Security in Computer Networks

8.1 What Is Network Security?


Consider the following desirable properties of secure communication:
  • Confidentiality. Only the sender and intended receiver should be able to understand the contents of the transmitted message.  Because eavesdroppers may intercept the message, this necessarily requires that the message be somehow encrypted (its data disguised) so that an intercepted message cannot be decrypted (understood) by an interceptor.  This aspect of confidentiality is probably the most commonly perceived meaning of the term secure communication.
  • Authentication.  Both the sender and the receiver should be able to confirm the identity of the other party involved in the communication--to confirm that the other party is indeed who or what they claim to be.  Face-to-face human communication solves this problem easily by visual recognition.  When communicating entities exchange messages over a medium where they cannot see the other party, authentication is not so simple. 
  • Message integrity and nonrepudiation.  Even if the sender and receiver are able to authenticate each other, they also want to ensure that the content of their communication is not altered, either maliciously or by accident, in transmission.  Extensions to the checksumming techniques that we encountered in reliable transport and data link protocols can be used to provide such message integrity.  (A plain checksum on its own only catches accidental corruption: an adversary who alters a message can simply recompute the checksum, so the extension must involve a secret that the adversary does not have.)
  • Availability and access control.  The compelling need for network security has been made painfully obvious over the past several years by numerous denial-of-service (DoS) attacks that have rendered a network, host, or other pieces of network infrastructure unusable by legitimate users; perhaps the most notorious of these DoS attacks have been against the Web sites of a number of high-profile companies.
Confidentiality, authentication, message integrity, and nonrepudiation have been considered key components of secure communication for quite some time.  Availability and access control are more recent extensions to the notion of secure communication, no doubt motivated by the very real-world concerns of securing the network infrastructure against a potential onslaught by the "bad guys."  One of the surest ways to ensure that "bad guys" can do no harm is to make sure their packets do not enter the network in the first place.  A firewall is a device that sits between the network to be protected and the rest of the world; it controls access to and from the network by regulating which packets can pass.  Firewalls have rapidly become a commonplace component in networks ranging from small home networks to networks belonging to the largest corporations on earth.
 
Our definition of secure communication has focused primarily on protecting communication and network resources.  Network security involves not only protection, but also detecting breaches of secure communication and attacks on the infrastructure, and then responding to the attacks.  In responding to attacks, a network administrator may deploy additional protection mechanisms.  Network security is achieved through a continuous cycle of protection, detection, and response.
 
Some or all of these messages will typically be encrypted.  An intruder with access to the channel can potentially perform
  • eavesdropping--listening to and recording control and data messages on the channel (a passive attack, which leaves no trace in the traffic itself);
  • modification, insertion, or deletion of messages or message content (active attacks).
Unless appropriate countermeasures are taken, these capabilities allow an intruder to mount a wide variety of security attacks: snooping on communication, impersonating another entity, hijacking an ongoing session, denying service to legitimate network users by overloading system resources, and so on.
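The intruder capabilities listed above, together with the earlier claim that message integrity comes from "extensions to the checksumming techniques" of transport and link protocols, as one added example (not code from the page): a sender emits sequence-numbered frames, an intruder eavesdrops on, modifies, deletes and replays them, and a receiver checks each one. The example shows that the unkeyed Internet checksum is useless against modification, because the intruder recomputes it, while a keyed MAC (HMAC-SHA256 is the extension chosen here) plus the sequence number lets the receiver flag modification, insertion (replay) and deletion. The key, the messages and the intruder's actions are all constructed for the demonstration, and how the two parties came to share the key is out of scope.

```python
"""Added example, not code from the page: checksum vs. keyed MAC against an
intruder who can eavesdrop, modify, insert and delete. KEY, the messages and
the intruder's actions are constructed; key distribution is out of scope."""
import hashlib
import hmac
import struct

KEY = b"pre-shared key known only to sender and receiver"   # assumed
TAG_LEN = 32   # HMAC-SHA256 output size


def internet_checksum(data: bytes) -> int:
    """16-bit one's-complement sum as used by IP/TCP/UDP (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def checksum_frame(seq: int, payload: bytes) -> bytes:
    body = struct.pack("!I", seq) + payload
    return body + struct.pack("!H", internet_checksum(body))


def verify_checksum(frame: bytes) -> bool:
    body, (cs,) = frame[:-2], struct.unpack("!H", frame[-2:])
    return internet_checksum(body) == cs


def mac_frame(seq: int, payload: bytes) -> bytes:
    body = struct.pack("!I", seq) + payload
    return body + hmac.new(KEY, body, hashlib.sha256).digest()


def verify_mac(frame: bytes) -> bool:
    body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(KEY, body, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)   # constant-time comparison


# --- what the intruder on the channel can do --------------------------------

def eavesdrop(frame: bytes) -> bytes:
    """Passive: a MAC gives integrity only, so the payload is readable in clear."""
    return frame[4:-TAG_LEN]


def tamper_checksum(frame: bytes, old: bytes, new: bytes) -> bytes:
    """Active: alter the payload and simply recompute the unkeyed checksum."""
    body = frame[:-2].replace(old, new)
    return body + struct.pack("!H", internet_checksum(body))


def tamper_mac(frame: bytes, old: bytes, new: bytes) -> bytes:
    """Active: alter the payload; without KEY the intruder cannot refresh the tag."""
    return frame[:-TAG_LEN].replace(old, new) + frame[-TAG_LEN:]


def checksum_vs_mac() -> tuple:
    """Returns (checksum accepts tampered frame, MAC accepts tampered frame)."""
    cf = tamper_checksum(checksum_frame(0, b"pay 10 to bob"), b"10", b"99")
    mf = tamper_mac(mac_frame(0, b"pay 10 to bob"), b"10", b"99")
    return verify_checksum(cf), verify_mac(mf)


class Receiver:
    """Accepts MAC-protected frames in order; flags forgery, replay and gaps."""
    def __init__(self):
        self.expected = 0

    def accept(self, frame: bytes) -> str:
        if not verify_mac(frame):
            return "bad_tag"      # modified in transit or forged by the intruder
        (seq,) = struct.unpack("!I", frame[:4])
        if seq < self.expected:
            return "replay"       # an old frame inserted again
        status = "ok" if seq == self.expected else "gap"   # gap: deleted or reordered
        self.expected = seq + 1
        return status


def run_scenario() -> list:
    """Sender emits three frames; the intruder tampers with, deletes and replays them."""
    frames = [mac_frame(i, m) for i, m in
              enumerate([b"pay 10 to bob", b"pay 20 to bob", b"logout"])]
    rx = Receiver()
    return [
        rx.accept(frames[0]),                              # delivered intact
        rx.accept(tamper_mac(frames[1], b"20", b"99")),    # modification
        rx.accept(frames[2]),                              # frames[1] deleted
        rx.accept(frames[0]),                              # insertion: replay
    ]
```

`checksum_vs_mac()` returns `(True, False)`: the receiver happily accepts the altered checksummed frame, and rejects the altered MAC frame. `run_scenario()` returns `["ok", "bad_tag", "gap", "replay"]`. Two caveats a practitioner would add: the MAC does nothing for confidentiality (`eavesdrop()` reads the payload directly, so the encryption mentioned above is still needed), and the sequence check only distinguishes replay from loss within one session with a fresh key; a deleted last message, or a reordered one, shows up as a gap the protocol above must then decide how to handle.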