*U@9374392l;qHUHW.)


17-7 Basic requirements for a cryptographic hash
Input: any length. Output: fixed length.
One-way function.


17-7 Usage method

To sign a message with a digital signature, the sender simply invokes a software routine that builds the signature using a private key known only to him.


Figure 17-6 The digital signature process.
Sender: 1. Copies the contract to an e-mail. 2. Calculates the hash of the e-mail. 3. Encrypts the hash using the private key. The digital signature is the encrypted hash.
Receiver: 1. Calculates the hash of the received message. 2. Decrypts the received hash using the sender's public key. 3. If the hashes match, the message is valid.
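The sender and receiver steps of Figure 17-6 carried through in Python, as an added example that is not code from the slides or the textbook. The hash is SHA-256 from the standard library; the "encrypt the hash with the private key" step uses textbook RSA with a toy key pair that the example generates from two small primes, and (a further toy simplification) the digest is reduced modulo n before signing. Real systems use keys of 2048 bits or more with a padding scheme, so this block illustrates the process, not a deployable signature. The contract text is constructed.

```python
import hashlib
import math


def next_prime(start):
    """Smallest prime >= start, by trial division (adequate for the toy sizes used here)."""
    n = max(2, start)
    while True:
        if all(n % d for d in range(2, math.isqrt(n) + 1)):
            return n
        n += 1


def toy_keypair(p_seed=100_000, q_seed=1_000_000, e=65537):
    """Textbook RSA key pair from two small primes: public key (n, e), private key (n, d).
    Toy sizes only; the seeds just pick where the prime search starts."""
    p, q = next_prime(p_seed), next_prime(q_seed)
    n, phi = p * q, (p - 1) * (q - 1)
    while math.gcd(e, phi) != 1:
        e += 2
    d = pow(e, -1, phi)
    return (n, e), (n, d)


def digest_as_int(message, n):
    """Sender step 2 / receiver step 1: hash the message; toy step: reduce it modulo n."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message, private_key):
    """Sender step 3: the signature is the hash transformed with the private key."""
    n, d = private_key
    return pow(digest_as_int(message, n), d, n)


def verify(message, signature, public_key):
    """Receiver steps 2 and 3: undo the signature with the public key and compare with a fresh hash."""
    n, e = public_key
    return pow(signature, e, n) == digest_as_int(message, n)


if __name__ == "__main__":
    public_key, private_key = toy_keypair()
    contract = b"Contract: deliver 100 units by Friday."     # constructed message
    signature = sign(contract, private_key)
    print(verify(contract, signature, public_key))                   # True: hashes match
    print(verify(contract + b" (amended)", signature, public_key))   # False: contents changed
    other_public, _ = toy_keypair(200_000, 3_000_000)
    print(verify(contract, signature, other_public))                 # False: not this signer's key
```

The two failing checks at the end are the two guarantees the slide lists: a changed message no longer matches the signed hash, and a signature only verifies under the public key that pairs with the private key that made it.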




17-7 Digital fingerprint
File checking, to guard against malicious tampering with a file.
UNIX example: the file tanajiya.tar.gz is distributed with its digest file tanajiya.tar.gz.md5, which contains:
MD5 (tanajiya.tar.gz) = 0ca175b9c0f726a831d895e269332461
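Fingerprint verification in Python, as an added example that is not code from the slides or the textbook. It parses digest lines in the format shown on the slide, recomputes the digest of the file contents and compares the two, and it shows the two hash requirements listed above: any input length, fixed output length, and a one-byte change producing a completely different value. The archive contents are constructed, so their digest is computed at run time rather than matching the slide's value.

```python
import hashlib
import hmac
import re

# Digest line in the style shown on the slide, e.g.
#   MD5 (tanajiya.tar.gz) = 0ca175b9c0f726a831d895e269332461
DIGEST_LINE = re.compile(r"^(\w+) \((.+)\) = ([0-9A-Fa-f]+)$")


def fingerprint(data, algorithm="md5"):
    """Hex digest of `data`. The output length depends only on the algorithm, not on the input."""
    h = hashlib.new(algorithm)
    h.update(data)
    return h.hexdigest()


def digest_line(data, filename, algorithm="md5"):
    """Produce a line in the slide's format for storing next to the file (the .md5 file)."""
    return f"{algorithm.upper()} ({filename}) = {fingerprint(data, algorithm)}"


def parse_digest_line(line):
    """Return (algorithm, filename, hexdigest) from a digest line; raise on malformed input."""
    m = DIGEST_LINE.match(line.strip())
    if not m:
        raise ValueError(f"not a digest line: {line!r}")
    return m.group(1).lower(), m.group(2), m.group(3).lower()


def verify(data, line):
    """Recompute the file's fingerprint and compare it with the stored one in constant time."""
    algorithm, _, expected = parse_digest_line(line)
    return hmac.compare_digest(fingerprint(data, algorithm), expected)


if __name__ == "__main__":
    archive = b"constructed sample archive contents\n"     # stands in for tanajiya.tar.gz
    stored = digest_line(archive, "tanajiya.tar.gz")
    print(stored)
    print(verify(archive, stored))                         # True
    tampered = archive[:-1] + b"!"                         # one byte changed
    print(verify(tampered, stored))                        # False
    print(len(fingerprint(b"")), len(fingerprint(b"x" * 1_000_000)))   # 32 32: fixed output length
```

The constant-time comparison is a habit worth keeping whenever a computed digest is compared with a stored one. MD5 is what the slide shows and is still fine for spotting accidental corruption, but it is no longer collision-resistant, so for protection against deliberate tampering the same code should be run with algorithm="sha256".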


17-7 DIGITAL CERTIFICATES
A digital certificate is a password-protected, encrypted data file that identifies a transmitting entity and certifies that it is who it says it is. It is usually installed in an e-key. Digital certificates are similar to a real-life identity card. CA: certificate authority.


17-7 The CA's role
Guarantee that the organization or individual granted the certificate is who it claims to be. Guarantee that the holder's public key really belongs to the holder. A trustworthy CA will issue a certificate only after verifying the identity. A certificate is valid only for the period of time specified by the CA that issued it.
17-7 X.509 (CCITT) (figure)


17-7 Digital certificate content (figure)
Certificate Authority name and CA logo
Subject: Mr Tom
Issuer: INET CA1
Subject's public key
Serial Number: 29483756
Not Before: 10/18/99 (effective date)
Not After: 10/18/04
Usage: Secure Email, Client Authentication
Signed (by the CA): Cg6&^78#@dx



17-7 The principle of digital certificates
(Figure: the user submits a certificate application to the CA; the certificate carries the public key, while the private key stays with the user.)
Digital certificates use the public-key mechanism. The CA provides the program for the user, who has a pair of keys: the public key is stored at the CA; the private key is stored on the user's computer.
17-7 CA structure
(Figure: the terminal submits a certificate application to the RA; the RA passes the request to the CA and returns the result; the CA issues the certificate into the certificate library, from which the user obtains the certificate.)


17-7 PKI typical application
(Figure: a CA on the Internet/Intranet serving Web servers and their clients.)


17-8 IP SECURITY
IETF: Internet Engineering Task Force. IPsec (IP security): the security protocol for Internet communications, known as IPsec. It provides identification and security services at the IP layer. IPsec acts at the network layer, protecting and authenticating IP packets between IPsec-compliant devices. It is compatible with IPv4 and IPv6.


17-8 IPsec in TCP/IP
(Figure: on both the sender and the receiver the original message passes through the Application, Transport, IPsec, Internet and Data link layers, connected by the transmission medium.)



17-8 Network security architecture based on the TCP/IP protocol stack
Application layer: PEM, MOSS, PGP, S/MIME, S-HTTP, SSH, Kerberos, SNMPv2.
Transport layer: SSL over TCP; UDP.
Network layer: IPv6, IPsec, ISAKMP.



17-8 IPsec content
The sending and receiving sides must share a public key. ISAKMP: Internet Security Association and Key Management Protocol.



17-8 IPsec architecture
(Figure: IPsec is made up of ESP, AH, DOI, IKE and SA.)



17-8 Services IPsec provides
Data confidentiality.
Data integrity.
Data origin authentication.
Anti-replay.




17-8 IPsec Uses
Applicable for use over LANs, across public and private WANs, and for the Internet.



17-9 Virtual Private Network
Uses the Internet as if it were a private network.
Far less expensive than a leased line.
Uses the IPsec protocol.



17-9 SECURE SOCKET LAYER
Traffic to the Web server is encrypted. Netscape was the first to use it. SSL is a transport-level technology for authentication between a Web browser and a Web server. SSL runs above the TCP layer and below the application layer and establishes an encrypted connection (shttp/https).



17-9 SSL includes two subprotocols
SSL record protocol: formats the data.
SSL handshake protocol: first establishes the connection. Techniques used include DES, Triple DES, RSA, etc.
SSL allows a user to confirm a server's identity.




17-9 SSL-based Web access: the complete process (figure: client and server)
1. The client browser's digital certificate and public key.
2. The server's digital certificate and public key.
3. Information is encrypted with the server's public key.
4. The information is decrypted with the server's private key.
5. The session key is encrypted with the client browser's public key.
6. The information is decrypted with the client browser's private key.
7. Data transmission is encrypted with the session key.


17-9 (shttp/https).

Both Netscape and Internet Explorer support SSL.




17-10 VIRUSES
Viruses have become a network issue.
The single best thing an organization or user can do to protect against viruses is to install antivirus software on its computers.
Program files that have a virus attached are said to be infected.


17-10 Antivirus program
It works by looking for a virus signature that is unique to the virus. Virus signature: a sequence of computer instructions that is unique to the virus.
Antivirus programs have reduced the overall risk of network security problems in the past few years.


17-10 Virus Signature
A sequence of computer instructions that is unique to the virus.
Viruses spread: computer viruses spread much like their biological counterpart, by sharing.
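How an antivirus program's signature search works, as an added example in Python that is not code from the slides or any antivirus product. The signatures and the "infected" file are constructed byte strings; the scanner reports every signature found and the offset at which it was found. The last lines show the limit of the method that the slide's definition implies: a signature search only finds sequences it already knows, so a file carrying anything else (or a variant whose bytes differ) comes back clean.

```python
# Constructed signatures: byte sequences assumed unique to each (fictional) virus.
SIGNATURES = {
    "Sample.A": bytes.fromhex("deadbeef9090"),
    "Sample.B": b"\x4d\x5a\x00\x00CONSTRUCTED",
}


def find_all(data, needle):
    """Every offset at which `needle` occurs in `data` (overlapping occurrences included)."""
    offsets, start = [], data.find(needle)
    while start != -1:
        offsets.append(start)
        start = data.find(needle, start + 1)
    return offsets


def scan(data, signatures=SIGNATURES):
    """Return [(virus name, offset), ...] for every known signature found, sorted by offset.
    An empty list means no known signature is present, not that the file is clean."""
    hits = []
    for name, sig in signatures.items():
        hits.extend((name, off) for off in find_all(data, sig))
    return sorted(hits, key=lambda h: (h[1], h[0]))


if __name__ == "__main__":
    clean = b"\x00" * 16 + b"ordinary program bytes" + b"\x00" * 16
    infected = clean[:20] + SIGNATURES["Sample.A"] + clean[20:]   # signature spliced in at offset 20
    print(scan(clean))       # []
    print(scan(infected))    # [('Sample.A', 20)]
    # Limit of exact matching: a variant whose bytes differ by even one value is not found,
    # which is why signature databases must be updated regularly.
    variant = infected[:25] + b"\x91" + infected[26:]
    print(scan(variant))     # []
```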


17-10 Typical network virus
(Figure: output of netstat -a.)
Trojan: a computer virus whose instruction set resembles that of an ordinary parasitic program and which secretly carries out destructive operations or theft of data.



17-10 Computer Worm
A computer worm is a self-replicating computer program. It uses a network to send copies of itself to other nodes and it may do so without any user intervention. It does not need to attach itself to an existing program. Worms almost always harm the network, if only by consuming bandwidth, whereas viruses almost always corrupt or modify files on a targeted computer.


17-10 ARP CACHE POISONING (figure)




17-10 NETWORK ACCESS CONTROL
Network access adds another dimension to the protection of data and information.
New questions: how do we know who is at the terminal? Is that person authorized to access the data? What operations is the user authorized to perform? Are the lines tapped?


17-10 Three primary ways of gaining unauthorized access
From another network such as the Internet.
Dialing directly into the network.
Using a workstation located


17-10 User Identification and Passwords
One common method of network access control is user IDs and passwords.



17-10 Password status quo
No password at all; use of the system's built-in default password and account; passwords that are easy to guess (a name, a birthday); passwords that are not replaced on a regular basis.
Password cracking method: brute-force attack.


17-10 Password cracking technology: comparison
Dictionary attack: fast; finds only dictionary-based passwords.
Brute-force ("violent") attack: slow; cracks all passwords.
Combination attack: medium speed; covers all dictionary words and their combinations.


17-10 Strong Password
At least 7 characters long. Include upper- and lower-case letters, numerals, and symbols. Have at least one symbol character in the second ... Have at least four different characters. Look like a sequence of random letters and numbers.
Example: z@ h7 O8ng



17-10 They should not
Contain any part of the user's user ID. Use any actual word or name in any language. Use numbers in place of similar letters. Reuse any portion of an old password. Use consecutive letters or numbers. Use adjacent keys on the keyboard. Examples of what to avoid: Abcdefg, 234567.
Method: a complete record is kept of all users of the system; the number of sign-on attempts is restricted.


17-10 CALL BACK
Other methods: monitoring computer ports; reading a printed log.




17-11 Firewalls
A firewall is a combination of hardware and software that enforces a boundary between two or more networks.
A relatively effective technique for limiting unauthorized access to an organization's network from outside networks to which it is connected is to install a firewall.
Figure 17-7 A firewall at the boundary of two networks.



17-11 Firewall Function
A special type of router that provides perimeter defence.
A firewall cannot take the place of anti-virus software. It imposes restrictions on network services: only authorized traffic is allowed.
Firewalls normally log all of the activity, so that information about network access and its details is available for later analysis.



17-11 Firewall Types
(Figure: firewalls are divided into packet filters and application gateways.)



17-11 Packet Filter (Screening filter)
(Figure: the packet filter sits between the Internet and the internal (private) network, the protected zone.)
The foundation of any firewall system: it examines each IP packet (with no context) and permits or denies it according to rules, restricting access to services (ports).


17-11 Packet Filter Operation
(Figure: outgoing and incoming packets both pass through the filter.)
Receive each packet. Apply the rules. If no rule matches, apply the default rule.



17-11 Attacks on the security of a packet filter
IP address spoofing.
Source routing attacks.
Tiny fragment attacks.




17-11 Packet Filter: Defeating an IP Spoofing Attack
(Figure: the internal network holds the hosts 178.29.10.89, 178.29.10.90 and 178.29.10.91. An incoming packet from the outside carries the source address 178.29.10.91, one of the internal addresses, so the packet filter stops it: STOP!)
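The packet filter operation (receive each packet, apply the rules in order, fall back to the default) and the anti-spoofing check from the figure above, as an added example in Python that is not code from the slides or any firewall product. The rule set is constructed: it assumes the slide's hosts live in 178.29.10.0/24, exposes only web and mail to the outside, lets the protected zone send anything out, and denies everything else by default. The first rule is the anti-spoofing rule: a packet that arrives on the outside interface claiming an internal source address is dropped before any permit rule is consulted.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumption: the slide's hosts 178.29.10.89 .. 178.29.10.91 sit in this internal range.
INTERNAL_NET = ipaddress.ip_network("178.29.10.0/24")


@dataclass(frozen=True)
class Packet:
    src: str          # source IP address
    dst: str          # destination IP address
    proto: str        # "tcp", "udp" or "icmp"
    dport: int        # destination port (0 for icmp)
    iface: str        # interface the packet arrived on: "outside" or "inside"


@dataclass(frozen=True)
class Rule:
    action: str                                       # "permit" or "deny"
    iface: str                                        # arrival interface the rule applies to
    proto: str = "any"
    dport: Optional[int] = None                       # None = any port
    src_net: Optional[ipaddress.IPv4Network] = None   # None = any source


# Rules are checked top to bottom and the first match wins; nothing matching means the default.
RULES = [
    # Anti-spoofing: a packet from the outside must never claim an internal source address.
    Rule("deny", "outside", src_net=INTERNAL_NET),
    Rule("permit", "outside", "tcp", 80),     # web server reachable from the Internet
    Rule("permit", "outside", "tcp", 25),     # inbound mail
    Rule("permit", "inside"),                 # the protected zone may send anything out
]
DEFAULT_ACTION = "deny"


def matches(rule, pkt):
    """True when every field the rule constrains agrees with the packet."""
    if rule.iface != pkt.iface:
        return False
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.src_net is not None and ipaddress.ip_address(pkt.src) not in rule.src_net:
        return False
    return True


def filter_packet(pkt, rules=RULES, default=DEFAULT_ACTION):
    """Receive a packet, apply the rules in order, apply the default when no rule matches.
    Returns (action, matching rule or None)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule
    return default, None


if __name__ == "__main__":
    spoofed = Packet("178.29.10.91", "178.29.10.89", "tcp", 80, "outside")
    print(filter_packet(spoofed)[0])                                                       # deny (STOP!)
    print(filter_packet(Packet("203.0.113.7", "178.29.10.90", "tcp", 80, "outside"))[0])   # permit
    print(filter_packet(Packet("203.0.113.7", "178.29.10.90", "tcp", 23, "outside"))[0])   # deny (default)
    print(filter_packet(Packet("178.29.10.89", "203.0.113.7", "tcp", 443, "inside"))[0])   # permit
```

Note that the spoofed packet would have matched the web-server permit rule on port 80; it is only stopped because the anti-spoofing deny is evaluated first. Rule order is part of the policy.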



17-11 PROXY SERVER
(Figure: an application gateway terminates the inside connection and opens a separate outside connection for HTTP, SMTP, FTP and TELNET.)
Network Address Translation (figure): the proxy translates the internal network address range 192.168.0.x to the external network / Internet address 202.11.196.16.



17-11 DMZ (Demilitarized Zone)
In computer networking, a DMZ is a firewall configuration for securing local area networks (LANs).
(Figure: the Internet, the firewall, the demilitarized zone (DMZ) and the internal private network.)



17-11 IDS
An IDS (Intrusion Detection System) is software and/or hardware designed to detect unwanted attempts at accessing, manipulating, and/or disabling computer systems.
It analyses events to find violations of the security policy.




17-11 IDS principle
(Figure: the network data flow is analysed in real time for intrusions; alarm records are formed and stored in an event database, and a real-time response is issued.)
17-11 IDS deployment (figure)
Firewall and IDS linkage (figure)
17-11 IDS products (figure)


17-12 UTM
UTM: Unified Threat Management. The term refers to a hardware platform that integrates security features such as firewall, VPN, gateway anti-virus, intrusion detection and intrusion prevention, traffic analysis, content filtering, and so on.

(Figure: a UTM combines IPS, firewall, anti-virus, anti-spam, VPN and content filtering.)


17-13 PHYSICAL SECURITY
Emphasis: prevent unauthorized access to the communications room, the network operations center and the communication equipment. Equipment rooms should be kept locked; PCs can employ screen savers.
Physical security as it relates to a network means, among other things, that the equipment rooms should be kept locked.


17-13 PERSONNEL SECURITY
Staff should be security conscious and well trained to use security tools. Methods:
Screening or security checking of new employees. Identifying employees and vendor personnel by IDs. Reminding employees about their security responsibilities. Well-defined job duties. Error prevention techniques.



17-14 DISASTER RECOVERY PLANNING
A disaster is defined as a long-term outage that cannot be quickly remedied. Five kinds of network paralysis can be a disaster: fire, flood, hurricane, earthquake, terrorism.



17-14 Disaster Recovery Plans
1. An organization should have a disaster recovery plan in order to ensure that it knows how it will recover its network (and computing) assets if disaster should strike.
2. Whatever plan is developed for disaster recovery, it must be specific for different kinds of disasters.
3. Disaster recovery plans must be tested.
4. Constantly reassess the disasters planned for.
5. A generic disaster recovery plan will not cover all kinds of disasters.
17-14 Checklist for disaster recovery planning (figure)
17-14 Network Backup System (figure)

17-14 Remote disaster emergency
Remote disaster emergency: use of Internet-based systems to provide cross-boundary synchronized backup systems.



17-15 WIRELESS NETWORK SECURITY
Wireless networks are especially prone to security violations because they can broadcast far outside a home or office building. Unless proper security measures are installed, anyone sitting nearby can passively scan all the data flowing in your wireless network using an antenna and some widely available hacking software.
Misconception: "Wireless networks are invulnerable to security breaches because they transmit data at ultra-high frequencies."


17-15 Wireless network security can be implemented by
a. adjusting the signal strength of the wireless access point
b. using strong passwords
c. authenticating users
d. installing a firewall
e. encrypting transmissions


17-15 Use strong passwords to protect the AP
SSID: Service Set ID. Only stations with the correct SSID can access the AP. Open system authentication, e.g. Windows XP.



17-15 Authenticating users
Limit the number of user addresses. Encrypt transmissions. The 128-bit WEP security protocol does not in itself provide adequate protection for wireless networks, but it may discourage the casual hacker.


17-15 SECURITY FOR A HOME NETWORK
For Windows XP: allow multiple users to log in to a machine with separate accounts.
Install a firewall program.
Install an anti-virus program and update it regularly.
Buy routers with a built-in firewall.




SUMMARY
This chapter has highlighted the need for network security and described the security techniques that are most often used: anti-virus, network access control techniques, etc.

Exercises

1. Management's statement of the importance of and their commitment to network security is called the ( C ).
A. network security standard
B. network security strategy
C. network security policy
D. statement of network intent

2. A digital signature ( B ).
A. has no place in electronic commerce
B. is the network equivalent of signing a message
C. must be able to be imitated by someone else
D. None of the above

3. Examples of passive security attacks are ( D ).
A. altering message contents
B. masquerading
C. denial of service
D. None of the above

4. A firewall ( D ).
A. is usually a combination of hardware and software
B. enforces a boundary between two or more networks
C. normally logs all transactions that pass through it
D. All of the above

5. DES ( B ).
A. was developed by the Department of Defense
B. is vulnerable to a brute force attack
C. encrypts blocks of 56 bits using a 64-bit key
D. has been implemented only in software because of its complexity

6. ___________ management must see that appropriate security measures are implemented. (Answer: Network)
7. The network security policy needs to describe in general terms ___________ will be done. (Answer: What)
8. In an asymmetric key system, the ________ key is used for decryption and is kept secret. (Answer: private)

9. The primary advantage of an asymmetric key system over a symmetric key system is that it solves the problem of _____________ and exchange. (Answer: key management)
10. To sign a message with a digital signature, the sender simply invokes a _____ routine that builds the signature using a _____ key known only to him. (Answers: software; private)