Network security

from Wikipedia, the free encyclopedia

Network security is not a single fixed term; it comprises all measures for planning, implementing and monitoring security in computer networks. These measures are not only technical. They also concern the organization (e.g. guidelines that regulate what network operators are permitted to do), operation (how can security be applied in the network in practice without disrupting day-to-day operations?) and, finally, the law (which measures may be used at all?).

Further detail

Security can only ever be judged in relative terms; it is not a fixed state. On the one hand, the value of the data circulating in the network must be taken into account; on the other, the network is constantly changing through expansion and technical development, and the security architecture must change with it. Gains in security are often accompanied by higher hurdles in everyday use.

The topic of security often begins with the question of how a network can be protected against external access (firewall / DMZ). Users may use the network's resources only after identification and subsequent authentication and authorization. Computers are often monitored so that the compromise of a machine in the network can be detected; this can be done internally (is the data still consistent? have changes occurred?) or externally (are the computer's services still reachable and functional?). Potential data loss through faulty software, operator error, negligence or age-related hardware failure is countered by backups that are then stored separately. Security holes in software are countered by installing software updates promptly. Security can be raised further by using software that is considered secure, e.g. because it is released under an open source licence and its code can be reviewed; conversely, software considered insecure can be banned. Training users can create an awareness of the problems and of the fact that the network's data is valuable. The user should then understand the measures and not undermine them, for instance by writing complicated passwords on slips of paper stuck to the monitor. Finally, physical access to the network itself can be restricted by means of access controls.

As networking over the Internet grows, network security plays an ever more important role. Company infrastructures are becoming more complex, and more and more information has to be available and/or managed online ...

Possible attacks

Networks are diverse, and so are the ways of attacking them. In many cases several attacks are combined to reach a single goal.

Attacks on software (implementations)

Since communication networks always consist of a (large) number of systems, it is very often these systems that are attacked over the network. Many attacks target weaknesses in software (implementations):

  • Buffer overflow - especially in programs written in C, a frequent error is that a write runs past the end of a buffer and overwrites other data or control information
  • Stack smashing - here a buffer overflow in a program's stack overwrites control data such as the saved return address, so that malicious routines can be injected and executed (exploit)
  • Format string attacks - output routines such as printf use a format string to control the output. Crafted format directives can be used to read and overwrite memory areas.
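Worked example, added here and not part of the article: the two defects the list names, side by side in C. greet_unsafe shows the unbounded copy into a stack buffer and the user-controlled format string; greet_safe is the hardened form, which bounds every write by the destination size and keeps user data out of the format string. It writes into a caller-supplied buffer instead of stdout so the result can be checked. The function names and the 16-byte buffer size are the example's own choices.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern (illustration only; never call it with untrusted input):
 * strcpy() does not know the size of buf, so a name of 16 or more bytes
 * overwrites whatever lies above buf on the stack, up to and including the
 * saved return address (stack smashing).  printf(buf) then treats the name as
 * a format string, so "%x" leaks stack words and "%n" writes to memory. */
void greet_unsafe(const char *name) {
    char buf[16];
    strcpy(buf, name);      /* stack buffer overflow */
    printf(buf);            /* format string vulnerability */
    putchar('\n');
}

/* Hardened form: snprintf() never writes more than outlen bytes, and the
 * format string is a constant, so user data is only ever an argument.
 * Returns 0 on success and -1 if the greeting did not fit (the output is
 * truncated, not overflowed, and always NUL-terminated). */
int greet_safe(const char *name, char *out, size_t outlen) {
    if (out == NULL || outlen == 0) return -1;
    int n = snprintf(out, outlen, "Hello, %s", name);
    if (n < 0 || (size_t)n >= outlen) {
        out[outlen - 1] = '\0';   /* snprintf has terminated already; be explicit */
        return -1;
    }
    return 0;
}

int main(void) {
    char out[16];
    /* constructed input: a name containing format directives */
    int rc = greet_safe("%x%x%n", out, sizeof out);
    printf("%s (rc=%d)\n", out, rc);   /* the directives are printed literally */
    return 0;
}
```

The point of returning -1 on truncation rather than silently cutting the string is that a caller can distinguish "fit" from "did not fit"; silent truncation of, say, a path or a hostname is itself a classic source of later bugs.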

Attacks on network protocols

  • Man-in-the-middle attack - if no mutual authentication takes place, an attacker impersonates each communication partner to the other (e.g. telnet, rlogin, SSH, GSM, Cisco's XAUTH)
  • Unauthorized use of resources - if no secure authentication or secure authorization exists (e.g. rlogin)
  • Reading of data and control information - all unencrypted protocols, such as POP3, IMAP, SMTP, Telnet, rlogin, http
  • Injection of data or information - any protocol without sufficient message authentication, such as POP3, SMTP, Telnet, rlogin, http
  • Tunnels can be used to embed traffic in permitted protocols (e.g. http) and thereby circumvent firewall rules. A more detailed description can be found under [1].
    • Example: the SSH client establishes a connection via https and the proxy to a server outside the internal network, bypassing the rules that govern SSH traffic to the outside. The connection can also be reversed, so that a connection is established from outside into the internal network.
    • Controlling this requires appropriate rules in the proxy, in effect restricting the CONNECT or POST methods. The URL filter UfdbGuard can detect and block https tunnels.
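Added example (not from the article, and not UfdbGuard's code) of the two controls the tunnelling item describes, in C: a proxy policy that serves CONNECT only towards the HTTPS port, and a check on the first bytes a client sends into the tunnel, which separates a genuine TLS handshake from an SSH client that has been pointed at an SSH server listening on 443. The request lines and the banner are constructed inputs; the function names are the example's own.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Decide whether a proxy may serve a CONNECT request line.  A raw tunnel is
 * handed out only for the HTTPS port, so "CONNECT host:22" (an SSH tunnel
 * request) is refused.  Returns 1 = allow, 0 = refuse.  Host allowlisting
 * is left to the caller. */
int connect_allowed(const char *request_line) {
    char method[16], target[256], version[16];
    if (sscanf(request_line, "%15s %255s %15s", method, target, version) != 3)
        return 0;
    if (strcmp(method, "CONNECT") != 0)
        return 0;                      /* only CONNECT is judged here */
    const char *colon = strrchr(target, ':');
    if (colon == NULL || colon[1] == '\0')
        return 0;                      /* CONNECT needs host:port */
    for (const char *p = colon + 1; *p; p++)
        if (!isdigit((unsigned char)*p)) return 0;
    return strtol(colon + 1, NULL, 10) == 443;
}

/* Even a CONNECT to port 443 can carry SSH if the SSH server listens there.
 * TLS opens with a handshake record (0x16, 0x03, 0x0x); SSH opens with the
 * clear-text identification string "SSH-".  Looking at the first bytes the
 * client sends into the tunnel tells the two apart.
 * Return values: 1 = matches, 0 = does not match, -1 = not enough data yet. */
int tunnel_payload_is_tls(const unsigned char *data, size_t len) {
    if (len < 3) return -1;
    return data[0] == 0x16 && data[1] == 0x03 && data[2] <= 0x04;
}

int tunnel_payload_is_ssh(const unsigned char *data, size_t len) {
    if (len < 4) return -1;
    return memcmp(data, "SSH-", 4) == 0;
}

int main(void) {
    /* constructed inputs */
    const char *req[] = { "CONNECT mail.example.org:443 HTTP/1.1",
                          "CONNECT shell.example.org:22 HTTP/1.1" };
    const unsigned char ssh_banner[] = "SSH-2.0-example_1.0\r\n";
    for (int i = 0; i < 2; i++)
        printf("%s -> %s\n", req[i], connect_allowed(req[i]) ? "allow" : "refuse");
    printf("first bytes look like SSH: %d\n",
           tunnel_payload_is_ssh(ssh_banner, sizeof ssh_banner - 1));
    return 0;
}
```

The port check alone is what most proxies do; the payload check is what a filter such as the one the article names adds, and it is the part that catches the "SSH on 443" variant. Neither check sees inside a real TLS session, so an SSH client wrapped in genuine TLS (for example through stunnel) still passes; that is why the article speaks of restricting methods rather than of a complete solution.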

Attacks on the network structure

  • Overloading a service is known as a denial-of-service attack (DoS); attacks carried out from many sources at once are called distributed denial-of-service attacks (DDoS). Attacks that need only a single packet, such as the TCP SYN attack, are particularly problematic, since the sender address, and with it the origin, can be forged.
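Added example, not part of the article, showing the two things this item relies on in C: a half-open connection count over constructed packet records, which is how a SYN flood becomes visible (many SYNs whose forged sources never complete the handshake), and an ingress filter that drops packets arriving from the Internet with a source address that could only be ours or non-routable, which is the standard border control against forged senders. The internal prefix 10.0.0.0/8, the victim address, the packet records and the threshold are all assumptions of the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TH_SYN 0x02
#define TH_ACK 0x10
#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                         ((uint32_t)(c) << 8) | (uint32_t)(d))

struct pkt {
    uint32_t src, dst;       /* IPv4 addresses as host-order integers */
    uint16_t dport;
    uint8_t  tcp_flags;
    int      from_external;  /* 1 if received on the Internet-facing interface */
};

/* Ingress filter: a packet arriving from the Internet can never legitimately
 * carry a source from our own network (assumed 10.0.0.0/8) or from a
 * non-routable range, so it is forged and should be dropped at the border. */
int is_spoofed_ingress(const struct pkt *p) {
    if (!p->from_external) return 0;
    uint32_t s = p->src;
    if ((s & 0xFF000000u) == IP4(10, 0, 0, 0))    return 1;  /* our own prefix */
    if ((s & 0xFF000000u) == IP4(127, 0, 0, 0))   return 1;  /* loopback */
    if ((s & 0xFFF00000u) == IP4(172, 16, 0, 0))  return 1;  /* 172.16.0.0/12 */
    if ((s & 0xFFFF0000u) == IP4(192, 168, 0, 0)) return 1;  /* 192.168.0.0/16 */
    return 0;
}

/* Count SYNs to (dst, dport) whose source never follows up with an ACK.
 * A flood of forged SYNs shows up as many such half-open entries. */
size_t half_open_count(const struct pkt *pkts, size_t n, uint32_t dst, uint16_t dport) {
    size_t count = 0;
    for (size_t i = 0; i < n; i++) {
        const struct pkt *p = &pkts[i];
        if (p->dst != dst || p->dport != dport) continue;
        if ((p->tcp_flags & (TH_SYN | TH_ACK)) != TH_SYN) continue;  /* SYN only */
        int completed = 0;
        for (size_t j = i + 1; j < n; j++) {
            const struct pkt *q = &pkts[j];
            if (q->src == p->src && q->dst == dst && q->dport == dport &&
                (q->tcp_flags & TH_ACK)) { completed = 1; break; }
        }
        if (!completed) count++;
    }
    return count;
}

int syn_flood_suspected(const struct pkt *pkts, size_t n, uint32_t dst,
                        uint16_t dport, size_t threshold) {
    return half_open_count(pkts, n, dst, dport) >= threshold;
}

/* Constructed sample: one legitimate client, then a small SYN flood. */
#define VICTIM IP4(203, 0, 113, 10)
static const struct pkt sample[] = {
    { IP4(198, 51, 100, 7), VICTIM, 80, TH_SYN, 1 },
    { IP4(198, 51, 100, 7), VICTIM, 80, TH_ACK, 1 },   /* handshake completed */
    { IP4(10, 1, 2, 3),     VICTIM, 80, TH_SYN, 1 },   /* forged: claims our prefix */
    { IP4(192, 0, 2, 1),    VICTIM, 80, TH_SYN, 1 },
    { IP4(192, 0, 2, 2),    VICTIM, 80, TH_SYN, 1 },
    { IP4(192, 0, 2, 3),    VICTIM, 80, TH_SYN, 1 },
};
#define SAMPLE_LEN (sizeof sample / sizeof sample[0])

size_t sample_half_open(void) { return half_open_count(sample, SAMPLE_LEN, VICTIM, 80); }
size_t sample_spoofed(void) {
    size_t c = 0;
    for (size_t i = 0; i < SAMPLE_LEN; i++) c += is_spoofed_ingress(&sample[i]);
    return c;
}

int main(void) {
    printf("half-open to victim:80 = %zu, spoofed ingress packets = %zu\n",
           sample_half_open(), sample_spoofed());
    return 0;
}
```

Note what the ingress filter cannot do: it only rejects sources that are impossible on that interface. A SYN forged with any other routable address passes it, which is why the half-open count (and, on the host, SYN cookies) is still needed.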

Disguising attacks

  • Fragmentation of packets, especially with overlapping fragments, can be used to hide attacks from intrusion detection systems
  • Spoofing - forging (usually sender) addresses to disguise the origin of packets (see also firewall)
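Added example, not from the article, of why overlapping fragments defeat a detector: a reassembler in C that resolves overlaps either in favour of the fragment seen first or of the one seen last. Operating systems differ in which rule they apply, so if the sensor reassembles one way and the target host the other, the sensor inspects a different byte stream from the one the host executes. The two fragments, the 64-byte payload limit and the function names are the example's own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_PAYLOAD 64

struct frag {
    size_t offset;     /* position of this fragment in the reassembled payload */
    size_t len;
    const char *data;
};

enum overlap_policy { FIRST_WINS, LAST_WINS };

/* Reassemble fragments into out, which must hold MAX_PAYLOAD + 1 bytes.
 * Bytes covered by more than one fragment are resolved by policy:
 * FIRST_WINS keeps what an earlier fragment wrote, LAST_WINS lets a later
 * fragment overwrite.  Returns the total payload length, or -1 if a
 * fragment would fall outside the buffer. */
int reassemble(const struct frag *frags, size_t n, enum overlap_policy policy, char *out) {
    unsigned char filled[MAX_PAYLOAD] = {0};
    size_t total = 0;
    memset(out, 0, MAX_PAYLOAD + 1);
    for (size_t i = 0; i < n; i++) {
        const struct frag *f = &frags[i];
        if (f->offset > MAX_PAYLOAD || f->len > MAX_PAYLOAD - f->offset) return -1;
        for (size_t k = 0; k < f->len; k++) {
            size_t pos = f->offset + k;
            if (!filled[pos] || policy == LAST_WINS) out[pos] = f->data[k];
            filled[pos] = 1;
        }
        if (f->offset + f->len > total) total = f->offset + f->len;
    }
    return (int)total;
}

/* Constructed evasion: the second fragment overlaps bytes 5..14 of the first. */
static const struct frag evasion[] = {
    { 0, 15, "GET /index.html" },   /* innocuous request, arrives first */
    { 5, 10, "admin.html" },        /* overlapping rewrite, arrives later */
};

int reassemble_sample(enum overlap_policy policy, char *out) {
    return reassemble(evasion, 2, policy, out);
}

int main(void) {
    char out[MAX_PAYLOAD + 1];
    reassemble_sample(FIRST_WINS, out); printf("first wins: %s\n", out);
    reassemble_sample(LAST_WINS, out);  printf("last wins:  %s\n", out);
    return 0;
}
```

A sensor that keeps the first fragment reports a request for index.html, while a host that honours the later fragment serves admin.html. The usual countermeasures are to normalise traffic (drop or rewrite overlapping fragments at the border) or to configure the sensor with the reassembly policy of the hosts it protects.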

Related attacks (tending to be favoured by the distributed structure)

  • Social engineering is the use of social means to reach certain goals, e.g. to get past a password prompt.
  • Passwords can be obtained in order to gain access to services. If this is done by trying every possibility, it is called a brute-force attack.
  • Careless installations can let an attack with default passwords succeed.
  • Data coming from outside is not checked for validity but accepted as "correct" (tainted data; cross-site scripting and SQL injection).
  • Flooding with pointless or unsolicited e-mail is called UBE ("unsolicited bulk e-mail") and, when it is advertising, UCE ("unsolicited commercial e-mail").
  • Worms, Trojan horses, dialers or viruses
  • Gullibility and the technical ease of faking websites are exploited by phishing.
  • Gullibility leads users to run unknown programs sent to them by e-mail.
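Added example, not part of the article, covering two items of this list in C: the tainted-data item, with an output encoder that never places untrusted text into an HTML page unchanged (the cross-site scripting case), and the brute-force and default-password items, with a per-account failure counter that locks the account and stops checking passwords once the limit is reached. The account record, the plain-text password (a real system stores a hash), the limits and the function names are the example's own assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* HTML output encoding.  Returns the length written, or -1 if the escaped
 * text does not fit in outlen; nothing is written past the end and out is
 * always NUL-terminated when outlen > 0. */
int html_escape(const char *in, char *out, size_t outlen) {
    size_t w = 0;
    if (outlen == 0) return -1;
    for (const char *p = in; *p; p++) {
        const char *rep;
        switch (*p) {
            case '<':  rep = "&lt;";   break;
            case '>':  rep = "&gt;";   break;
            case '&':  rep = "&amp;";  break;
            case '"':  rep = "&quot;"; break;
            case '\'': rep = "&#39;";  break;
            default:   rep = NULL;
        }
        size_t need = rep ? strlen(rep) : 1;
        if (w + need >= outlen) { out[w] = '\0'; return -1; }  /* keep room for NUL */
        if (rep) memcpy(out + w, rep, need); else out[w] = *p;
        w += need;
    }
    out[w] = '\0';
    return (int)w;
}

/* Lockout against password guessing: after MAX_FAILURES consecutive failures
 * the account is locked for LOCKOUT_SECONDS and further attempts are refused
 * without checking the password, so they reveal nothing and cost nothing. */
#define MAX_FAILURES 5
#define LOCKOUT_SECONDS 300

struct account {
    const char *name;
    const char *password;   /* constructed sample; real systems store a hash */
    int failures;
    long locked_until;      /* unix time; 0 = not locked */
};

enum login_result { LOGIN_OK, LOGIN_BAD_PASSWORD, LOGIN_LOCKED };

enum login_result login(struct account *a, const char *attempt, long now) {
    if (a->locked_until > now) return LOGIN_LOCKED;
    if (strcmp(a->password, attempt) == 0) {   /* real code: constant-time hash compare */
        a->failures = 0;
        a->locked_until = 0;
        return LOGIN_OK;
    }
    if (++a->failures >= MAX_FAILURES) {
        a->failures = 0;
        a->locked_until = now + LOCKOUT_SECONDS;
    }
    return LOGIN_BAD_PASSWORD;
}

int main(void) {
    char out[64];
    struct account acct = { "admin", "correct horse", 0, 0 };   /* constructed */
    html_escape("<script>alert(1)</script>", out, sizeof out);
    printf("%s\n", out);
    for (int i = 0; i < 6; i++)   /* six guesses of the vendor default "admin" */
        printf("attempt %d: %d\n", i, login(&acct, "admin", 1000 + i));
    return 0;
}
```

Two design points worth noting. The encoder refuses rather than truncates when the output does not fit, because a cut-off entity such as "&lt" is itself malformed markup. The lockout counts only consecutive failures, so a user who mistypes once is not penalised, while a guessing script pays a five-minute wait for every five attempts; on the server side the check costs one comparison while locked, which also blunts the resource side of the attack.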

Prevention

The preventive measures are as diverse as the attack options. The user is identified by means of authentication and assigned the rights to which he is entitled (authorization). With single sign-on, only a single login should be necessary to use all permitted resources. Kerberos, which now forms the basis of Windows domain networks, is very common; it was originally developed at MIT.

The security of computer networks is the subject of international standards for quality assurance. Important standards here are above all the American TCSEC and the European ITSEC standards, as well as the newer Common Criteria. In Germany, security is usually certified by the Federal Office for Information Security (BSI).

Protocols, Architectures and Components

  • Kerberos - for authentication, authorization and accounting
  • X.509 - standard for certificates and their infrastructure
  • IPsec - the most powerful (and most complex) protocol for protecting connections
  • SSL / TLS - the most widely used security protocol. It protects http, for example, which is then referred to as https.
  • S/MIME, PGP - standards for protecting e-mail
  • EAP - a modular authentication protocol used e.g. in WPA, TLS and IPsec
  • Firewalls - for filtering packets; forged packets can be selectively discarded here
  • IDSs - detect attacks
  • Honeypots - for quickly detecting known security gaps and attack vectors

Literature

  • Roland Bless et al.: Secure Network Communication. Basics, Protocols and Architectures. Springer, Berlin et al. 2005, ISBN 3-540-21845-9 (X.systems.press).
  • Hacker's Guide. Security on the Internet and in the Local Network. Limited special edition. Markt-und-Technik-Verlag, Munich 2001, ISBN 3-8272-6136-8 (New Technology).
  • Günter Schäfer: Network Security. Algorithmic Basics and Protocols. dpunkt-Verlag, Heidelberg 2003, ISBN 3-89864-212-7 (dpunkt.lehrbuch).
  • Markus Schumacher, Utz Rödig, Marie-Luise Moschgath: Hacker Contest. Security Problems, Solutions, Examples. Springer, Berlin et al. 2003, ISBN 3-540-41164-X (Xpert.press).
  • Christoph Sorge, Nils Gruschka, Luigi Lo Iacono: Security in Communication Networks. Oldenbourg Wissenschaftsverlag, Munich 2013, ISBN 978-3-486-72016-7.
  • Clifford Stoll: The Cuckoo's Egg. The Hunt for the German Hackers Who Cracked the Pentagon. Updated new edition. Fischer-Taschenbuch-Verlag, Frankfurt am Main 1998, ISBN 3-596-13984-8 (Fischer 13984).
  • Steffen Wendzel, Johannes Plötner: Practical Handbook of Network Security: Risk Analysis, Methods and Implementation. (Optimal network and server protection for Unix, Linux and Windows systems. VPN, OpenVPN, IT baseline protection, penetration testing, viruses, worms and Trojans.) 2nd updated and expanded edition. Galileo Press, Bonn 2007, ISBN 978-3-89842-828-6 (Galileo Computing). Available as a download from ResearchGate.net.
