How do you know if your system is meeting your security goals?

You can verify that controls are working, but how do you know if they are getting the job done?

What auditing practices or procedures would you implement for your organization? Why?

Deliverables:

Provide information from your readings to support your statements. Your well-written essay should be 4-5 pages in length, not including the cover and reference pages, incorporating at least two academic resources from the Library in addition to the case study. Cite all sources using academic writing standards and APA style guidelines found in the Library, citing references as appropriate.

William Stallings
Effective Cybersecurity
1st Edition

Lecture slides prepared for “Effective Cybersecurity”, 1/e, by William Stallings.

Chapter 12

Networks and Communications

This chapter provides a survey of security and security management issues related to two broad and related topics: networks and electronic communications. The chapter begins with an overview of network management concepts. Following this are sections covering firewalls and virtual private networks. With this background, the chapter then addresses the specific security concerns involved with network management. Next, the chapter examines electronic communications in the enterprise environment, including email, instant messaging, voice over IP networks, and telephony and conferencing.

(Table is on page 393 in the textbook)

Table 12.1 ISO Management Functional Areas

Table 12.1 lists key functions of network management, as suggested by the International Organization for Standardization (ISO) in ISO 7498-4, Open Systems Interconnection—Basic Reference Model—Part 4: Management Framework. A much more detailed description of these network management functions is contained in ITU-T (International Telecommunication Union Telecommunication Standardization Sector) M.3400, Telecommunications Management Functions. These categories provide a useful way of organizing this discussion of requirements.

Fault management

To maintain proper operation of a complex network, make sure that systems as a whole, as well as each essential component individually, are in proper working order. When a fault occurs, it is important to do the following as rapidly as possible:

Determine exactly where the fault is

Isolate the rest of the network from the failure so it continues to function without interference

Reconfigure or modify the network in such a way as to minimize the impact of operation without the failed component or components

Repair or replace the failed components to restore the network to its initial state

Central to the definition of fault management is the fundamental concept of a fault, as distinguished from an error. A fault is an abnormal condition that causes a device or system component to fail to perform in a required manner and that requires management attention (or action) for repair. A fault is usually indicated by failure to operate correctly or by excessive errors. For example, if a communications line is physically cut, no signals get through. Or a crimp in the cable can cause wild distortions so that there is a persistently high bit error rate. Certain errors (for example, a single bit error on a communication line) can occur occasionally and are not normally considered to be faults. It is usually possible to compensate for errors using the error control mechanisms of the various protocols.

Users expect fast and reliable problem resolution. Most end users tolerate occasional outages. When these infrequent outages do occur, however, users generally expect to receive immediate notification and expect the problem be corrected almost immediately. Providing such a level of fault resolution requires very rapid and reliable fault detection and diagnostic management functions. The impact and duration of faults are also minimized by the use of redundant components and alternate communication routes, to give the network a degree of fault tolerance. An organization should make sure the fault management capability is redundant to increase network reliability.

Users expect to be kept informed of the network status, including both scheduled and unscheduled disruptive maintenance. Users expect reassurance of correct network operation through mechanisms that use confidence tests or that analyze dumps, logs, alerts, or statistics. After correcting a fault and restoring a system to its full operational state, the fault management service must ensure that the problem is truly resolved and that no new problems are introduced. This requirement is called problem tracking and control.

To satisfy requirements, fault management generally includes functions to do the following:

Maintain and examine error logs

Accept and act upon error detection notifications

Trace and identify faults

Carry out sequences of diagnostic tests

Correct faults

As with other areas of network management, fault management should have minimal effect on network performance
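
The distinction drawn above between occasional errors (absorbed by protocol error control) and a fault (a persistent or hard failure needing management action), together with the problem-tracking requirement that a fault be confirmed resolved, is easiest to see in code. The following is an added example, not code from the text or slides: a small fault manager fed constructed per-interval interface counters (bits received, bit errors, carrier present). The thresholds BER_FAULT, PERSIST and CLEAR are assumed policy values, and the link names and samples are made up.

```python
"""Fault versus error: open a fault only on a hard or persistent failure.

Added example for the fault-management discussion; not code from the text.
Counter samples and policy thresholds are constructed/assumed.
"""
from dataclasses import dataclass

# Assumed policy values.
BER_FAULT = 1e-6   # an interval with a bit error rate above this is "excessive"
PERSIST = 3        # consecutive excessive intervals before a fault is opened
CLEAR = 3          # consecutive clean intervals before an open fault is closed


@dataclass
class Sample:
    """Counters read from one interface during one polling interval."""
    link: str
    bits: int        # bits received in the interval
    errors: int      # bit errors detected by the link-layer check
    carrier: bool    # physical signal present?


@dataclass
class LinkState:
    bad_streak: int = 0
    good_streak: int = 0
    fault_open: bool = False


class FaultManager:
    def __init__(self):
        self.links = {}

    def observe(self, s):
        """Feed one sample; return the fault events it raised (usually none)."""
        st = self.links.setdefault(s.link, LinkState())
        ber = s.errors / s.bits if s.bits else 0.0
        excessive = (not s.carrier) or ber > BER_FAULT
        raised = []
        if excessive:
            st.bad_streak += 1
            st.good_streak = 0
            # Loss of carrier is a hard fault and opens immediately; a high
            # error rate must persist for PERSIST intervals first.
            if not st.fault_open and (not s.carrier or st.bad_streak >= PERSIST):
                st.fault_open = True
                cause = ("no carrier" if not s.carrier
                         else f"BER {ber:.1e} for {st.bad_streak} intervals")
                raised.append(f"FAULT {s.link}: {cause}")
        else:
            # Isolated errors are absorbed by protocol error control; they are
            # not faults and do not count toward one.
            st.bad_streak = 0
            st.good_streak += 1
            # Problem tracking: the fault is closed only once the link has
            # stayed clean for CLEAR intervals, not on the first good sample.
            if st.fault_open and st.good_streak >= CLEAR:
                st.fault_open = False
                raised.append(f"RESOLVED {s.link}: clean for {CLEAR} intervals")
        return raised


def run(samples):
    """Replay a sample history and collect every event in order."""
    fm = FaultManager()
    events = []
    for s in samples:
        events.extend(fm.observe(s))
    return events


# Constructed polling history for three links.
SAMPLES = [
    # A: one isolated single-bit error -> not a fault
    Sample("A", 10_000_000, 1, True),
    Sample("A", 10_000_000, 0, True),
    # B: crimped cable -> persistently high error rate, then repaired
    Sample("B", 10_000_000, 500, True),
    Sample("B", 10_000_000, 700, True),
    Sample("B", 10_000_000, 650, True),   # third excessive interval: fault opens
    Sample("B", 10_000_000, 0, True),
    Sample("B", 10_000_000, 2, True),     # BER 2e-7 is still "clean"
    Sample("B", 10_000_000, 0, True),     # third clean interval: resolved
    # C: cut cable -> no signal at all, opens at once
    Sample("C", 0, 0, False),
]

if __name__ == "__main__":
    for event in run(SAMPLES):
        print(event)
```

Link A never raises an event, link B raises one FAULT and one RESOLVED, and link C raises a FAULT on its first sample. The CLEAR streak is what keeps a flapping link from being reported as fixed while it is still failing.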

Accounting management

In many enterprise networks, individual divisions or cost centers, or even individual project accounts, are charged for the use of network services. These are internal accounting procedures rather than actual cash transfers, but they are important to the participating users nevertheless. Furthermore, even if no such internal charging is employed, a network manager needs to be able to track the use of network resources by user or user class for a number of reasons, including the following:

A user or group of users may abuse their access privileges and burden the network at the expense of other users.

Users can make inefficient use of the network, and the network manager can assist in changing procedures to improve performance.

The network manager is in a better position to plan for network growth if user activity is known in sufficient detail.

A network manager must specify the kinds of accounting information to be recorded at various nodes, the desired interval between successive transmissions of the recorded information to higher-level management nodes, and the algorithms used in calculating the charging.

To limit access to accounting information, the accounting facility must provide the capability to verify users’ authorization to access and manipulate that information.

To satisfy requirements accounting management generally includes functions to do the following:

Inform users of costs incurred or resources consumed

Enable accounting limits to be set and tariff schedules to be associated with the use of resources

Enable costs to be combined where multiple resources are invoked to achieve a given communication objective
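
The accounting functions listed above (reporting consumption, setting limits with a tariff schedule, combining costs across the resources one session used, and restricting who may read the accounting data) can be shown with a short charge-back routine. This is an added example, not code from the text: the tariff, the per-cost-center limits, the reader roles and the usage records are all constructed.

```python
"""Accounting management: charge-back, accounting limits, and access to the data.

Added example for the accounting-management discussion; not code from the
text. Tariffs, limits, roles and usage records are constructed/assumed.
"""
from collections import defaultdict

# Tariff schedule (assumed): cost units per megabyte, per network resource.
TARIFF = {"wan": 0.02, "vpn": 0.05, "internet": 0.01}

# Accounting limits (assumed): cost units per period, per cost center.
LIMITS = {"eng": 50.0, "sales": 10.0}

# Roles authorized to read accounting information (assumed).
ACCOUNTING_READERS = {"netops", "finance"}


def charge(record):
    """Cost of one usage record, combining every resource the session used."""
    return sum(TARIFF[res] * mb for res, mb in record["resources"].items())


def summarize(records):
    """Totals by cost center and by individual user."""
    by_center, by_user = defaultdict(float), defaultdict(float)
    for r in records:
        c = charge(r)
        by_center[r["center"]] += c
        by_user[r["user"]] += c
    return dict(by_center), dict(by_user)


def over_limit(by_center):
    """Cost centers whose consumption exceeded their accounting limit."""
    return {c: round(v, 2) for c, v in by_center.items()
            if v > LIMITS.get(c, float("inf"))}


def heaviest_users(by_user, n=1):
    """Users burdening the network most; where to look first for abuse."""
    return sorted(by_user, key=by_user.get, reverse=True)[:n]


def read_accounting(role, records):
    """Accounting data is itself access-controlled: verify the reader's role."""
    if role not in ACCOUNTING_READERS:
        raise PermissionError(f"role {role!r} may not read accounting data")
    return summarize(records)


# Constructed usage records (megabytes per resource). A session that crossed
# both the WAN link and the VPN concentrator is one communication objective
# and is charged for both resources.
RECORDS = [
    {"user": "alice", "center": "eng",   "resources": {"wan": 400, "vpn": 100}},
    {"user": "bob",   "center": "eng",   "resources": {"internet": 1000}},
    {"user": "carol", "center": "sales", "resources": {"internet": 300}},
    {"user": "carol", "center": "sales", "resources": {"wan": 500, "vpn": 200}},
]

if __name__ == "__main__":
    by_center, by_user = read_accounting("netops", RECORDS)
    print("by cost center:", by_center)
    print("over limit:", over_limit(by_center))
    print("heaviest user:", heaviest_users(by_user))
```

With these records "sales" exceeds its limit on the strength of one user's traffic, which is exactly the abuse-of-privilege case the text lists as a reason to track usage per user even when no money changes hands.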

Configuration management

Modern data communication networks are composed of individual components and logical subsystems (for example, the device driver in an operating system) that are configured to perform many different applications. The same device, for example, can be configured to act either as a router or as an end system node or both. Once it is decided how a device is to be used, the configuration manager chooses the appropriate software and set of attributes and values (for example, a transport layer retransmission timer) for that device.

Configuration management is concerned with initializing a network and gracefully shutting down part or all of the network. It is also concerned with maintaining, adding, and updating the relationships among components and the status of components during network operation.

Startup and shutdown operations on a network are part of configuration management. It is often desirable for these operations on certain components to be performed unattended (for example, starting up or shutting down a network interface unit). A network manager needs to be able to identify initially the components that comprise the network and to define the desired connectivity of those components. Those who regularly configure a network with the same or a similar set of resource attributes need ways to define and modify default attributes and to load those predefined sets of attributes into the specified network components. A network manager needs to be able to change the connectivity of network components when users’ needs change. Reconfiguration of a network is often desired in response to performance evaluation or in support of network upgrade, fault recovery, or security checks.

Users often need to, or want to, be informed of the status of network resources and components. Therefore, when changes in configuration occur, the network or system manager should notify users of these changes. The network or system manager should also generate configuration reports either on some routine periodic basis or in response to a request for such a report. Before reconfiguration, users often want to inquire about the upcoming status of resources and their attributes.

Network managers usually want only authorized users (operators) to manage and control network operation (for example, software distribution and updating).

To satisfy requirements, configuration management generally includes functions to do the following:

Set the parameters that control the routine operation of the system

Associate names with managed objects and sets of managed objects

Initialize and close down managed objects

Collect information on demand about the current condition of the system

Obtain announcements of significant changes in the condition of the system

Change the configuration of the system

Performance management

Modern data communications networks are composed of many and varied components, which must intercommunicate and share data and resources. In some cases, it is critical to the effectiveness of an application that the communication over the network be within certain performance limits. Performance management of a computer network comprises two broad functional categories: monitoring and controlling. Monitoring is the function that tracks activities on the network. The controlling function enables performance management to make adjustments to improve network performance. Some of the performance issues of concern to a network manager are as follows:

What is the level of capacity utilization?

Is there excessive traffic?

Has throughput been reduced to unacceptable levels?

Are there bottlenecks?

Is response time increasing?

To deal with these concerns, a network manager must focus on some initial set of resources to be monitored to assess performance levels. This includes associating appropriate metrics and values with relevant network resources as indicators of different levels of performance. For example, what count of retransmissions on a transport connection is considered to be a performance problem requiring attention? Performance management, therefore, must monitor many resources to provide the information needed to determine the network's operating level. By collecting this information, analyzing it, and feeding the results back into the prescribed set of threshold values, a network manager becomes more and more adept at recognizing situations that indicate present or impending performance degradation.

Before using a network for a particular application, a user may want to know such things as the average and worst-case response times and the reliability of network services. Thus, performance must be known in sufficient detail to respond to specific user queries. End users expect network services to be managed in such a way as to afford their applications consistently good response time.

Network managers need performance statistics to help them plan, manage, and maintain large networks. Performance statistics are used to recognize potential bottlenecks before they cause problems to end users, and they enable network managers to take appropriate corrective action. In the short term, this action typically takes the form of changing routing tables to balance or redistribute the traffic load, either during times of peak use or when a bottleneck is identified by a rapidly growing load in one area. Over the long term, capacity planning based on such performance information indicates the proper decisions to make, for example, with regard to expansion of lines in that area.

To satisfy requirements, performance management generally includes functions to do the following:

Gather statistical information

Maintain and examine logs of system state histories

Determine system performance under natural and artificial conditions

Alter system modes of operation for the purpose of conducting performance management activities
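
The text asks what count of retransmissions should be treated as a performance problem, and notes that the answer comes from feeding collected statistics back into the prescribed values. One way to do that, as an added example that is not code from the text, is an adaptive baseline: the threshold is derived from the metric's own recent history instead of a fixed number. The retransmission counts and the tuning parameters (window, k, floor) are constructed and assumed.

```python
"""Performance monitoring with an adaptive baseline.

Added example for the performance-management discussion; not code from the
text. The retransmission counts and tuning parameters are constructed/assumed.
"""
from collections import deque
from statistics import mean, pstdev


class BaselineMonitor:
    """Flag a sample that deviates from the metric's own recent baseline.

    The baseline is the mean of the last `window` accepted samples; a sample
    more than `k` standard deviations above it is flagged. Flagged samples are
    not fed back into the baseline, so a developing problem cannot quietly
    raise the very threshold that should catch it.
    """

    def __init__(self, window=10, k=3.0, min_samples=5, floor=1.0):
        self.history = deque(maxlen=window)
        self.k = k
        self.min_samples = min_samples
        self.floor = floor   # minimum spread: a flat baseline must not be hypersensitive

    def threshold(self):
        """Current alert threshold, or None while the baseline is still forming."""
        if len(self.history) < self.min_samples:
            return None
        spread = max(pstdev(self.history), self.floor)
        return mean(self.history) + self.k * spread

    def observe(self, value):
        """Return the threshold the sample broke, or None if it was normal."""
        thr = self.threshold()
        if thr is not None and value > thr:
            return thr
        self.history.append(value)
        return None


def scan(samples, **kw):
    """Replay a metric history; return (index, value, threshold) per anomaly."""
    mon = BaselineMonitor(**kw)
    flagged = []
    for i, v in enumerate(samples):
        thr = mon.observe(v)
        if thr is not None:
            flagged.append((i, v, round(thr, 1)))
    return flagged


# Constructed per-minute retransmission counts on one transport connection:
# steady state, three minutes of congestion building on a link, then recovery.
RETRANSMITS = [2, 3, 1, 2, 4, 3, 2, 3, 2, 1, 3, 2, 9, 12, 15, 2, 3]

if __name__ == "__main__":
    for i, v, thr in scan(RETRANSMITS):
        print(f"minute {i}: {v} retransmissions exceeds baseline threshold {thr}")
```

Minutes 12 to 14 are flagged against a threshold of about 5.3 that the monitor learned from the quiet minutes before them; a fixed threshold chosen for a busier link would have missed the first minute of the ramp or fired constantly on this one.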

Security management

Security management is concerned with generating, distributing, and storing encryption keys. Passwords and other authorization or access control information must be maintained and distributed. Security management is also concerned with monitoring and controlling access to computer networks and access to all or part of the network management information obtained from the network nodes. Logs are an important security tool, and therefore security management is very much involved with the collection, storage, and examination of audit records and security logs, as well as with the enabling and disabling of these logging facilities.

Security management provides facilities for protection of network resources and user information. Network security facilities should be available for authorized users only.

Users want to know that the proper security policies are in force and effective and that the management of security facilities is itself secure.

The purpose of security management is to support the application of security policies by means of functions that include the following:

The creation, deletion, and control of security services and mechanisms

The distribution of security-related information

The reporting of security-related events

Network management system

A network management system is a collection of tools for network monitoring and control that is integrated in the following senses:

A single operator interface with a powerful but user-friendly set of commands for performing most or all network management tasks

A minimal amount of separate equipment, as most of the hardware and software required for network management is incorporated into the existing user equipment

A network management system consists of incremental hardware and software additions implemented among existing network components. The software used in accomplishing the network management tasks resides in the host computers and communications processors (for example, front-end processors, terminal cluster controllers, switches, routers). A network management system is designed to view the entire network as a unified architecture, with addresses and labels assigned to each point and the specific attributes of each element and link known to the system. The active elements of the network provide regular feedback of status information to the network control center. In this context, the term element refers to network devices and end systems attached to the network.

Figure 12.1 suggests the principal components of a network management system. Each network node contains a collection of software devoted to the network management task, referred to in the diagram as a network management entity (NME).

Each NME performs the following tasks:

■ Collects statistics on communications and network-related activities

■ Stores statistics locally

■ Responds to commands from the network control center, including commands to do the following:

Transmit collected statistics to the network control center

Change a parameter (for example, a timer used in a transport protocol)

Provide status information (for example, parameter values, active links)

Generate artificial traffic to perform a test

■ Sends messages to the network control center (NCC) when local conditions undergo significant changes

At least one host in the network is designated as the network control host, or manager. In addition to the NME software, the network control host includes a collection of software called the network management application (NMA). The NMA includes an operator interface to allow an authorized user to manage the network. The NMA responds to user commands by displaying information and/or by issuing commands to NMEs throughout the network. This communication is carried out using an application-level network management protocol that employs the communications architecture in the same fashion as any other distributed application.

Every other node in the network that is part of the network management system includes an NME and, for purposes of network management, is referred to as an agent. Agents include end systems that support user applications as well as nodes that provide a communications service, such as front-end processors, cluster controllers, bridges, and routers.

As depicted in Figure 12.1, the network control host communicates with and controls the NMEs in other systems. For maintaining high availability of the network management function, two or more network control hosts are used. In normal operation, one of the hosts is actively used for control, while the others are idle or simply collecting statistics. If the primary network control host fails, the backup system is used.

In a traditional centralized network management scheme, one host in the configuration has the role of a network management station; there can be one or two other management stations in a backup role. The remainder of the devices on the network contain agent software and a local database to allow monitoring and control from the management station. As networks grow in size and traffic load, such a centralized system is unworkable. Too much burden is placed on the management station, and there is too much traffic, with reports from every single agent having to wend their way across the entire network to headquarters. In such circumstances, a decentralized, distributed approach works best (see the example in Figure 12.2). In a decentralized network management scheme, there can be multiple top-level management stations, which are referred to as management servers. Each such server can directly manage a portion of the total pool of agents. However, for many of the agents, the management server delegates responsibility to an intermediate manager. The intermediate manager plays the role of manager to monitor and control the agents under its responsibility. It also plays an agent role to provide information and accept control from a higher-level management server. This type of arrangement spreads the processing burden and reduces total network traffic.

Cisco has developed a hierarchical network management architecture [CISC07] based on ITU M.3400, as shown in Figure 12.3.

The element management layer provides an interface to the network devices and communications links in order to monitor and control them. This layer captures events and fault occurrences through a combination of direct polling and unsolicited notification by network elements. Management function modules provide interfaces to specific elements, allowing elements from different manufacturers to be incorporated under a single network management system.

The network management layer (NML) provides a level of abstraction that does not depend on the details of specific elements. In terms of event management, this layer takes input from multiple elements (which in reality can be different applications), correlates the information received from the various sources (also referred to as root-cause analysis), and identifies the event that actually occurred. The NML provides a level of abstraction above the element management layer in that operations personnel are not “weeding” through potentially hundreds of unreachable or node-down alerts but instead are focusing on the actual event, such as the failure of an area border router. Thus, this layer performs a filtering function, providing only a more aggregated view of the network, through a common database shared across all five management functional areas, as well as a trouble ticketing facility.

The service management layer is responsible for adding intelligence and automation to filtered events, event correlation, and communication between databases and incident management systems. The goal is to move traditional network management environments and the operations personnel from element management (managing individual alerts) to network management (managing network events) to service management (managing identified problems).
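
Two of the points above, the intermediate manager that spreads load and cuts traffic in a decentralized scheme, and the network management layer's root-cause analysis that collapses hundreds of unreachable alerts into one event, come together in the following added example. It is not Cisco's or Stallings' code: the site topology, the alert burst and the manager names are constructed, and the correlation rule (an unreachable node is explained by its unreachable upstream router) is the simplest one that demonstrates the idea.

```python
"""Root-cause correlation in a hierarchical management system.

Added example for the decentralized-management and network-management-layer
passages; not Cisco's or Stallings' code. Topology and alerts are constructed.
"""

# Constructed topology as seen by one intermediate manager: each managed
# node maps to the router it sits behind; routers map to None (the core).
TOPOLOGY = {
    "rtr-a": None, "rtr-b": None,
    "host-a1": "rtr-a", "host-a2": "rtr-a", "host-a3": "rtr-a",
    "host-b1": "rtr-b", "host-b2": "rtr-b",
}


def correlate(raw_alerts, topology):
    """Reduce element-layer alerts to network-layer events.

    An 'unreachable' alert for a node is explained by an 'unreachable' alert
    for its upstream router. Only unexplained alerts become events; each event
    lists the directly dependent nodes it explains. Other alert types pass
    through unchanged.
    """
    down = {a["node"] for a in raw_alerts if a["type"] == "unreachable"}
    explained = {n for n in down if topology.get(n) in down}
    events = []
    for node in sorted(down - explained):
        symptoms = sorted(c for c, up in topology.items() if up == node and c in down)
        events.append({"root_cause": node, "detail": "unreachable", "symptoms": symptoms})
    for a in raw_alerts:
        if a["type"] != "unreachable":
            events.append({"root_cause": a["node"], "detail": a["type"], "symptoms": []})
    return events


class IntermediateManager:
    """Manager toward its agents, agent toward the management server."""

    def __init__(self, name, topology):
        self.name = name
        self.topology = topology
        self.inbox = []

    def receive(self, alert):
        """Manager role: collect an unsolicited notification from an agent."""
        self.inbox.append(alert)

    def report(self):
        """Agent role: send the server correlated events, not raw alerts."""
        events = correlate(self.inbox, self.topology)
        summary = {"from": self.name, "received": len(self.inbox),
                   "forwarded": len(events), "events": events}
        self.inbox = []
        return summary


# Constructed alert burst: rtr-a fails, so every host behind it also times
# out; host-b2 is down on its own and host-b1 reports a different problem.
ALERTS = [
    {"node": "rtr-a",   "type": "unreachable"},
    {"node": "host-a1", "type": "unreachable"},
    {"node": "host-a2", "type": "unreachable"},
    {"node": "host-a3", "type": "unreachable"},
    {"node": "host-b2", "type": "unreachable"},
    {"node": "host-b1", "type": "high-error-rate"},
]


def demo():
    im = IntermediateManager("im-site1", TOPOLOGY)
    for alert in ALERTS:
        im.receive(alert)
    return im.report()


if __name__ == "__main__":
    r = demo()
    print(f"{r['received']} alerts in, {r['forwarded']} events out")
    for e in r["events"]:
        print(e)
```

Six alerts enter the intermediate manager and three events leave it: the router failure carrying its three host symptoms, the independent host-b2 outage, and the error-rate alert. The top-level server never sees the host-a* alerts individually, which is both the traffic reduction and the "managing events, not alerts" shift the text describes.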

Firewalls

The firewall is an important complement to host-based security services such as intrusion detection systems. Typically, a firewall is inserted between the premises network and the Internet to establish a controlled link and to erect an outer security wall or perimeter. The aim of this perimeter is to protect the premises network from Internet-based attacks and to provide a single choke point where security and auditing are imposed. Firewalls are also deployed internally in an enterprise network to segregate portions of the network.

A firewall provides an additional layer of defense, insulating internal systems from external networks or other parts of the internal network. This follows the classic military doctrine of “defense in depth,” which is applicable to IT security.

Firewall characteristics

“Network Firewalls” [BELL94] lists the following design goals for a firewall:

■ All traffic from inside to outside, and vice versa, must pass through the firewall. This is achieved by physically blocking all access to the local network except via the firewall. Various configurations are possible, as explained later in this chapter.

■ Only authorized traffic, as defined by the local security policy, is allowed to pass. Various types of firewalls are used, and they implement various types of security policies, as explained later in this chapter.

■ The firewall itself is immune to penetration. This implies the use of a hardened system with a secured operating system. Trusted computer systems are suitable for hosting a firewall and often required in government applications.

Firewalls use four techniques to control access and enforce the site’s security policy:

Service control

Determines the types of Internet services that can be accessed—inbound or outbound

The firewall can filter traffic on the basis of IP address, protocol, or port number; provide proxy software that receives and interprets each service request before passing it on; or host the server software itself, such as a web or mail service

Direction control

Determines the direction in which particular service requests are initiated and allowed to flow through the firewall

User control

Controls access to a service according to which user is attempting to access it

This feature is typically applied to users inside the firewall perimeter (local users)

It can also be applied to incoming traffic from external users, though this requires some form of secure authentication technology, such as that provided in IP Security (IPsec)

Behavior control

Controls how particular services are used
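
The four techniques above, and the design goals earlier (everything passes through the firewall, only policy-authorized traffic passes, default deny), can be exercised against a handful of packets. The following is an added example, not code from the text: the premises prefix, rule table, SMTP limits and packets are constructed, the packet model is a simplified TCP 5-tuple with a direction and a SYN flag rather than a parsed frame, and the `user` field stands in for an authenticated user-to-address binding that a real deployment would have to obtain from something like IPsec or 802.1X, as the text notes.

```python
"""A minimal packet-policy enforcer showing the four control techniques.

Added example for the firewall discussion; not code from the text. Addresses,
rules, limits and packets are constructed; `user` is assumed to come from an
authenticated binding outside this example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

PREMISES = ip_network("10.0.0.0/8")          # the network behind the firewall


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    direction: str            # "in": Internet -> premises, "out": premises -> Internet
    sport: int = 0
    syn: bool = False         # connection-initiating segment
    user: Optional[str] = None
    payload: str = ""


# Service control and direction control: which services may be *initiated*,
# in which direction, to which destinations, and (user control) by whom.
# Anything not listed is denied; replies are admitted only via state.
RULES = [
    # (direction, dport, destination network, allowed users or None for anyone)
    ("out", 443, "0.0.0.0/0",    None),
    ("out", 22,  "0.0.0.0/0",    {"netops"}),
    ("in",  25,  "10.0.1.25/32", None),      # only the mail relay accepts inbound SMTP
]

# Behavior control (assumed limits): how an admitted service may be used.
MAX_SMTP_LINE = 64
BLOCKED_SMTP_COMMANDS = ("VRFY", "EXPN")    # account-enumeration commands


class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.established = set()   # (client, server, service port)

    def _direction_is_honest(self, pkt):
        """Anti-spoofing: an 'in' packet must not claim a premises source."""
        inside = ip_address(pkt.src) in PREMISES
        return pkt.direction == ("out" if inside else "in")

    def _authorized(self, pkt):
        for direction, dport, net, users in self.rules:
            if (pkt.direction, pkt.dport) != (direction, dport):
                continue
            if ip_address(pkt.dst) not in ip_network(net):
                continue
            if users is not None and pkt.user not in users:
                continue
            return True
        return False

    def _behaves(self, pkt, service_port):
        if service_port == 25:
            if len(pkt.payload) > MAX_SMTP_LINE:
                return False
            if pkt.payload.upper().startswith(BLOCKED_SMTP_COMMANDS):
                return False
        return True

    def decide(self, pkt):
        """Return 'ACCEPT' or 'DROP'. The default is DROP."""
        if not self._direction_is_honest(pkt):
            return "DROP"
        forward = (pkt.src, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.src, pkt.sport)
        if forward in self.established:            # more data from the client
            return "ACCEPT" if self._behaves(pkt, pkt.dport) else "DROP"
        if reverse in self.established:            # reply from the server
            return "ACCEPT"
        if not pkt.syn:                            # unsolicited and no state
            return "DROP"
        if not self._authorized(pkt) or not self._behaves(pkt, pkt.dport):
            return "DROP"
        self.established.add(forward)
        return "ACCEPT"


def run(packets):
    fw = Firewall(RULES)
    return [fw.decide(p) for p in packets]


# Constructed traffic, in order.
PACKETS = [
    Packet("10.0.5.7", "93.184.216.34", 443, "out", sport=51000, syn=True, user="alice"),   # ACCEPT
    Packet("93.184.216.34", "10.0.5.7", 51000, "in", sport=443),                            # ACCEPT (reply)
    Packet("198.51.100.9", "10.0.5.7", 443, "in", sport=40000, syn=True),                   # DROP (direction)
    Packet("198.51.100.9", "10.0.5.7", 51001, "in", sport=443),                             # DROP (no state)
    Packet("10.0.5.8", "203.0.113.5", 22, "out", sport=51002, syn=True, user="bob"),        # DROP (user)
    Packet("10.0.5.9", "203.0.113.5", 22, "out", sport=51003, syn=True, user="netops"),     # ACCEPT
    Packet("198.51.100.9", "10.0.1.25", 25, "in", sport=40001, syn=True, payload="EHLO x"), # ACCEPT
    Packet("198.51.100.9", "10.0.1.25", 25, "in", sport=40001, payload="VRFY root"),        # DROP (behavior)
    Packet("10.0.0.1", "10.0.1.25", 25, "in", sport=40002, syn=True),                       # DROP (spoofed)
]

if __name__ == "__main__":
    for p, verdict in zip(PACKETS, run(PACKETS)):
        print(f"{verdict:6} {p.direction:3} {p.src} -> {p.dst}:{p.dport}")
```

Each packet exercises one technique: the inbound 443 SYN is refused by direction control even though outbound 443 is allowed; the unsolicited "reply" with no matching state is dropped; bob is refused SSH by user control while netops is not; the mail relay accepts SMTP but the VRFY command is cut off by behavior control; and a packet arriving from outside with a premises source address is dropped before any rule is consulted. Note that `_behaves` inspects an application-layer line, which is proxy-level work; a pure packet filter could not make that last decision.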
