Network security

Network security is not a single fixed term but covers all measures for planning, implementing and monitoring security in networks. These measures are by no means purely technical: they also concern the organization (for example, policies that define what the operators of the network are allowed to do), operations (how can security be applied to the network in practice without disrupting the day-to-day workflow?) and finally the law (which measures may be used at all?).

Context

Security as such must always be seen in relative terms and is never a fixed state. On the one hand, the value of the data circulating in the network must be considered; on the other hand, the network is constantly changing through expansion and technical development, and these changes have to be reflected in a revised security architecture. Gains in security are often accompanied by growing obstacles to usability.

The topic of security often begins with the question of how a network can be protected against access from outside (firewall / DMZ). Users may use the network's resources only after identification and subsequent authentication and authorization. So that a compromise of a computer on the network can be detected, computers are often monitored. This can happen internally (is the data still consistent? Have changes occurred?) or externally (are the computer's services still reachable and functional?). Potential data loss caused by faulty software, misuse, negligence or ageing hardware is prevented by a backup that is then stored separately. Software vulnerabilities can be countered by installing firmware updates promptly. Security can be further increased by using particular software that is considered trustworthy because, for example, it is released under an open-source license. The opposite case can also occur: software that is considered insecure may be banned. Training users conveys a need for security, an awareness that the data in a network is very valuable. This allows users to understand the measures rather than undermine them, for instance by writing complicated passwords on slips of paper and sticking them to the monitor. Finally, physical access to the network itself can be restricted by means of access control.

Because interconnection via the Internet keeps increasing, network security plays an ever more important role. Companies' infrastructures become more complex, and more and more information has to be available online and/or managed ...

Possible attacks

As diverse as networks are, so varied are the possible attacks on a network. In many cases several attacks are combined to achieve a goal.

Attacks on software (implementations)

Since communication networks always consist of a (large) set of systems, it is often precisely these systems that are attacked over the communication network. Many attacks therefore target weaknesses in software (implementations):

  • Buffer overflow - especially in programs written in C, a common error is writing past the end of a buffer, so that other data or control information is overwritten
  • Stack smashing - overwriting the stack of a program, e.g. via a buffer overflow, which allows malicious code to be injected and executed (exploit)
  • Format string attacks - output routines such as printf use a format string to shape the output. By supplying specially crafted format directives, memory areas can be overwritten.
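As an added illustration (not part of the original article), the two patterns from the list above in C: an unbounded copy and a user-controlled format string, each beside its hardened counterpart. The function names and the 16-byte buffer size are assumptions chosen for this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* assumed fixed buffer size for the example */

/* Vulnerable pattern: strcpy() copies until the NUL byte, so input longer
 * than the destination overwrites whatever follows the buffer (on the stack
 * this is the classic "stack smashing" case). Never call with untrusted data. */
void store_name_unsafe(char dst[NAME_LEN], const char *src) {
    strcpy(dst, src);
}

/* Hardened pattern: copy at most NAME_LEN-1 bytes, always NUL-terminate,
 * and report truncation so the caller can reject over-long input. */
bool store_name_safe(char dst[NAME_LEN], const char *src) {
    size_t n = strlen(src);
    if (n >= NAME_LEN) {
        memcpy(dst, src, NAME_LEN - 1);
        dst[NAME_LEN - 1] = '\0';
        return false;            /* truncated: input was too long */
    }
    memcpy(dst, src, n + 1);     /* fits, including the terminator */
    return true;
}

/* Vulnerable pattern: user data used as the format string, so "%x" or "%n"
 * inside the input makes printf() read or write memory it should not touch. */
void log_unsafe(const char *user_msg) {
    printf(user_msg);
}

/* Hardened pattern: a constant format string; user data is only ever an
 * argument, so any '%' in it is printed literally. Returns bytes written. */
int log_safe(const char *user_msg) {
    return printf("[log] %s\n", user_msg);
}

int main(void) {
    char name[NAME_LEN];
    if (!store_name_safe(name, "a-name-that-is-far-too-long"))
        log_safe("input truncated");
    log_safe("%x %n is printed literally here");
    return 0;
}
```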

Attacks on network protocols

  • Man-in-the-middle attack - if no mutual authentication is performed, an attacker can impersonate each communication partner to the other (for example telnet, rlogin, SSH, GSM, Cisco XAUTH)
  • Unauthorized use of resources - if no secure authentication and secure authorization exist (e.g. rlogin)
  • Eavesdropping on data and control information - all unencrypted protocols, such as POP3, IMAP, SMTP, Telnet, rlogin, HTTP
  • Injection of data or information - all protocols without adequate message authentication, such as POP3, SMTP, Telnet, rlogin, HTTP
  • Tunnels can be used to embed traffic in permitted protocols (e.g. HTTP). This allows firewall rules to be circumvented. A more detailed description can be found under the respective protocols. For example, an SSH client establishes a connection via HTTPS and a proxy to a server outside the internal network, bypassing the rules that control outbound SSH traffic. Such a connection can also be reversed, so that a connection from the outside is forwarded into the internal network.
  • Countering this requires appropriate rules in the proxy that restrict the CONNECT and POST methods. The URL filter UfdbGuard makes it possible to detect and block HTTPS tunnels.

Attacks on the network structure

  • Overloading of services is referred to as a DoS attack (denial of service). Distributed DoS attacks in particular are known as DDoS attacks (distributed denial of service). Attacks that need only a single packet, such as the TCP SYN attack, are very effective because the sender address, and thus the origin, can be forged.

Camouflage of attacks

  • Fragmentation of packets, especially with overlapping fragments, can be used to hide attacks from intrusion detection systems
  • Spoofing - forging sender addresses, mostly to disguise the origin of packets (see also firewall)
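An added detection example (not from the original article): a check for overlapping fragment ranges of the kind an IDS reassembly engine uses to flag the evasion described above. The struct and the two sample fragment lists are constructed for this illustration; offsets are given in bytes rather than the header's 8-byte units.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* One IP fragment as an IDS would record it. In the real header the
 * 13-bit fragment offset counts 8-byte units; here both fields are bytes. */
struct frag {
    uint32_t offset;   /* byte offset of this fragment within the datagram */
    uint32_t len;      /* payload bytes carried by this fragment */
};

/* Returns true if any two fragments of the same datagram cover overlapping
 * byte ranges. A correct sender never produces overlap, and overlapping
 * fragments are the classic way to show an IDS a different byte stream than
 * the one the end host reassembles, so a reassembly engine should flag or
 * drop such datagrams. O(n^2) is fine for the few fragments a datagram has. */
bool fragments_overlap(const struct frag *f, size_t n) {
    for (size_t i = 0; i < n; i++) {
        uint32_t a_end = f[i].offset + f[i].len;
        for (size_t j = i + 1; j < n; j++) {
            uint32_t b_end = f[j].offset + f[j].len;
            /* half-open ranges [a, a_end) and [b, b_end) intersect */
            if (f[i].offset < b_end && f[j].offset < a_end)
                return true;
        }
    }
    return false;
}

/* Constructed sample: a well-formed datagram split into three fragments. */
const struct frag good_frags[] = {{0, 1480}, {1480, 1480}, {2960, 200}};
/* Constructed sample: the second fragment overwrites the tail of the first. */
const struct frag evil_frags[] = {{0, 1480}, {1400, 1480}, {2880, 200}};

int main(void) {
    /* a real engine would raise an alert here instead of returning a code */
    return fragments_overlap(evil_frags, 3) && !fragments_overlap(good_frags, 3) ? 0 : 1;
}
```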

Related attacks (which the distributed structure tends to favor)

  • Social engineering is the term for the procedure of getting a person to reveal a password or key.
  • Passwords can be obtained in order to gain access to services. If this is done by trying all possibilities, it is called a brute-force attack.
  • Inadequate installations can make an attack with default passwords successful.
  • Data coming from the outside world is not checked for validity but accepted as "correct" (tainted data, cross-site scripting and SQL injection).
  • Flooding with meaningless or unsolicited e-mails is called UBE ("unsolicited bulk e-mail") and, particularly when it is advertising, UCE ("unsolicited commercial e-mail").
  • Worms, Trojan horses, dialers and viruses pose a threat.
  • Credulity and the technical ease of faking websites can be exploited by phishing.
  • Gullibility leads users to run unknown programs that have been sent by e-mail.

Prevention

The preventive measures are as varied as the possibilities for attack. By means of authentication the user is recognized and assigned the rights due to them (authorization). One speaks of single sign-on when only a one-time login should be necessary to use all permitted resources. A very common case is Kerberos, which now forms the basis for Windows networks. It was originally developed at MIT.

The security of computer networks is the subject of international standards for quality assurance. Important standards in this context are in particular the US TCSEC and the European ITSEC standards, as well as the more recent Common Criteria standard. In Germany, certification of security is usually carried out by the Federal Office for Information Security (BSI).

Protocols, architectures and components

  • Kerberos - authentication, authorization and accounting
  • X.509 - standard for certificates and their infrastructure
  • IPsec - the most powerful (and most complex) protocol for protecting connections
  • SSL / TLS - the most widely used security protocol. Protects, for example, HTTP, which is then called HTTPS.
  • S/MIME, PGP - standards for protecting e-mails
  • EAP - a modular protocol for authentication in e.g. WPA, TLS and IPsec.
  • Firewalls - for filtering packets. Deliberately forged packets can thus be discarded.
  • IDS - intrusion detection systems detect attacks.
  • Honeypots - for rapid discovery of known security vulnerabilities and attack vectors.