Wednesday, June 21, 2023

Network Security

 



1. How does it work?

 

When a computer connects to another computer in a network to exchange data, it becomes a member of a computer network. A computer network is made up of a number of different computers and components. There are different types of computer networks, such as LAN, WAN, MAN, Ethernet and fibre optic. Each runs on different communication protocols. An end user can connect to the World Wide Web using internet connectivity: the end user first connects to the area ISP (Internet Service Provider) and, after providing login details, is connected to the web.

 

2. How do we benefit?

 

When network communication happens, there is a chance of different types of damage and loss to the network. Network security guards against these losses and provides solutions to prevent and minimise damage to the network. Network security monitors the communication and connectivity that run throughout the network. It also looks after data flow control, speed control, timing and error-free communication. For that, security software applies different checksums and algorithms.

There can be data loss, connectivity loss, and loss due to failure of hardware and software. Once we overcome these basic situations, we have a fast, reliable and error-proof computer network.

 

3. Types of Network Security:

Network security problems can be divided roughly into four closely intertwined areas: secrecy, authentication, nonrepudiation, and integrity control. As mentioned, there are different kinds of networks, and so we require different kinds and levels of security for them. We require security within and outside the network for inbound and outbound data movement. When we are connected to the internet, we also require online security for our system and connectivity.

 

a. Network Access Control

Network Access Control is about a user's login to the network and use of the network's resources. For that, users have to go through a secured login process and provide their credentials in detail. We require some of the following network protocols when accessing network resources:

Port     Protocol  Use
20, 21   FTP       File transfer
22       SSH       Remote login, replacement for Telnet
25       SMTP      Email: Simple Mail Transfer Protocol
80       HTTP      World Wide Web: Hyper Text Transfer Protocol
110      POP-3     Remote email access: Post Office Protocol Version 3
143      IMAP      Remote email access: Internet Message Access Protocol
443      HTTPS     Secure Web (HTTP over SSL/TLS)
543      RTSP      Media player control: Remote Transfer Server Protocol
631      IPP       Printer sharing

 

 

SSL/TLS: SECURE SOCKETS LAYER/TRANSPORT LAYER SECURITY

 

SSL builds a secure connection between two sockets, including

1. Parameter negotiation between client and server.

2. Authentication of the server by the client.

3. Secret communication.

4. Data integrity protection.

So, by using secured protocols, we can allow or restrict users' access to network resources. We can restrict hackers' attempts at data hacking, program interruption, network attacks and so on. In this way we can secure banking and financial organizations, atomic and space premises, scientific laboratories, etc.

 

b. Antivirus and Anti malware software 

Antivirus is a specific computer program like any other computer program. It allows routine programs to function properly without errors. It removes unwanted harmful data bytes and malware bytes, which disturb not only program software but also the operating system. Antivirus programs follow a strict routine, which could run when the system first boots or periodically on a fixed schedule. The program finds bad bytes, deletes their registry entries and removes them thoroughly from the system.

An antivirus program provides protection against malware, spyware, theft, intrusion and ransomware. It also provides parental-guidance security for students. This kind of security is available for offline as well as online systems.

 

c. Application security

When we consider application security in a network, it starts with what kind of network the application is serving, because the network is widespread and made of different smaller networks inside it, and it is growing rapidly. The application is the driving force of data flow through the network, so its functionality and availability at a particular time are the real issues to deal with, because today every network is application oriented and application dependent. In the early days a data resource was accessed from a local database, as on a LAN. Nowadays the network has become more complicated and the same database is accessed from a number of resources, so the same database should be available to different resources at the same time. A dedicated application that can make all the data resources available at the same time should therefore be present at both ends, i.e. client and server. The new network architecture should be able to adapt to, manage and deploy such complicated applications. This requirement is prompting the transition from the traditional network to the software-defined network (SDN). Juniper Networks is building network infrastructure that will enable organizations to effectively make the transition to virtualized networks, while maintaining access to existing data and applications and preserving investments in network hardware infrastructure.

These days data centres are migrating to cloud-based infrastructure, and so the applications used are cloud based too. A single product sale uses the whole cloud network: a barcode-marked product at the sale terminal, which belongs to the cloud-based data centre, and a card-swiping POS machine, which tallies the consumer's financial data with the store data centre, including its inventory and finance sections. The company also sells online. In this way the infrastructure becomes three tier, with a web front end, a business logic tier and a back-end data store, all running on racks of servers.

The multi-tiered nature of the applications requires additional network services to secure these applications, which take care of application security, functionality and availability.

d. Behavioural analytics 

The behaviour of a network should be very tactile with respect to its compatibility and adaptability to a new environment, i.e. computer hardware/software devices and programs added to the network. It should respond quickly when an incompatible part or a malicious software program is added to the network, and discard it immediately. Only in that way is a balanced network maintained.

There are multi-tier security concerns over network behaviour, which start from higher-end network products like VSAT, mainframe computers, servers, routers, modems and IPv4 and IPv6 devices, down to the end-user computer. These components belong to different networks like LAN, WAN, MAN, Wi-Fi, fibre optic, Ethernet and cloud networks. These networks run over different network communication protocols. The present network is the outcome of evolution. The major issues of the network are its global presence, which requires large-scale maintenance and care, and its broadly expanding nature, which raises compatibility issues with the existing network. The smallest cable incompatibility can cause communication malfunctions throughout the network.

In the 21st century, networks and data centres belonging to private, public, corporate, defence, educational, space or scientific organizations are migrating to cloud-based networks. When these networks migrate to cloud-based networks, issues like data security, data integrity, data resources, communication security and cost effectiveness are raised. Both the existing network and the cloud-based one have to go through compatibility issues, which is the concern of behavioural analytics.

                      

e. Data loss prevention

A computer network is made of a number of computers and network components. Their common function is secure, lossless data flow. Network administrators do everything to overcome the data loss problem. Data security requires multilevel consultation with the network representatives who are actually responsible for answering what kind of data it is, where the data is travelling, and what type and level of data security breach should be stopped. It includes people from different territories who belong to different service networks and different hierarchies: the seller network, the buyer network and the intermediate service provider network. In short, with a General Data Protection System we can secure the data. Assessing security risks, preventing attacks, monitoring to detect breaches and quality of protection are the key ingredients of a protection system. We can protect data by reducing access to it, employing privileged and fine-grained users so that data access is person and purpose oriented. By minimizing data exposure we also reduce the chance of data loss. Data auditing can be fruitful in protecting data.

To prevent communication and data loss, various methods are employed, such as encryption of data to secure it from hackers. By employing data scrambling and fewer links we can partially hide data, so that, intentionally or accidentally, data is less visible or invisible to an entity. Different communication protocols, algorithms and topologies are employed to prevent communication and data loss, and different transmission media and methods are employed to speed up network communication and overcome communication loss. Only in this way can we meet the key security objectives. Three categories, assessment, detection and prevention, can reduce data theft and data loss. Data security should be built in or on by default in the system, and security should be centralized and comprehensive throughout the system.

Threats to a database arise from entry points such as the operating system, the database itself and applications. Threats need not come from outside: people associated with the organization can also do damage from inside the system through these entry points. By locating the personal data to secure, creating security profiles and employing privileged users for the database, we can secure the database perimeter. With data masking and sub-setting the address of data, we can edit the database that outside users access: we provide them with a copy of the database with tailored personal details.

Thus, by securing our database servers, application servers, database firewalls, network encryption, gateways and other devices, we can restrict data loss.

 

f. Email security 

E-mail is sent between two points. When e-mail is sent over a network it goes through various computers before reaching its destination, so various computers can read it. It is therefore not a secure way of communicating. To make it secure, we should find a secure way to handle it. By using the PGP (Pretty Good Privacy) or S/MIME (Secure/Multipurpose Internet Mail Extensions) protocol we can secure e-mail between the two end points, i.e. sender and receiver.

PGP:

It is a complete security package for e-mail that provides authentication, privacy, digital signatures and compression. It is simple and open source, so it comes with source code and is available on the internet at no cost. It is available for UNIX, Linux, Windows and Mac OS.

PGP encrypts data by using a block cipher called IDEA (International Data Encryption Algorithm), which uses 128-bit keys. PGP supports four RSA key lengths. It is up to the user to select the one that is most appropriate. The lengths are:

1. Casual (384 bits): Can be broken easily today.

2. Commercial (512 bits): Breakable by three-letter organizations.

3. Military (1024 bits): Not breakable by anyone on earth.

4. Alien (2048 bits): Not breakable by anyone on other planets, either.

 

S/MIME:

It provides authentication, data integrity, secrecy and non-repudiation. It is also quite flexible, supporting a variety of cryptographic algorithms. Not surprisingly, given the name, S/MIME integrates well with MIME, allowing all kinds of messages to be protected. A variety of new MIME headers are defined.

 

 

g. Firewalls 

 

Computers are added to networks every moment, in corporate houses, MNCs, government organizations, educational institutions, defence organizations, scientific laboratories, etc. Adding a single new computer to a network or LAN brings virus or bug threats to the whole network. Any single computer can be responsible for destroying the whole network or LAN inside a company. Even IPsec cannot stop bad bytes from entering the network; it has nothing to do with that.

Firewall protection is a modern adaptation of the old medieval security standby: digging a deep moat around a castle. Everyone passing in or out of the castle has to cross a bridge, where they are inspected by the I/O police. In the same way, a company's LANs may be connected in arbitrary ways, but all inbound and outbound traffic passes through the firewall only. The firewall is used as a packet filter. The filter is designed with rules that state which bytes are allowed in or out, together with table entries for source and destination locations. As in TCP/IP, where a port number accompanies the IP address, we can define the particular ports on which data packets are allowed to travel in or out through the firewall.

The other practice is implementing a demilitarized zone (DMZ), where the web server is put outside the secured LAN. The firewall is then configured to block data packets requested on a particular port number, so the web server's request to contact that port number is turned down by the firewall. This is how the firewall system is implemented. This is network-layer filtering. A firewall can also look into transport- and application-layer data for filtering. Some peer-to-peer applications select their port dynamically to avoid being spotted easily, and this is how firewall security breaches happen. So the firewall has to look into data packets to see what they carry. The firewall is only an entry-level check point, and each system belonging to the network turns on its own firewall security as well.
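The packet-filter and DMZ rules described above can be modelled as an ordered rule table with first-match semantics and a default deny. This is an added example, not code from the original post: the addresses (documentation and private ranges), the rule set and all function names are constructed for illustration, and the shadowed-rule check goes slightly beyond the text to show a common rule-ordering mistake.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dst_port: int


@dataclass(frozen=True)
class Rule:
    action: str               # "allow" or "deny"
    src: str                  # CIDR block
    dst: str                  # CIDR block
    proto: str                # "tcp", "udp" or "any"
    ports: Optional[range]    # None means any destination port
    note: str = ""

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and self.proto in ("any", pkt.proto)
                and (self.ports is None or pkt.dst_port in self.ports))

    def covers(self, other: "Rule") -> bool:
        """True if every packet matching `other` also matches this rule."""
        return (ip_network(other.src).subnet_of(ip_network(self.src))
                and ip_network(other.dst).subnet_of(ip_network(self.dst))
                and self.proto in ("any", other.proto)
                and (self.ports is None or (
                    other.ports is not None
                    and other.ports.start >= self.ports.start
                    and other.ports.stop <= self.ports.stop)))


# Constructed addressing plan: web server in the DMZ, internal LAN behind it.
DMZ_WEB = "192.0.2.10/32"
LAN = "10.0.0.0/8"
ANY = "0.0.0.0/0"

RULES = [
    Rule("allow", ANY, DMZ_WEB, "tcp", range(80, 81), "HTTP to DMZ web server"),
    Rule("allow", ANY, DMZ_WEB, "tcp", range(443, 444), "HTTPS to DMZ web server"),
    Rule("deny", DMZ_WEB, LAN, "any", None, "DMZ host may not reach into the LAN"),
    Rule("allow", LAN, ANY, "tcp", range(443, 444), "LAN outbound HTTPS"),
    Rule("allow", LAN, DMZ_WEB, "tcp", range(22, 23), "admin SSH from LAN to DMZ"),
]

# A misordered table: the broad allow comes first, so the Telnet deny never fires.
MISORDERED = [
    Rule("allow", ANY, DMZ_WEB, "tcp", None, "all TCP to DMZ web server"),
    Rule("deny", ANY, DMZ_WEB, "tcp", range(23, 24), "block Telnet"),
]


def decide(pkt: Packet, rules: List[Rule] = RULES) -> Tuple[str, str]:
    """First matching rule wins; anything unmatched is dropped."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.note
    return "deny", "default deny (no rule matched)"


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indexes of rules that can never fire because an earlier rule covers them."""
    return [i for i, r in enumerate(rules)
            if any(earlier.covers(r) for earlier in rules[:i])]


if __name__ == "__main__":
    samples = [  # constructed packets
        Packet("203.0.113.7", "192.0.2.10", "tcp", 443),   # internet -> web server
        Packet("203.0.113.7", "192.0.2.10", "tcp", 22),    # internet -> SSH on DMZ
        Packet("192.0.2.10", "10.1.2.3", "tcp", 3306),     # DMZ host -> LAN database
        # A port filter sees only headers: anything sent to TCP 443 passes,
        # whatever it carries, which is the dynamic-port caveat in the text.
        Packet("10.1.2.3", "198.51.100.9", "tcp", 443),
    ]
    for pkt in samples:
        print(pkt, "->", decide(pkt))
    print("shadowed in MISORDERED:", shadowed_rules(MISORDERED))
```

The filter is stateless, so return traffic is not modelled; a stateful firewall would track connections rather than need a rule per direction.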

Sometimes a security breach is carried out not to steal data but to shut down the network. This is called a Denial of Service (DoS) attack. There is also the Distributed Denial of Service (DDoS) attack, in which a number of already hacked computers attack a common target computer. In this case it is hard to find the attackers, as the machines belong to unsuspecting users.

 

h. Intrusion prevention system

 

Intrusion detection and prevention is a key ingredient of network security. In any network, data availability, data security and data flow define the network's efficiency. Data security works at the bit or byte level, in the various layers of the OSI model. Data security protocols such as IPsec and secure login procedures such as SSL/TLS are employed for entry-point security, providing data integrity and secure data communication between client and server. This type of communication is carried out only after secure authentication.

We also design and define special firewall systems dedicated to intrusion prevention, where inbound and outbound data traffic is checked at bit level. Data auditing is carried out on the operating system and the system database. This kind of auditing system issues an alert to the firewall system if malicious software tries to intrude into the database.

Data encryption, data encapsulation, data scrambling and data hiding programs are also employed, and data is sorted into public, private and protected classes. In that way we can restrict direct access to the database and partially hide data from the end user. This kind of protection is necessary because the threat is not only from outside: people associated with the system also bring or send bad bytes through it. We enforce privileged access levels for priority databases. We have to develop an intrusion countermeasure system in which we define the system rules and regulations. We can also enforce penalties on those responsible for engaging in unlawful and suspicious activities. These days antivirus software is available that can handle malware bytes, network intrusion and data theft for domestic and commercial users. But for large infrastructure we require a security system that is on by default, within and throughout the system comprehensively: a security module within the network system.

 

i. Mobile device security

 

Mobile devices, as their name suggests, are identified with mobile networks. These devices can be wireless smart phones, smart watches, laptops, printers, telephony or gaming devices. They can be connected to the network wirelessly through the cell phone network (3G/4G) or an 802.11 Wi-Fi hotspot, which is available at malls, theatres, stadiums, offices, institutions, etc. So one can get online or stay connected while away from home or the office, whether travelling by road, air or sea.

Electronic reader devices download daily newspapers, subscribed newsletters and articles. Mobile devices are GPS enabled, and e-cars and taxi companies like Uber run over Wi-Fi networks through mobile applications. Even parking payments are made with Wi-Fi-enabled electronic parking meters. Today the web has become a big online market where every small and big company sells its products online with mobile applications. We can order groceries through an application, and we can even make the payment and get the receipt for it. So over Wi-Fi networks we can do business, banking, financial transactions, stock purchases, etc. In an embedded system, a piece of computer hardware monitors the data of a system like an air conditioner or geyser and communicates with a mobile phone to turn it on or off or update its status. In the automation industry we can operate and monitor the data of a system even when we are away from it. Wi-Fi networks are also used in military and defence, where a single message or command can wage a war in a fraction of a second, so the security measures taken for such networks are of a very high level. We can track these devices over the network using their IP addresses, as IPv4 and IPv6 devices.

We have 2G/3G/4G mobile networks and Wi-Fi hotspots for wireless communication. They basically belong to the Advanced Mobile Phone System (AMPS), Global System for Mobile communications (GSM), Universal Mobile Telecommunications System (UMTS), General Packet Radio Service (GPRS) and Long Term Evolution (LTE). There are also Wi-Fi networks such as 802.11 and the WiMAX network (Worldwide Interoperability for Microwave Access), 802.16 (broadband wireless), which uses Orthogonal Frequency Division Multiple Access (OFDMA in 802.16e mobile WiMAX, and OFDM in 802.16a fixed WiMAX). To speed up communication, a Wi-Fi network transmits four streams of data with four antennas at a time, which can be managed at the receiver side using Multiple Input Multiple Output (MIMO) techniques. Security threats to these networks arise because data transmitted through these devices can easily be received by other computers. Using Wi-Fi Protected Access (WPA2), advanced encrypted communication can be carried out, and using the SSL/TLS and IPsec protocols we can carry out authenticated, secure communication. In the earlier days of the web, there were simple web pages on web sites. Nowadays there are Java applets, ActiveX controls and JavaScript to download, so security issues arise with downloading and executing mobile application code.

 

j. Network segmentation

 

A computer network is made up of a number of network components. Each network has its own identity, function, priority, privilege and hierarchy, and each has a role to play in making the network run. If we can differentiate networks inside a network, then we can also identify the network components inside those networks. We can differentiate them down to bit- or byte-level data frames. We call them network segments.

The environment of network segments changes as the network infrastructure changes. Network segments have one common goal: speeding up data flow and error-free data communication. For that, they are distributed throughout the network for data processing. We have different kinds of networks, such as the personal area network, local area network, wide area network, metropolitan area network, the internet and cloud-based networks. Among these, the cloud-based network is the latest, state-of-the-art network infrastructure, where each repeater, hub, bridge, switch, router and gateway is a network segment. Each segment in the network is well defined. Different communication methods are also employed, such as Ethernet, fibre optic, DSL and VSAT, each carried out with its own communication protocols.

In cloud-based infrastructure there are basically three types of cloud services: 1. public, 2. private and 3. hybrid. There are also three basic cloud service models: 1. Software as a Service (SaaS), 2. Platform as a Service (PaaS) and 3. Infrastructure as a Service (IaaS). When we put this infrastructure into practice and start doing business, it is very costly, because each segment or device belonging to the network is charged on an hourly basis in a monthly billing cycle, where each CPU is counted for the services. For example, with IaaS the network segment is a standard CPU or a high-speed CPU in a virtual server, and with a virtual private server at least two hosts are required. The same applies to virtual servers for SAP and virtual private servers for SAP. Operating system, middleware, storage and networking components or segments are counted on an hourly basis. Cloud service is a very safe, secure and reliable data communication infrastructure.

It is good that each segment of the network is identical to the others. Each has its own work definition. Because of this property of network segments, the network becomes self-sustaining once configured. As the network is growing in nature, network maintenance and care is a routine requirement. All future models of the network are designed in such a manner that they complement the existing network; they should be compatible. So each network segment can become a key to defining future networks.

 

k. Security information and event management

 

Event management in the context of network security includes securing data and data flow at a particular point. To secure network data we employ different algorithms, topologies, protocols and communication media and methods. With modern equipment we implement layer-based communication and employ peer-to-peer communication, so we have to secure data at the bit/byte level. We have to manage the events of data security and data communication where they actually take place. Only in that way can we communicate effectively.

We have different communication junctions where communication is carried out, such as routers, switches, bridges, tunnels, firewalls and gateways. So we manage event ingredients like protocols, algorithms and topologies at a particular node. We may have a security breach by an intruder who can crack our data, and to secure our data we have to take countermeasures at the basic level. We have the IPsec protocol, which carries security information in its frame header. We can also secure our data using cryptography, with an encryption key and a decryption key at the sender and receiver ends. The ciphertext we transmit is protected by these keys, which have to change every time we use cryptography. We have antivirus software, which can provide operating-system-level security.

We can draw a tunnel in a metropolitan area network where a company has corporate offices at various locations. Here an office employee can stay in touch with the office while roaming, so secure login through SSL/TLS is employed. With a firewall we can monitor inbound and outbound data and restrict unwanted data communication.

Thus security information and event management is key to efficient network communication and data protection.

 

l. VPN

 

The term VPN (Virtual Private Network) highlights that it offers the functionality and security features of a private network while running over a public network. A private network is made up of computers and dedicated leased communication lines across the company's widespread or global office network. Here data security is prime, but it is very costly. With a virtual private network, we instead design or overlay our secured private network over the web or internet, i.e. a public network. It is made up of firewalls, tunnels, IPsec and ESP (Encapsulating Secure Payload) with tunnels.

We can dig a tunnel between a pair of firewalls of the office network, where data has to pass through the firewalls, including services, modes, algorithms and keys. When the system turns on, each firewall has to negotiate the parameters of its SA (security association). Using IPsec for tunnelling, we can carry all aggregate traffic between a pair of firewalls over a single authenticated, encrypted SA of the office network. This provides integrity control, secrecy and even considerable immunity to data analysis. Using IPsec, following IP in the data frame, separates data of the private network from data flowing through the public network.

The other approach is laying a VPN across the ISP network between the pair of firewall points of the office network. A network administrator can configure and monitor the VPN gateways, while the ISP administrator configures the MPLS (Multipoint Label Switching) path. Here the VPN runs over the internet with completely isolated security software, which is transparent to all user software.

 

m. Web security

 

There are three major issues related to Web Security.

1.       How are objects and resources named securely?

2.       How can secure and authenticated connections be established?

3.       What happens when a Web site sends a client executable code?

Web security is a major source of chaos in the web world. The problem grows with the day-to-day expansion and upgrading of the network. Major corporate houses like Cisco, SAP, Oracle and Citrix publish whitepapers on the issue. They organize workshops and seminars to overcome the threat posed by network invaders. These are called hackers, and the more sophisticated word is crackers. In their world they are sophisticated or ingenious programmers.

The threats they pose include changing the web pages of web sites and slowing down network traffic by flooding a particular web site with data packets from a number of computers. They spoof their way into the secured database of a company, they crack banking system codes and clear account balances, and they can be responsible for a fall in a company's stock price.

Areas related to web security are: a. secure naming, b. DNS spoofing, c. DNSsec.

DNSsec is conceptually extremely simple and is based on public-key cryptography. DNSsec offers the following fundamental services:

1.       Proof of where the data originated

2.       Public key distribution

3.       Transaction and request authentication

Secure Sockets Layer (SSL)

After secure naming comes the secure connection. Netscape Communications Corp. came up with the SSL solution, under which banking and financial data transactions are carried out securely. Netscape, Mozilla and Internet Explorer use SSL.

SSL builds a secure connection between two sockets, including

1.       Parameter negotiation between client and server

2.       Authentication of server by client

3.       Secret communication

4.       Data integrity protection

A browser using SSL goes through the following layers.

Application (HTTP)

Security (SSL)

Transport (TCP)

Network (IP)

Data link (PPP)

Physical (modem, ADSL, cable TV)

TLS (Transport Layer Security) is derived from SSL version 3.
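The four properties listed here, and in the SSL/TLS list under Network Access Control, depend on how the client is configured: if server authentication is switched off, secrecy and integrity hold only against a passive listener. The following added example (not from the original post; the function names are hypothetical) uses Python's standard ssl module to build a hardened client context and a weakened one, and audits both.

```python
import ssl
from typing import List


def hardened_client_context() -> ssl.SSLContext:
    """Client settings that keep the properties in the list above."""
    ctx = ssl.create_default_context()             # verifies chain and host name
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse SSLv3 / TLS 1.0 / 1.1
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """A pattern often left over from testing: verification turned off."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode is relaxed
    ctx.verify_mode = ssl.CERT_NONE   # the server is no longer authenticated
    return ctx


def audit(ctx: ssl.SSLContext) -> List[str]:
    """Return findings, tagged with the property from the list they weaken."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("negotiation: versions older than TLS 1.2 are accepted")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("authentication: server certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("authentication: certificate is not matched to the host name")
    return findings


if __name__ == "__main__":
    for name, ctx in (("hardened", hardened_client_context()),
                      ("weak", weak_client_context())):
        print(name, audit(ctx) or "no findings")
```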

 

Mobile Code Security:

In the earlier days of the web, there were simple web pages on web sites. Nowadays there are Java applets, ActiveX controls and JavaScript to download, so security issues arise with downloading and executing mobile application code.

Browser Extension:

There are browser extensions, add-ons and plugins, which provide the browser's compatibility with content like PDF, Flash animations, etc. There can be malicious add-ons and plugins, so they should be downloaded from trusted sources only.

Virus:

A virus is a simple program that executes itself when it is called upon. It is an unwanted element that comes with unreliable web applications, e-mail attachments or malicious software. When any application in the system runs, control transfers the next moment to the virus program, which infects other applications such as e-mail and tries to spread to other computer systems. Some viruses start when the computer boots and destroy the computer system. So operating systems now come with secure microkernels and tight compartmentalization of users, processes and resources.

 

n. Wireless security

 

Systems we design with VPNs and firewalls are secure, with the enhanced features of a safe system. But with wireless communication, the wireless system transmits radio packets right over the firewall in both directions. Wireless is a snooper's dream come true: free data without having to do any work. Therefore wireless systems require more security than wired systems.

802.11 provides data-link-level security. The function of 802.11i is to prevent others from receiving or interfering with communication carried out between two nodes. It is also known by its trade name WPA2, i.e. Wi-Fi Protected Access 2. Plain WPA is an interim scheme that implements a subset of 802.11i; it should be avoided in favour of WPA2. 802.11i is used for corporate networks as well as for home use. In corporate use it works in a client-server arrangement using the 802.1X secure protocol, and client-server authentication is checked using the Extensible Authentication Protocol. For home use there is no server; instead a single password is issued to clients for authentication. Home use of 802.11i therefore has less secure authentication and communication.

Bluetooth Security

Bluetooth security can also be breached. From Bluetooth V2.1 onward, Bluetooth devices are protected with four security modes, ranging from nothing to full data integrity and encryption control. Before Bluetooth V2.1 arrived, a new Bluetooth device was allotted a channel with a predictable passcode like 1234 to be entered in both devices, which was less secure and breakable. After Bluetooth V2.1, master and slave devices are allotted only a channel that is secured, integrity controlled and encrypted. Before communication starts, the master and slave make sure that no other device is getting the passkey.

                                                  

