Security acronyms, terms and full descriptions

Many systems use digital certificates. These include web-based transactions (SSL or TLS), remote connectivity solutions (VPNs), and full-blown PKI systems and their associated applications, such as secure e-mail and database transactions. The certificate is used to publish (distribute) the public key of an individual or entity. The certificate contains the public key, as well as the signature of the entity that is certifying that the key is valid.

In the physical world an official document bearing your signature (such as a passport or credit card) is a trusted document if it is signed by you, and certified to be valid by the third party who issued that document. Certificates can be used in place of physical documents to establish a person's identity, or the identity of a computer system that they are connecting to. There are numerous applications for certificates such as in e-commerce and remote connectivity. Like a physical piece of identification, you should only trust a certificate if you trust the third party who certified the public key, and issued the certificate.

Certificate Authority - (CA)

A certificate authority is a trusted third party that issues certificates containing public keys. If you have an understanding of what a public key is and how it is used, then you will realize that security is compromised if a user's or server's public key is forged, or if conditions change so that the owner of the public key is no longer trustworthy. A certificate contains additional security information to prove that the key is valid and that it belongs to the person or entity named. The certificate authority certifies that this is true before putting their digital stamp of approval on it. The certificate can also be revoked by the CA.
A certificate authority plays the role of trusted third party in the same way that a credit card company certifies that a vendor can safely do business with the owner of a credit card, or that the passport office certifies that you are who you say you are. The certificate authority must be known by the two parties and trusted by each of them for the certificates to be recognized as valid. Like a physical piece of identification, you should only trust a certificate if you trust the third party who certified the public key, and issued the certificate. Some companies will perform their own CA function in order to issue certificates to employees as a means of authentication. Other organizations and individuals will rely on commercial Certificate Authorities such as Verisign or Entrust, for example.

A secure network can be either a physical network made up of a wire strung between two systems, or a virtual network (VPN) allowing multiple networks to share the same physical wire.

Fiber optic cable is now becoming quite common as a transmission medium both within buildings as well as across long distances. The benefits are many when compared to the copper wire that it replaces. These include:
Dark fiber simply refers to a fiber optic cable that has not been turned on. No light is passing through it so it is said to be dark. A company would order dark fiber from their telecommunications supplier (telco) to connect two buildings if they wanted to hook their own transmission equipment to either end. Otherwise, the telecommunications company could provide a live network connection that includes telecommunications equipment that is managed by the telco.

A digital signature is made up of two components:
For more information on how the signature is encrypted, see Asymmetric Encryption.
DMZ - Demilitarized Zone

In order to isolate a corporate network from the internet while allowing specific traffic to flow between the two, a DMZ can be set up. If the Internet is one network, and the corporate network is another, a DMZ is a third network connecting the two (sort of a digital no-man's land). If you can imagine a castle with a moat, during a battle the land between the castle walls and the moat is no-man's land, or the castle's DMZ. The only resources that would be physically located outside the castle walls but inside the moat are those that require some defenses but can be sacrificed in order to keep the castle safe.

In a corporate network, the DMZ is owned by the company in the same way that the king of the castle owns the property surrounding the castle. The company's web server can be located on the DMZ network. The web server is protected by a digital moat (a firewall), forming the company's first line of defense. If an attack takes place and the hackers manage to cross the moat (get through the firewall), like a peasant, the web server may perish. Fortunately a second, stronger line of defense exists to protect the corporate network. A second firewall sits between the DMZ and the corporate network, in the same way that the castle walls protect the castle's occupants from the attackers who have managed to cross the moat. An effective DMZ is filled with all sorts of services available to the internet, as well as various obstacles such as firewalls to prevent theft or damage to the company's public servers.

DNS - Domain Name Server

Computers talk to each other using TCP/IP numbers (addresses), in the same way that telephones contact each other using phone numbers. People have an easier time remembering names rather than numbers, so when people are introduced they exchange names. Later, if they want to call each other on the telephone, they can call directory assistance and get the phone number of the person they want to reach.
You may want to reach a web site such as www.ITcoach.com, or even www.WayneMcKinnon.com, but your computer needs to look up the proper TCP/IP address for the computer where the web site is located. A DNS is like directory assistance for the internet. In the same way that the phone company provides directory assistance so that you can find the number that enables you to connect to your friend's telephone, a DNS provides your computer with the TCP/IP address of the web server (or other service) that you are trying to connect to. So, when you try to reach my web site, send e-mail or perform a variety of network related tasks, your computer does this by first querying a DNS to get the number. Then by using that number it can connect to the web server.

Encryption refers to the process of scrambling data in a way that is almost impossible to unscramble by anyone but the intended recipient. (We can't say it is impossible since given enough computing power and enough years, eventually every combination could be tried until the data was successfully unencrypted.) An encryption algorithm is a mathematical equation or formula that is applied against the data in order to create a scrambled result. There are numerous encryption technologies such as DES, RSA, Diffie-Hellman and Blowfish, to name a few. The number of bits or "strength" of an encryption algorithm refers to the length of an input value known as a key (see public key or private key). Rather than being kept private, the algorithm is made available to anyone one might ever want to do business with. What is kept secret is the input value or "key."

The two primary uses for encryption are Authentication (prove to me that you are who you say you are), and protecting (encrypting) data that is being transmitted or stored. Some encryption technologies and applications may use a symmetric algorithm, while others use asymmetric encryption algorithms.
In other cases, both will be used in what is known as hybrid encryption technologies. For web security, SSL is an example of a hybrid technology that employs both methods. There are two common encryption models in use:
In building construction, a firewall is quite simply a fireproof interior wall designed to stop the spread of flames from one part of the building to another. In network architecture, a firewall blocks the spread of viruses, hackers and undesirable network traffic from one network to another. A firewall can be thought of as a black box joining two networks (a secure network and an unsecured network). In more robust network designs, two firewalls may be used (see DMZ).

A network firewall may be a dedicated device purchased for this one purpose, or it may be a service added to an existing network device. A simple network firewall can be created by configuring filters on the network router (a device that joins two networks). The traffic may be filtered based on the source or destination TCP/IP address just like call blocking services filter out telephone calls from unwanted callers. A more sophisticated filter can allow traffic from any network address to pass, but only in support of specific applications (web traffic might be allowed while other application traffic can be blocked). An even more sophisticated firewall could be used to block the transmission of e-mail containing viruses, or web pages containing bad words.

IPsec - TCP/IP with security capabilities

IPsec can be thought of simply as an enhancement to the IP protocol, allowing it to provide security and authentication. While there are many uses for IPsec, it is often used to:
A personal firewall performs the same sort of function as a network firewall, but instead of protecting an entire network, it protects an individual system, such as a home computer directly connected to a high speed Internet connection. When Internet connectivity was over a phone line, network security wasn't seen as being as important since the computer was only temporarily connected. While the window of opportunity for a hacker to strike was limited, there was still a risk. With high speed networks, computers tend to be left connected for extended periods without supervision, making the system an easier target for hackers.

A personal firewall is typically a software solution that filters traffic through the network connection. It can be configured to allow some or all applications to retrieve information from the Internet, while allowing or blocking other applications that try to send data to the internet. For an example of how effective a personal firewall can be, install one on your system and watch the statistics that show how many attempts there are to access your computer. You will probably be amazed!

In one case a friend called to ask me if he should open up his firewall to let NOTEPAD.EXE access the internet. Since notepad is not an Internet application I told him that there is no reason that notepad.exe would try to access the internet, yet his firewall kept asking him if it should be allowed. Turns out that notepad.exe was infected with a virus that he picked up by opening an infected e-mail message. Notepad had been replaced by an application that looked just like the original, but had the added feature of acting as a server to allow a hacker to come and visit through the open door that it created. Normally the attack would have been successful, but the correctly configured firewall detected and prevented it. Do you know what your notepad is doing?
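The per-application filtering described above, including the notepad.exe case, can be sketched as a small policy check over connection attempts. This is an added example, not code from the original page or from any firewall product; the rule format, the record fields, the program names and the sample attempts are all constructed for illustration.

```python
from dataclasses import dataclass
from fnmatch import fnmatch

@dataclass(frozen=True)
class Attempt:
    program: str    # executable name making the attempt
    direction: str  # "out" = connecting to a server, "in" = accepting connections
    port: int       # remote port for "out", local listening port for "in"

# Hypothetical policy, checked top to bottom; the first matching rule wins.
# (program pattern, direction, allowed ports or None for any port, action)
RULES = [
    ("browser.exe", "out", {80, 443}, "allow"),
    ("mailclient.exe", "out", {25, 110}, "allow"),
    ("*", "in", None, "block"),  # no program on this PC should act as a server
]

def decide(attempt, rules=RULES):
    """Return 'allow', 'block' or 'ask' for one connection attempt."""
    name = attempt.program.lower()  # file names on Windows are case-insensitive
    for pattern, direction, ports, action in rules:
        if not fnmatch(name, pattern) or direction != attempt.direction:
            continue
        if ports is not None and attempt.port not in ports:
            continue
        return action
    # No rule covers this program/port: never allow silently, prompt the user.
    return "ask"

def review(attempts, rules=RULES):
    """Return (attempt, decision) for everything the policy did not allow."""
    return [(a, d) for a in attempts if (d := decide(a, rules)) != "allow"]

# Constructed sample of connection attempts seen on a home PC.
SAMPLE = [
    Attempt("browser.exe", "out", 443),
    Attempt("mailclient.exe", "out", 110),
    Attempt("NOTEPAD.EXE", "out", 4000),  # a text editor has no reason to connect
    Attempt("NOTEPAD.EXE", "in", 5000),   # ...or to accept incoming connections
    Attempt("browser.exe", "out", 21),    # known program, port outside its rule
]

if __name__ == "__main__":
    for attempt, decision in review(SAMPLE):
        print(f"{decision:5} {attempt.program} {attempt.direction} port {attempt.port}")
```

Rules keyed only on the file name would trust a replaced program that carries an allowed name, so the prompt for programs with no rule at all is what catches the notepad.exe case here.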
An infrastructure describes the core components or the technological foundation upon which many business applications are built. A public key infrastructure is not a product, but a term used to describe a combination of technologies that can be brought together to fulfill a variety of security needs. In the case of PKI, the infrastructure may be created to support a single business application, but a much better return on investment can be achieved if it supports multiple security requirements and applications.
Components of a PKI include:
Additional components may include:
Executive Advice: It should be noted that it is possible to have secure applications that use certificates without the huge investment required in order to build a Public Key Infrastructure. It simply means that a number of tasks or functions will not be automated.
A key is a unique number used as an input value by an encryption process. A private key is one part of a two part security mechanism called asymmetric cryptography, which involves the use of matching key pairs (private and public). In some cases such as typical secure web transactions using SSL, the use of a private key is transparent to the user since web browser applications come with built-in key pairs. In that case, the key pairs allow the user to establish a secure connection, but do not identify the users (users must type in a name and other credentials to be positively identified). In other applications such as VPN connections, or cases where private keys are used to positively identify a user to a secure web site, the user must first register their own private key with a certificate authority.
(See asymmetric cryptography then PKI for a more detailed description of this process).

A privileged user is simply a user who has an account on a computer, and that account has been assigned certain advanced privileges. On a Windows system the ADMINISTRATOR has the highest level of privileges, and on a Unix or Linux server, the account name is ROOT. Avoid surfing the internet while logged on as someone with administrative rights. If you were to open an e-mail message containing a virus, or access a web page and launch a malicious script, the script or virus would have the same full access to your system and all of your hard drive that this account has.

A key is a unique number used as an input value by an encryption process. A public key is one part of a two part security mechanism called asymmetric cryptography, which involves the use of matching key pairs (private and public). Typically when a user connects to a system that uses asymmetric cryptography (such as secure web transactions or VPN connection), the user is given the server's certificate to prove the identity of the server. The certificate contains the server's public key.
Your public key can be thought of as an open padlock for which you alone hold the key. A padlock could be used by me to lock up some data that I want only you to be able to get at. There is no risk in making the public key available to all, since if a duplicate padlock existed and was publicly available to anyone, it could not be used to open the data that I secured. You alone hold the matching private key. See asymmetric cryptography then PKI for a more detailed description of this process.

A smart card has traditionally meant a device similar to a credit card with a computer chip on it. A smart card is often used to physically store and transport an individual's credentials, in the form of private keys and certificates. A smart card can be used to log on to a computer that the user has privileges on, provided the computer has a smart card reader.
SSL - Secure Socket Layer (secure web site)

The SSL Protocol provides web browsers a secure way to communicate with web servers. You can identify a secure connection by:
When an SSL connection is established, the web browser and server exchange certificates, and negotiate a secure, encrypted connection. See PKI for an additional description of how this connection is encrypted.

System hardening is a step-by-step process of securely configuring a system to protect it against unauthorized access, while also taking steps to make the system more reliable.

TCP/IP is a suite of protocols, or what is referred to as a protocol stack. If you imagine that sending data over a computer network is like sending mail through the postal system, each layer has a specific job to do. If you want to send a letter to your friend, you would first write the letter on paper. This is like creating a request for a web page, or composing an e-mail message. Next you would write your friend's address and your return address on the envelope and seal it up with the letter inside. You have just created an IP datagram. The IP layer of the TCP/IP protocol stack is like your envelope, containing both the source and destination IP (network) address on the outside, and the data inside the package (datagram). The IP address is what allows your datagram to be routed across the internet, in the same way that the mailing address of your friend allows your letter to be routed through the postal systems.

If you want to guarantee that your letter is delivered, you can send it registered mail. TCP adds extra information to the datagram that both the sender and recipient can use to determine if the whole datagram was delivered, or if something went wrong. If there was a problem, TCP attempts to guarantee delivery of your datagram by retransmitting it if necessary. After a number of failed attempts, TCP will notify your application that there is a problem and you will receive an error message.

In short, your application (perhaps a web browser) talks to the TCP software in your computer. TCP does its part by adding its own information to your letter, and then passes everything down the stack to IP so that a datagram can be created and delivered to the recipient (a web server, e-mail server or other).

Warning: TCP/IP does not provide security by itself. For that you should look at IPsec.
A VPN is a secure connection over a public network. A VPN "end point" can be a PC running VPN client or server software, a dedicated VPN gateway that accepts secure remote connections, a firewall that accepts secure remote connections, or a network router with VPN capabilities. VPNs are set up to support connectivity between:
The features of a VPN are that connections:
A VPN can be established using any number of secure protocols, although IPsec is becoming most common. Note: VPN connections can be set up to just perform authentication, or to also support encryption. See PKI for a further discussion of the encryption process.

A vulnerability assessment is a procedure where each part of your computing infrastructure is analyzed for potential security weaknesses. Assessments typically turn up things such as:
The list above is by no means thorough. Even the fact that a database server is connected to a network can be considered a vulnerability. The decisions that must be made following a vulnerability assessment are, what is the appropriate level of risk, and what is the worst that could happen. Based on the results of the assessment and review, an action plan can be created, and proper security measures implemented based on the organization's risk tolerance.
Copyright 2002 by ITcoach.com. All rights reserved.