LECTURE 6 – TELECOMMUNICATIONS, NETWORK, AND INTERNET SECURITY PART 2

Virtual Private Networks (VPNs)
VPN is a network technology that makes it possible to establish private “tunnels” over the public Internet
IP security (IPSec) operates at both the Network Layer and Session Layer of the TCP/IP protocol stack
IPSec VPNs are the most common form in use today and are widely available from network and firewall providers

IPsec – Performs both encryption and authentication to address the inherent lack of security on IP-based networks

Three characteristics – Sender authentication, message integrity, and data confidentiality

Security Association (SA)
AH and ESP require a number of parameters that both senders and receivers must agree on
An SA is used to manage these parameters
An SA is a secure “connection” between two end-points that applies a security policy and keys to protect information
An SA is uniquely identified by the combination of three fields: IP destination address, security protocol identifier (AH or ESP), and security parameter index (SPI)

IPSec Key Management
Manual key exchange (IETF RFC 1825): Using the manual exchange, a person manually configures each system with its own keys and those needed to communicate with other VPNs
Simple Key Interchange Protocol (SKIP): SKIP is based on the generation of a shared secret using Diffie-Hellman with already authenticated public key values
Internet Security Association and Key Management Protocol (ISAKMP)/Oakley: ISAKMP is needed to negotiate, establish, modify, and delete security associations and their corresponding data

SECURING MULTI-PLATFORM SYSTEMS

Networks are increasingly heterogeneous, containing different types of hardware and software and running multiple operating systems that all need to be able to communicate with one another.
There are fewer and fewer pure Windows (or pure UNIX) shops, with many companies running Windows domains side-by-side with UNIX web servers, accessed by client computers running Windows, Linux and Mac. Add to the mix a variety of smart phones (Windows Mobile, iPhone, Android, Symbian and more) that need to download mail and possibly access other network resources, and you have a real challenge.
The same basic security concepts apply to both heterogeneous and homogeneous networks, so it goes without saying that, regardless of the platform(s), you should:
Secure the edge with a good firewall/threat management gateway and intrusion detection/prevention system
Use anti-virus and anti-malware software (including on non-Windows systems) and keep definitions updated
Implement security auditing/monitoring to detect attempted breaches
Harden systems by turning off unnecessary services
Close unused ports
Restrict physical access to the systems
Restrict administrative/root access to those who really need it; on UNIX systems, restrict root access to secure terminals
Implement file level permissions; on UNIX systems, partition the file system and use read-only partitions for storing files that don’t change often, and use ACLs (Access Control Lists) for complex permissions management
On UNIX systems, limit the access processes have on the file system by using the chroot and ulimit interfaces
Enforce strong password policies
In high security environments, require two-factor authentication
On UNIX systems, use SSH (Secure Shell) for remote command line access
Use encryption: to protect files on the drive, to protect data crossing the network, to protect the operating system from unauthorized access
Implement a public key infrastructure to issue digital certificates
Hire an outside security auditor
A third party security audit can be useful to evaluate and advise on the security implementation in any complex network, but that goes double for a heterogeneous network. A company that does security audits for a living will have personnel experienced in reviewing many different types of systems and will be current on new vulnerabilities and new solutions that your IT personnel may not have the time to keep up with. They can perform penetration testing for a real-world assessment of where the vulnerabilities lie, and they can advise you on the most effective and most cost-effective ways to close the gaps.

Summary
The Telecommunications, Network, and Internet Security domain is one of the most important areas that security practitioners must understand well
We can begin to mix and match the building blocks of network security tools and techniques to implement defense in depth in preserving confidentiality, integrity, and availability
It is important to know how to find security information and how to decide which security architecture is most appropriate for a given situation

Comments