When we use a computer system connected to the internet, we can reach many different sites, and any system on the internet can be reached by another system that speaks the same protocols. When we download information from the Internet, our first concern is the security of our own computer system and of the other system.
The concern about our own system is that we do not want an unauthorized person to access any information on it. We also need to be concerned about the security of the other system, so that we can conduct business transactions with it and retrieve trustworthy information from it.
Maintaining security becomes even more important when we use the internet for commercial transactions: we need to make sure that messages stay private and that financial transactions are secure. The following methods of internet security are described below.
What is Authentication?
Authentication is the process of determining the identity of a user who is attempting to access a system. For security purposes, the verification of the identity of a person or process is necessary.
Thus, authentication is the verification of a user’s claim of identity by means of passwords, personal challenges, response calculators, or random password generators.
Authentication methods are usually based on something users know, such as passwords, or something users have, such as security tokens or smart cards.
Most security policies state that to access a network and its services, a user must enter a login ID and password that are authenticated by a security server. To maximize security, one-time passwords can be used. With one-time password systems, a user’s password always changes. This is often accomplished with a security card. A security card is a physical device about the size of a credit card. The user types a personal identification number (PIN) into the card.
(The PIN is an initial level of security that simply gives the user permission to use the card.) The card provides a one-time password that is used to access the corporate network for a limited time. The password is synchronized with a central security server. Security cards are commonly used by telecommuters and mobile users; they are not usually used for LAN access.
There are two primary models for token-based user authentication systems:
One-time Password Systems
The user token displays a “current password” that the user enters in any context that would require a conventional password. The server system can calculate the password on demand and verify the authentication request. However, it is incumbent on the authentication server to ensure that a password cannot be reused. This means that each successful one-time password authentication requires an update operation to the authentication database.
Challenge-Response Systems
The user first receives a challenge (usually a pseudo-random number) generated by the authentication server. The challenge is then copied by the user into his token. The token then calculates and displays a response that depends on the challenge. The user then copies this response back into the application prompting for authentication information.
The server system calculates the expected response and compares it with the response submitted by the user. In contrast to the one-time password model, because challenges are generated at random by the server, attacks based on replaying authentication information are not an issue for a well-designed system. As a result, the server does not need to retain information regarding which “passwords” have been used.
Some of the Authentication Methods are given in the following subsections.
Passwords
The password is the most common form of computer security. Some networks require multiple levels of passwords to gain access to various servers or databases. Passwords become weak links when they are shared among colleagues, stolen, written down, or created in such a way that they can be easily guessed. For example, users will try to create memorable passwords by using their names or social security numbers.
Callback
Callback is a security feature that works like this. A user dials into a communications server and enters a username and password. The communications server then hangs up the modem connection, searches its database to authenticate the user, and then calls the user back at a pre-defined number. Callback provides good security and cost savings for users who remotely access networks from one fixed location. However, it is inconvenient for traveling executives.
Packet Filters
Packet filters allow network administrators to limit a user’s access to specific services on the network. For example, a user may be allowed to send electronic mail but not copy data files from the network. Packet filtering on the communications servers analyses each message being sent from a remote client. The filter can determine the computer and service the user is attempting to reach and either permit or deny access to that server.
Authentication Servers
Authentication servers can be set up in a variety of ways, depending upon the security scheme of the network they are serving. The basic process for authenticating a user includes the following steps:
A user dials into a network through a communications server or Network Access Server (NAS).
The NAS forwards the user identification and password to the Authentication Server.
Then the Authentication server validates the user and provides access privileges to the network.
RADIUS (Remote Authentication Dial-In User Service)
RADIUS is a system of distributed security that solves the problems associated with meeting the security requirements of remote computing. The solution eliminates the need for special hardware and provides access to a variety of state-of-the-art security solutions.
Distributed security separates authentication and authorization from the communications process and creates a single central location for user authentication data. RADIUS is a freely available distributed security system developed by Lucent Technologies. RADIUS provides an open and scalable client-server security system. The RADIUS server can be easily adapted to work with third-party security products or proprietary security systems.
Any communications server or network hardware that supports the RADIUS client protocol can communicate with a RADIUS server. RADIUS authenticates users through a series of communications between the client and the server. Once a user is authenticated, the client provides that user with access to the appropriate network services.
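As an added example (not code from the article or from any RADIUS implementation), the exchange described in the authentication-server steps and in this section: the NAS forwards the user name and password to the RADIUS server in an Access-Request, and the server answers with an Access-Accept or Access-Reject. Packet layout, the User-Password hiding scheme and the Response Authenticator follow RFC 2865; the shared secret, the user store and the absence of reply attributes are assumptions for the demo.

```python
import hashlib, hmac, secrets, struct

# Constructed shared secret and user store for this demo; not from any real deployment.
SHARED_SECRET = b"example-nas-secret"
USER_DB = {"alice": b"correct horse battery staple"}
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3  # RFC 2865 packet codes
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2               # RFC 2865 attribute types

def password_xor(data, secret, req_auth, decrypt=False):
    # RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous ciphertext block);
    # the first block chains from the Request Authenticator. One routine both hides and recovers.
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        block = bytes(x ^ y for x, y in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, (data[i:i + 16] if decrypt else block)
    return out

def attr(atype, value):            # Type, Length (including this 2-byte header), Value
    return bytes([atype, len(value) + 2]) + value

def parse_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs

def nas_build_request(ident, username, password, secret):
    # NAS side: fresh random Request Authenticator per request; password padded with NUL to 16 bytes, then hidden
    req_auth = secrets.token_bytes(16)
    padded = password + b"\x00" * (-len(password) % 16)
    attrs = attr(ATTR_USER_NAME, username.encode()) + attr(ATTR_USER_PASSWORD, password_xor(padded, secret, req_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def server_handle_request(packet, secret):
    # Server side: recover the password, compare in constant time, sign the reply with a Response Authenticator
    _code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth, attrs = packet[4:20], parse_attrs(packet[20:length])
    given = password_xor(attrs[ATTR_USER_PASSWORD], secret, req_auth, decrypt=True).rstrip(b"\x00")
    ok = hmac.compare_digest(USER_DB.get(attrs[ATTR_USER_NAME].decode(), b"\x00"), given)
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    return header + hashlib.md5(header + req_auth + secret).digest()  # MD5(Code+ID+Length+RequestAuth+Attrs+Secret)

def exchange(username, password, ident=7):
    # NAS accepts the reply only if the identifier matches and the Response Authenticator verifies under the secret
    req = nas_build_request(ident, username, password, SHARED_SECRET)
    resp = server_handle_request(req, SHARED_SECRET)
    expected = hashlib.md5(resp[:4] + req[4:20] + SHARED_SECRET).digest()
    return resp[0] if resp[1] == ident and hmac.compare_digest(resp[4:20], expected) else None
```

The MD5-based hiding only protects the password against a passive observer who lacks the shared secret, which is why production deployments run RADIUS over a protected transport or use stronger methods.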
Authorization
Authorization is the process of determining how an authenticated user is permitted to use specific resources. An authorization mechanism automatically enforces a management policy regarding the use of resource objects. For example, in a computer system, resources typically include data files, operator commands, transactions, I/O devices, and program processes. The specific rules for authorizing access to data objects usually enforce confidentiality and integrity by granting or denying access to read, modify or create data records and by controlling the creation or deletion of data objects.
For a communications network, resource objects usually include specific operator commands and routing destinations. The authorization rules for networks generally limit each network operator’s available commands for status inquiry or for starting and stopping devices in local and remote network domains.
While authentication controls who can access network resources, authorization says what they can do once they have accessed those resources. Authorization lets a security administrator control parts of a network, for example, directories and files on servers.
Auditing and Accountability
Auditing is the process of data collection and analysis that allows administrators and others, such as IT auditors, to verify that the users and authorization rules are producing the intended results as defined in a company’s business and security policy.
Individual accountability for attempts to violate the intended policy depends on monitoring relevant security events, which initiates the auditing feedback reporting loop. The monitoring process can be implemented as a continuous automatic function, as a periodic check, or as an occasional verification that proper procedures are being followed. The auditing information may be used by security administrators, internal audit personnel, external auditors, government regulatory officials, and in legal proceedings.
The auditing and individual accountability monitoring functions also apply to documenting the activities of security administrators and auditors, to ensure that they are not abusing their authorized capabilities.
To effectively analyze the security of a network and to respond to security incidents, procedures should be established for collecting network activity data. Collecting this data is called accounting or auditing.
For networks with strict security policies, audit data should include all attempts to achieve authentication and authorization by any person. It is especially important to log “anonymous” or “guest” access to public servers. The data should also log all attempts by users to change their access rights. The collected data should include user and host names for login and logout attempts, and the previous and new access rights for a change of access rights. Each entry in the audit log should be time-stamped.
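The record layout and review logic below are an added example, not part of the original article: an audit entry writer that captures the fields the text calls for (time stamp, user, host, outcome, and previous plus new rights for a rights change), and a review pass over a constructed sample log that surfaces the events the text singles out. The JSON-lines format and field names are assumptions.

```python
import json
from datetime import datetime, timezone

def audit_entry(event, user, host, outcome, old_rights=None, new_rights=None, ts=None):
    # One time-stamped record per attempt; rights changes carry both the previous and the new rights
    rec = {"ts": ts or datetime.now(timezone.utc).isoformat(), "event": event,
           "user": user, "host": host, "outcome": outcome}
    if event == "rights_change":
        rec["old_rights"], rec["new_rights"] = sorted(old_rights or []), sorted(new_rights or [])
    return json.dumps(rec)

def review(log_lines):
    # Reports what the policy says to watch: guest/anonymous access, rights gained, failed logins per user
    findings = {"guest_access": [], "rights_gained": [], "failed_logins": {}}
    for line in log_lines:
        rec = json.loads(line)
        if rec["event"] == "login" and rec["user"] in ("anonymous", "guest"):
            findings["guest_access"].append((rec["ts"], rec["host"]))
        elif rec["event"] == "login" and rec["outcome"] == "failure":
            findings["failed_logins"][rec["user"]] = findings["failed_logins"].get(rec["user"], 0) + 1
        elif rec["event"] == "rights_change":
            gained = sorted(set(rec["new_rights"]) - set(rec["old_rights"]))
            if gained:                         # a request that adds rights, whether or not it succeeded
                findings["rights_gained"].append((rec["ts"], rec["user"], rec["outcome"], gained))
    return findings

# Constructed sample audit log with fixed time stamps so the demo is reproducible
SAMPLE_LOG = [
    audit_entry("login", "alice", "nas1", "success", ts="2024-01-01T08:00:00+00:00"),
    audit_entry("login", "guest", "www1", "success", ts="2024-01-01T08:05:00+00:00"),
    audit_entry("login", "bob", "nas1", "failure", ts="2024-01-01T08:06:00+00:00"),
    audit_entry("login", "bob", "nas1", "failure", ts="2024-01-01T08:07:00+00:00"),
    audit_entry("rights_change", "alice", "fs1", "success", ["read"], ["read", "write"],
                ts="2024-01-01T08:10:00+00:00"),
    audit_entry("rights_change", "bob", "fs1", "denied", ["read"], ["read", "admin"],
                ts="2024-01-01T08:11:00+00:00"),
    audit_entry("logout", "alice", "nas1", "success", ts="2024-01-01T09:00:00+00:00"),
]
```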