Means of protecting information in computer networks

Information protection in computer systems has a number of specific features, which stem from the fact that information is not rigidly bound to its medium and can be easily and quickly copied and transmitted over communication channels. There is a very large number of threats to information, which can be carried out by both external and internal violators. The problems that arise with the security of information transmission when working in computer networks can be divided into three main types:

  • interception of information: the integrity of the information is preserved, but its confidentiality is violated;
  • modification of information: the original message is changed or completely replaced by another and sent to the addressee;
  • substitution of the authorship of information.

The last problem can have serious consequences. For example, someone can send an e-mail on your behalf (this kind of deception is usually called spoofing), or a Web server can pretend to be an electronic store, accept orders and credit card numbers, but never ship any goods. Studies of data processing and computing systems in operation have shown that there are many possible channels of information leakage and ways of unauthorized access in systems and networks. Among them:

    Reading residual information in the system memory after executing authorized requests;

    Copying storage media and information files by overcoming security measures;

    Masquerading as a registered user;

    Masquerading as a system request;

    Use of software traps;

    Exploitation of operating system flaws;

    Illegal connection to equipment and communication lines;

    Deliberate disabling of protection mechanisms;

    Introduction and use of computer viruses.

Ensuring the security of information in computing systems and in stand-alone PCs is achieved by a set of organizational, organizational-technical, technical and software measures. Organizational information protection measures include:

    Restricting access to premises where information is prepared and processed;

    Allowing only verified officials to process and transmit confidential information;

    Storing electronic media and log books in safes that are closed to unauthorized persons;

    Preventing unauthorized persons from viewing the contents of processed materials through a display, printer, etc.;

    Use of cryptographic codes when transmitting valuable information over communication channels;

    Destruction of ink ribbons, paper and other materials containing fragments of valuable information.

  1. Cryptographic information protection.

Cryptographic methods of information protection are special methods of encrypting, encoding or otherwise transforming information, as a result of which its content becomes inaccessible without the key of the cryptogram and the reverse transformation. The cryptographic method of protection is, of course, the most reliable, since it protects the information itself rather than access to it (for example, an encrypted file cannot be read even if the medium is stolen). This method of protection is implemented in the form of programs or software packages.

Modern cryptography includes four major sections:

    Symmetric cryptosystems.

    In symmetric cryptosystems the same key is used for both encryption and decryption. (Encryption is a transformation in which the original text, also called plaintext, is replaced by ciphertext; decryption is the reverse process, in which the ciphertext is converted back into the original using the key.)

    Public key cryptosystems.

    Public key systems use two keys, a public key and a private key, that are mathematically related to each other. Information is encrypted with the public key, which is available to everyone, and decrypted with the private key, known only to the recipient of the message. (The key is the information necessary for the unhindered encryption and decryption of texts.)

    Electronic signature.

An electronic signature is a cryptographic transformation attached to the text which allows the recipient, when the text is received, to verify the authorship and authenticity of the message. The main areas of use of cryptographic methods are the transfer of confidential information over communication channels (for example, e-mail), establishing the authenticity of transmitted messages, and storing information (documents, databases) on media in encrypted form.

The danger of malicious unauthorized actions on information has become especially acute with the development of computer networks. Most information processing systems were created as separate objects: workstations, LANs, large universal computers, etc. Each system uses its own operating platform (Windows, Linux) as well as different network protocols (TCP/IP). The complex organization of networks creates favorable conditions for various kinds of offenses related to unauthorized access to confidential information. Most operating systems, both stand-alone and networked, do not contain reliable information security mechanisms.

The dangers of networked systems have resulted in ever-increasing costs and efforts to protect information that can be accessed through network communication channels. Data integrity can be maintained only if special measures are taken to control access to data and encrypt transmitted information. Different systems require different degrees of protection. The task of combining systems with different degrees of security (for example, on Unix and Windows platforms) has become urgent.

It is necessary to have a clear understanding of possible channels of information leakage and ways of unauthorized access to protected information. Only in this case is it possible to build effective mechanisms for protecting information in computer networks.

Network security threats

Paths of information leakage and unauthorized access in computer networks mostly coincide with those in autonomous systems. Additional features arise due to the existence of communication channels and the possibility of remote access to information. These include:

  • electromagnetic emanations from communication lines;
  • illegal connection to communication lines;
  • remote bypassing of protection systems;
  • errors in circuit switching;
  • disruption of communication lines and network equipment.

Network security issues are addressed within a security architecture, the structure of which includes:

  • security threats;
  • security services;
  • security mechanisms.

A security threat is understood as an action or event that can lead to the destruction, distortion or unauthorized use of network resources, including stored, transmitted and processed information, as well as software and hardware.

Threats are usually divided into:

  • unintentional, or accidental;
  • intentional.

Accidental threats arise as a result of software errors, hardware failures, incorrect actions of users or the network administrator, etc.

Deliberate threats pursue the goal of causing damage to users and subscribers of the network and, in turn, are divided into active and passive.

Passive threats are aimed at unauthorized use of network information resources, but do not affect its functioning. An example of a passive threat is obtaining information circulating in network channels through eavesdropping.

Active threats have the goal of disrupting the normal functioning of the network through targeted impact on its hardware, software and information resources. Active threats include, for example, destruction or electronic jamming of communication lines, disablement of a computer or operating system, distortion of information in user databases or system information, etc.

The main threats to information security on the network include:

  • disclosure of confidential information;
  • compromise of information;
  • unauthorized exchange of information;
  • repudiation of information;
  • denial of service;
  • unauthorized use of network resources;
  • erroneous use of network resources.

Threats of disclosure of confidential information are implemented through unauthorized access to databases.

Compromise of information is implemented by making unauthorized changes to databases.

Unauthorized use of network resources is a means of disclosing or compromising information, and also causes damage to users and network administration.

Misuse of resources is a consequence of errors in the LAN software.

Unauthorized exchange of information between network subscribers makes it possible to receive information to which access is prohibited, i.e., in essence, leads to the disclosure of information.

Repudiation of information consists in the recipient or the sender of this information denying the fact of its receipt or sending.

Denial of service is a very common threat that originates from the network itself. Such a denial is especially dangerous in cases where a delay in the provision of network resources can lead to serious consequences for the subscriber.

Network Security Services

The composition and characteristics of security services differ between network types. Information exchange protocols in networks are divided into two large groups, virtual connection and datagram, and networks are accordingly divided into virtual and datagram networks.

In virtual networks, the transfer of information between subscribers is organized over a so-called virtual channel and takes place in three stages: creation of the channel (connection), the transmission itself, and destruction of the channel (disconnection). Messages are divided into blocks, which are transmitted in the order in which they appear in the message.

In datagram networks, the packets (datagrams) of a message are transmitted from the sender to the recipient independently of each other, along different routes, and therefore the order in which packets are delivered may not correspond to the order in which they appear in the message. Conceptually, a virtual network follows the principle of telephone communication, while a datagram network follows that of the post.

The International Organization for Standardization (ISO) defines the following security services:

  1) authentication (confirmation of authenticity);
  2) ensuring integrity;
  3) data secrecy (confidentiality);
  4) access control;
  5) protection against failures.

The last two services are the same for datagram and virtual networks. The first three are characterized by certain differences due to the peculiarities of the protocols used in networks.

The authentication service, in relation to virtual networks, is called the peer entity authentication service and provides confirmation that the sender of the information is exactly who he claims to be. When applied to datagram networks, the authentication service is called the data origin authentication service.

Integrity is understood to mean that the sent and received data correspond exactly to each other. The integrity services for the two kinds of network are as follows:

  • virtual networks: connection integrity service with recovery; connection integrity service without recovery; selective field connection integrity service;
  • datagram networks: connectionless integrity service; selective field connectionless integrity service.

Fields are individual elements of the blocks or packets of transmitted data. Recovery refers to procedures for restoring data that were corrupted or lost, once corruptions, insertions or replays have been detected in blocks or datagrams. The integrity services of datagram networks do not provide recovery procedures.

Data secrecy services are:

  • connection secrecy service - ensures the secrecy of all data sent by objects over a virtual channel;
  • connectionless secrecy service - ensures the secrecy of the data contained in each individual datagram;
  • selective field confidentiality service for a connection;
  • traffic secrecy service - neutralizes the possibility of obtaining information about network subscribers and the nature of network use.

Security Mechanisms

Among the network security mechanisms defined by ISO, the following basic ones are usually distinguished:

  • encryption;
  • access control;
  • digital signature.

Encryption is used to implement the secrecy services and is also used in a number of other services.

Access control mechanisms implement the security service of the same name: they check the authority of network objects, i.e. programs and users, to access network resources. When a resource is accessed over a connection, control is performed at the point where the connection is initiated, at intermediate points, and at the end point.

Access control mechanisms are divided into two main groups:

  • authentication of the object requesting a resource, followed by an access check against a special access control information base;
  • use of security labels associated with objects; possession of an object bearing the label (mandate) gives the right to access the resource.

The most common and at the same time the least reliable authentication method is password access. Plastic cards and electronic tokens are more advanced. The most reliable authentication methods are those based on special characteristics of an individual, the so-called biometric methods.

A digital signature is used to implement the authentication and non-repudiation services. In essence it is intended to serve as an electronic analogue of the "signature" field on paper documents. The digital signature mechanism is based on public key encryption. Knowledge of the corresponding public key allows the recipient of a message to uniquely identify its sender.

Additional security mechanisms are as follows:

  • ensuring data integrity;
  • authentication;
  • traffic substitution;
  • routing management;
  • arbitration.

Mechanisms for ensuring data integrity are aimed at implementing the service of the same name, both for a separate block of data and for a data stream. The integrity of a block is ensured by the sender and recipient executing interrelated encryption and decryption procedures. Simpler methods of monitoring the integrity of a data stream are also possible, for example numbering the blocks or supplementing them with a timestamp.
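The block and stream integrity checks described here and in the integrity services section above (detection of corruption, insertion and replay, with and without recovery), as an added Python example that is not part of the original text: each block carries a sequence number, a timestamp and an HMAC-SHA256 tag under a shared key, and the receiver classifies what it gets. The key, the clock value and the block contents are constructed sample values.

```python
import hashlib
import hmac
import time

# Constructed sample key for the demonstration only; in a real system the key is
# distributed out of band and never embedded in source code.
SHARED_KEY = b"demo-shared-key-constructed-for-this-example"
MAX_CLOCK_SKEW = 30  # seconds a block's timestamp may lag or lead the receiver's clock


def block_tag(key: bytes, seq: int, ts: int, payload: bytes) -> str:
    """Keyed integrity tag (HMAC-SHA256) over sequence number, timestamp and
    payload, so that none of the three can be altered without the key."""
    header = seq.to_bytes(8, "big") + ts.to_bytes(8, "big")
    return hmac.new(key, header + payload, hashlib.sha256).hexdigest()


def make_block(key: bytes, seq: int, payload: bytes, ts=None) -> dict:
    """Sender side: number the block, stamp it and attach its tag."""
    ts = int(time.time()) if ts is None else ts
    return {"seq": seq, "ts": ts, "payload": payload.hex(),
            "tag": block_tag(key, seq, ts, payload)}


class StreamReceiver:
    """Receiver side of a connection integrity service. Classifies each block as
    ok / corrupted_or_forged / stale / replay / gap; in the 'with recovery'
    variant it buffers out-of-order blocks and asks for the missing ones."""

    def __init__(self, key: bytes, with_recovery: bool, clock=time.time):
        self.key = key
        self.with_recovery = with_recovery
        self.clock = clock              # injectable so the example runs with a fixed time
        self.expected_seq = 0
        self.pending = {}               # seq -> payload, held until the gap before it is filled
        self.retransmit_requests = []   # sequence numbers the sender is asked to resend
        self.delivered = []             # payloads accepted, in sequence order

    def check(self, block: dict) -> str:
        payload = bytes.fromhex(block["payload"])
        good_tag = block_tag(self.key, block["seq"], block["ts"], payload)
        # 1. Tag check: a modified block, or one inserted by someone without the
        #    key, fails here. compare_digest avoids a timing side channel.
        if not hmac.compare_digest(good_tag, block["tag"]):
            return "corrupted_or_forged"
        # 2. Timestamp check: a genuine block captured earlier and re-injected
        #    much later is rejected before its sequence number is even examined.
        if abs(int(self.clock()) - block["ts"]) > MAX_CLOCK_SKEW:
            return "stale"
        # 3. Sequence check: replays arrive below the expected number, losses
        #    (or blocks that overtook a lost one) above it.
        if block["seq"] < self.expected_seq:
            return "replay"
        if block["seq"] > self.expected_seq:
            if self.with_recovery:
                self.pending[block["seq"]] = payload
                missing = [s for s in range(self.expected_seq, block["seq"])
                           if s not in self.pending and s not in self.retransmit_requests]
                self.retransmit_requests.extend(missing)
            return "gap"
        self._accept(payload)
        return "ok"

    def _accept(self, payload: bytes) -> None:
        self.delivered.append(payload)
        self.expected_seq += 1
        # Drain any buffered blocks that now follow directly in sequence.
        while self.expected_seq in self.pending:
            self.delivered.append(self.pending.pop(self.expected_seq))
            self.expected_seq += 1


if __name__ == "__main__":
    now = 1_700_000_000  # constructed fixed clock value
    rx = StreamReceiver(SHARED_KEY, with_recovery=True, clock=lambda: now)
    blocks = [make_block(SHARED_KEY, i, f"block {i}".encode(), ts=now + i) for i in range(3)]
    for b in (blocks[0], blocks[0], blocks[2], blocks[1]):   # duplicate, then out of order
        print(b["seq"], rx.check(b))
    print("delivered:", rx.delivered, "requested:", rx.retransmit_requests)
```

A receiver built without recovery reports the same verdicts but never buffers or requests anything, which is the datagram-network case described above.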

Authentication Mechanisms are used to implement the service of the same name, distinguishing between one-way and mutual authentication. In the first case, one of the interacting objects of one level verifies the identity of the other, while in the second the verification is mutual. In practice, authentication mechanisms are typically combined with access control, encryption, digital signature and arbitration.

Traffic substitution mechanisms are used to implement the data stream secrecy service. They are based on the generation of fictitious blocks by network objects, their encryption and the organization of their transmission over network channels.

Routing control mechanisms are used to implement the secrecy services. These mechanisms ensure the choice of routes along which information moves through the network.

Arbitration mechanisms provide confirmation by a third party of the characteristics of data transmitted between network objects. To do this, all information sent or received by the objects also passes through the arbiter, which allows it to subsequently confirm the characteristics in question.

In general, a combination of several security mechanisms can be used to implement a single security service.

Protecting network operating systems

The operating system and network hardware provide protection for network resources, one of which is the OS itself, i.e. the programs and system information included in it. Therefore, security mechanisms must be implemented in one way or another in the LAN network OS.

It is customary to distinguish:

  • passive objects of protection (files, application programs, terminals, areas of random access memory, etc.);
  • active subjects (processes) that can perform certain operations on objects.

Object protection is implemented by the operating system by monitoring how subjects comply with a set of rules governing these operations. This set of rules is sometimes called the protection state. The operations that can be performed on protected objects are usually called access rights, and the access rights of a subject in relation to a specific object are called its capabilities. The so-called access control matrix is most often used as a formal model of the protection state in the OS.

A means of restricting access to protected objects that is fairly simple to implement is the protection ring mechanism.

File protection in the OS is organized as follows. Each file has several access rights associated with it: read, update and/or execute (for executable files). The owner of the file, i.e. the person who created it, enjoys all rights in relation to the file. He can transfer some of these rights to members of a group, that is, to persons to whom he entrusts the information contained in the file.
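As an added illustration of the access control matrix, the owner/group transfer of rights and the reference-monitor check described above (example code written for this page, not taken from any particular operating system), the following Python model keeps the protection state as a matrix, derives capability lists and access control lists from it, lets only a file's owner transfer rights it actually holds, and logs every decision. The subjects, group and file names are constructed.

```python
from collections import defaultdict

RIGHTS = {"read", "update", "execute"}


class AccessControlMatrix:
    """Protection state as an access control matrix: rows are subjects (users or
    processes), columns are objects (files, programs, terminals), and each cell
    holds the set of access rights the subject has to the object."""

    def __init__(self):
        self._cells = defaultdict(lambda: defaultdict(set))  # subject -> object -> rights
        self.owners = {}                                     # object -> creating subject
        self.groups = defaultdict(set)                       # group -> member subjects
        self.audit = []                                      # (subject, object, right, decision)

    def add_to_group(self, group, subject):
        self.groups[group].add(subject)

    def create(self, creator, obj, executable=False):
        """The subject that creates a file owns it and receives all rights to it."""
        if obj in self.owners:
            raise ValueError(f"object {obj!r} already exists")
        self.owners[obj] = creator
        rights = {"read", "update"} | ({"execute"} if executable else set())
        self._cells[creator][obj] |= rights

    def grant(self, granter, subject, obj, rights):
        """Only the owner may transfer rights, and only rights it holds itself."""
        rights = set(rights)
        if self.owners.get(obj) != granter:
            raise PermissionError(f"{granter} is not the owner of {obj!r}")
        if not rights <= self._cells[granter][obj]:
            raise PermissionError("cannot transfer rights the owner does not hold")
        self._cells[subject][obj] |= rights

    def grant_group(self, granter, group, obj, rights):
        """Transfer rights to every current member of a trusted group. The matrix
        is a snapshot: members added to the group later receive nothing until
        the owner grants again."""
        for member in self.groups[group]:
            self.grant(granter, member, obj, rights)

    def revoke(self, owner, subject, obj, rights=None):
        """Owner withdraws some rights (or all of them when rights is None)."""
        if self.owners.get(obj) != owner:
            raise PermissionError(f"{owner} is not the owner of {obj!r}")
        cell = self._cells[subject][obj]
        if rights is None:
            cell.clear()
        else:
            cell -= set(rights)

    def request(self, subject, obj, right):
        """Reference monitor: every operation is checked against the matrix and
        the decision is logged, so refused attempts remain visible afterwards."""
        if right not in RIGHTS:
            raise ValueError(f"unknown right {right!r}")
        allowed = right in self._cells[subject].get(obj, set())
        self.audit.append((subject, obj, right, "allow" if allowed else "deny"))
        return allowed

    def capabilities(self, subject):
        """Row of the matrix: the subject's capability list."""
        return {o: set(r) for o, r in self._cells[subject].items() if r}

    def acl(self, obj):
        """Column of the matrix: the object's access control list."""
        return {s: set(row[obj]) for s, row in self._cells.items() if row.get(obj)}

    def denials(self):
        """Audit entries for refused operations, the raw material for spotting probing."""
        return [entry for entry in self.audit if entry[3] == "deny"]


def build_demo():
    """Constructed scenario: alice creates a report and a tool, trusts the
    'analysts' group with read access to the report, and lets bob run the tool."""
    m = AccessControlMatrix()
    m.add_to_group("analysts", "bob")
    m.create("alice", "/data/report.txt")
    m.create("alice", "/bin/report-tool", executable=True)
    m.grant_group("alice", "analysts", "/data/report.txt", {"read"})
    m.grant("alice", "bob", "/bin/report-tool", {"execute"})
    return m


if __name__ == "__main__":
    m = build_demo()
    for subj, obj, right in [("bob", "/data/report.txt", "read"),
                             ("bob", "/data/report.txt", "update"),
                             ("carol", "/data/report.txt", "read")]:
        print(subj, right, obj, "->", "allow" if m.request(subj, obj, right) else "deny")
    print("ACL of report:", m.acl("/data/report.txt"))
    print("bob's capabilities:", m.capabilities("bob"))
```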

Access to OS resources is most often limited by password protection. The password can also be used as a key to encrypt/decrypt information in user files. The passwords themselves are also stored in encrypted form, making them difficult for attackers to identify and use. The password can be changed by the user, the system administrator, or the system itself after a set period of time.

Protecting distributed databases

Ensuring the security of distributed databases (RDBs) is indirectly implemented by the network OS. However, all the mentioned mechanisms and means are invariant to specific ways of presenting information in the database. Such invariance leads to the fact that if special measures are not taken, all DBMS users have equal rights to use and update all information available in the database. At the same time, information, as with its manual accumulation and use, must be divided into categories according to the classification of secrecy, user groups to whom it is available, as well as operations on it that are permitted to these groups. The implementation of this process requires the development and inclusion of special protection mechanisms in the DBMS.

Making a decision on access to certain information available in the RDB may depend on the following factors:

  1) time and access point;
  2) the presence of certain information in the database;
  3) the current state of the DBMS;
  4) user authority;
  5) history of data access.

These factors mean the following:

  1. Access to the database from each LAN terminal can be limited to a certain fixed period of time.
  2. The user can obtain the information he is interested in from the database only on the condition that the database contains some related information with a certain content.
  3. A user may be allowed to update information in a certain database only at those times when it is not being updated by other users.
  4. For each user of the application program, individual rights of access to various elements of the database are established. These rules regulate the operations that the user can perform on the specified elements. For example, a user may be allowed to select database elements containing information about goods offered on an exchange, but not to update this information.
  5. This factor is based on the fact that the user can obtain the information he is interested in not by directly selecting certain database elements, but indirectly, by analyzing and comparing DBMS responses to sequentially entered queries (data update commands). Therefore, to ensure the security of information in a database, in general the history of data access must be taken into account.

Data protection in computer networks is becoming one of the most pressing problems in modern information and computing systems. To date, three basic principles of information security have been formulated, whose task is to ensure:

data integrity;

protection against failures leading to loss of information or its destruction;

confidentiality of information;

When considering the problems associated with protecting data on a network, the question arises of classifying the failures and unauthorized accesses that lead to loss or unwanted modification of data. These may be equipment failures (cable system, disk systems, servers, workstations, etc.), loss of information (due to infection with computer viruses, improper storage of archived data, violations of data access rights), and incorrect actions of users and service personnel. The listed network disruptions have necessitated the creation of various kinds of information security tools. Conventionally, they can be divided into three classes:

means of physical protection;

software (anti-virus programs, authority delimitation systems, access control software);

administrative protection measures (access to premises, development of company security strategies, etc.).

One of the means of physical protection is information archiving and duplication systems. In local networks where one or two servers are installed, the system is most often installed directly into the free slots of the servers. In large corporate networks preference is given to a dedicated specialized archiving server, which automatically archives information from the hard drives of servers and workstations at a time set by the network administrator and issues a report on the backup performed. The most common archive server models are Intel's Storage Express System and ARCserve for Windows.

To combat computer viruses, antivirus programs are most often used, and hardware protection is less common. Recently, however, there has been a tendency towards combining software and hardware protection methods. Among hardware devices, special anti-virus cards inserted into standard computer expansion slots are used. Intel Corporation has proposed a promising technology for protecting against viruses in networks, the essence of which is to scan computer systems before they boot. In addition to anti-virus programs, the problem of protecting information on computer networks is solved by introducing access control and delimiting user authority. For this purpose the built-in tools of network operating systems are used, the largest manufacturer of which is Novell Corporation. On a system such as NetWare, in addition to the standard access restriction tools (password changes, delimitation of authority), it is possible to encrypt data using the "public key" principle, forming an electronic signature for packets transmitted over the network.

However, such a protection system is weak, because the access level and the ability to log into the system are determined by a password that is easy to spy on or guess. To prevent unauthorized entry into a computer network, a combined approach is used: password plus user identification using a personal "key". The "key" is a plastic card (magnetic or with a built-in microcircuit, i.e. a smart card) or one of various devices for identifying a person by biometric information: iris, fingerprints, hand geometry, etc. Servers and network workstations equipped with smart card readers and special software significantly increase the degree of protection against unauthorized access.

Access control smart cards allow you to implement functions such as entry control, access to PC devices, programs, files and commands. One of the successful examples of creating a comprehensive solution for access control in open systems, based on both software and hardware security, is the Kerberos system, which is based on three components:

a database that contains information on all network resources, users, passwords, information keys, etc.;

an authorization server, whose task is to process user requests for the provision of one or another type of network service. Upon receiving a request, it accesses the database and determines the user's authority to perform a specific operation. User passwords are not transmitted over the network, thereby increasing the degree of information security;

the ticket-granting server receives from the authorization server a "pass" with the user's name and network address, the request time, and a unique "key". The packet containing the "pass" is also transmitted in encrypted form. The ticket-granting server, after receiving and decrypting the "pass", checks the request, compares the "keys" and, if they are identical, gives the go-ahead to use the network equipment or programs.

As enterprises expand their activities, the number of subscribers grows, and new branches appear, the need arises to organize access for remote users (user groups) to computing or information resources at company centers. To organize remote access, cable lines and radio channels are most often used. In this regard, protecting information transmitted via remote access channels requires a special approach. Bridges and remote access routers use packet segmentation - dividing them and transmitting them in parallel over two lines - which makes it impossible to “intercept” data when a “hacker” illegally connects to one of the lines. The compression procedure of transmitted packets used when transmitting data ensures that the “intercepted” data cannot be decrypted. Remote access bridges and routers can be programmed in such a way that not all company center resources may be accessible to remote users.

Currently, special access control devices have been developed for computer networks accessed via dial-up lines. An example is the Remote Port Security Device (RPSD) module developed by AT&T, which consists of two units the size of a regular modem: RPSD Lock, installed in the central office, and RPSD Key, connected to the remote user's modem. RPSD Key and Lock allow you to set several levels of security and access control:

encryption of data transmitted over the line using generated digital keys;

access control based on the day of the week or time of day.

The strategy for creating backup copies and restoring databases also matters. Typically these operations are performed outside business hours in batch mode. Since in most DBMSs backup and data recovery are permitted only to users with broad privileges (access rights at the level of the system administrator or the database owner), it is not advisable to specify such sensitive passwords directly in batch processing files. In order not to store the password explicitly, it is recommended to write a simple application program that itself calls the copy/recovery utilities. In this case, the system password must be "hardwired" into the code of that application. The disadvantage of this method is that each time the password is changed, the program must be recompiled.

With respect to means of protection against unauthorized access, seven security classes (1-7) are defined for computer equipment (SVT) and nine classes (1A, 1B, 1V, 1G, 1D, 2A, 2B, 3A, 3B) for automated systems (AS). For SVT the lowest class is the seventh, and for AS it is 3B.

Let us take a closer look at certified systems of protection against unauthorized access (NSD), such as the COBRA system.

The COBRA system meets the requirements of the 4th security class (for SVT), implements identification and delimitation of user authority and cryptographic closure (encryption) of information, records distortions of the reference state of the PC working environment (caused by viruses, user errors, technical failures, etc.) and automatically restores the main components of the terminal operating environment.

The authority delimitation subsystem protects information at the level of logical drives. The user is given access to specific drives A, B, C, ..., Z. All subscribers are divided into 4 categories:

superuser (all actions in the system are available);

administrator (all actions in the system are available, with the exception of changing the name, status and powers of the superuser, adding or excluding him from the list of users);

programmers (can change personal password);

colleague (has the right to access resources assigned to him by the superuser).

In addition to authorizing and limiting access to logical drives, the administrator sets each user access rights to serial and parallel ports. If the serial port is closed, then it is impossible to transfer information from one computer to another. If there is no access to the parallel port, output to the printer is not possible.


3.4. Application of the Internet in economics and information protection

3.4.1. Organization of computer security and information protection

Information is one of the most valuable resources of any company, so ensuring information security is one of the most important and priority tasks.

The security of an information system is the property that consists in the ability of the system to ensure its normal functioning, that is, to ensure the integrity and secrecy of information. To ensure the integrity and confidentiality of information, it is necessary to protect information from accidental destruction and from unauthorized access to it.

Integrity means the impossibility of unauthorized or accidental destruction, as well as modification of information. Confidentiality of information means the impossibility of leakage and unauthorized acquisition of stored, transmitted or received information.

The following sources of threats to the security of information systems are known:

  • anthropogenic sources, caused by accidental or intentional actions of subjects;
  • technogenic sources, leading to failures and malfunctions of hardware and software due to outdated hardware or software errors;
  • natural sources, caused by natural disasters or force majeure.

In turn, anthropogenic sources of threats are divided into:

  • internal (actions of company employees) and external (unauthorized interference by outsiders from external general-purpose networks) sources;
  • unintentional (accidental) and intentional actions of subjects.

There are many possible directions of information leakage and ways of unauthorized access to it in systems and networks:

  • interception of information;
  • modification of information (the original message or document is changed or replaced by another and sent to the addressee);
  • substitution of information authorship (someone may send a letter or document on your behalf);
  • exploitation of deficiencies in operating systems and application software;
  • copying storage media and files bypassing security measures;
  • illegal connection to equipment and communication lines;
  • masquerading as a registered user and appropriating his powers;
  • introduction of new users;
  • introduction of computer viruses, and so on.

To ensure the security of information systems, information security systems are used, which represent a set of organizational and technological measures, software and hardware, and legal norms aimed at countering sources of threats to information security.

With an integrated approach, threat countermeasures are integrated to create a systems security architecture. It should be noted that any information security system is not completely safe. You always have to choose between the level of protection and the efficiency of information systems.

The means of protecting information in an information system (IS) from the actions of subjects include:

  • means of protecting information from unauthorized access;
  • protection of information in computer networks;
  • cryptographic information protection;
  • electronic digital signature;
  • protecting information from computer viruses.

Means of protecting information from unauthorized access

Gaining access to information system resources involves performing three procedures: identification, authentication and authorization.

Identification - assigning unique names and codes (identifiers) to the user (object or subject of resources).

Authentication - establishing the identity of the user who provided the identifier or verifying that the person or device providing the identifier is actually who it claims to be. The most common method of authentication is to assign a password to the user and store it on the computer.

Authorization is a check of authority or verification of a user's right to access specific resources and perform certain operations on them. Authorization is carried out to differentiate access rights to network and computer resources.
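The three procedures above, identification, authentication and authorization, as an added example in Python (this code is not part of the original text; the user store, the roles and the access matrix are constructed for illustration). It shows the point the text makes about passwords stored on the computer in the form a practitioner would want: the password itself is never stored, only a salted, key-stretched verifier, and the comparison is constant-time.

```python
import hashlib
import hmac
import os

# Constructed in-memory user store: identifier -> salted PBKDF2 verifier plus roles.
# In a real system this lives in a database; the users below are assumptions for the example.
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Key-stretched password verifier; the plaintext password is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def register(store: dict, user_id: str, password: str, roles: set) -> None:
    """Identification: assign a unique identifier and record the credential verifier."""
    if user_id in store:
        raise ValueError("identifier already assigned")
    salt = os.urandom(16)
    store[user_id] = {"salt": salt, "hash": hash_password(password, salt), "roles": roles}


def authenticate(store: dict, user_id: str, password: str) -> bool:
    """Authentication: verify that whoever presents the identifier also holds the secret."""
    record = store.get(user_id)
    if record is None:
        # Run a dummy derivation so unknown identifiers take as long as known ones.
        hash_password(password, b"\x00" * 16)
        return False
    return hmac.compare_digest(record["hash"], hash_password(password, record["salt"]))


# Constructed access matrix: resource -> operation -> roles allowed to perform it.
PERMISSIONS = {
    "payroll.db": {"read": {"accountant", "admin"}, "write": {"admin"}},
    "public.html": {"read": {"accountant", "admin", "guest"}, "write": {"admin"}},
}


def authorize(store: dict, user_id: str, resource: str, operation: str) -> bool:
    """Authorization: check the user's right to perform an operation on a resource.

    A real system calls this only for a session that has already passed authenticate().
    """
    roles = store.get(user_id, {}).get("roles", set())
    allowed = PERMISSIONS.get(resource, {}).get(operation, set())
    return bool(roles & allowed)


def demo() -> dict:
    """Walk through the three procedures with two constructed users."""
    store = {}
    register(store, "alice", "correct horse battery staple", {"accountant"})
    register(store, "bob", "hunter2", {"guest"})
    return {
        "alice_ok": authenticate(store, "alice", "correct horse battery staple"),
        "alice_bad": authenticate(store, "alice", "wrong"),
        "nobody": authenticate(store, "carol", "anything"),
        "alice_read_payroll": authorize(store, "alice", "payroll.db", "read"),
        "alice_write_payroll": authorize(store, "alice", "payroll.db", "write"),
        "bob_read_payroll": authorize(store, "bob", "payroll.db", "read"),
        "bob_read_public": authorize(store, "bob", "public.html", "read"),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Note the order: authorization answers "what may this user do" and is meaningful only after authentication has answered "is this really that user"; the roles in the store are the user's authority, and the access matrix is where the differentiation of rights the text mentions is actually expressed.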

Protection of information in computer networks

Local enterprise networks are very often connected to the Internet. To protect company local networks, firewalls (network screens) are used as a rule. A firewall is an access control device that divides the network into two parts (the boundary runs between the local network and the Internet) and applies a set of rules that determine the conditions under which packets may pass from one part to the other. Screens can be implemented either in hardware or in software.
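The rule set the paragraph describes, as an added example in Python (not code from the original text or from any firewall product). The addresses, the local network range and the rules are constructed; the evaluation follows the usual packet-filter convention of first matching rule wins with a default of deny for anything no rule covers.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str        # source IP address
    dst: str        # destination IP address
    proto: str      # "tcp", "udp" or "icmp"
    dport: int      # destination port (0 for protocols without ports)
    direction: str  # "in" = Internet -> local network, "out" = local network -> Internet


@dataclass(frozen=True)
class Rule:
    direction: str
    src: str        # CIDR network or "any"
    dst: str        # CIDR network or "any"
    proto: str      # protocol name or "any"
    dport: int      # destination port or None for any port
    action: str     # "allow" or "deny"


def _match_net(cidr: str, addr: str) -> bool:
    return cidr == "any" or ip_address(addr) in ip_network(cidr)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches when every one of its fields matches the packet."""
    return (rule.direction == pkt.direction
            and _match_net(rule.src, pkt.src)
            and _match_net(rule.dst, pkt.dst)
            and rule.proto in ("any", pkt.proto)
            and rule.dport in (None, pkt.dport))


def decide(rules: list, pkt: Packet, default: str = "deny") -> str:
    """First matching rule wins; a packet matched by no rule gets the default (deny)."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return default


# Constructed local network and rule set (assumptions for the example).
LAN = "192.168.10.0/24"
RULES = [
    Rule("in", "any", "192.168.10.5/32", "tcp", 443, "allow"),  # one published HTTPS server
    Rule("in", "any", LAN, "any", None, "deny"),                 # nothing else inbound
    Rule("out", LAN, "any", "tcp", 443, "allow"),                # HTTPS to the Internet
    Rule("out", LAN, "any", "udp", 53, "allow"),                 # DNS to the Internet
    Rule("out", LAN, "any", "tcp", 23, "deny"),                  # explicit block for telnet
]


def evaluate_samples() -> dict:
    """Run a few constructed packets through the rule set."""
    samples = {
        "web_in": Packet("203.0.113.7", "192.168.10.5", "tcp", 443, "in"),
        "ssh_in": Packet("203.0.113.7", "192.168.10.5", "tcp", 22, "in"),
        "https_out": Packet("192.168.10.20", "198.51.100.1", "tcp", 443, "out"),
        "telnet_out": Packet("192.168.10.20", "198.51.100.1", "tcp", 23, "out"),
        "other_out": Packet("192.168.10.20", "198.51.100.1", "tcp", 8080, "out"),
    }
    return {name: decide(RULES, pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name}: {verdict}")
```

Ordering is what makes the rule set meaningful: the single inbound allow must precede the blanket inbound deny, and the final default of deny is what turns the firewall from a list of exceptions into a real boundary between the two parts of the network.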

Cryptographic information protection

To ensure the secrecy of information, encryption (cryptography) is used. Encryption uses an algorithm, or a device that implements a specific algorithm. The encryption process is controlled by a variable key.

Encrypted information can only be retrieved using a key. Cryptography is a very effective method that increases the security of data transmission on computer networks and when exchanging information between remote computers.

Electronic digital signature

To exclude the possibility of modification of the original message or substitution of this message for others, it is necessary to transmit the message along with an electronic signature. An electronic digital signature is a sequence of characters obtained as a result of cryptographic transformation of the original message using a private key and allowing one to determine the integrity of the message and its authorship using a public key.

In other words, a message encrypted with the private key is called an electronic digital signature. The sender transmits the message in its original, unencrypted form together with the digital signature. The recipient uses the public key to decrypt the character sequence from the digital signature and compares it with the character sequence of the unencrypted message.

If the characters completely match, we can say that the received message has not been modified and belongs to its author.

Protecting information from computer viruses

A computer virus is a small malicious program that can independently create copies of itself, insert them into programs (executable files), documents and boot sectors of storage media, and spread through communication channels.

Depending on the environment, the main types of computer viruses are:

  1. Software viruses (infect files with the extensions .COM and .EXE).
  2. Boot viruses.
  3. Macroviruses.
  4. Network viruses.

Sources of virus infection can be removable media and telecommunications systems. Among the most effective and popular antivirus programs are Kaspersky Anti-Virus 7.0, AVAST, Norton AntiVirus and many others. More detailed information about viruses and methods of protection against them is described on the page
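Because software viruses work by changing executable files, the simplest detection that does not depend on knowing a particular virus is an integrity baseline: record a hash of every executable while the system is known clean and later report anything modified or newly appeared. The following is an added example in Python (not from the original text or from any antivirus product); the file contents are constructed byte strings standing in for real files, and the appended bytes stand in for an infector's modification.

```python
import hashlib

EXECUTABLE_SUFFIXES = (".exe", ".com")


def fingerprint(files: dict, executables_only: bool = True) -> dict:
    """Map each path to the SHA-256 of its content.

    `files` is a dict path -> bytes; on a real system this would be read from disk.
    """
    return {
        path: hashlib.sha256(data).hexdigest()
        for path, data in files.items()
        if not executables_only or path.lower().endswith(EXECUTABLE_SUFFIXES)
    }


def compare(baseline: dict, current: dict) -> dict:
    """Report executables whose hash changed, appeared, or disappeared since the baseline."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return {"modified": modified, "added": added, "removed": removed}


def demo() -> dict:
    # Constructed clean system: two executables and one document.
    clean = {
        "C:/APPS/EDIT.EXE": b"MZ\x90\x00 clean editor body",
        "C:/APPS/HELP.COM": b"\xe9 clean help program",
        "C:/DOCS/NOTE.TXT": b"plain text document",
    }
    baseline = fingerprint(clean)           # taken while the system is known clean

    # Constructed later state: EDIT.EXE has extra bytes appended, a new .COM has appeared,
    # and the document changed (documents are outside this executable-only baseline).
    later = dict(clean)
    later["C:/APPS/EDIT.EXE"] = clean["C:/APPS/EDIT.EXE"] + b"<<appended bytes>>"
    later["C:/APPS/NEW.COM"] = b"\xe9 program that was not there before"
    later["C:/DOCS/NOTE.TXT"] = b"plain text document, edited by the user"
    return compare(baseline, fingerprint(later))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The baseline is only as trustworthy as its storage: keep it on read-only or offline media, since a program that can alter executables can also alter a baseline kept on the same disk. This check complements, rather than replaces, the signature-based antivirus programs named above, which also cover boot sectors and macro documents.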

Ensuring the security of information in computing systems (CS) and in autonomously operating PCs is achieved by a set of organizational, organizational-technical, technical and software measures. Organizational information protection measures include:

    Restricting access to premises where information is prepared and processed;

    Allowing only verified officials to process and transmit confidential information;

    Storing electronic media and log books in safes that are closed to unauthorized persons;

    Preventing unauthorized persons from viewing the contents of processed materials through a display, printer, etc.;

    Use of cryptographic codes when transmitting valuable information over communication channels;

    Destruction of ink ribbons, paper and other materials containing fragments of valuable information.

  1. Cryptographic information protection.

Cryptographic methods of information protection are special methods of encrypting, encoding or otherwise transforming information, as a result of which its content becomes inaccessible without the cryptogram key and the reverse transformation. The cryptographic method is, of course, the most reliable method of protection, since the information itself is protected rather than access to it (for example, an encrypted file cannot be read even if the medium is stolen). This method of protection is implemented in the form of programs or software packages.

Modern cryptography includes four major sections:

    Symmetric cryptosystems.

    In symmetric cryptosystems the same key is used for both encryption and decryption. (Encryption is the transformation process in which the original text, also called plaintext, is replaced by ciphertext; decryption is the reverse process, in which the ciphertext is converted back into the original text on the basis of the key.)

    Public key cryptosystems.

    Public key systems use two keys, a public key and a private key, which are mathematically related to each other.

    Electronic signature system.

    An electronic signature is a cryptographic transformation attached to the text which allows another user who receives the text to verify the authorship and authenticity of the message.

The main areas of use of cryptographic methods are the transfer of confidential information through communication channels (for example, e-mail), establishing the authenticity of transmitted messages, and storing information (documents, databases) on media in encrypted form.
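The electronic signature procedure described here and in the earlier section on electronic digital signatures (sign with the private key, verify with the mathematically related public key), as an added example in Python that is not part of the original text. It uses textbook RSA with two Mersenne primes chosen only so that the arithmetic is visible and self-contained; this key size and the absence of signature padding are assumptions for illustration, and a real system uses a standard library with 2048-bit or larger keys and a padded scheme. The message is hashed first, so the signed "character sequence" is a digest of the message rather than the message itself.

```python
import hashlib
from math import gcd

# Toy RSA key (assumption for the example): two Mersenne primes, far too small for
# real use, chosen so the numbers stay readable. Never use keys like these in practice.
P = 2**61 - 1
Q = 2**31 - 1
N = P * Q                      # public modulus
PHI = (P - 1) * (Q - 1)
E = 65537                      # public exponent
assert gcd(E, PHI) == 1
D = pow(E, -1, PHI)            # private exponent: modular inverse of E (Python 3.8+)

PUBLIC_KEY = (N, E)            # published to everyone
PRIVATE_KEY = (N, D)           # kept by the signer only


def message_digest(message: bytes, n: int) -> int:
    """Hash the message first; the signature transforms the digest, not the text."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private_key=PRIVATE_KEY) -> int:
    """Signer: transform the digest with the private key."""
    n, d = private_key
    return pow(message_digest(message, n), d, n)


def verify(message: bytes, signature: int, public_key=PUBLIC_KEY) -> bool:
    """Recipient: transform the signature back with the public key and compare
    with the digest of the received plaintext. Equal means unmodified and authored
    by the private key holder."""
    n, e = public_key
    return pow(signature, e, n) == message_digest(message, n)


def demo() -> dict:
    msg = b"Pay 100 units to account 12345"          # constructed sample message
    sig = sign(msg)
    return {
        "genuine": verify(msg, sig),                                      # original message, original signature
        "tampered": verify(b"Pay 900 units to account 12345", sig),       # modified message
        "forged_signature": verify(msg, (sig + 1) % N),                   # altered signature
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'valid' if ok else 'INVALID'}")
```

The two failure cases are the ones the text cares about: a change to the message and a change to the signature both make the recomputed digest and the decrypted signature disagree, so modification and substituted authorship are both detected as long as the private key has stayed private.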