24. Chapter 0 – Reader’s Guide
The art of war teaches us to rely not on
the likelihood of the enemy's not
coming, but on our own readiness to
receive him; not on the chance of his
not attacking, but rather on the fact
that we have made our position
unassailable.
—The Art of War, Sun Tzu
25. Standards Organizations
National Institute of Standards &
Technology (NIST)
Internet Society (ISOC)
International Telecommunication
Union Telecommunication
Standardization Sector (ITU-T)
International Organization for
Standardization (ISO)
RSA Labs (de facto)
26. Information security
Information security (Arabic heading translated)
A discipline concerned with the security of information; it existed before computers and before network security appeared.
Examples: keeping papers in a secure place, authenticating certificates, signing a cheque, using a safe for money and documents, and so on.
Is about how to prevent attacks or, failing that, to detect attacks on information-based systems, wherein the information itself has no meaningful physical existence, and then to recover from the attacks.
27. Computer security
Computer security (Arabic heading translated)
The generic name for the collection of tools designed to protect data and to thwart hackers.
28. Network security
Network security (Arabic heading translated)
The second major change that affected security was the introduction of distributed systems and the use of networks and communications facilities for carrying data between terminal user and computer and between computer and computer.
Network security applies to a network that may be internal and not connected to the Internet. The need for it arose once computer networks appeared; in the earlier stage machines were separate from one another, so they suffered no major problems except from causes such as viruses and the like.
29. Internet security
Internet security (Arabic heading translated)
Consists of measures to deter, prevent, detect and correct security violations that involve the transmission of information.
Internet security is the broadest sense of security for all computer networks. Here we need measures to protect against, detect and correct the violations that occur in the network, including during the transmission of data, and measures to confirm the integrity of the data.
Note first that there is no clear distinction between Internet security and network security.
We use the term internet, with a lower-case i, to refer to any interconnected collection of networks.
36. Cont.
One approach is to consider three
aspects of information security
Major axes in network security
1. Security attacks (the risks and attacks).
2. Security mechanisms (the mechanisms used).
3. Security services (the security services provided).
37. 1.Security attacks
Any action that compromises the security of information owned by an organization; any action that attempts to break the security policy.
Example: a company's security policy forbids using or running any external CD on any machine. If an employee does so and runs the CD, that is a violation of the policy, because the CD may carry viruses or backdoors used to penetrate the company.
38. 2.Security mechanism
A mechanism that is designed to detect, prevent or recover from a security attack.
Antivirus software = a security mechanism; detecting viruses is what that mechanism does.
The mechanisms are what is used to detect, protect against and recover from attacks.
39. 3.Security services
A service that enhances the security of the data processing system and the information transfers of an organization.
The services are intended to counter security attacks, and they make use of one or more security mechanisms to provide the service.
The services counter attacks and use one or more mechanisms to achieve the required security service.
Example: when a Microsoft application such as Word opens a file, it first runs a virus check; a virus need not be an executable file, it may be a script that causes problems when the file is opened. That check is a service built into Microsoft products.
One of the major bodies producing network standards is ISO, whose best-known standard is the network model (ISO OSI model), Open Systems Interconnection.
40. Threat
(danger)
A potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm. That is, a threat is a possible danger that might exploit a vulnerability.
Weaknesses present in the system, or potential points of danger in the system.
41. Attack (intelligent threat)
An assault on system security that derives from an intelligent threat; that is, an intelligent act that is a deliberate attempt to evade security services and violate the security policy of a system.
An intelligent attack on the system, usually carried out by a person or by a program.
42. OSI Security Architecture
ITU-T X.800 “Security Architecture for
OSI”
defines a systematic way of defining and
providing security requirements
for us it provides a useful, if abstract,
overview of concepts we will study
43. The OSI security architecture
OSI: Open Systems Interconnection
ITU: International Telecommunication Union
RFC: Request for Comments (the IETF document series; RFC 2828 is the Internet Security Glossary cited on these slides)
X.800: an international standard (an ITU-T Recommendation), not an RFC
X.800 contains a detailed description of the security architecture for OSI:
ITU-T Recommendation X.800, Security Architecture for OSI, defines such a systematic approach.
44. Cont.
Computer and communications vendors have developed security features for their products and services that relate to this structured definition of services and mechanisms.
X.800 defines:
1. security services.
2. security mechanisms.
3. security attacks.
45. 1.Security services (in RFC
2828)
Def:
A processing or communication
service that is provided by a system to
give a specific kind of protection to
system resources.
Security services implement security
policies and are implemented by
security mechanisms.
46. Security Services
X.800:
“a service provided by a protocol layer of
communicating open systems, which
ensures adequate security of the systems
or of data transfers”
RFC 2828:
“a processing or communication service
provided by a system to give a specific
kind of protection to system resources”
48. Security Services (X.800)
X.800 divides these services into five categories (availability, listed sixth below, is treated in X.800 as a property associated with the other services):
1.Authentication - assurance that
communicating entity is the one claimed
2.Access Control - prevention of the
unauthorized use of a resource
3.Data Confidentiality –protection of data from
unauthorized disclosure
4. Data Integrity - assurance that data received
is as sent by an authorized entity
5.Non-Repudiation - protection against denial
by one of the parties in a communication
6.Availability – resource accessible/usable
49. 1.Authentication
(trust in the identity of the sender)
The authentication service is concerned with assuring that a communication is authentic.
The assurance that the communicating entity is the one that it claims to be.
Example: when a warning or alarm message arrives, the job of the authentication service is to make sure that the sender is the source it claims to be; that the two communicating parties are the ones permitted to communicate; and that no other, unauthorized party can join in. A username and password can be used to achieve this.
50. 2.Access control
(the permissions granted to each individual; protecting the organization's assets)
Def 1: the ability to limit and control the access to host systems and applications via communication links.
To enforce this, anyone requesting a particular access permission or privilege must first be identified and authenticated before being granted any privileges.
Access rights: permission to use a computer, a printer or a CD-ROM. For example:
User A >>>> delete, edit, read
User B >>>> edit
User C >>>> read
Def 2: the prevention of unauthorized use of a resource.
51. 3.Data confidentiality
Is the protection of transmitted data from passive attacks, so that no one else can make use of the data or understand it.
The protection of data from unauthorized disclosure.
Protection against passive attacks.
52. 4.Data Integrity
The assurance that data received are exactly as sent by an authorized entity, i.e., contain no modification, insertion, deletion, or replay.
Assures that messages are received as sent, with no duplication, insertion, modification, reordering, or replays.
The goal of this service is to detect an attack, not to prevent it.
53. 5.Non repudiation
(no party can deny or disown its participation)
Provides protection against denial by one of the entities involved in a communication of having participated in all or part of the communication.
The sender cannot deny having sent the message, and the receiver cannot deny having received it.
54. 6.Availability services
(the availability service: the system is available)
Defined in X.800 and RFC 2828.
The property of a system or a system resource being accessible and usable upon demand by an authorized system entity, according to performance specifications for the system.
A system is available if it provides services
according to the system design whenever the user
request them.
55. Cont.
Note that every kind of attack can affect this service or cancel it altogether.
X.800 treats availability as a property to be associated with various security services.
An availability service is one that protects a system to ensure its availability.
The goal of this service is protection against DoS (denial-of-service) and DDoS (distributed denial-of-service) attacks.
56. 2-Security mechanism
A mechanism that is designed to detect, prevent or recover from a security attack.
57. Security Mechanism
a.k.a. control
feature designed to detect, prevent, or
recover from a security attack
no single mechanism that will support
all services required
however one particular element
underlies many of the security
mechanisms in use:
◦ cryptographic techniques
hence our focus on this topic
59. 1-Encipherment
The use of mathematical algorithms to transform data into a form that is not readily intelligible (unreadable to anyone without the key).
60. 2-Digital signature
Data appended to, or a cryptographic transformation of, a data unit that allows a recipient of the data unit to prove the source and integrity of the data unit and protect against forgery.
A key is used together with the original message so that the signer cannot later disown the message: the sender cannot deny having sent it, and if the receiver signs an acknowledgement it cannot deny having received it.
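Added example, not part of the original slides: a hash-based one-time signature that shows the property behind slides 53 and 60. Only the holder of the private key can produce a signature that verifies under the public key, so the recipient can prove source and integrity, and the signer cannot later deny having signed. The scheme (Lamport), the function names and the messages in demo() are assumptions made for this example; X.800 does not prescribe an algorithm, and real systems use RSA, ECDSA or Ed25519 from a vetted library.

```python
import hashlib
import secrets

# Added example: Lamport one-time signature (hash-based).  ASSUMPTIONS: the
# scheme, the names below and the messages in demo() are chosen for this
# illustration; they are not from the slides or from X.800.
# Property demonstrated: only the private-key holder can produce a signature
# that verifies under the public key, so the receiver can prove source and
# integrity, and the signer cannot later deny having signed (non-repudiation).
# A Lamport key pair must sign exactly ONE message; a second signature with the
# same key reveals enough secrets for an opponent to forge.

N_BITS = 256  # we sign the 256-bit SHA-256 digest of the message


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keygen():
    """Private key: 256 pairs of random 32-byte secrets.
    Public key: the SHA-256 hash of every secret (safe to publish)."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(N_BITS)]
    pk = [(h(a), h(b)) for a, b in sk]
    return sk, pk


def digest_bits(msg: bytes):
    d = h(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(N_BITS)]


def sign(sk, msg: bytes):
    """For bit i of H(msg) reveal secret sk[i][0] if the bit is 0, sk[i][1] if 1.
    Revealing a preimage is something only the private-key holder can do."""
    return [sk[i][bit] for i, bit in enumerate(digest_bits(msg))]


def verify(pk, msg: bytes, sig) -> bool:
    """Hash every revealed secret; it must match the published hash selected
    by the same bit of H(msg).  Any change to msg flips digest bits, so the
    revealed secrets no longer match and the signature is rejected."""
    if len(sig) != N_BITS:
        return False
    return all(h(sig[i]) == pk[i][bit] for i, bit in enumerate(digest_bits(msg)))


def demo():
    """Returns (genuine accepted, altered message rejected, other signer rejected)."""
    sk, pk = keygen()
    _, other_pk = keygen()  # somebody else's public key
    msg = b"Allow John Smith to read confidential file accounts"
    sig = sign(sk, msg)
    forged = b"Allow Fred Brown to read confidential file accounts"
    return (verify(pk, msg, sig), verify(pk, forged, sig), verify(other_pk, msg, sig))
```

verify() needs only the public key, so any third party can check the signature; that is what separates a signature from the MAC used for the data integrity service, where both parties share the key and either of them could have produced the tag.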
61. 3.Access control
A variety of mechanisms that enforce access rights to resources; the set of mechanisms used to regulate access to data.
62. 4-data integrity
A mechanism, as distinct from the data integrity service of the same name.
A variety of mechanisms used to assure the integrity of a data unit or stream of data units.
63. 5.Authentication exchange
A mechanism intended to ensure the
identity of an entity by means of
information exchange.
64. 6.Traffic padding
The insertion of bits into gaps in a data stream to frustrate traffic analysis attempts.
Padding is inserted into the data so that an observer cannot learn the shape of the traffic (for example, message lengths).
65. 7.Routing control
Enables selection of particular physically secure routes for certain data and allows routing changes, especially when a breach of security is suspected.
Choosing the most secure routes for the data.
66. 8. Notarization
The use of a trusted third party to assure certain properties of a data exchange.
Using a third party to verify and confirm the data transfer.
67. 3.Security attacks
X.800 and RFC 2828 classify security attacks into:
1. Passive attacks
Attempts to learn or make use of information from the system but do not affect system resources.
2. Active attacks
Attempts to alter system resources or affect their operation.
69. 1-Passive attack
The goal of the opponent is to obtain information that is being transmitted.
Passive attacks are very difficult to detect because they do not involve any alteration of the data.
Here the emphasis is on protecting the data rather than detecting the attack, and the usual way to protect against this kind of attack is encryption.
73. 2-Active attack
Involve some modification of the data stream or the creation of a false stream.
It can be subdivided into four categories:
1. Masquerade (one entity pretends to be a different entity)
2. Replay
3. Modification of messages
4. Denial of service
75. 2.Replay
Involves the passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect.
Example: a message captured in a bank's own transmission format or protocol and sent again later.
77. 3.Modification of messages
Means that some portion of a legitimate message is altered, or that messages are delayed or reordered to produce an unauthorized effect.
Example: this message was modified:
Allow John Smith to read confidential file accounts.
Modified to:
Allow Fred Brown to read confidential file accounts.
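Added example, not from the slides: the data integrity service of slide 52 as a MAC-protected channel, exercised against the replay of slide 75 and the message modification of slide 77. A sequence number is authenticated together with the body, so a replayed, reordered or dropped message is detected as well as an altered one. The class and function names, the key and the wire format are assumptions made for this example; the message text is the slide's own. Because both sides hold the same key, this gives integrity but not non-repudiation.

```python
import hashlib
import hmac
import secrets

# Added example: an integrity-protected channel.  ASSUMPTIONS: the wire format
# (8-byte sequence number || body || 32-byte HMAC-SHA256 tag), the names and
# the key are chosen for this illustration; the message text is the slide's.
# The receiver detects, as X.800's integrity service requires, any message that
# was modified, replayed, reordered, or that follows a dropped message.

SEQ_LEN = 8
TAG_LEN = 32  # SHA-256 output


def protect(key: bytes, seq: int, body: bytes) -> bytes:
    """Sender side: authenticate the sequence number together with the body,
    so an opponent cannot splice an old tag onto a new number or vice versa."""
    header = seq.to_bytes(SEQ_LEN, "big")
    tag = hmac.new(key, header + body, hashlib.sha256).digest()
    return header + body + tag


class Receiver:
    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = 0  # last accepted sequence number; the first message must be 1

    def accept(self, wire: bytes):
        """Return the body if the message is genuine and in order, else None."""
        if len(wire) < SEQ_LEN + TAG_LEN:
            return None  # truncated
        header, body, tag = wire[:SEQ_LEN], wire[SEQ_LEN:-TAG_LEN], wire[-TAG_LEN:]
        expected = hmac.new(self.key, header + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # modification or forgery (constant-time compare)
        seq = int.from_bytes(header, "big")
        if seq != self.last_seq + 1:
            return None  # replay (seq too low), reorder, or a gap after a dropped message
        self.last_seq = seq
        return body


def demo():
    """Runs the slides' attacks against one receiver; True means 'accepted'."""
    key = secrets.token_bytes(32)  # constructed shared key
    rx = Receiver(key)
    original = protect(key, 1, b"Allow John Smith to read confidential file accounts")
    results = {"genuine": rx.accept(original) is not None}
    # Slide 77, modification: the opponent rewrites the name in transit, keeping the tag.
    altered = original.replace(b"John Smith", b"Fred Brown")
    results["altered"] = rx.accept(altered) is not None
    # Slide 75, replay: the opponent resends the captured genuine message later.
    results["replayed"] = rx.accept(original) is not None
    # The next genuine message (seq 2) still gets through.
    results["next"] = rx.accept(protect(key, 2, b"close account")) is not None
    # Seq 4 after 2: message 3 was deleted or held back, so this one is refused.
    results["gap"] = rx.accept(protect(key, 4, b"transfer funds")) is not None
    return results
```

The strict next-sequence rule is what makes deletion and reordering visible; protocols that must tolerate loss use a sliding window instead, which still rejects replays but lets a gap through.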
83. A model for network security
using this model requires us to:
1. design a suitable algorithm for the
security transformation
2. generate the secret information (keys)
used by the algorithm
3. develop methods to distribute and
share the secret information
4. specify a protocol enabling the
principals to use the transformation and
secret information for a security service
84. A model for network security
All the techniques for providing security have two components:
1. A security-related transformation on the information to be sent.
For example, encrypting the data so that it is unreadable by the opponent, or adding a code based on the contents of the message that lets the receiver verify the identity of the sender.
2. Some secret information shared by the two principals and, it is hoped, unknown to the opponent.
For example, the encryption key, used at the sender to encrypt the data and at the receiver to decrypt it.
85. A trusted third party
A trusted third party may be needed to achieve secure transmission.
The purpose of the third party is to deliver secret information, such as the encryption key, to the sender and the receiver, and so to protect the data from opponents and adversaries.
86. A model for network security
This general model shows that there are four basic tasks in designing a particular security service:
1. Design an algorithm for performing the security-related transformation.
2. Generate the secret information to be used with the algorithm.
3. Develop methods for the distribution and sharing of the secret information.
4. Specify a protocol to be used by the two principals that makes use of the security algorithm and the secret information to achieve a particular security service.
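Added example, not from the slides: the four tasks of slide 86 carried out end to end, with the encipherment of slide 59 and the traffic padding of slide 64 as the security-related transformation of slide 84, and a trusted third party (slide 85) handing the shared key to both principals. A SHA-256 keystream stands in for a real cipher and every name is an assumption made for this example; a production system would use an authenticated cipher such as AES-GCM from a vetted library. Integrity protection is a separate service and is not shown here.

```python
import hashlib
import secrets

# Added example, not from the slides.  ASSUMPTION: a SHA-256 keystream stands
# in for a real cipher so the example needs only the standard library; the
# names, the block size and the principals are constructed for illustration.

BLOCK = 64  # every ciphertext is padded to a multiple of this many bytes


# Task 1: the security-related transformation (slide 59 encipherment, slide 64 padding)
def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def pad(data: bytes) -> bytes:
    """Traffic padding: 2-byte length, the data, random filler up to a BLOCK
    boundary.  An eavesdropper sees the same ciphertext length for 'yes'
    and for 'attack at dawn'."""
    if len(data) > 0xFFFF:
        raise ValueError("message too long for the 2-byte length field")
    body = len(data).to_bytes(2, "big") + data
    return body + secrets.token_bytes(-len(body) % BLOCK)


def unpad(data: bytes):
    n = int.from_bytes(data[:2], "big")
    if n > len(data) - 2:
        return None  # length field is inconsistent: wrong key or corrupted data
    return data[2:2 + n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# Tasks 2 and 3: generate the secret and distribute it (slide 85's third party).
class TrustedThirdParty:
    """Hands one session key to both principals.  The channel between the third
    party and each principal is assumed secure; securing it is out of scope here."""
    def __init__(self):
        self.keys = {}

    def issue_key(self, a: str, b: str) -> bytes:
        key = secrets.token_bytes(32)
        self.keys[frozenset((a, b))] = key
        return key

    def fetch_key(self, a: str, b: str) -> bytes:
        return self.keys[frozenset((a, b))]


# Task 4: the protocol the two principals follow.
def send(key: bytes, message: bytes):
    nonce = secrets.token_bytes(16)  # fresh per message so the keystream never repeats
    padded = pad(message)
    return nonce, xor(padded, keystream(key, nonce, len(padded)))


def receive(key: bytes, nonce: bytes, ciphertext: bytes):
    return unpad(xor(ciphertext, keystream(key, nonce, len(ciphertext))))


def demo():
    ttp = TrustedThirdParty()
    ttp.issue_key("alice", "bob")
    k_alice = ttp.fetch_key("alice", "bob")
    k_bob = ttp.fetch_key("bob", "alice")
    n1, c1 = send(k_alice, b"yes")
    n2, c2 = send(k_alice, b"attack at dawn")
    return {
        "roundtrip": receive(k_bob, n1, c1) == b"yes",
        "same_length": len(c1) == len(c2),   # padding hides the message length
        "hides_content": b"attack" not in c2,  # encipherment hides the content
    }
```

The nonce is sent in the clear; what must stay secret is only the key, which is the slide's second component. Reusing a nonce with the same key would give the opponent the XOR of two plaintexts, which is why send() draws a fresh one every time.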
88. Model for Network Access
Security
using this model requires us to:
1. select appropriate gatekeeper functions to
identify users
2. implement security controls to ensure only
authorised users access designated
information or resources
note that model does not include:
1. monitoring of system for successful
penetration
2. monitoring of authorized users for
misuse
3. audit logging for forensic uses, etc.
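Added example, not from the slides: the gatekeeper of slide 88, built from the authentication service of slide 49 (username and password) and the access control service of slide 50 (the rights table for User A, User B and User C). The identity is verified first, and only then is the rights table consulted, which is the order slide 50 requires. The user names, passwords, hashing parameters and function names are assumptions constructed for the example. As the slide notes, this model records nothing for audit or monitoring, and the code below does not either.

```python
import hashlib
import hmac
import secrets

# Added example, not from the slides.  ASSUMPTIONS: the credentials, the
# PBKDF2 parameters and the names are constructed for this illustration;
# the rights table is the one drawn on slide 50.

ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_store(users):
    """users: {name: password} -> {name: (salt, hash)}.  Plaintext is never kept."""
    store = {}
    for name, pw in users.items():
        salt = secrets.token_bytes(16)
        store[name] = (salt, hash_password(pw, salt))
    return store


# Access rights from slide 50.
RIGHTS = {
    "User A": {"delete", "edit", "read"},
    "User B": {"edit"},
    "User C": {"read"},
}

# Constructed credentials for the example.
STORE = make_store({"User A": "a-pass", "User B": "b-pass", "User C": "c-pass"})


def authenticate(store, name: str, password: str) -> bool:
    """Gatekeeper function (slide 88): is the caller who they claim to be?"""
    entry = store.get(name)
    if entry is None:
        # Do the same work for an unknown name so timing does not reveal
        # which user names exist.
        hash_password(password, b"\x00" * 16)
        return False
    salt, expected = entry
    return hmac.compare_digest(hash_password(password, salt), expected)


def authorize(store, rights, name: str, password: str, action: str) -> bool:
    """Identify and authenticate first; only then consult the rights table.
    A correct right with a wrong password is still refused."""
    if not authenticate(store, name, password):
        return False
    return action in rights.get(name, set())
```

Both refusals return the same value, so a caller cannot tell "wrong password" from "not permitted"; whether that is desirable depends on the policy, but it is a choice the gatekeeper has to make deliberately.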