The Three Pillars Of Network Security

Introduction

When dealing with network security, almost everything you learn about comes down to three basic principles.  If you gain a thorough understanding of these principles, your overall understanding of, and success with, network security technologies will increase dramatically.  Most network security technologies are built from some combination of these three.

The three pieces of network security I am talking about here are confidentiality, integrity and authentication, or CIA for short.  (Note that the classic textbook "CIA triad" uses Availability as the A; the three properties discussed here are the ones that cryptographic network protocols such as IPsec and TLS provide directly.)  In this blog, we will examine each of these fundamental pieces of network security.

 

Confidentiality

 

Confidentiality has to do with keeping our data private.  In the computer networking world, confidentiality basically comes down to encryption.  When we encrypt our data, we take plain clear text information (plaintext), run it through a mathematical algorithm under a key, and end up with cipher text.  Cipher text is just a fancy word for encrypted data.  At the other end, the authorized receiving party, who holds the right key, changes the cipher text back to clear text; anyone without the key sees only what looks like random bytes.  Encryption is most often applied on network links where we are sending sensitive data over an insecure network like the internet.  For example, IPsec uses the ESP protocol for data confidentiality, encrypting the payload of every packet in the tunnel (ESP can also carry an integrity check on each packet).

There are many different encryption algorithms, but they fall into two main groups: symmetric ciphers and asymmetric ciphers.  The process of encryption generally involves a lot of math and one or more encryption keys.  If both sides use the same key to both encrypt and decrypt the data, we call that a symmetric cipher.  If the two sides use separate but mathematically related keys, one to encrypt and the other to decrypt, we call that an asymmetric cipher.  Asymmetric ciphers are also known as public/private key encryption: the public key can be handed to anyone, while the private key never leaves its owner.  DES, 3DES and AES are examples of symmetric ciphers; of these only AES should be used today, since DES is broken and 3DES is deprecated.  RSA is an example of an asymmetric cipher.  Asymmetric operations are far slower than symmetric ones, so in practice they are used to exchange or wrap a symmetric session key, and the bulk data is encrypted symmetrically.

 

Integrity

 

If we are going to “securely” transfer data from point A to point B, we should make sure that what we send is what actually comes out the other end!  How do we know that what one user sent was not modified before it was received by the user on the other side?  Data integrity is how we accomplish that.  Generally speaking, data integrity is accomplished using cryptographic hash algorithms such as SHA-256 (MD5 and SHA-1 are both broken for this purpose and should not be used in new designs).  I am not going to get into the deep technical detail because that is not the purpose of this particular blog, but here is the basic idea.  A hash function takes data of any length and runs it through a one-way mathematical function that spits out a fixed-size value we call a hash or digest.  Recovering the original data from the hash, or finding a second message with the same hash, is computationally infeasible for a good algorithm.  On its own, though, a hash only detects accidental corruption: an attacker who can change the data in transit can just as easily recompute the hash and send the new one along with the modified data.  To make sure data has not been changed deliberately, the sender and receiver share a secret key and compute a keyed hash, or message authentication code (HMAC is the standard construction), over the data.  The sender sends the HMAC along with the data.  At the other end, the receiver calculates the HMAC of the received data the same way the sender did, using the same key.  If the data changed by even a single bit, the value will not match, and we know there was a change somewhere.  If it matches, we know we have data integrity and that the data came from someone holding the key; this is exactly what IPsec does on every packet with HMAC-SHA variants.
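The difference between a bare hash and a keyed hash is the part people most often get wrong, so here is an added Go example (mine, not the post's) that plays both the receiver and the attacker.  It uses SHA-256 and HMAC-SHA256 from the standard library; the message and key are constructed for the example.  With a bare digest the attacker's forgery is accepted; with an HMAC the same tampering is caught.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Digest is an unkeyed SHA-256 hash. Anyone, including an attacker on the
// path, can compute it for any data.
func Digest(data []byte) []byte {
	sum := sha256.Sum256(data)
	return sum[:]
}

// Tag is a keyed hash (HMAC-SHA256). Producing a valid tag for new data
// requires the shared key.
func Tag(key, data []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write(data)
	return mac.Sum(nil)
}

// ReceiverChecksDigest models a receiver that trusts a bare digest sent
// along with the data.
func ReceiverChecksDigest(data, digest []byte) bool {
	return hmac.Equal(Digest(data), digest)
}

// ReceiverChecksTag recomputes the tag exactly as the sender did and
// compares in constant time (hmac.Equal), which avoids timing leaks.
func ReceiverChecksTag(key, data, tag []byte) bool {
	return hmac.Equal(Tag(key, data), tag)
}

// Tamper flips a single bit in a copy of the data, simulating modification
// in transit.
func Tamper(data []byte) []byte {
	out := append([]byte(nil), data...)
	out[len(out)/2] ^= 0x01
	return out
}

// DigestForgeryAccepted: the attacker alters the message and simply
// recomputes the digest that travels with it; the receiver's check passes,
// so a bare hash only catches accidental corruption, not deliberate change.
func DigestForgeryAccepted(data []byte) bool {
	modified := Tamper(data)
	return ReceiverChecksDigest(modified, Digest(modified))
}

// TagForgeryRejected: without the key the attacker's best option is to
// forward the original tag with the altered message; the receiver's
// recomputed tag differs and the check fails.
func TagForgeryRejected(key, data []byte) bool {
	tag := Tag(key, data)
	modified := Tamper(data)
	return !ReceiverChecksTag(key, modified, tag)
}

func main() {
	key := []byte("shared-secret-from-key-exchange") // constructed sample key
	msg := []byte("transfer 100 to account 12345")    // constructed sample message
	fmt.Println("sha256(msg)   =", hex.EncodeToString(Digest(msg)))
	fmt.Println("sha256(msg^1) =", hex.EncodeToString(Digest(Tamper(msg))))
	fmt.Println("bare digest forgery accepted:", DigestForgeryAccepted(msg))
	fmt.Println("HMAC forgery rejected:       ", TagForgeryRejected(key, msg))
}
```

The one-bit change shows up as a completely different digest, which is the avalanche property the paragraph describes; the forgery result shows why the key, not the hash function, is what gives you integrity against an adversary.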

 

Authentication

 

We have talked about how to make sure our data is only readable by authorized individuals by using encryption, and how to make sure the data received is actually the same as the data that was sent, but how do we establish who the authorized individuals are?  That is where authentication comes into play.  Authentication is the process of proving that you are who you say you are.  Think about what happens when you log in to your computer or a router.  Typically you need something like a username and a password.  The username is the claim of identity and the password is the proof; checking that proof is what we call authentication.

There are many different types of authentication mechanisms that can be put in place, such as usernames and passwords, digital certificates, biometrics, tokens, or combinations of these things and more.  They fall into three categories: something you know (a password or PIN), something you have (a hardware token, a smart card, an authenticator app) and something you are (a fingerprint or other biometric).  If you only need one particular thing to authenticate to the system, we call that single factor authentication.  A more secure design is two factor authentication, which requires two things from different categories in order for you to authenticate (two passwords are still a single factor).  In two factor authentication, you usually will be required to present to the system something you know and something you have.  For example, something you know might be a password or a PIN, while something you have might be a token that generates one-time codes or a digital certificate embedded on a smart card.  Without both, you cannot access the system, so an attacker who phishes or guesses the password alone is still locked out.
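Here is an added Go example (mine, not the post's) of the password-plus-token design described above.  The "something you have" is a time-based one-time password as defined in RFC 6238 (built on the RFC 4226 HOTP algorithm), which is what most authenticator apps and many hardware tokens implement; the enrollment, password and TOTP seed are constructed for the example (the seed is the RFC test secret).  One simplification is labelled in the code: the password is stored as a salted SHA-256 to keep the example standard-library only, where a real system must use a slow password hash such as argon2id, scrypt or bcrypt.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

// Credential is the server-side record: a salted hash of the password
// ("something you know") and the TOTP seed shared with the user's
// authenticator app or hardware token ("something you have").
type Credential struct {
	Salt, PasswordHash, TOTPSecret []byte
}

// hashPassword is a salted SHA-256, used only to keep this example
// stdlib-only. A real system must use a slow, memory-hard password hash
// such as argon2id, scrypt or bcrypt (golang.org/x/crypto).
func hashPassword(salt []byte, password string) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(password))
	return h.Sum(nil)
}

// NewCredential enrolls a user with a fresh random salt.
func NewCredential(password string, totpSecret []byte) (Credential, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return Credential{}, err
	}
	return Credential{salt, hashPassword(salt, password), totpSecret}, nil
}

// HOTP implements RFC 4226: HMAC-SHA1 over the big-endian counter, then
// dynamic truncation to a decimal code of the requested length.
func HOTP(secret []byte, counter uint64, digits int) string {
	msg := make([]byte, 8)
	binary.BigEndian.PutUint64(msg, counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg)
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f
	code := uint32(sum[off]&0x7f)<<24 | uint32(sum[off+1])<<16 |
		uint32(sum[off+2])<<8 | uint32(sum[off+3])
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// TOTP implements RFC 6238 with the usual 30-second time step.
func TOTP(secret []byte, t time.Time, digits int) string {
	return HOTP(secret, uint64(t.Unix())/30, digits)
}

// VerifyTOTP accepts the current step and one step either side to tolerate
// clock drift; each comparison is constant-time.
func VerifyTOTP(secret []byte, code string, now time.Time) bool {
	ok := false
	for _, skew := range []time.Duration{-30 * time.Second, 0, 30 * time.Second} {
		want := TOTP(secret, now.Add(skew), 6)
		if subtle.ConstantTimeCompare([]byte(want), []byte(code)) == 1 {
			ok = true
		}
	}
	return ok
}

// Authenticate is the two-factor check: both factors are evaluated and
// both must pass; the password alone, or the code alone, is refused.
func Authenticate(c Credential, password, code string, now time.Time) bool {
	knowOK := subtle.ConstantTimeCompare(hashPassword(c.Salt, password), c.PasswordHash) == 1
	haveOK := VerifyTOTP(c.TOTPSecret, code, now)
	return knowOK && haveOK
}

func main() {
	// Constructed enrollment; the seed is the RFC 6238 test secret.
	secret := []byte("12345678901234567890")
	cred, err := NewCredential("correct horse battery staple", secret)
	if err != nil {
		panic(err)
	}
	now := time.Now()
	fmt.Println("password only:", Authenticate(cred, "correct horse battery staple", "000000", now))
	fmt.Println("both factors: ", Authenticate(cred, "correct horse battery staple", TOTP(secret, now, 6), now))
}
```

The design point is in Authenticate: both checks run and both results are combined, so a stolen password gets the attacker nowhere without the seed, and a seed on its own is useless without the password.  The one-step skew window is the usual trade-off between tolerating clock drift and widening the time in which a captured code can be replayed; a production verifier would also remember the last accepted step so a code cannot be reused within the window.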

 

Summary

 

Today, we explored three fundamental things related to network security — Confidentiality, Integrity and Authentication (CIA).  Confidentiality protects the data itself by using encryption algorithms.  Integrity makes sure our data has not changed en route from the source to the destination, and authentication ensures that people are who they claim to be.  Understanding these three essential concepts will go a long way in helping you understand what many other technologies are trying to accomplish and how they go about doing it.

 

1 Comment

  • srinivas says:

    If you want to learn about CCIE, read his tutorials. Even a fresher can understand Cisco…. in my view he is a legend in Cisco ….
