Network Security

Networks can be classified as wide area networks (WAN) or local area networks (LAN). Security is a need for both. Computers in a WAN can be thousands of miles apart; computers in a LAN are generally close together, as in the same building or facility. Data switching equipment is commonly used in WANs and can also be used in LANs, though less often.

Internet security is necessary to prevent unauthorized changes to your Web site. Businesses that sell information products online, such as software companies that let paying customers download updates, need a way to differentiate between paying customers and visitors who have not paid.

Security administrators face the risk that an attacker gets into the network. Attacks range from direct attacks by outside hackers or by employees to automated attacks by network worms. Once inside, an attacker can gain:

• Read access: read or copy confidential information.

• Write access: write to the network, which may infect the system with a virus or plant a Trojan horse or back door. The attacker can also destroy confidential information by deleting it or overwriting it.

• Denial of service: deny authorized users their normal network services. An attack can consume CPU time or network bandwidth, or fill up memory.

Security risks from a misconfigured Internet server include the FTP (File Transfer Protocol) settings. If FTP access to your server is allowed, it must be configured to prevent unauthorized changes to files.

The telecommunication links used to transfer data between host computer systems and networks must be secured. One important form of network security is encryption, which preserves the confidentiality of transmitted data. Encryption algorithms can be symmetric (private key) or asymmetric (public key).

The two popular ways of applying encryption are link encryption and end-to-end encryption. End-to-end encryption protects each message independently of the communication links it crosses, securing it all the way from source to destination. Link encryption operates at the level of an individual communication line, one hop at a time: data are decrypted and re-encrypted as they move through each node, so every intermediate node sees the plaintext. With end-to-end encryption, information stays encrypted from its entry into the network until it is decrypted at its destination, which also protects it from the interior nodes.
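The difference matters most at the relays. The following added example (not code from the original page) simulates a path A, R1, R2, B and records what the two relays observe under each scheme. The per-hop and end-to-end keys, the node names and the keystream construction (a SHA-256 counter mode used only so the script runs offline; it is a stand-in for a real symmetric cipher, not a cipher to reuse) are all assumptions of this example.

```python
import hashlib

# Illustrative keystream XOR: SHA-256(key || counter) blocks XORed over the data.
# This stands in for a real symmetric cipher so the example runs offline; do not use it as one.
def _keystream_xor(key: bytes, data: bytes) -> bytes:
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

PATH = ["A", "R1", "R2", "B"]                       # assumed: source, two relays, destination
# Link encryption: a separate key per hop, known to both ends of that hop.
LINK_KEYS = {("A", "R1"): b"key-A-R1", ("R1", "R2"): b"key-R1-R2", ("R2", "B"): b"key-R2-B"}
# End-to-end encryption: one key known only to A and B.
E2E_KEY = b"key-A-B"

def send_link_encrypted(message: bytes) -> list:
    """Return [(relay, bytes the relay sees)] when each hop is encrypted separately."""
    observed = []
    wire = _keystream_xor(LINK_KEYS[(PATH[0], PATH[1])], message)
    for i in range(1, len(PATH) - 1):
        node = PATH[i]
        plain = _keystream_xor(LINK_KEYS[(PATH[i - 1], node)], wire)   # decrypt the inbound link
        observed.append((node, plain))                                  # relay holds the plaintext
        wire = _keystream_xor(LINK_KEYS[(node, PATH[i + 1])], plain)   # re-encrypt for the next hop
    assert _keystream_xor(LINK_KEYS[(PATH[-2], PATH[-1])], wire) == message  # B recovers it
    return observed

def send_end_to_end(message: bytes) -> list:
    """Return [(relay, bytes the relay sees)] when only the endpoints hold the key."""
    wire = _keystream_xor(E2E_KEY, message)
    observed = [(node, wire) for node in PATH[1:-1]]   # relays forward ciphertext unchanged
    assert _keystream_xor(E2E_KEY, wire) == message     # B recovers it
    return observed
```

With link encryption every relay returns the plaintext of the message; with end-to-end encryption they return only ciphertext, which is the property the text describes. In practice the two are often combined: end-to-end encryption for confidentiality, link encryption to hide addressing and traffic patterns on exposed lines.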

You should have a list of authorized users, general or specific, answering:

• Who is authorized to use the facilities?

• When, and from where, may they connect?

• For what purposes may they use them?

Several tools help IT managers implement a security plan, including encryption tools, packet filtering and routing, and firewalls.

You must have a network security policy. Your company must also have an internal security policy, drawn up once you have decided how important it is to protect the integrity of the computer system and the security of your Web site.

The internal security plan should be distributed to everyone who uses the facility, with written instructions to workers on the correct use of passwords. Tell them what kinds of words must not be used as passwords, and set a policy on how often passwords must be changed.

Positive authentication must take place before a user can access a terminal, an online application, or the network, and date and time restrictions on access are recommended. Employees must be given access to information on a need-to-know basis. A terminal should be disabled or locked on unauthorized use. Diskless workstations can provide a safer environment.

Passwords

Most LAN and communication software packages include encryption and security features, and passwords are included in most packages. However, people generally do not choose good passwords or change them often enough. Hackers can easily breach security by guessing passwords. Password protection is significantly weakened when users choose poor passwords.

People tend to make the same mistakes: sharing passwords with others, or writing them down. If you have to write a password down to remember it, its purpose is defeated. These are good guidelines for choosing passwords:

• Do not choose a password that is a word or a name in English or any other language. Hackers often use dictionaries to discover passwords.

• Avoid patterns such as 123456, 12468, ASDF, or QWERTY (keyboard sequences).

• Do not use place names such as Las Vegas or Florida.

• If your system requires that the password contain both letters and numbers, do not just add a number to a word. Hackers know that most people choose a word and append or prepend a digit (e.g., CAT1 or 1CAT).

• Encourage a mix of uppercase and lowercase. Non-alphabetic characters also make passwords harder for hackers to guess.

• An excellent technique is to use the first letters of the words in a sentence to create a password. For example, "I was born in New York" gives the password IWBINY. Although it is not a word, and so is not easy to guess, it is easy to remember.

• Change passwords regularly; encourage the information systems department to require new passwords periodically. The system should keep a history of old passwords and check that users do not reuse the same password or one they have used recently.
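The guidelines above are mechanical enough to enforce at password-change time. The following added example (not code from the original page) checks a candidate password against the "do not" rules, reports the softer recommendations separately, and keeps a salted-hash history so that recently used passwords are refused. The tiny dictionary and pattern list, the history depth of five, and the PBKDF2 parameters are assumptions made for the example; a real deployment would load full word lists.

```python
import hashlib
import os
import re

# Constructed, tiny stand-ins for the word and pattern lists a real policy would load.
DICTIONARY = {"cat", "dog", "password", "florida", "vegas", "secret", "welcome"}
KEYBOARD_PATTERNS = ("123456", "12468", "asdf", "qwerty", "abcdef")

def password_violations(pw: str) -> list:
    """Hard rules from the guidelines; an empty list means the password is acceptable."""
    low = pw.lower()
    problems = []
    if low in DICTIONARY:
        problems.append("dictionary word")
    if any(p in low for p in KEYBOARD_PATTERNS):
        problems.append("keyboard or numeric pattern")
    # A dictionary word with digits merely prepended or appended, e.g. CAT1 or 1CAT.
    m = re.fullmatch(r"(\d*)([a-z]+)(\d*)", low)
    if m and (m.group(1) or m.group(3)) and m.group(2) in DICTIONARY:
        problems.append("dictionary word with digits added")
    return problems

def password_advisories(pw: str) -> list:
    """Soft recommendations: mixed case and a non-alphanumeric character."""
    notes = []
    if not (any(c.isupper() for c in pw) and any(c.islower() for c in pw)):
        notes.append("consider mixing upper and lower case")
    if pw.isalnum():
        notes.append("consider adding a non-alphabetic character")
    return notes

class PasswordHistory:
    """Salted hashes of a user's last `depth` passwords, so none of them can be reused."""

    def __init__(self, depth: int = 5):
        self.depth = depth
        self._entries = []          # list of (salt, hash)

    @staticmethod
    def _hash(pw: str, salt: bytes) -> bytes:
        # Assumed parameters for the example; a slow, salted one-way function is the point.
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

    def was_used_recently(self, pw: str) -> bool:
        return any(self._hash(pw, salt) == h for salt, h in self._entries)

    def accept(self, pw: str) -> None:
        salt = os.urandom(16)
        self._entries.append((salt, self._hash(pw, salt)))
        self._entries = self._entries[-self.depth:]   # forget anything older than `depth` changes

def change_password(history: PasswordHistory, new_pw: str) -> tuple:
    """Return (accepted, reasons). Only an accepted password is recorded in the history."""
    problems = password_violations(new_pw)
    if history.was_used_recently(new_pw):
        problems.append("reused a recent password")
    if problems:
        return False, problems
    history.accept(new_pw)
    return True, []
```

Note that IWBINY passes the hard rules but draws both advisories, which matches the text: it is acceptable, and would be better still with mixed case or a symbol.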

Give users the security guidelines, and give new users a security course that includes how to choose a correct password. Users must understand why a good password is required. The Web site of Symantec, a manufacturer of security software, offers advice on choosing a good password and lets users assess the strength of the ones they choose:

http://www.symantec.com/avcenter/security/passwords/passwordanalysis/html

Passwords provide good protection against casual and amateur hackers, but experienced hackers can generally bypass the password system, especially in the UNIX environment. Software is readily available to help novice hackers, even those with little knowledge, find or guess passwords.

The goal of most hackers is to get unlimited access to the computer system, usually by:

• Finding bugs or errors in the system software

• Exploiting a faulty installation

• Looking for human error

Many hackers are authorized users with limited access who try to get unlimited access. These intruders have a valid user name and password and look for weaknesses in the system.

In most UNIX systems, passwords are stored in a file in transformed, not clear, form. Some systems use a shadow password file, in which the transformed passwords are kept in a separate file readable only by privileged users. Traditionally the transformation is based on the Data Encryption Standard (DES) algorithm.

The transformation is essentially irreversible: it is easy to transform a password but very difficult, almost impossible, to recover it from the stored value. Hackers can nevertheless find a password by brute force, by trying candidates until one transforms to the stored value, and this is especially easy for passwords consisting of only six lowercase letters. Passwords for accounts that may attract hackers should obviously not be lowercase only.
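Why six lowercase letters is not enough is easiest to see by running the search. The following added example (not code from the original page) brute-forces a short salted hash exactly as an attacker with a copy of the password file would, counting guesses, and compares the size of the lowercase-only keyspace with a mixed alphabet. The hash function is a SHA-256 stand-in for the DES-based crypt(3) so that the example runs anywhere; the salt, the sample passwords and the assumed guess rate are constructed for the example.

```python
import hashlib
import itertools
import string

LOWER = string.ascii_lowercase                   # 26 symbols
ALNUM = string.ascii_letters + string.digits     # 62 symbols

def hash_password(salt: bytes, pw: str) -> bytes:
    """Salted one-way transform. A stand-in for crypt(3)'s DES-based function;
    the search below is the same whatever one-way function the system uses."""
    return hashlib.sha256(salt + pw.encode()).digest()

def brute_force(target: bytes, salt: bytes, alphabet: str, max_len: int) -> tuple:
    """Try every string over `alphabet` of length 1..max_len against the stored hash.
    Returns (password or None, number of guesses made)."""
    attempts = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            attempts += 1
            guess = "".join(combo)
            if hash_password(salt, guess) == target:
                return guess, attempts
    return None, attempts            # exhausted: the password is not in this keyspace

def keyspace(alphabet: str, length: int) -> int:
    """Number of candidates an attacker must try in the worst case."""
    return len(alphabet) ** length

def hours_to_exhaust(alphabet: str, length: int, guesses_per_second: float) -> float:
    return keyspace(alphabet, length) / guesses_per_second / 3600.0

if __name__ == "__main__":
    salt = b"ab"                                  # constructed two-character salt
    stored = hash_password(salt, "dome")          # a four-letter lowercase password
    print(brute_force(stored, salt, LOWER, 4))    # recovered after a few tens of thousands of guesses
    print(keyspace(LOWER, 6), keyspace(ALNUM, 6)) # 26^6 versus 62^6
    print(hours_to_exhaust(LOWER, 6, 1e6))        # minutes, at a million guesses per second
```

The interesting number is the ratio: six characters drawn from letters of both cases and digits give a keyspace about 183 times larger than six lowercase letters, and each extra character multiplies it again. Adding a mixed-case letter also defeats a search that assumes lowercase only, as the second call in the test shows.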

A serious design flaw can sometimes produce a "universal" password: an input that satisfies the program's login check without the attacker knowing the correct password. In one case, for example, a hacker could enter a very long password that overwrote the program's stored copy of the real password, allowing the intruder access.
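The case just described is a bounds-checking failure, and it can be modelled in a few lines. The following added example (not code from the original page) lays out a hypothetical login routine's memory as one byte array: an eight-byte input buffer immediately followed by the slot holding the stored password. The unchecked copy writes past the input buffer into that slot, so any input long enough to fill both slots compares equal to "itself" and is accepted. The buffer size, the memory layout and the sample password are assumptions of the example; the hardened version simply refuses over-long input.

```python
BUF = 8   # assumed size of the fixed-length input buffer in the hypothetical login routine

def vulnerable_login(stored_password: bytes, typed: bytes) -> bool:
    """Model of a login check whose input buffer sits directly before the stored password,
    with a copy that never checks the length of what was typed."""
    if len(stored_password) > BUF:
        raise ValueError("model assumes the stored password fits its slot")
    mem = bytearray(2 * BUF)
    mem[BUF:BUF + len(stored_password)] = stored_password   # stored password lives at offset BUF
    n = min(len(typed), len(mem))
    mem[0:n] = typed[:n]                                      # unchecked copy overruns into the stored slot
    entered = bytes(mem[:BUF]).rstrip(b"\0")
    stored = bytes(mem[BUF:]).rstrip(b"\0")                   # may now be attacker-controlled
    return entered == stored

def fixed_login(stored_password: bytes, typed: bytes) -> bool:
    """Same check with a length test: over-long input is rejected before anything is copied."""
    if len(typed) > BUF:
        return False
    return typed == stored_password

if __name__ == "__main__":
    print(vulnerable_login(b"s3cret", b"A" * 16))   # True: sixteen A's form a universal password
    print(fixed_login(b"s3cret", b"A" * 16))        # False
```

The sixteen-byte input succeeds against the vulnerable routine for every stored password, which is what makes it "universal"; the fixed routine accepts only the real one. The same defect in native code is a classic buffer overflow.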

Modem connections

Each time a user connects to the network through a modem, additional risks are introduced into the system. These can be minimized by controlling modem dial-in.

Simply keeping the phone number secret is not enough. Many hackers run programs that dial every number in an exchange, and they will discover it.

In the past, many companies used dial-back modems to reduce the risk. Nowadays, caller ID achieves the same goal. In essence, the network allows access only from pre-identified phone numbers. The obvious disadvantage is that the phone numbers of authorized users must be known in advance, which makes things difficult for users who travel.

Another way to minimize dial-in modem risk is to use hardware encryption devices at both ends of the connection, but these are usually expensive.

A good communication software program offers a number of protocol options, enabling communication between different types of devices. Some programs check for errors in the data or software. Desirable features of communication programs include menus to assist the user, phone book storage, and automatic redial and connection.

Saboteur Tools

Although ingenious methods of preserving security have been developed in recent years, many systems are still surprisingly insecure. Saboteurs have at hand a wide variety of techniques to overcome security, including:

Trojan horse: The saboteur places a hidden program inside a regular company program. The system operates normally while the hidden program collects data, changes or destroys files, or causes damage up to and including a complete shutdown of operations. A Trojan horse can be programmed to destroy all traces of its existence after execution.

Salami technique: The perpetrator alters a computer program to make very small changes that are unlikely to be discovered but whose cumulative effect can be significant. For example, an attacker could skim 10 cents from every employee's pay and transfer it to his or her own account.

Back door or trap door: While developing a computer program, programmers sometimes add code that lets them circumvent the standard security procedures. Once programming is complete, the code may, accidentally or deliberately, remain in the program. Attackers use this extra code to bypass security restrictions.

Time bomb / logic bomb: Code inserted into a computer program that causes harm when a predefined condition occurs.

Masquerade: A program is written to simulate a real program, perhaps by displaying the login banner and related dialogue. When a user tries to log in, the program captures the user ID and password and displays an error message prompting the user to log in again. The second time, the real program lets the user log in, and the user may never know that the first login was a trick to capture the access code.

Scavenging: Generally, when you "delete" data, the data are not actually destroyed; instead, the space is made available for the computer to write to later. A scavenger may have the opportunity to steal sensitive data that the user thought had been deleted but that are actually still present.

Viruses: Viruses are like Trojan horses, except that the code replicates itself. A virus can spread rapidly through a system, and eradicating it can be expensive and inconvenient. To defend against viruses, be careful about using programs from floppy disks, software copied from bulletin boards, or anything from outside the company. Use only disks from verified sources. The best precaution is to run a commercial antivirus product on all downloaded files before using them.

Data manipulation: The most common and easiest fraud to commit is adding or changing data before or during input. The best way to detect it is to use audit software to examine transactions and to review audit trails, which show additions, deletions, and changes to data files. Using batch totals, hash totals, and check digits can also prevent this type of crime.

• A batch total is a reconciliation of the total of the day's transactions processed by the computer with totals determined manually by a person other than the computer operator. Any discrepancies must be investigated.

• A hash total is obtained by adding values that would not normally be added, such as employee or product numbers; the total has no meaning other than for control purposes.

• A check digit is used to verify that an identification number (e.g., an account number or employee number) has been entered correctly, by performing a calculation on the digits of the identification number and comparing the result with the check digit.
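The three controls work together, and the batch total is also what catches the salami technique described earlier. The following added example (not code from the original page) reconciles a constructed payroll batch: it validates each employee number's check digit, compares the computed batch total with a manually determined one, and compares the hash total of employee numbers with the expected value. The page does not fix a check-digit scheme, so the Luhn algorithm is used here as one common choice; the employee numbers, amounts and manual totals are constructed for the example.

```python
from decimal import Decimal

# Constructed payroll batch: (employee number, net pay). The last digit of each
# employee number is a Luhn check digit (an assumed scheme; the page names none).
GOOD_BATCH = [("1000009", "1250.00"), ("1000017", "980.50"), ("1000025", "2100.00")]
MANUAL_TOTAL = "4330.50"              # determined by hand by someone other than the operator
EXPECTED_HASH = 1000009 + 1000017 + 1000025   # meaningless sum of identifiers, kept for control

def luhn_valid(number: str) -> bool:
    """Standard Luhn check: double every second digit from the right, sum, test mod 10."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def batch_total(batch) -> Decimal:
    return sum((Decimal(amount) for _, amount in batch), Decimal("0"))

def hash_total(batch) -> int:
    return sum(int(emp) for emp, _ in batch)

def reconcile(batch, manual_total: str, expected_hash: int) -> list:
    """Return a list of findings; an empty list means the batch passed all three controls."""
    findings = []
    for emp, _ in batch:
        if not luhn_valid(emp):
            findings.append(f"check digit failure: {emp}")
    computed = batch_total(batch)
    if computed != Decimal(manual_total):
        findings.append(f"batch total {computed} != manual total {manual_total}")
    h = hash_total(batch)
    if h != expected_hash:
        findings.append(f"hash total {h} != expected {expected_hash}")
    return findings

def skim(batch, cents: str) -> list:
    """Model of the salami technique: shave a small amount from every payment."""
    return [(emp, str(Decimal(amount) - Decimal(cents))) for emp, amount in batch]
```

Shaving ten cents from each payment leaves every individual line plausible, but the batch total no longer agrees with the manual figure. A mistyped employee number is caught twice, by its check digit and by the hash total, which is why both are used.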

Piggybacking: Physical piggybacking into a controlled area occurs when an authorized employee goes through a door using a magnetic card and an unauthorized person follows close behind, also entering the premises. The unauthorized person is then in a position to commit a crime. In electronic piggybacking, an authorized employee leaves a terminal or desktop computer logged in and an unauthorized individual uses it to gain access.

Designing Secure Networks*

A network architecture comprises hardware, software, data link controls, standards, topologies, and protocols. A protocol governs how computers communicate and transfer information. There must be security controls in each component of the architecture to ensure that information is exchanged reliably and accurately. Otherwise, system integrity may be compromised.

In designing a network, three factors must be taken into account:

1. The user must get the best response time and throughput. Minimizing response time means reducing the delay between transmission and reception of information; this is especially important for interactive sessions between user applications. Throughput is the transfer of the maximum amount of data per unit of time.

2. Data must be transmitted over the network along the least-cost path, as long as other factors, such as reliability, are not compromised. The least-cost path is usually the shortest path between devices, with the fewest intermediate components. Low-priority data can be transmitted over relatively inexpensive telephone lines, while high-priority data can be transferred over costly broadband satellite channels.

3. Reliability should be maximized to ensure correct reception of all data. Network reliability includes the ability not only to deliver error-free data but also to recover from errors or data loss. The network diagnostic system should be able to locate problems and perhaps even isolate a faulty component from the network.

* Shim et al., Information Systems Management Manual (NJ: Prentice-Hall, 1999).

Network Media

When selecting network media, you must consider:

• Technical reliability

• The type of business you are in

• The number of people who need to access data simultaneously

• Number of micros (microcomputers)

• Existing equipment

• Frequency of updates

• Compatibility

• Costs

• Geographical spread

• Operating system and network software support

• Application software

• Expandability (adding workstations)

• Whether a PC is required (or can a cheaper terminal be used?)

• Ease of sharing hardware and information

• The need to reach a variety of devices, including other networks and mainframes

• Processing operations

• Speed

• Storage

• Maintenance

• Noise

• Connectivity mechanisms

• The network's ability to perform tasks without corrupting data

Network structures

Network configuration, or topology, is the physical layout of the network's connected stations. A node is a workstation. A bridge is a connection between two similar networks. Network protocols are the software implementations that support data transfer across the network. A server is a micro or other device that performs tasks such as data storage within the LAN.

Network servers are of several types. A dedicated server is a central computer used only to manage network traffic. A computer used simultaneously as a local workstation is known as a nondedicated server. In general, dedicated servers give faster network performance, since they carry no local user's demands and serve only as network drives. In addition, these machines are less likely to crash because of local users' errors. Dedicated servers are expensive and cannot be disconnected from the network and used as stand-alone computers. Nondedicated servers have a better price/performance ratio for companies that need occasional use of the server as a local workstation.

The most common types of network topology are:

• The hierarchical topology (also called vertical or tree structure) is attractive for several reasons. The software to control the network is simple, and the topology provides a focal point for control and troubleshooting. However, it also presents potential bottlenecks and reliability problems. Network capabilities can be lost completely if there is a failure at a higher level.

• The horizontal (or bus) topology, popular in LANs, offers simple traffic flow between devices. This topology lets every unit receive every transmission; in other words, a single station broadcasts to many stations. The biggest disadvantage is that since all computers share a single channel, a failure of the channel results in loss of the network. One way to avoid this problem is redundant channels. Another drawback is that the lack of concentration points makes fault isolation difficult: to identify a problem, each element of the system must be examined. A bus network generally requires a minimum distance between taps to reduce noise. A bus topology is suitable for shared databases but is not as simple for message switching. It uses the least cabling to cover a geographic area while still providing full connectivity.

• The star topology is widely used for data communication systems. The software is not complicated, and traffic control is simple: all traffic flows from the center, or hub, of the star. Although similar to the hierarchical topology, the star network has more limited distributed processing capabilities. The hub routes data traffic to the other components. Fault isolation in this configuration is relatively simple. A potential bottleneck at the hub can cause serious reliability problems, however. One way to increase reliability is to establish a redundant backup of the central node.

A star network is best when there is a need to capture and process data at multiple locations with end-of-day distribution to various remote users. It is easy to identify errors in the system, since every communication must go through the central controller. Maintenance is easy, but if the central computer fails the network fails. It has a high initial cost, because each node must be connected to the host computer, in addition to the price of the host. Expansion is simple: you only need to run a wire from the new terminal to the host computer.

• The ring topology passes data around in a circular direction. Each station receives the data and then sends them on to the next station. A major advantage is that bottlenecks, such as those in hierarchical or star networks, are relatively rare. The structure is orderly. The main disadvantage is that the entire network can be lost if the channel between two nodes fails. Establishing a backup channel usually alleviates this problem. Other remedies are switches that automatically route traffic around a failed node, or redundant cables.

A ring network is more reliable and less expensive when only a minimal amount of communication between terminals is needed. This type of network is best when you have multiple users in different locations who need access to continually updated data, because data transmissions can take place from many points simultaneously. The ring network lets users create and update shared databases. With a ring, however, there is a greater probability of error than with a star, because of the many intervening parties handling the data. In light of this, information should make the whole circuit of the ring before it is removed from the network.

• The mesh topology is very reliable, although complex. Its structure is relatively immune to bottlenecks and other failures. The variety of paths makes it relatively easy to route traffic around faulty components or busy nodes.

LAN and WAN

WAN and LAN topologies often take different forms. WAN structure tends to be more irregular. Because an organization usually leases lines at considerable cost, it tries to keep them fully utilized. To do this, data for a geographic area are often routed through a single channel, which gives the WAN its irregular shape.

LAN topology tends to be more structured. Since LAN channels are relatively inexpensive, their owners are usually not concerned with maximum use of the channels. In addition, because a LAN usually resides in one building, the situation is inherently more structured. LANs are flexible, fast, and compatible. They maximize equipment utilization, reduce processing costs, reduce errors, and facilitate the flow of information.

A LAN uses ordinary telephone lines, coaxial cable, fiber optics, or other media as interfaces. Fiber optics give good performance and reliability but are expensive. LAN performance depends on the physical design, the protocols supported, and the transmission bandwidth. Bandwidth is the frequency range of a channel; it reflects the transmission speed over the network. As more devices become part of a LAN, the transmission rate available to each decreases.

Two or more LANs can be connected. Each node is then a group of stations (a subnetwork), and the LANs communicate with one another. The benefits of interconnecting networks are:

• The total cost of the network is lower.

• Different subnetworks can meet specific needs, increasing flexibility.

• More reliable, higher-cost subnetworks can be reserved for critical activities.

• If one LAN fails, the others still work.

The disadvantages are:

• Complexity is increased.

• Some network functions may not be able to cross network boundaries.

Communications security

Communication systems used to link data between two or more sites must be reliable, private, and secure. Communication systems are easily affected by environmental factors, equipment malfunctions, and software problems. Attacks on computers that do not require physical access fall under communications security.

The increasing use of information technology has increased dependence on telecommunications. All types of data, voice, and video are transferred over conventional networks. Communications security means that the physical connections to the networks stay up at all times. It also means that failures, delays, and disruptions during data transfer are prevented, and that communications are not intercepted, modified, or otherwise tampered with by unauthorized parties.

Six aspects of communications security are:

1. Line security: restricting unauthorized access to the communication lines that connect the various parts of the computer systems.

2. Transmission security: preventing the unauthorized interception of communications.

3. Digital signatures: authenticating the sender, or the integrity of a message, to the recipient. A secure digital signature process consists of (1) a method of signing a document that makes the signature impossible to forge, and (2) a way to validate that the signature is from whom it claims to be.

4. Cryptographic security: rendering the data unintelligible if the transmission is intercepted by unauthorized persons. Encryption of sensitive data is required; when the information is to be used, it is decrypted. A common method is DES encryption. For more security, double encryption can be used: the data are encrypted twice with two different keys. (Note that applying DES twice with two independent keys gives much less than double the effective key length because of the meet-in-the-middle attack; triple DES is the usual construction.) You can also encrypt files on a hard drive to prevent an intruder from reading the data.

5. Emission security: preventing electromagnetic emanations from electronic devices. These emissions, like wireless communications, may be intercepted by unauthorized persons.

6. Technical security: preventing the use of equipment such as microphones, transmitters, or wiretaps to intercept data transmissions. Security modems allow only authorized users access to confidential information. A modem can have a degree of security built in: different users can be assigned different security codes, a password can be stored in the modem's memory, and an audit trail can be built in, letting you control who has access to private files.

A value-added network (VAN) provides communication services and specialized data processing at the same time. Usually, a company has no direct control over the security of a VAN. However, the VAN's security has a direct effect on the client's overall security.

Communications security can take the form of:

• Access control, to protect against misuse of the network. For example, commercial Kerberos authentication software can be added to a security system to verify a user's identity without sending the password in the clear over the network. Other password and user authentication devices include SecurID from Security Dynamics (800-SECURID) and Access Key II from Vasco Data Security (800-238-2726).

Do not accept collect calls unless they come from a user of the network; hackers tend not to spend their own money. Review communications billing data and check all connections from one host to another. Check all dial-in terminal users. Are phone numbers kept confidential and changed periodically? Security specialists should attempt to gain unauthorized access to the network to check that the security is working properly.

• Identification, which establishes the origin of a message in the network, for example through digital signatures or notarization.

• Data confidentiality, which prevents unauthorized disclosure of information during the communication process.

• Data integrity, which protects against unauthorized changes (e.g., addition, deletion) to data between the points of origin and destination, for example by cryptographic methods. Antivirus software should be installed on the network server and on workstations to alert users when a virus tries to enter the system.

• Authentication, which substantiates the identity of an originating entity or user within the network, checking that the entity is actually the one asserted and that the data transferred are appropriate. Examples of such checks are passwords, time stamping, synchronized checks, non-repudiation, and multi-way handshakes. Biometric identification methods measure body characteristics. Keystroke dynamics (typing rhythm) is another possibility for identification.

• Digital signature, using a private key to sign messages.

• Routing control, which prevents data from flowing through network elements identified as insecure, such as relays, links, or subnetworks.

• Traffic padding, data analysis, and reasonableness checks.

• Interference minimization, eliminating or reducing radar and radio transmission interference.

In a small network, a workstation can be used for backing up and restoring the other nodes. In a large network, you should back up multiple servers, because a failure could have devastating effects on the entire system. Access to backup files should be carefully monitored.

Token-Ring and Ethernet Networks

Traditional Token Ring and Ethernet networks operate on a broadcast principle, transmitting information in units called frames. Each frame contains a number of fields, including the sender's and the receiver's addresses. The sender transmits a frame that every receiver can see. At any one moment a single computer on the network transmits and all the others listen; a second computer can send only when the first has finished. Even though every machine on the network can see the broadcast frame, under ideal conditions only the computer whose address matches the frame's destination address should make use of the frame's contents.

Sniffers

Sniffers are programs designed to capture particular information from network traffic. Network managers use sniffers to analyze network traffic and gather network statistics. Intruders, however, can use them to steal sensitive information such as passwords.

Some steps can be taken to minimize the risk of sniffing. The most obvious is to limit access: if a hacker cannot get onto the network, a sniffer cannot be used. But because it is often not possible to restrict access to the network tightly, alternatives must be considered.

Switched versions of Token Ring and Ethernet networks can minimize sniffing. In a switched LAN, each user has his or her own switch port. A virtual connection is established with the destination port for each frame sent. A frame whose destination address does not match a port's station is not delivered to that port, so the risk of sniffing is significantly reduced. Switched networks are generally more expensive, and are therefore less common.

Probably the best way to minimize the risk of sniffing is data encryption. It is important that the key itself is never sent over the network in the clear. Conventional additions, such as time stamps to defeat replay of captured traffic, strengthen the encryption scheme.
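The broadcast behaviour described in the Token Ring and Ethernet section is exactly what a sniffer exploits, and the switched-LAN defence is a change in who receives each frame. The following added example (not code from the original page) builds a handful of Ethernet II frames for a clear-text login, shows what a third station's interface passes up in normal and in promiscuous mode on a shared medium, and then shows the same frames on a switched segment where the switch forwards unicast frames only to the port that owns the destination address. The MAC addresses, the port table and the payloads are constructed for the example.

```python
import struct

BROADCAST = b"\xff" * 6
# Constructed station addresses (locally administered) and switch port assignments.
MAC_ALICE = bytes.fromhex("02000000000a")
MAC_SERVER = bytes.fromhex("020000000001")
MAC_EVE = bytes.fromhex("0200000000ee")
PORT_TABLE = {MAC_ALICE: 1, MAC_SERVER: 2, MAC_EVE: 3}

def build_frame(dst: bytes, src: bytes, payload: bytes, ethertype: int = 0x0800) -> bytes:
    """Ethernet II: 6-byte destination, 6-byte source, 2-byte EtherType, then payload."""
    return struct.pack("!6s6sH", dst, src, ethertype) + payload

def parse_frame(frame: bytes) -> dict:
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst": dst.hex(":"), "src": src.hex(":"), "ethertype": ethertype, "payload": frame[14:]}

# Constructed traffic: a clear-text login followed by a broadcast, as an attacker would capture it.
FRAMES = [
    build_frame(MAC_SERVER, MAC_ALICE, b"USER alice\r\n"),
    build_frame(MAC_SERVER, MAC_ALICE, b"PASS hunter2\r\n"),
    build_frame(MAC_ALICE, MAC_SERVER, b"230 Login successful\r\n"),
    build_frame(BROADCAST, MAC_SERVER, b"ARP who-has 192.0.2.10", ethertype=0x0806),
]

def nic_accepts(frame: bytes, own_mac: bytes, promiscuous: bool) -> bool:
    """A normal interface keeps only frames addressed to it or to everyone;
    a sniffer puts the interface in promiscuous mode and keeps all of them."""
    dst = frame[:6]
    return promiscuous or dst == own_mac or dst == BROADCAST

def shared_medium_capture(frames, own_mac: bytes, promiscuous: bool) -> list:
    """Every frame reaches every station on a hub or classic bus; the NIC filters."""
    return [parse_frame(f) for f in frames if nic_accepts(f, own_mac, promiscuous)]

def switched_capture(frames, port_table: dict, own_mac: bytes) -> list:
    """A switch forwards a unicast frame only to the port that owns its destination MAC;
    broadcasts and unknown destinations are flooded to every port. Promiscuous mode
    does not help the sniffer here because the frame never arrives on its port."""
    own_port = port_table[own_mac]
    delivered = []
    for f in frames:
        dst = f[:6]
        if dst == BROADCAST or dst not in port_table or port_table[dst] == own_port:
            delivered.append(parse_frame(f))
    return delivered

def harvest_passwords(parsed_frames) -> list:
    """What the sniffer is really after: PASS lines from clear-text protocols."""
    return [p["payload"][5:].strip().decode() for p in parsed_frames if p["payload"].startswith(b"PASS ")]
```

On the shared medium Eve's normal interface sees only the broadcast, her promiscuous interface sees all four frames and yields the password; on the switched segment she sees only the broadcast either way. Note that a switch raises the bar rather than removing it (flooding of unknown destinations is visible in the code, and switches can be induced to flood), which is why the text's final recommendation is encryption.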

Data Switching and Routing

Data switches select the paths data take through the network equipment to their destinations. For example, this equipment can route data around busy devices or channels.

Routers at each site are used to communicate with routers at other sites. Routers hold information on the users and resources available on the LAN, and they are responsible for directing the flow of information. You can configure a router to allow certain types of access, such as FTP or Telnet, into or out of the network. It is also possible to configure routers to accept data only from certain network addresses.

Routing and packet filtering require considerable technical expertise and time. Most routers do not provide an audit trail for security, although you should know:

• Who tried to break into the computer system

• How many times they tried

• What methods they used to try to break in
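The rules a router applies and the audit trail it usually fails to produce are both small enough to show together. The following added example (not code from the original page) evaluates a first-match rule set of the kind just described (FTP in from one partner network only, Telnet out but not in, Web in from anywhere, everything else denied) over a batch of constructed packets, records every denial, and summarizes the record to answer the three questions above: who, how many times, and by which service. The rule set, the address ranges and the packets are assumptions made for the example.

```python
import ipaddress
from collections import Counter

# Constructed rule set: (action, direction, protocol, destination port, permitted source network).
# First matching rule wins; anything unmatched falls through to DEFAULT.
RULES = [
    ("allow", "in",  "tcp", 21, "192.0.2.0/24"),   # FTP inbound only from the partner network
    ("allow", "out", "tcp", 23, "0.0.0.0/0"),      # Telnet outbound permitted
    ("deny",  "in",  "tcp", 23, "0.0.0.0/0"),      # Telnet inbound blocked from anywhere
    ("allow", "in",  "tcp", 80, "0.0.0.0/0"),      # Web server reachable from anywhere
]
DEFAULT = "deny"

# Constructed traffic sample. Each packet: source address, direction, protocol, destination port.
PACKETS = [
    {"src": "192.0.2.10",   "dir": "in",  "proto": "tcp", "dport": 21},   # FTP from the partner
    {"src": "198.51.100.7", "dir": "in",  "proto": "tcp", "dport": 21},   # FTP from elsewhere
    {"src": "198.51.100.7", "dir": "in",  "proto": "tcp", "dport": 23},   # Telnet in, first try
    {"src": "198.51.100.7", "dir": "in",  "proto": "tcp", "dport": 23},   # Telnet in, second try
    {"src": "203.0.113.5",  "dir": "in",  "proto": "tcp", "dport": 80},   # Web request
    {"src": "10.0.0.4",     "dir": "out", "proto": "tcp", "dport": 23},   # Telnet out from inside
]

def decide(packet: dict) -> tuple:
    """Return (action, description of the rule that decided it)."""
    src = ipaddress.ip_address(packet["src"])
    for action, direction, proto, port, net in RULES:
        if (packet["dir"] == direction and packet["proto"] == proto
                and packet["dport"] == port
                and src in ipaddress.ip_network(net)):
            return action, f"{action} {direction} {proto}/{port} from {net}"
    return DEFAULT, "default policy"

def filter_and_audit(packets) -> tuple:
    """Apply the rules; return (packets passed, audit records for every denial)."""
    passed, audit = [], []
    for p in packets:
        action, rule = decide(p)
        if action == "allow":
            passed.append(p)
        else:
            audit.append({**p, "rule": rule})   # keep the packet fields plus the deciding rule
    return passed, audit

def audit_summary(audit) -> dict:
    """The three questions the text asks: who, how many times, by which service."""
    return {
        "by_source": Counter(rec["src"] for rec in audit),
        "by_service": Counter(rec["dport"] for rec in audit),
        "by_rule": Counter(rec["rule"] for rec in audit),
    }
```

The summary shows one source address making three denied attempts, two of them against Telnet, which is the kind of pattern a router with no audit trail would never surface. In production the denial records would go to a syslog collector rather than a list, but the questions asked of them are the same.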

Data Transmission

Data are transferred between computers on a network in one of three ways:

• Simplex transmission is in one direction only. An example is radio or TV broadcasting. Simplex transmission is rare in computer networks.

• Half-duplex transmission, found in many systems, can flow in both directions, but not in both at the same time. In other words, once a request is transmitted to a device, you must wait for the response to come back.

• Full-duplex transmission can carry information in both directions at the same time, without the stop-and-wait aspect of half-duplex. Because of its large capacity and fast response time, full-duplex communication is common.

Layers of Security

Security must be ensured at several layers. Both the networking and the communications components must be secured. Make sure you have control of the host computers and the subnetworks.

Network traffic may cross several subnetworks, each with its own security level according to the confidentiality and importance of what it carries. Each may require different security services and controls. Note that the security attributes of each subnetwork must be made available to the gateways so that security can be taken into account in routing decisions.

Network Backup

Backup capability is particularly important in networks, so that if one computer fails another can take over its load. This can be critical in certain areas, such as finance.

Secure Sockets Layer

When Secure Sockets Layer (SSL) is enabled (see http://developer1.netscape.com/docs/manuals/security/sslin/contents.htm), a Web browser shows a padlock or similar symbol to indicate that the data transfer is secure. Another way to tell whether a connection to a Web site is secure is to look for an address beginning with "https://" instead of "http://".

Most Web-based monetary transactions are secured by SSL. Many Web server and client products support SSL connections. To do business on the Internet, you need access to such a server as well as a digital certificate.

Using SSL encryption significantly improves security and confidentiality, but it does add processing overhead to the exchange: all information is encrypted by the sender and then decrypted by the receiver.

The SSL protocol was developed by Netscape. It is a security protocol layered between the underlying transport protocol, TCP/IP, and application protocols such as HTTP, Telnet, NNTP, and FTP. SSL is integrated into Netscape client and server products.

When building a Web site, you enable SSL by configuring a security-enabled HTTP (https) process on the server. You can specify which Web pages require SSL access. Common Gateway Interface (CGI) routines can be written on the server side to integrate SSL with existing applications.

SSL provides data encryption, data integrity checks, server authentication, and, if required, client authentication for a TCP/IP connection. SSL is open and non-proprietary: encryption, decryption, and authentication are available to any application that uses SSL.

SSL is widely used to encrypt and authenticate communications between clients and servers on the Web. The Transport Layer Security (TLS) standard of the Internet Engineering Task Force (IETF) is based on SSL.

You can confirm and authenticate the identity of the SSL server before sending it sensitive information, such as a credit card number. A digital certificate is used to prove the authenticity of the public key used by SSL. Anyone with the right software can become a certification authority (CA), but browsers are programmed to accept only certificates issued by certain trusted CAs; VeriSign, Inc. is one of the better known.

Public key cryptography techniques can be used to verify that a server's certificate and public ID are valid. Similarly, a server can verify that a client's certificate and public ID are valid. Without public key cryptography, encrypted communication between two or more users could only take place with shared keys, and each user would have to maintain several keys to communicate with different users.

Public key encryption (see Chapter 4) allows parties to communicate securely without sharing secret keys. Each party sets up a pair of keys: a private key and a public key. The public key, available to all nodes on the network, is used to encrypt messages for that node. The private key, used to decrypt those messages, never leaves the node.

TCP/IP (Transmission Control Protocol/Internet Protocol) provides the rules for transporting and routing data over the Internet. Protocols such as Hypertext Transport Protocol (HTTP) use TCP/IP to perform tasks such as displaying Web pages. SSL works in the middle, between TCP/IP and higher-level protocols such as HTTP; it allows clients and servers to authenticate themselves and makes a secure connection possible.
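The client-side check described above (the client refuses the connection unless the server can be authenticated) is what a TLS client library enforces when its context is configured to verify the peer. The following is an added example, not code from the page or from Netscape, using Python's standard ssl module. The function names are my own; the "weak" context is shown only for contrast with the verified one.

```python
import socket
import ssl


def make_verified_client_context() -> ssl.SSLContext:
    """Client context that refuses any server it cannot authenticate.

    The server certificate must chain to a CA the platform trusts, and the
    name in the certificate must match the host we asked for; otherwise the
    handshake fails and no data is exchanged.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    # Export-grade 40/56-bit ciphers belonged to SSL 2/3; insist on TLS 1.2 or newer.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def make_unverified_client_context() -> ssl.SSLContext:
    """The weak setting, for contrast: encrypts, but accepts any certificate.

    check_hostname must be cleared before verify_mode is relaxed, otherwise
    the ssl module raises ValueError; that ordering is itself a hint that
    this combination is not meant to be used.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_authenticates_server(ctx: ssl.SSLContext) -> bool:
    """True only when the context both requires a certificate and checks the name."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def minimum_tls_version_name(ctx: ssl.SSLContext) -> str:
    return ctx.minimum_version.name


def open_secure_channel(host: str, port: int = 443, timeout: float = 5.0) -> ssl.SSLSocket:
    """Wrap a plain TCP socket: SSL/TLS sits between TCP/IP and HTTP, as the text says.

    Raises ssl.SSLCertVerificationError if the server cannot be authenticated,
    which is the 'connection cannot be established' outcome from the handshake.
    """
    ctx = make_verified_client_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    return ctx.wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    ctx = make_verified_client_context()
    print("verifies server:", context_authenticates_server(ctx))
    print("minimum version:", minimum_tls_version_name(ctx))
```

Only the context construction runs offline; open_secure_channel needs a network and is included to show where the hostname is supplied, since the certificate's name check is what ties the lock icon to the site you typed.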

The "strength" of an SSL connection depends on its bit level: 40-bit SSL connections tend to be weak, while 128-bit SSL connections are extremely strong. 128 bits is about 340 septillion (340,000,000,000,000,000,000,000,000) times larger than 40 bits.

Currently it is illegal for U.S. companies to export anything above 56-bit encryption internationally. Security software companies are trying to overcome these limitations by developing encryption technology outside the United States.

The SSL protocol includes two subprotocols. The SSL Record Protocol defines the format used for data transfer. The SSL Handshake Protocol defines how the Record Protocol is used to exchange data between client and server when the SSL connection is first established. It is used to authenticate the server to the client, or the client to the server. It also allows the client and server to select the encryption algorithms, or ciphers, that both sides support.

SSL uses both public-key and symmetric-key encryption. Although symmetric-key encryption is generally faster than public-key encryption, public-key encryption provides better authentication. The common ciphers are:

• Data Encryption Standard (DES). Triple DES applies DES three times and supports 168-bit encryption. Its key size makes it one of the strongest ciphers supported by SSL.

• Digital Signature Algorithm (DSA), for authentication with digital signatures.

• Key Exchange Algorithm (KEA), for key exchange.

• Message Digest (MD5), used to create digital signatures. It is commonly used as a hash.

• RSA, a trade name, for authentication and encryption. RSA key exchange is the most common for SSL connections, and the cipher is the most popular for commercial applications.

• Secure Hash Algorithm (SHA-1), for secure data transmission.

• Skipjack, a classified symmetric-key algorithm used in Fortezza-compliant hardware. The Fortezza encryption system is used by U.S. government agencies for sensitive but unclassified data. FORTEZZA ciphers use KEA instead of RSA for key exchange. FORTEZZA cards are used for client authentication.

Performance can suffer when public key cryptography is used, so it is generally limited to digital signatures and small amounts of data. Symmetric key ciphers such as DES are generally used for bulk data.

The security administrator must decide which ciphers to enable, based on the nature of the data, the need for privacy and security, and the speed of the encryption algorithm. The national origin of the parties is another consideration: some ciphers may be used only in the United States and Canada. So if your organization turns off the weaker ciphers, you automatically restrict access to customers in the United States and Canada.

SSL Handshake

The following sequence of events is typical of an SSL connection:

• The client sends the server its SSL version number, cipher settings, and other data related to the communication.

• The server sends the client its SSL version number, cipher settings, and other communication information.

• The server sends its certificate, and asks for the client's certificate if necessary.

• The client authenticates the server. If the server cannot be authenticated, the client is notified that an encrypted and authenticated connection cannot be established.

• The client creates a "pre-master" secret for the SSL connection and encrypts it with the server's public key. The encrypted pre-master secret is then sent to the server. The client may also be asked to sign and send data, along with its certificate, in order to authenticate itself.

• The session is terminated if the server cannot authenticate the client.

• The server uses its private key to decrypt the pre-master secret and derives the "master" secret from it.

• Using the master secret, both the client and the server generate session keys. These symmetric keys are used to encrypt and decrypt data and to verify that the data has not been tampered with between the time it is sent and the time it is received.

• The SSL session begins once the handshake is complete. The client and server use the session keys to encrypt and decrypt data and to verify data integrity.

Authentication

Authentication of both clients and servers relies on encrypting data with one key of a public-private key pair and decrypting it with the other. For server authentication, the client encrypts the pre-master secret with the server's public key. Only the server's private key can decrypt the pre-master secret. This gives the client reasonable assurance about the server's identity.

To authenticate itself, the client signs random data using its private key. In other words, it creates a digital signature that can be validated with the public key in the client's certificate, provided the corresponding private key was used. If the server cannot validate the digital signature, the session ends.
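The handshake steps and the two authentication directions above (encrypt the pre-master secret to the server's public key; have the client sign data with its private key) can be walked through end to end in a small simulation. This is an added example, not the page's or Netscape's code: the RSA is textbook RSA with no padding, built on four known Mersenne primes so that it runs instantly; the cipher suite labels and the HMAC-SHA256 expansion standing in for the SSL pseudo-random function are my own constructions; nothing here is usable as a real SSL implementation.

```python
import hashlib
import hmac
import secrets

# Toy RSA on known Mersenne primes (constructed for illustration; textbook RSA, no padding).
SERVER_P, SERVER_Q = 2**521 - 1, 2**127 - 1
CLIENT_P, CLIENT_Q = 2**607 - 1, 2**89 - 1


def rsa_keygen(p, q, e=65537):
    """Return ((n, e), (n, d)): what one key encrypts or verifies, the other decrypts or signs."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))


def rsa_apply(key, value):
    n, exp = key
    return pow(value, exp, n)


def rsa_encrypt(pub, data: bytes) -> int:
    m = int.from_bytes(data, "big")
    assert m < pub[0], "message must be smaller than the modulus"
    return rsa_apply(pub, m)


def rsa_decrypt(priv, ciphertext: int, length: int) -> bytes:
    return rsa_apply(priv, ciphertext).to_bytes(length, "big")


def rsa_sign(priv, data: bytes) -> int:
    return rsa_apply(priv, int.from_bytes(hashlib.sha256(data).digest(), "big"))


def rsa_verify(pub, data: bytes, signature: int) -> bool:
    return rsa_apply(pub, signature) == int.from_bytes(hashlib.sha256(data).digest(), "big")


SERVER_SUITES = ["RSA_WITH_3DES_EDE_SHA", "RSA_WITH_DES_SHA"]  # constructed labels, server preference order


def negotiate_suite(client_offer, server_prefs=SERVER_SUITES):
    """Server picks the first suite in its own order that the client also offered, or None."""
    for suite in server_prefs:
        if suite in client_offer:
            return suite
    return None


def prf(secret: bytes, label: bytes, seed: bytes, length: int = 48) -> bytes:
    """HMAC-SHA256 expansion standing in for the SSL/TLS pseudo-random function."""
    out, counter = b"", 0
    while len(out) < length:
        counter += 1
        out += hmac.new(secret, label + seed + bytes([counter]), hashlib.sha256).digest()
    return out[:length]


def protect_record(write_key: bytes, payload: bytes) -> bytes:
    """Append an integrity tag so the receiver can detect tampering in transit."""
    return payload + hmac.new(write_key, payload, hashlib.sha256).digest()


def check_record(write_key: bytes, record: bytes):
    payload, tag = record[:-32], record[-32:]
    expected = hmac.new(write_key, payload, hashlib.sha256).digest()
    return payload if hmac.compare_digest(tag, expected) else None


def run_handshake(client_offer):
    server_pub, server_priv = rsa_keygen(SERVER_P, SERVER_Q)
    client_pub, client_priv = rsa_keygen(CLIENT_P, CLIENT_Q)
    # Steps 1-2: hellos carry cipher settings and fresh random values from each side.
    suite = negotiate_suite(client_offer)
    if suite is None:
        raise ValueError("no cipher suite in common; handshake fails")
    client_random, server_random = secrets.token_bytes(32), secrets.token_bytes(32)
    # Step 5: the client makes a pre-master secret and encrypts it to the server's public key,
    # and signs the transcript so far with its own private key (client authentication).
    pre_master = secrets.token_bytes(48)
    encrypted_pms = rsa_encrypt(server_pub, pre_master)
    transcript = client_random + server_random + suite.encode()
    signature = rsa_sign(client_priv, transcript)
    # Steps 6-7: the server validates the signature with the client's public key, then
    # recovers the pre-master secret; only its private key can do that.
    if not rsa_verify(client_pub, transcript, signature):
        raise ValueError("client signature invalid; session terminated")
    server_pms = rsa_decrypt(server_priv, encrypted_pms, 48)
    # Steps 7-8: both sides derive the master secret and session keys independently.
    nonces = client_random + server_random
    client_keys = prf(prf(pre_master, b"master secret", nonces), b"key expansion", nonces, 64)
    server_keys = prf(prf(server_pms, b"master secret", nonces), b"key expansion", nonces, 64)
    # Step 9: session data is protected with the symmetric keys; tampering is detected.
    record = protect_record(client_keys[:32], b"GET / HTTP/1.0")
    tampered = record[:-1] + bytes([record[-1] ^ 0x01])
    return {
        "suite": suite,
        "keys_agree": client_keys == server_keys,
        "record_ok": check_record(server_keys[:32], record) == b"GET / HTTP/1.0",
        "tamper_detected": check_record(server_keys[:32], tampered) is None,
    }


if __name__ == "__main__":
    print(run_handshake(["RSA_WITH_DES_SHA", "RSA_WITH_3DES_EDE_SHA"]))
```

Note that the expensive public-key operations happen exactly twice per handshake (one encryption, one signature) while every subsequent record is protected with the fast symmetric session keys, which is the performance split the text describes.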

SSLRef

SSLRef is a software developer toolkit developed to help add SSL security features to TCP/IP applications. ANSI C source code is provided for building it into TCP/IP applications. SSLRef can be downloaded free for noncommercial use only. Although there are no license restrictions on SSLRef, export restrictions apply.

Kerberos

The Kerberos protocol is used in a client/server environment to authenticate the client to the server and the server to the client. After the identities have been confirmed, Kerberos authentication can also be used to encrypt data. Kerberos does not send any data over the network that could allow an attacker to impersonate the user.

Kerberos is available as source code from the Massachusetts Institute of Technology and is also sold by several vendors as a commercial software product.

When a client accesses a network server, the client claims to be running on behalf of an authorized user. Without authentication, there is virtually no security. With Kerberos authentication, the client proves its identity to the server.

In a traditional setting, the user's identity is verified by checking a password during the login process. Without Kerberos authentication, the user would have to enter a password to access each network service. At the least this is inconvenient, and it still does not provide security when accessing services on a remote machine: without encryption, it would be easy for anyone to intercept the password in transit.

Kerberos eliminates the need to send passwords across the network. Instead, keys are used to encrypt and decrypt short messages and provide the basis for authentication. To prove its identity, the client presents a ticket issued by the Kerberos server, together with secret information, such as a password, that only the authorized user knows.

Kerberos is not effective against password-guessing attacks. An attacker who captures a pair of encrypted messages can launch a guessing attack, trying passwords to see whether the messages decrypt.

Kerberos assumes that the workstations or machines are reasonably secure and that only the network connections are vulnerable. It also assumes a trusted path for the password. For example, if the password is entered into a program containing a Trojan horse (that is, a program modified to capture certain information), Kerberos gives no protection. Furthermore, if the transmission between the user and the authentication program can be intercepted, Kerberos will not work.

Both the user and the network service must have keys registered with the Kerberos authentication server. The user's key is derived from a password chosen by the user. The network service's key is selected randomly.
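The ticket exchange sketched in the paragraphs above (a password-derived user key and a random service key, both held by the authentication server; a ticket the client presents instead of its password) is simulated below. This is an added example, not code from the page or from MIT Kerberos: the encrypt-then-MAC construction built from HMAC-SHA256 stands in for Kerberos' real block cipher, the PBKDF2 salt choice and the principal names "alice" and "fileserver" are constructed, and the ticket layout is simplified to the fields the text mentions.

```python
import hashlib
import hmac
import json
import secrets
import time


def derive_user_key(principal: str, password: str) -> bytes:
    """User key derived from the password; salted with the principal name (a constructed choice)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 100_000)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, obj) -> bytes:
    """Toy authenticated encryption (HMAC keystream + HMAC tag) standing in for Kerberos' cipher."""
    plaintext = json.dumps(obj).encode()
    nonce = secrets.token_bytes(16)
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes):
    """Reject the message unless the tag verifies under this key, so a wrong key never yields plaintext."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ciphertext, _keystream(key, nonce, len(ciphertext)))))


class KDC:
    """Authentication server: holds one long-term key per principal."""

    def __init__(self):
        self.keys = {}

    def register_user(self, principal: str, password: str) -> None:
        self.keys[principal] = derive_user_key(principal, password)

    def register_service(self, principal: str) -> bytes:
        self.keys[principal] = secrets.token_bytes(32)  # service key is chosen at random
        return self.keys[principal]

    def issue_ticket(self, client: str, service: str, lifetime: float = 300, now=None):
        """Return (ticket for the service, credentials for the client); the password never appears."""
        now = time.time() if now is None else now
        session_key = secrets.token_bytes(32).hex()
        ticket = seal(self.keys[service], {"client": client, "session_key": session_key, "expires": now + lifetime})
        for_client = seal(self.keys[client], {"service": service, "session_key": session_key, "expires": now + lifetime})
        return ticket, for_client


def client_authenticate(principal: str, password: str, ticket: bytes, for_client: bytes, now=None):
    """Only the right password unlocks the session key; the client then proves possession of it."""
    now = time.time() if now is None else now
    creds = unseal(derive_user_key(principal, password), for_client)
    authenticator = seal(bytes.fromhex(creds["session_key"]), {"client": principal, "timestamp": now})
    return ticket, authenticator


def service_verify(service_key: bytes, ticket: bytes, authenticator: bytes, now=None, skew: float = 300) -> bool:
    now = time.time() if now is None else now
    t = unseal(service_key, ticket)
    if t["expires"] < now:
        return False
    a = unseal(bytes.fromhex(t["session_key"]), authenticator)
    return a["client"] == t["client"] and abs(a["timestamp"] - now) <= skew


def demo(password: str = "correct horse", later: float = 0.0, now: float = 1_700_000_000.0) -> bool:
    """Full exchange with constructed principals; returns whether the service accepts the client."""
    kdc = KDC()
    kdc.register_user("alice", "correct horse")
    service_key = kdc.register_service("fileserver")
    ticket, for_client = kdc.issue_ticket("alice", "fileserver", now=now)
    try:
        ticket, authenticator = client_authenticate("alice", password, ticket, for_client, now=now + later)
    except ValueError:
        return False  # wrong password: the client cannot even read its own credentials
    return service_verify(service_key, ticket, authenticator, now=now + later)


if __name__ == "__main__":
    print("correct password:", demo())
    print("wrong password:  ", demo("wrong"))
    print("expired ticket:  ", demo(later=3600))
```

The three demo runs correspond to the properties the text calls out: the ticket replaces the password on the wire, a wrong password cannot open the credentials, and a ticket has a lifetime after which the service refuses it. Because the client's credential blob is encrypted under a password-derived key, it is also the piece an attacker who captured it would try guesses against, which is why the text recommends one-time passwords as a complement.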

Much of the software used by the international community has been adapted to Kerberos. Because the United States restricts the export of cryptography, a version of Kerberos called Bones is available to international users. All of the encryption routines have been stripped out of Bones, which is used to "trick" other programs into believing that Kerberos is installed.

To use Kerberos, a Kerberos principal must be established. This principal is like a normal account on a machine, with information such as a username and password associated with it. The information is stored encrypted in the Kerberos database. To be effective, Kerberos must be integrated into the computer system as a whole: it protects only the information of software that is configured to use it.

The server should, if possible, be physically secure. Ideally, the machine should be dedicated to running the authentication server, with access to the machine strictly limited.

The initial password for each user must be registered with the authentication server. The registration procedure depends on the number of users. In-person registration gives the best control when the number of users is small. Consider other procedures, such as a registration program on a trusted system, when the number of users is very large.

Several tools can improve the security provided by Kerberos. Passwords generated by a one-time password device are particularly useful. Commercial products are available that combine one-time passwords with Kerberos.
