Aspects of network security are closely tied to the services provided: inbound or outbound. Security in the outbound service can be tried as best they can with the firewall configuration. Similarly, the anonymous access to the inbound services, such as anonymous FTP, HTTP, Gopher etc.. In this case, the information is deliberately provided to all people. Other well as when we want to provide access to non-anonymous (or authenticated services), where in addition to through the firewall, someone requesting access must also be obtained 'permission' after the first server to prove identity. This is the authentication. For further, the author uses the term as a synonym autentisasi word.
RISK-SECURITY SERVICES inbound
Why should autentisasi ... ..? Internet is a public network, and open to everyone across the world to combine them. Once the size of this network, has raised profit and loss. Often we hear and read about bobolnya bank financial computer system, a secret Pentagon information or data base student academic transcripts. Sentence is enough to represent the statement that we must be 'vigilant' against those 'evil' and always try to minimize the possibility for them to be able to jahatnya intention. Indeed, it's easy to negate the possibility of infiltration (illegal access) from outside the channel close all inbound traffic to the network services internally. However, this is a major advantage mereduksi the network: communication and use of the resources together (sharing resources). Thus, the natural consequence of the network is big enough, is to receive and attempt to minimize this risk, not abolish.
We will start from a network-administrator (NA), which has performed its duties well, set up in the 'defense' service for all outbound and inbound-anonymous. Need some additional things that should be remembered. Whether defense is strong enough for the theft of a relationship (hijacking attack)? Are there already considered the possibility pemonitoran illegal packages of information that is sent (packet sniffing - playback attack)? Including whether or readiness for the real existence of illegal access to the system (false authentication)?
Hijacking usually occur on a computer network to contact us, even if for some rare cases, can occur on any path that dilaluinya. So that will be wise to consider if a NA reposal access only from computers that do not have the same security system or may be 'strong', compared with the network under the responsibility answered. Business opportunities out this natural, can also be done with the set packet-filter well or use a server modifications. For example, we can provide facilities for anonymous-FTP any computer anywhere, but only authenticated FTP-given the hosts listed in the list of 'trust'. Hijacking of the path can be avoided with the use of encryption across the network (end to end encryption).
Confidentiality of data and the password is also the topic design security. Program dedicated to packet-sniffing can automatically display the contents of each packet of data between the client with the server. Password protection of such crimes can be done with the implementation of the one-time password (non-reusable passwords), so that although you can termonitor by sniffer, password can not be used again.
Risk of hijacking and sniffing data (not the password) can not be avoided altogether. NA means should consider this possibility and do the optimization for small-to its opportunity. Limiting the number of accounts with full access and remote access time, is one form of optimization.
Mechanism AUTENTISASI
Autentisasi is the subject of verification. Proved that includes three categories, namely: something in us (something you are sya), something that we know (something you know SYK), and something that we have (something you have SYH). Sya closely related to the field of biometrik, such as finger-examination examination, eye examination retina, voice etc. analysis. SYK is identical with the password. SYH While generally used for identity cards such as smartcard. \
Perhaps, it is still a widely used system is password-ber. To prevent password theft and illegal use of the system, the network will be wise if we equipped one-time password system. How the implementation of this method?
First, use the system time-stamp-ter encryption. In this way, a new password be sent after the first modified based on the time at that time. Second, the system uses challenge-response (CR), where we provide the password from the server depending on the challenge. Kasarnya we prepare a list of answers (response) is different for the 'questions' (challenge) by a different server. Because of very difficult to memorize as much as tens or hundreds of the password, will be easier if the rule is dihafal challenge to change the response to be provided (not so random). For example, our rule is: "kapitalkan fifth letter and delete the four letters", the password that we provide is MxyPtlk1W2 to challenge the system Mxyzptlk1W2.
If the CR system, must be 'aturan' it, then the time-stamp system, we must remember the password for this time-stamp. What I did not make it like this? Luckily once the mechanism is generally handled by a device, either with software or hardware. Kerberos, software autentisasi made at MIT, and adopted the time-stamp system, require modifications to the client for time synchronization with the server password and the time-stamp. Modify the client program on the proxy and we are, more or less like that. CR systems are usually applied simultaneously with the support of the hardware. Sample CR system is operational device SNK-004 card (Digital Pathways), which can be applied together with the packet-FWTK TIS (Trusted Information Systems - Internet Firewall Toolkit).
TIS-FWTK offers a one-time password solution (CR system) that are 'fun': S / Key. S / Key hash algorithm implementing the procedure iteratif against a seed, such a system can validate the client-instant response but does not have the ability to predict response-client next. So if there is infiltration in the system, there is no 'something' that can be stolen (usually a list of password). Hash algorithms have two main nature. First, the input can not diregenerasikan output from the (non-reversibel). Second, there are two possible inputs for a same output.
Encryption and Cryptography
Cryptography has been developed since a long time, when people want information that he can not send 'read' by parties not concerned. Cryptography is traditionally known as the two mechanisms, a private key or public key. DES (data encryption standard) that is used by Kerberos to use private-key system. RSA (Rivest Shamir Addleman) implement public-key system. One of the contributors RSA, Ron Rivest and make MD4 (message digest function # 4) used by the S / Key is half-FWTK. Optimization and crossbreed between the two methods is the traditional birth PGP (Pretty Good Privacy). Discussion of the DES, RSA, or PGP is a book and not in place here disclosed. But clearly, a private-key system with a process characterized encrypt-decrypt key through the identical, whereas in public-key system, this process is done with two keys: public key to encrypt and decrypt the key secret to this is the second key digenerasikan and have relationships close through a mathematical algorithm. Because the mathematical process is needed first, speed public-key systems can be thousands of times more slowly from the private-key algorithm ekivalen even if the other offers better protection. Exploit the advantages and disadvantages of the system key private and public PGP done, for which the data transmission system would be conducted with key private-session-key so that it runs fast, while the transmission of session-key using its own public-key.
With encryption, the information that we submit to the network through a network of security doubts (the Internet), relatively more secure. Encryption between the network causes a 'thief' must try a little harder to get illegal information that he expected. There are several opportunities for the implementation of encryption, namely: the application level, data-link level and network level.
On application-level encryption requires the use of software-specific client-server. In accordance with the OSI reference model, encryption of data-link is only valid for point to point links, such as the encryption system on a phone modem. While network-level encryption (network layer) is applied on the router or other equipment adjacent to the network dikedua side. Optimization of interest and be done with the security policy set the type / part of IP packet akan dienkrip, adjustments to the firewall architecture and the consequences, the effectiveness of the distribution of key-encryption etc.. In the future, where technology VLAN (Virtual LAN) is estimated to be the choice for the main Intranet (enterprisewide), the use of network-level encryption has become so important. Perhaps as important as the situation that while a company is' forced 'to use the internet as a route for delivery of sensitive information between head office with branches dibelahan the other earth.
KERBEROS AND TIS-FWTK Authentication SERVER
Kerberos is one of Athena project, the collaboration between MIT, IBM and DEC. Kerberos designed for medukung autentisasi encryption and data on the environment through modification terdistribusi client or server standard. Some operating system vendors have been entered into the Kerberos products. MIT itself provides a free version of Unix that many have in-Kerberizing. Even for the sake ported to the operating system or software client-server is not support Kerberos, MIT provides to its source-code, also free. Project Athena own Kerberos implementation in many applications such as NFS, rlogin, email, and password system. Secure RPC (Sun Microsystems) also implement the same.
There are a few things to consider in the implementation of Kerberos. Modifications to the software client and the server will cause the application of choice. Unfortunately, there is also not as an alternative method of modification source-code (as in the proxy that allows custom user procedure or custom client software). Then, most people also agree to call: "Kerberos is relatively difficult to apply / managed."
Package autentisasi other system offered by TIS-FWTK: authentication-server. Servers are designed in a modular, flexible so that it supports many popular autentisasi mechanisms such as reusable standard password system, S / Key, SecurdID card from Security Dynamics (the system with time-stamp), SNK-004 card Digital Pathways (CR system) and for ease of integration new mechanism. Back to the conference beginning this paper, the main interest is how we prepare the 'defense' for the service inbound non-anonymous, perhaps authentication-server solution that is worth consideration. Why? How does this work? Not much space in this paper to load all our discussions about autentisasi, but the cover illustration below will give you a little picture for you, peminat network security, the authentication-server.
Author: Eueung Mulyana & Onno W. Purbo
Read More..
