ABSTRACT: This paper describes the basic threats to network security and the basic issues of interest for designing a secure network. It describes the important aspects of network security. A secure network is one which is free of unauthorized entries and hackers.
INTRODUCTION
Over the past few years, Internet-enabled business, or e-business, has drastically improved efficiency and revenue growth. E-business applications such as e-commerce, supply-chain management, and remote access allow companies to streamline processes, lower operating costs, and increase customer satisfaction. Such applications require mission-critical networks that accommodate voice, video, and data traffic, and these networks must be scalable to…
They are usually achieved by hackers sending large amounts of jumbled or otherwise unmanageable data to machines that are connected to corporate networks or the Internet. Even more malicious are Distributed Denial of Service (DDoS) attacks in which an attacker compromises multiple machines or hosts. According to the 2001 Computer Security Institute (CSI) and FBI "Computer Crime and Security Survey," 38 percent of respondents detected DoS attacks, compared with 11 percent in 2000.
Historically, password attacks, attacks in which a perpetrator gains unauthorized access to network passwords in order to penetrate confidential information, have been the most common type of attacks. When a hacker "cracks" the password of a legitimate user, he has access to that user's network resources and typically a very strong platform for getting access to the rest of the network. For example, in December of 2000, a hacker stole user passwords from the University of Washington Medical Center in Seattle and gained access to files containing confidential information regarding approximately 5000 patients. Hackers can often easily obtain passwords because users typically choose common words or numbers as their passwords, enabling the hacker's use of software programs to methodically determine those passwords. Hackers also deploy social engineering techniques to gain access
A beginner's guide to data, computer and network security
Ronja Addams-Moring, 36750E, TiN
4th November 1997
Home assignment # 7 of 11
Course Tik-110.300 Telecommunication architectures, Fall term 1997
Helsinki University of Technology
The intended audience and scope of this essay
This essay is primarily intended as a practical starting point for such students, faculty and guests at Helsinki University of Technology (HUT) who at the moment find the Finnish language in the Computing Centre (CC) guide "Tietoturva TKK:ssa" too demanding. However, I hope that this essay could be useful for others, too. Any English speaker who wishes to get started with issues concerning data, computer and/or network security and has little prior knowledge of this area should be able to benefit from this text, especially from the References and the Link list.
This essay discusses almost exclusively UNIX computers and TCP/IP networks related issues, often in relation to how things are currently done in the HUT CC campus network (HUTnet). Some short references to Windows 3.1 and Windows 95 based PCs might also be made, but this is definitely not a text on PC security.
Why I wrote this essay
Firstly, I could not find a practical beginner's guide on security issues in English on the Web when a friend needed one. I did find one general tutorial on basic security concepts and issues, though. The searches were done between 22nd October and 3rd November 1997, first in the hut.fi area, then covering "the whole world". Both Yahoo, HotBot and AltaVista were used with several variations of the basic search expression: "(guide or tutorial or beginner) and (data or computer or network) and security".
Secondly, I need to write an essay for my course this week, too. So why not try to get two flies with one blow. As this is a weekly home assignment it is not a complete presentation of the subject of security. However, the References and the Link list seem to have turned out rather nicely. All that Web searching gave something, even if it was not exactly what was originally sought.
Note! If you know of any other documents like this or have other comments, please send me email.
Why should I care about security, anyway?
It is easy to claim that one does not need to worry about computer security, if one does not have anything to hide. By this is often meant that if you are not doing anything questionable and/or the data you have on a computer is not sensitive or valuable, you would not need to "waste your energy" on "being paranoid". Before I became a student of computer networks, I, too, was inclined to buy this argument.
However, over the years I have come to believe that all arguments which are based on the assumption that the innocent and honest do not need any formal or technical protection are plain wrong. Such arguments grossly oversimplify complex issues about our computer networks - and about our communities.
In computer networks, there are at least four basic issues to consider when one tries to assess the need for security measures. The first is the question of how important the information you have on a computer is for you personally, for your group or your laboratory. How much labor would go into reproducing the information if it was destroyed? How big an inconvenience would it be if the information became inaccessible for some length of time? How much damage could result from the information being tampered with, say, altered without your knowledge? 
The second big issue is whether you can put others at risk by following relaxed security practices yourself. In a multi-user multi-computer environment, such as the HUTnet, the answer is always an emphatic yes. If an intruder gets hold of one account on one computer, they can use it as a stepping stone to attack other accounts in the same computer or other computers reachable through the network. Any computer is only as strong against attacks as its most weakly guarded user account or service. 
The third issue, which is especially important in large organizations such as HUT, is who owns and controls the equipment you use. Do you know those people and how much do you trust them? Computer administrators are required by Finnish law as well as the legislation of the EU and other areas of the world, to work ethically - but so are politicians, bank clerks and judges, too. Yet we have seen that every once in a while one of them can slip. So blind trust in unknown people is seldom likely to be a wise policy. 
The fourth issue is akin to the third. Who else uses the computer or the network you are using? Do you know those people and how much do you trust them? Could some other user be curious about, say, your email and try to get to read those files? What about files containing next week's exam questions? Or could someone try to copy your link list for an essay or your program code to get easier points on a home assignment? If they succeeded, could they get you in trouble?
Your personal answers to these questions will naturally vary depending on what your role is at a given time and what kind of data you are handling. In my opinion, though, it would be short-sighted if you did not consider them at all.
Detailed examples of risks related to data, computer and network security are well covered in, for example, the Stoll and Garfinkel books, the Langley guide and RFC 1244. They are warmly recommendable for further study.
Basic security tools, measures and mechanisms
Together with "static" passwords, the file protection mechanisms in UNIX are your two most basic and best standardized security tools. That is why they are presented more in depth in this guide than the other tools.
Passwords are one of the oldest security measures on multi-user computers. They can be compared with a key or a passport: an active user id (login) together with the correct password for it is enough to convince your generic UNIX computer. It will allow the person or program presenting this electronic ID to log on and use the full privileges of the user in question.
When using the computers on HUTnet, you might have several "static" passwords, i.e. passwords you change yourself. These "static" passwords might include (but are by no means limited to):
- Your UNIX password for the CC general use computers
- An optional network password, if you log onto the HUTnet from home using the PPP protocol modems (numbers 6180911 and 451 4380)
- Your home computer password, if it has one
These "static" passwords are usually relatively long-lived. For example, the HUT CC expects you to change your general purpose computers' password every six months. You should therefore choose your passwords with care. In six months' time it is quite possible to crack a poor quality password, either by guessing (based on information about you personally) or by systematically going through word lists.
A good password fills all the following criteria [4, 5, 6]:
- Is at least 8 characters long (only the first 8 are significant, but some additional ones may make the password more logical for you and hence easier to remember)
- Can not be found in any dictionary or other word, name or acronym list in any language. Avoid misspelled words as well - there are several "bad spellers dictionaries".
- Can not be guessed on the basis of your everyday life (not your licence number or student number, not a family member's, pet's nor a favourite actor's name or equivalent)
- Can not be derived from your user information (e.g. not your home directory path, not your user id number)
- Can not be found in any historical timeline concerning any culture (names of important places, wars, peace treaties, warlords, diplomats, ships, geniuses, artists, works of art etc.)
- Does not consist of numbers only
- Does not consist of lower case letters only
- Does not consist of UPPER CASE letters only
- Is never written down anywhere
- Is never the same on different systems (say, on the CC computers and on the CS department computers, e.g. Niksula)
- Is easy and fast for you to type, preferably without your looking at the keyboard
Note that a bad password does not become noticeably better by any of the following letter or syllable replacements:
1 = i or L, 2 = Z, 3 = E, 4 = A, 5 = S, 6 = G, 0 = O,
4 = "for", 2 = "to" or "too", 8 = "ate" or "eigh"
In short: use passwords with lower case and UPPER CASE letters and numbers mixed. You may also throw in some punctuation character(s) - but do choose them from the ones that can easily be found on most keyboard layouts, for example: , . ! # % .
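A sketch of how the mechanically checkable criteria above can be tested, added here as an example and not part of the original essay. The function names, result labels and the tiny word list are assumptions made for illustration; criteria such as "never written down" or "never the same on different systems" cannot be checked by a program.

```python
import re

# Replacements listed in the guide: what each digit may stand for.
REPLACEMENTS = {
    "1": ["i", "l"], "2": ["z", "to", "too"], "3": ["e"], "4": ["a", "for"],
    "5": ["s"], "6": ["g"], "0": ["o"], "8": ["ate", "eigh"],
}

# Constructed sample word list (assumption); a real check needs large
# dictionaries in several languages, plus name and acronym lists.
SAMPLE_WORDS = {"password", "helsinki", "security", "elephant", "formidable"}


def pattern_for(candidate):
    """Build a regex matching every word the candidate could stand for
    once the guide's letter and syllable replacements are undone."""
    parts = []
    for ch in candidate.lower():
        alternatives = [ch] + REPLACEMENTS.get(ch, [])
        parts.append("(?:" + "|".join(re.escape(a) for a in alternatives) + ")")
    return re.compile("".join(parts))


def check_password(password, user_info=(), words=SAMPLE_WORDS):
    """Return the list of criteria the password fails (empty list = none found)."""
    problems = []
    lowered = password.lower()
    if len(password) < 8:
        problems.append("too_short")
    if password.isdigit():
        problems.append("digits_only")
    if password.isalpha() and password.islower():
        problems.append("lower_case_only")
    if password.isalpha() and password.isupper():
        problems.append("upper_case_only")
    # "p4ssw0rd" and "4midable" are still dictionary words in disguise.
    pattern = pattern_for(password)
    if any(pattern.fullmatch(word) for word in words):
        problems.append("dictionary_word")
    # Login name, student number etc., forwards or backwards.
    for item in user_info:
        item = item.lower()
        if item and (item in lowered or item[::-1] in lowered):
            problems.append("derived_from_user_info")
            break
    return problems


if __name__ == "__main__":
    for candidate in ["p4ssw0rd", "4midable", "12345678", "Tk2!vOpe"]:
        print(candidate, check_password(candidate, user_info=["yourid"]))
```

An empty result only means that none of these particular checks fired; it says nothing about the criteria a program cannot see.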
Here are a few examples of methods which, combined with the above described letter or syllable replacements and/or some inserted numbers or punctuation marks, produce good quality passwords [4, 5, 6]:
- Choose a line or two from a song or poem, and use the first letter of each word
- Alternate between one consonant and one or two vowels, up to eight characters. This provides nonsense words which are usually pronounceable, and thus easily remembered.
- Choose two short words from two different languages and concatenate them together with one or more punctuation characters and/or numbers between them.
File and directory protection in UNIX
In UNIX, unlike many personal computer operating systems, you have a home directory, a place of your own in the computers directory tree (often called "file system"). This is the place where you end up when you log on to the computer and where all your files and subdirectories are stored, unless you explicitly tell the computer to do otherwise.
To see what you have under your home directory, type the command "ls -la" in one of the CC UNIX computers (alpha, beta, gamma, delta, vipu, oboe, kantele, setri, kastanja, safiiri or other). The output should resemble this:

    gamma ~ 14 % ls -la
    total ...
    drwx------  23 yourid users  8192 Nov  4 21:58 .
    drwxr-xr-x 141 root   users  8192 Oct 13 11:05 ..
    -rwx------   1 yourid users  1814 Sep 18 17:44 .cshrc
    -rw-------   1 yourid users  3043 Nov  4 21:44 .history
    -rwx------   1 yourid users   351 Mar 23  1993 .login
    drwx------   2 yourid users  8192 Oct 31 15:56 .netscape
    -rw-r--r--   1 yourid users 10351 Oct 20 15:18 .pinerc
    -rw-r--r--   1 yourid users  1073 Sep 18 18:01 .plan
    drwx------  38 yourid users  8192 Nov  3 16:08 mail
    drwx------   2 yourid users  8192 Sep 10 16:03 News
    drwxr-xr-x  11 yourid users  8192 Oct 23 20:09 public_html
    -rw-------   1 yourid users 21167 Sep 12  1996 topi.log
    gamma ~ 15 %

where "yourid" is your user name (your login). The name of the file or directory is always the last "word" on a line.
The first 10 characters on each line of output (for example: "drwxr-xr-x") tell you each file's or subdirectory's mode. The first of these 10 characters tells you whether the object is a directory "d" or a file "-". The next 9 characters are actually three groups of three characters each (rwx) which tell the rights different users of the computer have to that file or directory.
The characters from second to fourth report what rights you have yourself. The next three are related to the group (in the example above "users") and the last three describe what "others" (not you nor your group) may do with that file or directory. Within these groups of three:
- r means the right to Read the file or list the contents of a directory
- w means the right to Write the file or change the contents of a directory by e.g. adding or deleting files in it
- x means the right to execute the file (necessary for files that contain programs you want to use) or move into a directory with the "cd dir" command, where "dir" is the directory name
So, in the example above, as the rights on the first line are "drwx------", only the user in question may look into her/his home directory. Nobody else may do anything within this user's home directory. (The current directory is called ".".)
In this case, however, this seems rather counterproductive, because the user in this example appears to have intended some material to be world-readable. Yet it cannot be seen if the home directory is "closed".
The file ".plan" has the mode "-rw-r--r--", meaning that the user may read and write it and both the group members and others may read it (but not write). The subdirectory "public_html" has the mode "drwxr-xr-x" meaning that everybody (user, group and others) may read the contents and even the contents of the sub-subdirectories under "public_html", if there are any, but the user is the only one who may write (change) the directory.
To change the mode of a file or directory, one uses the command "chmod". The "chmod" command takes as its first argument a three-part character combination, where the first character is one of four letters: u, g, o or a (for "user", "group", "other" or "all", respectively), the next is either + (to add rights) or - (to limit rights) and the last is one of the mode characters, r, w or x. As its second argument "chmod" needs the name of the file(s) or directory/ies to change the mode of.
For example, if this user wants her/his .plan file to show when others use the "finger" command on her/him, or wishes to have a home page on WWW, (s)he should alter her/his home directory mode. The command would be "chmod a+x ~", adding the right to execute (access) the home directory ("~" for short) for all.
On the other hand, after making that change, (s)he may feel that it is unnecessary to let anyone else see what the email program's control file ".pinerc" contains. So (s)he can give the commands "chmod g-r .pinerc" and "chmod o-r .pinerc" to take away the right to read from both group and other.
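The walk-through above can be replayed in code. The following is an added example, not part of the original essay: it parses a few lines of the example listing, applies "chmod" clauses of the three-part form described above, and checks whether "others" can actually reach a file. All function names are assumptions, and special mode characters such as "s" or "t" are not handled.

```python
import re

# A few lines of the guide's example listing, embedded so this runs offline.
LISTING = """\
drwx------  23 yourid users  8192 Nov  4 21:58 .
drwxr-xr-x 141 root   users  8192 Oct 13 11:05 ..
-rw-r--r--   1 yourid users 10351 Oct 20 15:18 .pinerc
-rw-r--r--   1 yourid users  1073 Sep 18 18:01 .plan
drwxr-xr-x  11 yourid users  8192 Oct 23 20:09 public_html
"""

MODE_RE = re.compile(r"[d-](?:[r-][w-][x-]){3}")
FIRST = {"u": 1, "g": 4, "o": 7}  # index where each class's rwx triplet starts


def parse_listing(text):
    """Map each name (last word on a line) to its 10-character mode (first word)."""
    modes = {}
    for line in text.splitlines():
        fields = line.split()
        if fields and MODE_RE.fullmatch(fields[0]):
            modes[fields[-1]] = fields[0]
    return modes


def rights(mode, who):
    """Rights ('r', 'w', 'x') that class 'u', 'g' or 'o' holds in a mode string."""
    start = FIRST[who]
    return {c for c in mode[start:start + 3] if c != "-"}


def chmod(mode, clause):
    """Apply one clause such as 'a+x' or 'g-r' and return the new mode string."""
    m = re.fullmatch(r"([ugoa])([+-])([rwx])", clause)
    if not m or not MODE_RE.fullmatch(mode):
        raise ValueError(f"unsupported mode or clause: {mode!r} {clause!r}")
    who, op, right = m.groups()
    chars = list(mode)
    for cls in ("ugo" if who == "a" else who):
        chars[FIRST[cls] + "rwx".index(right)] = right if op == "+" else "-"
    return "".join(chars)


def others_can_read(dir_modes, file_mode):
    """Others need x on every directory on the way down and r on the file itself."""
    return (all("x" in rights(d, "o") for d in dir_modes)
            and "r" in rights(file_mode, "o"))


def walk_through():
    m = parse_listing(LISTING)
    before = others_can_read([m[".."], m["."]], m[".plan"])  # closed home directory
    home = chmod(m["."], "a+x")                              # chmod a+x ~
    after = others_can_read([m[".."], home], m[".plan"])
    pinerc = chmod(chmod(m[".pinerc"], "g-r"), "o-r")        # hide .pinerc again
    return before, home, after, pinerc


if __name__ == "__main__":
    print(walk_through())
```

After "chmod a+x ~" the home directory is "drwx--x--x": others can reach files whose names they know, but still cannot list the directory, because they have no "r" on it.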
If you want to learn more about the "ls" and "chmod" commands, you can type the command "man ls" or "man chmod" in one of the CC UNIX computers, or, if you prefer a less technical approach, consult some UNIX tutorial.
Other security tools
The more advanced security tools are described briefly, with references to further information.
One time passwords - the s/key system at HUT
It is possible to use one-time passwords when logging onto the HUT CC computers, for added security if you are abroad, for example. However, the instructions only exist in Finnish at the moment.
If you would need one-time passwords, you can visit the Computing Centre's User Services in room U133 in the Main Building. It is open from Mon-Fri 8.00 AM to 3.45 PM. 
Note! If you use one-time passwords, your further connections are not secure. Never use any service that requires a "static" password during a one-time password based session.
Secure remote connections with ssh, slogin and scp
A much more secure way to connect to remote computers, provided that they are also running the programs in question, is to use the SSH programs.
From the HUT CC computers, you can securely use remote computers with the command "ssh host" where "host" is the name of the computer you want to contact. You can also securely copy files from one computer to another over the net with the command "scp sourcefile targetfile" where the syntax of the source and target file names is somewhat more complicated than with the normal "cp" command. You can also securely log onto remote computers, the command is "slogin host".
For further information on ssh, consult the manual pages "man ssh", "man scp" or "man slogin", or, if you prefer a slightly less technical approach, consult the SSH related links in the link list.
Encryption of files and email with PGP
PGP ("Pretty Good Privacy") differs from both s/key and the ssh product family in that it does not secure your connection to a computer, but instead the files that reside on the computer and thus also the messages (e.g. email) composed of such files.
Like s/key, and unlike the ready-to-use ssh (on the HUT CC UNIX computers, that is, where ssh is pre-installed), PGP requires you to take certain steps before you can use it. Most pressingly you will need to create your own public and secret encryption keys and plan on how to keep your secret key(s) safe.
The good news is that there are relatively easy-to-use on-line guides. Consult them and try out PGP's help function with the command "pgp -h".
Final words of encouragement
By now you may have the impression that this security business is only a mess of WWW links and that there are just too many things to learn. Relax. Take your time. Even if you learn nothing else from this document except to use good passwords and adequate file protection, you are still very likely to be much better off than before.
You don't have to learn everything about computer security today or even this week. Most of us aren't able to take in huge amounts of information quickly so that the new knowledge also becomes useful skills in the process (I certainly am not). But if you make a habit of regularly seeking out and coming back to security related Web sites, books, courses and newsgroups, you will steadily accumulate your knowledge and understanding.
A basic understanding of computer network security is fast becoming one of the equivalents to reading and writing skills for the 21st century. Good luck in claiming your part of the global information society!
The link evaluation scales explained
The links in the References and the Link list below have all been evaluated for both their content quality and their intended audience.
The content quality has been judged on a five star scale based on three quality factors (QF) approximately like this:
- ***** = excellent content, structure and language
- **** = good content, structure and language or two of the QF are excellent, one is average
- *** = one of the QF is excellent or good, the other two average or one QF is excellent, one average and one fair
- ** = all QF are average or one good QF, one average and one fair
- * = not one of the QF is exactly good, but for some reason(s) the link is still worth visiting
The intended audience has been judged based on what seems to be the level of expertise required of the person studying the material behind the link. The levels used are: beginner, user, advanced user and administrator/expert.
 Langley Research Center and the University of Virginia's School of Commerce, 28 April 1995
"Langley Data Security Training Tutorial"
A good, in places theoretical introduction to the concepts of data security. Includes a couple of broken links, though.
*** / beginner - advanced user
 Cliff Stoll, 1989
"The Cuckoo's Egg - Tracking a Spy Through the Maze of Computer Espionage"
Pocket Books, ISBN 0-671-72688-9
Old but good - reads like a detective story yet more informative than many an educational publication
**** / beginner - admin/expert
 Simson Garfinkel, 1995
"PGP: Pretty Good Privacy"
O'Reilly & Associates Inc, ISBN 1-56592-098-8
All you ever thought of asking about PGP. Well written, too, and the history of PGP is quite enlightening. Not very new, though.
**** / beginner - admin/expert
 P. Holbrook and J. Reynolds, July 1991
"RFC 1244 - Site Security Handbook"
A guide for security in e.g. a company network. Technical and long, very authoritative
**** / user - admin/expert
 Kai Vorma, 20 May 1997
"Tietoturva TKK:ssa" (In Finnish)
A general data security guide, clear and concise
***** / beginner - admin/expert
 Jukka Korpela, 14 April 1997
"Unix-opas" (In Finnish)
A general UNIX guide, clear and concise
***** / beginner - advanced user
 Personal communication from the HUT CC customer service personnel, 30 October 1997
 Jukka Korpela ja Raija Kukkonen, 7 June 1997
"Palvelupisteet ja yhteystiedot" (In Finnish)
Where and when you can find the HUT CC customer service personnel
(link not scaled - no technical information)
Information about the Internet
Information on WWW
Information on SSH
Information on PGP
General security information
- Ministry of Justice, 29 September 1997
Ministry of Justice and the Legal System of Finland
All the basics about the Finnish judicial system
***** / beginner - admin/expert
- Ministry of Justice and Oy Edita Ab, 28 October 1997
Database of the Laws in Finland (in Finnish and Swedish)
All Finnish laws collected in a searchable index
**** / beginner - admin/expert
- email@example.com, 17 October 1997
A common front end for six search engines, the user interface is a little strange
*** / user - admin/expert
- firstname.lastname@example.org, 18. September 1997
A quite inclusive list on different search engines. On a Finnish page, under the second subtitle (shown above).
**** / beginner - admin/expert
Ronja Addams-Moring <email@example.com>