Network Security 31252 and 32548 Tutorial 1 Questions

1.

What are the names of three most important goals of network security?
(1) Confidentiality
(2) Integrity
(3) Availability

2.

Write a short description (1-2 sentences or up to a paragraph) describing

each of the three primary goals.
(1) Confidentiality: This is the assurance that messages or data exchanged
between two people or hosts on a network remains secret and is not read by
third parties.
(2) Integrity: This is the assurance that messages or data exchanged between
two people or hosts on a network is not changed while it is being transmitted
over the network.
(3) Availability: This is the assurance that a host on a network is freely
allowed to send and receive legitimate messages with other hosts on the
network without interference.

3.

What are the names of 6 other lesser, but still important goals of network
security?
(1) Entity Authentication
(2) Message Origin Authentication
(3) Timeliness
(4) Non Repudiation (origin)
(5) Non Repudiation (destination)
(6) Authorization
(7) Access Control

4.

Write a short description (1-2 sentences or up to a paragraph) describing

each of the 6 lesser goals.
(1) Entity Authentication: This is the general idea that a host on a network
should be able to prove its identity. This goal also applies to humans who may
want to use some resources on a network. One example is a user logging onto
a host using a password to identify themselves.
(2) Message Origin Authentication : This means that it can be established with
certainty that a message came from a particular entity.
(3) Timeliness : This means that a conversation between 2 hosts on a network

cannot be watched by a third party who can use the record of the conversation
to masquerade as one of parties and replay the prior conversation. To put it
another way, each session where 2 hosts on a network exchange a set of
messages is unique and cannot be replicated later.
(4) Non Repudiation (origin) : This means that a host or other entity on a
network cannot deny having sent a message.
(5) Non Repudiation (destination) : This means that a host or other entity on a
network cannot deny having received a message.
(6) Authorization : This refers to the legitimate granting of access to
computing resources to a human being or a host on a network.
(7) Access Control : This is ability to restrict access to certain computing
resources.
5.

Consider an automated teller machine (ATM) in which users provide a

personal identification number (PIN) and a card for account access. Give
examples of confidentiality, integrity, and availability requirements
associated with the system. In each case, indicated the degree of importance
of the requirement.
The system must keep personal identification numbers confidential, both in the
host system and during transmission for a transaction. It must protect the integrity
of account records and of individual transactions. Availability of the host system
is important to the economic well being of the bank, but not to its fiduciary
responsibility. The availability of individual teller machines is of less concern.

6.

Consider a desktop publishing system used to produce documents for

various organizations. Give an example of a type of publication:
a) For which confidentiality of the stored data is the most important
requirement.
b) In which data integrity is the most important requirement.
c) In which system availability is the most important requirements.
a. The system will have to assure confidentiality if it is being used to publish
corporate proprietary material.
b. The system will have to assure integrity if it is being used to laws or
regulations.
c. The system will have to assure availability if it is being used to publish a
daily paper.

7.

Name 5 organizations or groups involved in network security.

(1) Standards Bodies
(2) Governments

(3) Academics, researchers, civil libertarians

(4) Business Organizations
(5) Malfeasors
8.

Briefly (1-2 sentences or up to a paragraph) describe the role of each of these

organizations or groups.
(1) Standards Bodies : Standards bodies create reliable standards available to
all interested parties to use to attain network security goals.
(2) Governments : Governments have a multifaceted role in network and
computer security. Governments need to protect their own systems
(websites, data, etc.). Governments provide a legal framework for the
enforcement of laws regarding network and computer security. Many
governments engage in espionage activities that use network and computer
security practices. Some governments have provided standards that are
widely used.
(3) Academics, researchers, civil libertarians : Active in researching the
fundamental techniques used in network security such as encryption and
integrity. Very important in delineating the mathematical basis of a lot of
security technologies. Academics are also important in providing
educational services in network and computer security. Civil libertarians
and individual researchers have also made significant contributions to
analysis of encryption techniques, provision of cheap (or free) network
security tools and the providing a critique of the role of government in
network and computer security.
(4) Business Organisations : A multifaceted relationship to network security.
Some organisations market security services. All medium to large
organisations that have a web presence and/or a connection to the internet
will also be consumers of network security services.
(5) Malfeasors: These are the main groups responsible for security attacks.
The most significant groups are Script Kiddies, crackers/hackers,
organized crime, cyberterrorists and governments. The first three groups
are the traditional sources of network security attacks. Cyberterrorism
has been a popular topic of discussion in security circles lately, the actual
magnitude of the threat is a matter of debate. Some governments are
believed to have been behind some network security attacks. Precise
details are often sketchy as no government will openly admit to such
activities.

9.

Here is a list of security techniques. Try and match the techniques with
particular security goals outlined in the earlier questions. Some of the
techniques may be unfamiliar to you. Do some research on the net to find out
the meaning of unfamiliar terms if necessary. Some techniques may match
more than one security goal.

Passwords
Timestamps
Firewalls

Encryption
Digital Signature
Trusted Third Parties
Hash Functions
Message Authentication Code (MAC) aka keyed Hash Function
Use of Trusted Third Party
Unix File Permissions
Unix Access Control Lists
Backup Servers at a different IP address
Nonce
Confirmation

Security Goal

Technique

Confidentiality

Encryption

Integrity

Hash Functions, Message Authentication Codes (MACS)

Availability

Firewalls, Backup Servers at a different IP address

Entity
Authentication

Passwords, nonce

Message Origin
Authentication

Digital Signatures

Timeliness

Timestamp

Non-repudiation
(origin)

If message origin authentication then non repudiation of origin

should be able to be enforced.

Non-repudiation
(destination)

Use of trusted third party, Confirmation

Authorization

Passwords

Access Control

Firewalls, Unix file permissions, Access Control Lists (Unix

and cisco)