
Thread: Data Protection for LANs

  #1 (Join Date: May 2008, Posts: 267)

    Data Protection for LANs

    In this guide we will discuss the classification of threats, the methods and means of information protection, the key concepts in the field of cryptography, the classic methods of encryption and standard cryptographic systems, and software data protection (both built into the OS and external).


    Judging by the growing number of publications and of companies professionally engaged in the protection of information in computer systems, great importance is attached to this task. One of the most obvious causes of a breach of protection is deliberate unauthorized access to confidential information by illegitimate users and the subsequent undesirable manipulation of that information. Information security is the set of measures taken to prevent the diversion, theft, loss, unauthorized destruction, distortion, modification (forgery), unauthorized copying, blocking, etc. of information. Since loss of information can also occur for purely technical, objective and unintentional reasons, this definition also covers measures related to improving the reliability of the server against disk faults or failures, defects in the software used, etc.

    It should be noted that alongside the term "information security" (as applied to computer networks), the term "computer security" is widely used, usually with a close meaning.

    The transition from working on stand-alone personal computers to working in a network complicates the protection of information for the following reasons:
    1. the large number of users in the network and their changing composition. Protection at the level of user name and password is not sufficient to prevent unauthorized persons from entering the network;
    2. the considerable length of the network and the presence of many potential channels of penetration into it;
    3. weaknesses in hardware and software that are often discovered not at the preliminary stage called beta testing but during operation. This includes the imperfect built-in data protection even in such well-known and "powerful" network operating systems as Windows NT or NetWare.


    The seriousness of the problem is connected with the length of the cable runs, one segment of which is coaxial cable. A network has many natural points and channels of unauthorized access to information. Each device in the network is a potential source of electromagnetic radiation, since the corresponding fields, especially at high frequencies, are imperfectly shielded. The grounding system, together with the cable system and the power network, can serve as channels of access to information in the network, including in areas outside the zone of controlled access, and they are therefore especially vulnerable. In addition to electromagnetic radiation, there is the potential threat of contactless electromagnetic influence on the cable system. Of course, if a wired connection such as coaxial cable or twisted pair (often called copper cable) is used, a direct physical connection to the cable system is also possible. If the passwords for logging into the network are known or guessed, unauthorized entry into the network from a file server or a workstation becomes possible. Finally, leakage of information through channels outside the network is possible:
    • storage media;
    • elements of building structures and windows, which form channels of leakage of confidential information through the so-called microphone effect;
    • telephone, radio and other wired and wireless channels (including mobile communication channels).


    Any additional connections to other segments or a connection to the Internet pose new problems. Attacks on a local network through an Internet connection in order to gain access to confidential information have recently become widespread because of the flawed information-protection system embedded in the TCP/IP protocols. Network attacks via the Internet can be classified as follows:
    • Packet sniffer (sniffer, here in the sense of filtering): an application that uses a network card operating in promiscuous (non-discriminating) mode (in this mode the network adapter passes all packets received on the physical channel to the application for processing).
    • IP spoofing (spoof: deception, hoax): occurs when a hacker, inside or outside the corporation, impersonates an authorized user.
    • Denial of service (DoS). A DoS attack makes the network unavailable for normal use by exceeding the permissible operating limits of the network, operating system or application.
    • Password attack: an attempt to pick a legitimate user's password in order to log into the network.
    • Man-in-the-middle attacks: direct access to the packets transmitted over the network.
    • Attacks at the application level.
    • Network reconnaissance: gathering information about the network using publicly available data and applications.
    • Abuse of trust within the network.
    • Unauthorized access, which cannot be considered a separate type of attack, since the majority of network attacks are carried out in order to gain unauthorized access.
    • Viruses and "Trojan horse" applications.
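To make the first item in that list concrete, here is an added example (not part of the original post) of what a sniffer on a promiscuous-mode adapter sees: a minimal Ethernet/IPv4/TCP dissector run over a small capture constructed inline. The hosts, ports and the "alice"/"s3cret!" login are made up. The last frame carries an opaque payload to show that the same sniffer learns nothing from a session whose contents are encrypted, which is the reason the later posts turn to cryptography.

```python
"""What a sniffer on a promiscuous-mode adapter sees: a minimal Ethernet/IPv4/TCP
dissector run over frames constructed inline. Added example, not part of the
original post; the hosts, ports and credentials below are made up."""
import struct

ETHERTYPE_IPV4 = b"\x08\x00"
PROTO_TCP = 6


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Construct an Ethernet II / IPv4 / TCP frame for the sample capture
    (IP and TCP checksums are left at zero; dissection does not verify them)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + ETHERTYPE_IPV4
    total_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, 64, PROTO_TCP, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def dissect(frame):
    """Return (src, dst, sport, dport, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != PROTO_TCP:
        return None
    total_len = struct.unpack("!H", ip[2:4])[0]
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return src, dst, sport, dport, tcp[data_off:]


def extract_credentials(frames):
    """Scan every frame the adapter handed up and pull out FTP/POP3-style
    USER/PASS lines. Returns (src, dst, dport, line) tuples."""
    found = []
    for frame in frames:
        parsed = dissect(frame)
        if parsed is None:
            continue
        src, dst, _sport, dport, payload = parsed
        for line in payload.split(b"\r\n"):
            if line[:5] in (b"USER ", b"PASS "):
                found.append((src, dst, dport, line.decode("ascii", "replace")))
    return found


# Constructed sample capture: a cleartext FTP login, an ARP frame, and a
# connection whose payload is opaque (what an encrypted session looks like).
SAMPLE_FRAMES = [
    build_frame("192.168.1.10", "192.168.1.5", 40001, 21, b"USER alice\r\n"),
    build_frame("192.168.1.5", "192.168.1.10", 21, 40001, b"331 Password required\r\n"),
    build_frame("192.168.1.10", "192.168.1.5", 40001, 21, b"PASS s3cret!\r\n"),
    bytes.fromhex("ffffffffffff" "001122334455" "0806") + bytes(28),
    build_frame("192.168.1.10", "192.168.1.5", 40002, 990, bytes(range(16, 48))),
]

if __name__ == "__main__":
    for hit in extract_credentials(SAMPLE_FRAMES):
        print(hit)
```

Run stand-alone it prints the two credential hits from the FTP session and nothing for the ARP frame or the opaque connection. Reading live traffic instead of the constructed list needs a raw socket in promiscuous mode and administrator rights, which is exactly why a shared-medium LAN with cleartext protocols is the weak point the post describes.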

  #2

    Re: Data Protection for LANs

    The classification of information security

    Protection of information in a network (Fig. 9.1) can be improved through the use of special noise generators that mask spurious electromagnetic radiation and interference, line filters, power-line noise devices, scramblers (telephone-call encoders), cellular-phone jammers, etc. A radical solution is to move the connections to optical fiber, which is free from the influence of electromagnetic fields and allows unauthorized connections to be detected.

    In general, the means of ensuring the protection of information, as far as the prevention of deliberate action is concerned, can be divided into the following groups depending on the method of implementation:
    1. Technical (hardware) means. These are devices of various kinds (mechanical, electromechanical, electronic, etc.) that solve information-security problems in hardware. They either physically prevent penetration or, if penetration has nonetheless occurred, prevent access to the information, including by masking it. The first part of the problem is solved by locks, bars on windows, security alarm systems, etc.; the second by the noise generators, line filters, scanning radios and many other devices mentioned above, which "switch off" potential channels of information leakage or allow them to be detected. The advantages of technical means are related to their reliability, independence from subjective factors, and high resistance to modification. The weaknesses are insufficient flexibility, relatively large volume and weight, and high cost.
    2. Software means include programs for user identification, access control, encryption of information, removal of residual (working) information such as temporary files, test monitoring of the protection system, etc. The advantages of software means are universality, flexibility, reliability, ease of installation, and the ability to be modified and developed. The disadvantages are limited network functionality, use of part of the resources of file servers and workstations, high sensitivity to accidental or deliberate change, and possible dependence on the type of computer (its hardware).
    3. Mixed hardware/software means implement the same functions as hardware and software separately and have intermediate properties.
    4. Organizational means consist of organizational-technical measures (preparation of rooms with computers, laying of a cable system that takes into account the requirements for restricting access to it, etc.) and organizational-legal measures (national legislation and the rules of work established by the management of a particular enterprise). The advantages of organizational means are that they allow many diverse problems to be solved, are simple to implement, react quickly to unwanted actions in the network, and have unlimited possibilities for modification and development. The disadvantages are a high dependence on subjective factors, including the overall organization of work in a particular unit.


    Given their degree of distribution and accessibility, software tools are the ones considered in more detail below (see "Standard methods of encryption and cryptographic systems" and "Software data protection"). Other means are applied when it is necessary to provide an additional level of data protection.

    Data encryption is a kind of software information-security means and is of particular importance in practice as the only reliable protection against leakage of information transmitted over long serial lines. Encryption forms the last, practically insurmountable "line" of protection against unauthorized access. The term "encryption" is often used in connection with the more general notion of cryptography. Cryptography includes the ways and means of ensuring the confidentiality of information (including by means of encryption) and authentication. Confidentiality is the protection of information from disclosure of its content to persons who do not have the right of access to it. Authentication, in turn, is the verification of the authenticity of various aspects of information interaction: the communication session, the parties (identification), the content, and the source (authorship, established by means of a digital signature).

    The number of encryption programs is limited, and some of them are de facto standards. However, even if the encryption algorithm is not secret, decryption without knowledge of the private key is extremely difficult. This property is achieved in modern encryption programs by a multistep process of transformation of the original open information (plaintext in the English literature) using a key (or two keys, one each for encryption and decryption). Ultimately, any complex encryption method (algorithm) is a combination of relatively simple methods.

  #3

    Re: Data Protection for LANs

    Standard methods of encryption and cryptographic systems

    The US encryption standard DES (Data Encryption Standard), adopted in 1976, belongs to the group of symmetric encryption methods and works in 16 rounds. The key length is 56 bits; 8 further bits serve for parity checking (even/odd parity). For a long time the resistance of this method to cryptanalysis was considered sufficient, but it is now outdated. DES has been replaced by "triple DES" (3DES), in which the DES algorithm is applied three times, usually in the sequence "encrypt, decrypt, encrypt" with a different key for each stage.

    The IDEA algorithm (International Data Encryption Algorithm), developed in Switzerland, is considered reliable and has a key length of 128 bits.

    The domestic (Russian) GOST 28147-89 is an analogue of DES but with a key length of 256 bits, so its resistance to cryptanalysis is initially much higher. It is also important that in this case a system of protection is provided that overcomes the "generic" shortcoming of symmetric encryption methods, namely the possibility of substituting messages. Such additions as hash functions and digital signatures make it possible to "authenticate" messages.

    The advantages of symmetric encryption methods include the high speed of encryption and decryption; the shortcomings include a low degree of protection if the key has become available to third parties.

    Asymmetric encryption methods, or public-key systems, are very popular, especially when using e-mail and the Internet. This group of methods includes, among others, PGP (Pretty Good Privacy). Each user has a pair of keys. The public keys are used for encryption and are freely distributed over the network, but they do not permit decryption. Decryption requires the secret (private) key. The principle of encryption in this case is based on the use of so-called one-way functions. The direct function x -> f(x) is easily computed on the basis of the open algorithm (the key). The reverse transformation f(x) -> x without knowledge of the private key is difficult and must take a long time, which determines the degree of one-wayness of the function.

    The idea of a public-key system can be explained as follows (Table 9.3). To encrypt a message, one can take an ordinary telephone book, in which the subscribers' names are arranged in alphabetical order with the telephone number next to each. The user has a choice in matching a symbol of the source text to a subscriber's name, i.e. the system is polyalphabetic, and its resistance to decryption is therefore higher. A legitimate user has a "reverse" telephone directory, in which the first column contains the numbers arranged in ascending order, and decrypts easily. Anyone without it faces a tedious and often impractical direct search through the directory to find the right telephone numbers. This is a practical realization of a hard-to-compute function. As an encryption method in itself, the telephone directory is hardly promising, if only because nothing prevents a potential cracker from compiling the "reverse" directory. However, the methods of this group that are used in practice protect well enough in terms of security.

    Table 9.3. An example of encryption in a public-key system


    Another well-known public-key system is RSA.

    Asymmetric encryption methods have advantages and disadvantages that are the reverse of those of symmetric methods. In particular, asymmetric methods, using special service messages and their analysis, make it possible to implement authentication (verifying the legitimacy of the source of information) and integrity (absence of substitution) of data. In doing so, the encryption and decryption operations are performed with the user's public and private keys. Thus, asymmetric systems can with good reason be classed as complete cryptographic systems. In contrast to symmetric encryption methods, the problem of key distribution for asymmetric ones is solved by simpler methods: the key pair (public and private) is generated "on the spot" with the help of special programs. Technologies such as LDAP (Lightweight Directory Access Protocol) are used to distribute public keys. The distributed keys can be pre-encrypted using symmetric encryption methods.

    The traditional and modern cryptographic means of ensuring authentication and integrity checking of data (hash functions and digital signatures) that are implemented directly by the parties to the exchange are not the only ones possible. There is also a method involving a third party trusted by all parties to the exchange. This concerns so-called digital certificates: messages sent over the network with a digital signature, certifying the authenticity of public keys.
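The public-key mechanics described in this post (encrypt with the public key, decrypt with the private one; sign with the private key, verify with the public one; a one-way function that is easy forward and hard backward) can be seen end to end in a toy RSA implementation. This is an added example, not code from the original post or from PGP/RSA products. It uses only the Python standard library, a 512-bit modulus and no padding purely so that the mechanism is visible; the `demo()` function also shows the caveat a practitioner would want, namely that unpadded RSA ciphertexts can be multiplied together, which is why real systems apply OAEP/PSS padding and use 2048-bit or larger keys.

```python
"""Toy textbook RSA to make the public-key ideas in the post concrete.
Added example, not part of the original post. Real deployments use
2048-bit or larger moduli and OAEP/PSS padding; the unpadded form here
exists only to show the mechanism (and, in demo(), why padding matters)."""
import hashlib
import secrets


def is_probable_prime(n, rounds=32):
    """Miller-Rabin probabilistic primality test (error < 4**-rounds)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # random witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                          # a proves n composite
    return True


def random_prime(bits):
    """Random prime with exactly `bits` bits (top and bottom bit forced to 1)."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def generate_keypair(bits=512):
    """Return (public, private) as ((n, e), (n, d)); e fixed at 65537."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return (p * q, e), (p * q, pow(e, -1, phi))


def encrypt(pub, m):
    """Anyone with the public key can do this: c = m^e mod n (the easy direction)."""
    n, e = pub
    return pow(m, e, n)


def decrypt(priv, c):
    """Only the private-key holder can invert it: m = c^d mod n."""
    n, d = priv
    return pow(c, d, n)


def sign(priv, message):
    """Hash-then-sign: the SHA-256 digest is raised to the private exponent."""
    n, d = priv
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(h, d, n)


def verify(pub, message, signature):
    """Anyone can check a signature with the public key; the hash binds it to the content."""
    n, e = pub
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(signature, e, n) == h


def demo():
    """Round trip, a genuine and a tampered signature, and the malleability caveat."""
    pub, priv = generate_keypair(512)
    n = pub[0]
    m = int.from_bytes(b"meet at 9", "big")
    roundtrip_ok = decrypt(priv, encrypt(pub, m)) == m
    msg = b"transfer 100 to bob"
    sig = sign(priv, msg)
    genuine = verify(pub, msg, sig)
    tampered = verify(pub, b"transfer 900 to bob", sig)
    # Caveat: unpadded RSA is malleable. Multiplying a ciphertext by E(2)
    # yields a valid ciphertext of 2*m without knowing the private key.
    forged = decrypt(priv, (encrypt(pub, m) * encrypt(pub, 2)) % n) == 2 * m
    return roundtrip_ok, genuine, tampered, forged


if __name__ == "__main__":
    print(demo())  # (True, True, False, True)
```

The `tampered` result is what the post calls "absence of substitution": changing one digit of the message breaks the signature even though the signature itself was not touched. The `forged` result is the reason the textbook scheme above must not be used as-is.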

  #4

    Re: Data Protection for LANs

    Software data protection

    Network operating systems have built-in data protection, but, as already noted, it cannot always completely solve the problems arising in practice. For example, the NetWare 3.x and 4.x network operating systems provide reliable "layered" protection of data against hardware failures and damage. Novell's SFT (System Fault Tolerance) system consists of three main levels:
    SFT Level I provides, among other things, the creation of additional copies of the FAT and Directory Entry Tables, immediate verification of every data block newly written to the file server, and a reserve of about 2% of the capacity of each hard disk. When a fault is detected, the data is redirected to the reserved disk area, and the faulty block is marked as "bad" and is not used subsequently.
    SFT Level II additionally includes the ability to create "mirror" disks, as well as duplication of disk controllers, power supplies and interface cables.
    SFT Level III allows the use of duplicated network servers, one of which is the "main" server while the second holds a copy of all information and takes over the work in the event of failure of the "main" server.

    The system of access control and restriction in NetWare networks (protection against unauthorized access) also contains several levels:
    the initial access level (including user name and password, and a system of account restrictions such as explicit permission or prohibition of working at particular times, the permissible time in the network, the space on the hard disk occupied by the user's personal files, etc.);
    the user-rights level (restrictions on performing certain operations and/or on the user's work, as a member of a group, in certain parts of the network file system);
    the directory and file attribute level (restrictions on performing certain operations, including deletion, editing or creation, which come from the file system and apply to all users who try to work with those files or directories);
    the file-server console level (locking the file server keyboard for the duration of the network administrator's absence, until a special password is entered).

    However, one cannot always rely on this part of the information protection in the NetWare operating system. Evidence of this is the numerous instructions on the Internet and the ready availability of programs for cracking various elements of the protection against unauthorized access.

    The same observation is true of later versions of NetWare (up to the latest, 6th, version) and of other "powerful" network operating systems with built-in data protection (Windows NT, UNIX). The point is that protection of information is only one of the many tasks handled by a network operating system. Improving one of its functions at the expense of others (given the understandable reasonable restrictions on the volume occupied by the OS on the hard disk) cannot be the main direction of development of general-purpose software products such as network operating systems. At the same time, given the acuteness of the information-security problem, there is a tendency to integrate (embed) selected, well-proven tools that have become standard into the network operating system, or to develop proprietary analogues of known information-security programs. Thus, the NetWare 4.1 network operating system is capable of encrypting data with a "public key" (the RSA algorithm) and forming an electronic signature for packets transmitted over the network.

  #5

    Re: Data Protection for LANs

    Specialized software tools for protecting information from unauthorized access generally have better capabilities and features than those built into network operating systems. Besides encryption programs and cryptographic systems, there are many other external information-security tools available. Among the most frequently mentioned solutions are the following two systems for limiting and controlling information flows.

    Firewalls. Between the local and global networks, special intermediate servers are placed that inspect and filter all network/transport-layer traffic passing through them. This dramatically reduces the threat of unauthorized access from outside the corporate network, but does not eliminate the risk entirely. A more secure variant of the method is masquerading, in which all outgoing traffic from the local network is sent on behalf of the firewall server, making the local network practically invisible.

    Proxy servers. All network/transport-layer traffic between the local and global networks is completely prohibited; routing as such is absent, and requests from the local network to the global one go through special proxy servers. It is obvious that with this method requests from the global network to the local one become impossible in principle. This method does not provide sufficient protection against attacks at higher levels, for example at the application level (viruses, Java and JavaScript code).
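The masquerading behaviour described in the firewall paragraph above, as an added example that is not part of the original post: a small model of a firewall that rewrites outgoing packets to its own address, keeps a translation table, and admits inbound packets only when they match a recorded outbound connection. All addresses (RFC 5737 documentation ranges), ports and the "HTTPS only" policy are made up for the example; packets are plain tuples rather than real traffic.

```python
"""Toy model of a masquerading firewall: outbound traffic leaves with the
firewall's own address, and only replies matching a recorded translation are
let back in. Added example, not part of the original post; all addresses,
ports and the policy are made up."""
from dataclasses import dataclass
import itertools


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class MasqueradingFirewall:
    def __init__(self, external_ip, internal_prefix="192.168.1.", allowed_dports=(80, 443)):
        self.external_ip = external_ip
        self.internal_prefix = internal_prefix
        self.allowed_dports = set(allowed_dports)
        self.port_pool = itertools.count(40000)
        # external source port -> (internal src, sport, dst, dport)
        self.table = {}
        self.log = []

    def outbound(self, pkt):
        """LAN -> outside: enforce policy, then rewrite the source to the firewall."""
        if not pkt.src.startswith(self.internal_prefix):
            self.log.append(("DROP", "source not in LAN range", pkt))
            return None
        if pkt.proto != "tcp" or pkt.dport not in self.allowed_dports:
            self.log.append(("DROP", "port not permitted by policy", pkt))
            return None
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        ext_port = next((p for p, v in self.table.items() if v == key), None)
        if ext_port is None:                     # new connection: allocate a translation
            ext_port = next(self.port_pool)
            self.table[ext_port] = key
        self.log.append(("MASQ", ext_port, pkt))
        return Packet(self.external_ip, ext_port, pkt.dst, pkt.dport, pkt.proto)

    def inbound(self, pkt):
        """Outside -> LAN: accept only a reply matching recorded state, then undo the rewrite."""
        entry = self.table.get(pkt.dport)
        if (pkt.dst != self.external_ip or entry is None
                or (entry[2], entry[3]) != (pkt.src, pkt.sport)):
            self.log.append(("DROP", "no matching translation", pkt))
            return None
        lan_src, lan_sport, _, _ = entry
        return Packet(pkt.src, pkt.sport, lan_src, lan_sport, pkt.proto)


def simulate():
    """Run constructed traffic through the firewall and return what came out."""
    fw = MasqueradingFirewall("203.0.113.1")
    out = fw.outbound(Packet("192.168.1.10", 51000, "198.51.100.7", 443))      # HTTPS, allowed
    reply = fw.inbound(Packet("198.51.100.7", 443, "203.0.113.1", out.sport))   # genuine reply
    forged = fw.inbound(Packet("198.51.100.9", 443, "203.0.113.1", out.sport))  # wrong peer, same port
    probe = fw.inbound(Packet("198.51.100.9", 12345, "203.0.113.1", 445))       # unsolicited scan
    direct = fw.inbound(Packet("198.51.100.9", 12345, "192.168.1.10", 445))     # LAN address from outside
    telnet = fw.outbound(Packet("192.168.1.10", 51001, "198.51.100.7", 23))     # not in policy
    return out, reply, forged, probe, direct, telnet


if __name__ == "__main__":
    for result in simulate():
        print(result)
```

The outside world only ever sees `203.0.113.1`; the probe, the packet addressed straight to the LAN host and the reply from the wrong peer are all dropped because nothing in the translation table vouches for them, which is the "practically invisible" property the post describes. On Linux the same idea is what `iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE` combined with a `-m conntrack --ctstate ESTABLISHED,RELATED` accept rule implements in the kernel; the post's own warning still stands, since anything the inside hosts fetch over an allowed port (a malicious download, hostile script content) passes straight through.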
