DESIGN AND IMPLEMENTATION OF NETWORK SECURITY

(A CASE STUDY OF UBA ENUGU)

1
 ABSTRACT

Network Security is essential to any organization. This has been previously

done by manual method. But this project is aimed at computerized Network
Security to make the work easier. This is possible because of the advance
improvement in information technology as pertaining programming language;
because this is achieved by the help of visual basic programming language and
other programming language. For the first few decades of their existence,
computer\ networks were primarily used by university researchers for sending
e-mail and by corporate employees for sharing printers. Under these conditions,
security did not get a lot of attention. But now, as millions of ordinary citizens
are using networks for banking, shopping, and filing their tax returns, network
security is looming on the horizon as a potentially massive problem. The
requirements of information security within an organization have undergone
two major changes in the last several decades before the widespread use of data
processing equipment the security of information felt to be valuable to an
organization was provided primarily by physical and administrative means with
the introduction of computer the need for automated tools for protecting files
and other information stored on the computer became an evident .this is
especially the case for a shared system such as time sharing system and the need
is even more acute for systems that can be accessed for a public telephone or a
data network the generic name for the collection of tools to protect data and to
thwart hackers is ―computer security‖. Network Security is a broad topic and
covers a multitude of sins. In its simplest form, it is concerned with making sure
that nosy people cannot read, or worse yet, secretly modify messages intended
for other recipients. It is concerned with people trying to access remote services
that they are not authorized to use. Most security problems are intentionally
caused by malicious people trying to gain some benefit, get attention, or to harm
someone. Network security problems can be divided roughly into four closely
intertwined areas: secrecy, authentication, non repudiation, and integrity
control. Secrecy, also called confidentiality, has to do with keeping information
out of the hands of unauthorized users. This is what usually comes to mind
when people think about network security. Authentication deals with
determining whom you are talking to before revealing sensitive information or
entering into a business deal. Non repudiation deals with signatures.

2
 TABLE OF CONTENT

CHAPTER ONE
1.0 Introduction
1.1 Statement of the problem
1.2 Purpose of study
1.3 Aims and objective of the study
1.4 Scope of study
1.5 Limitations
1.6 Assumptions
1.7 Definition of terms

CHAPTER TWO
2.0 Literature review

CHAPTER THREE
3.0 Description and analysis of the existing system
3.1 Fact Finding Method Used
3.2 Objective of the existing system
3.3 Organizational chart
3.4 Input/process/output analysis
3.5 Information flow diagram
CHAPTER FOUR
4.0 Design of new system
4.1 Output specification and design
4.2 Input specification and design
4.3 File design
4.4 Procedure chat
4.5 System flowchart

3
CHAPTER FIVE
5.0 Implementation
5.1 Program design
5.2 Program flowcharts
5.3 Documentation
5.4 Recommendation
5.5 Conclusion
5.6 Summary
Reference
Appendix I
Appendix II

4
 CHAPTER ONE

1.0 INTRODUCTION

Several recent proposals have argued for giving third parties and end-users

control over routing in the network infrastructure. Some examples of such

routing architectures include TRIAD [6], i3 [30], NIRA [39], Data Router [33],

and Network Pointers [34]. While exposing control over routing to third-parties

departs from conventional network architecture, these proposals have shown

that such control significantly increases the flexibility and extensibility of these

networks.

Using such control, hosts can achieve many functions that are difficult to

achieve in the Internet today. Examples of such functions include mobility,

multicast, content routing, and service composition. Another somewhat

surprising application is that such control can be used by hosts to protect

themselves from packet-level denial-of-service (DOS) attacks [18], since, at the

extreme, these hosts can remove the forwarding state that malicious hosts use to

forward packets to the hosts. While each of these specific functions can be

achieved using a specific mechanism—for example, mobile IP allows host

mobility— we believe that these forwarding infrastructures (FIs) provide

architectural simplicity and uniformity in providing several functions that

makes them worth exploring. Forwarding infrastructures typically provide user

control by either allowing source-routing (such as [6], [30], [39]) or allowing

users to insert forwarding state in the infrastructure (such as [30], [33], [34]).

5
Allowing forwarding entries enables functions like mobility and multicast that

are hard to achieve using source-routing alone.

While there seems to be a general agreement over the potential benefits of

usercontrolled routing architectures, the security vulnerabilities that they

introduce has been one of the important concerns that has been not addressed

fully. The flexibility that the FIs provide allows malicious entities to attack both

the FI as well as hosts connected to the FI.

For instance, consider i3 [30], an indirection-based FI which allows hosts to

insert forwarding entries of the form (id,R), so that all packets addressed to id

are forwarded to R. An attacker A can eavesdrop or subvert the traffic directed

to a victim V by inserting a forwarding entry (idV ,A); the attacker can

eavesdrop even when it does not have access to the physical links carrying the

victim’s traffic. Alternatively, consider an FI that provides multicast; an attacker

can use such an FI to amplify a flooding attack by replicating a packet several

times and directing all the replicas to a victim. These vulnerabilities should

come as no surprise; in general, the greater the flexibility of the infrastructure,

the harder it is to make it secure.

In this project, we improve the security that flexible communication

infrastructures which provide a diverse set of operations (such as packet

replication) allow. Our main goal in this project is to show that FIs are no more

vulnerable than traditional communication networks (such as IP networks) that

6
do not export control on forwarding. To this end, we present several

mechanisms that make these FIs achieve certain specific security properties, yet

retain the essential features and efficiency of their original design. Our main

defense technique, which is based on light-weight cryptographic constraints on

forwarding entries, prevents several attacks including eavesdropping, loops, and

traffic amplification. From earlier work, we leverage some techniques, such as

challenge-responses and erasure-coding, to thwart other attacks.

NETWORK SECURITY

(NS) is an important aspect of any system. NETWORK SECURITY is the act

of ensuring that an authenticated user accesses only what they are authorized to

and no more. The bad news is that security is rarely at the top of people's lists,

although mention terms such as data confidentiality, sensitivity, and ownership

and they quickly become interested. The good news is that there is a wide range

of techniques that you can apply to help secure access to your system. The bad

news is that as Mitnick and Simon (2002) point out ―…the human factor is the

weakest link. Security is too often merely an illusion, an illusion sometimes

made even worse when gullibility, naivette, or ignorance come into play.‖ The

go on to say that ―security is not a technology problem – it’s a people and

management problem.‖ Having said that, my experience is that the

―technology factor‖ and the ―people factor‖ go hand in hand; you need to

address both issues to succeed.

7
Access control is the ability to permit or deny the use of a particular resource by

a particular entity. Access control mechanisms can be used in managing

physical resources (such as a movie theater, to which only ticket holders should

be admitted), logical resources (a bank account, with a limited number of people

authorized to make a withdrawal), or digital resources (for example, a private

text document on a computer, which only certain users should be able to read).

Banks are secured financial institutions. They are often housed in large

buildings that are located in a commercial or residential area. Banks store

money and other financial information and goods.

Money and valuables have been stored in banks since ancient times. As a result

of the long history that banks have enjoyed, bank security has also been

important for a long time. Some of the oldest banks in the world have the best

security available. These banks include the Bank of Sweden, the Bank or

England, Bank of America, and Swiss Banking.

Bank security usually includes a staff of security guards, a security system, and

one or more vaults. Security guards are uniformed personnel that maintain high

visibility and watch cameras and alarms. Cameras and alarms are usually top of

the line systems in banks and other financial buildings. But these security

elements are not exclusive to banks. Some of these elements can be found in

other commercial buildings and even residential homes.

8
Basic security starts with the locks. For a high level of security, windows and

doors will need the best locks. After high quality locks are installed many

property owners opt for a security system or even security cameras.

Security cameras are often a small part of a larger security system. Systems

often include motion detectors, alarms, sensors, and cameras. Cameras are

arguably the most important because they allow the property owner to see and

record everything that happens in and around their building or property.

Cameras can be installed by a professional or by a property owner. For a large

and elaborate system it may be best for a professional to do the work. But for a

smaller and easy layout, a property owner should have no problem installing a

system by following the manufactures instructions. If he does than there is

usually a local installer that can be called to help finish the job.

1.1 STATEMENT OF THE PROBLEM

Owing to:

1. Fraudulent act of some customer/workers

2. Accessing the organizational data/information unauthorized

3. Sensitive nature of bank data/information

4. Valuable or costly items in bank

9
 5. Increase in crime in our society

The need arise for the development of computerized NETWORK SECURITY

to eliminate such problems.

1.2 PURPOSE OF STUDY

The main purpose of this project is to design a NETWORK SECURITY that

will assist UBA in the area of ensuring effective security measures.

1.3 AIMS AND OBJECTIVES

This project will have the following aims and objectives:

Detecting security violations

Re-creating security incidents

To disallow unauthorized users

To safeguard the organizational data/information

To computerized the organizational security

To enhance the organizational security

To eliminate all forms of mistakes associated with security control

10
1.4 SCOPE OF STUDY

This research work will access the design and implementation of NETWORK

SECURITY in UBA Enugu. It will look into the operations of this bank in the

aspect of computerizing their security control system.

1.5 CONSTRAINTS

This project will be limited to the data available at hand, data outside the

researcher will not be made use of.

The limitations militating against this research are financial constraints, time

factor and other circumstances.

1.6 ASSUMPTIONS

Accuracy, efficiency and reliability is associated with Network Security.

For the purpose of this research, my assumptions can be stated as follows:

1. The application of computer related garget for security control

2. A computerized Network Security is effective and dependable

1.7 DEFINITION OF TERMS

Administration is an aspect of running the organization by devising systems

which will run smoothly.

11
2. Client: This any process that request specific services from server

processes.

3. Computer: This is an electrons machine that can accept; handle and

manipulate data by performing arithmetic and logic operations without

human intervention usually under the control of programmes.

4. Data: This is fore runner of information. It is unprocessed fact.

5. Database is a collection of information that is related to a particular

subject or purpose.

6. Hardware: This is the electromechanical part of computer system.

7. Information: This is data that have been processed, interpreted and

understood by the recipient of the message or report.

8. Internet is a collection of computer networks that operate to common

standards and enable the computes and the program they run to

communicate directly.

9. Server: This is a process that provides requested services for clients.

10. Software: This is a logically written program that hardware uses to

perform it’s operation.

12
11. System is the collection of hardware, software, data information,

procedures and people.

12. Website is a space or location customized by a company, organization or

an individual which is locatable within an address on the internet.

CHAPTER TWO

2.0 LITERATURE REVIEW

According to John J. Murphy, Technical Analysis of the Financial Markets

Authentication is the act of determining the identity of a user and of the host

that they are using. The goal of authentication is to first verify that the user,

either a person or system, which is attempting to interact with your system is

allowed to do so. The second goal of authentication is to gather information

regarding the way that the user is accessing your system. For example, a stock

broker should not be able to make financial transactions during off hours from

an Internet café, although they should be able to do so from their secured

workstation at their office. Therefore gathering basic host information, such as

its location and security aspects of its connection (is it encrypted, is it via a

physical line, is the connection private, …), is critical.

There are several strategies that you can follow to identify a client:

13
 User id and password. This is the most common, and typically the

simplest, approach to identifying someone because it is fully

softwarebased.

Physical security device. A physical device, such as a bank card, a smart

card, or a computer chip (such as the ―Speed Pass‖ key chains used by

gas stations) is used to identify a person. Sometimes a password or

personal identification number (PIN) is also required to ensure that it is

the right person.

Biometric identification. Biometrics is the science of identifying someone

from physical characteristics. This includes technologies such as voice

verification, a retinal scan, palm identification, and thumbprints.

According to McKay, Peter A, A , Authorization is the act of determining the

level of access that an authorized user has to behavior and data. This section

explores the issues surrounding authorization, there is often more to it than

meets the eye, and then explores various database and object-oriented

implementation strategies and their implications.

Issues.

Fundamentally, to set an effective approach to authorization the first question

that you need to address is ―what will we control access to?‖ My experience is

14
that you can secure access to both data and functionality, such as access to

quarterly sales figures and the ability to fire another employee respectively.

Your stakeholders’ requirements will drive the answer to this question.

However, the granularity of access, and your ability to implement it effectively,

is a significant constraint. For example, although you may be asked to control

access to specific columns of specific rows within a database based on complex

business rules you may not be able to implement this in a cost effective manner

that also conforms to performance constraints.

The second question that you need to answer is ―what rules are applicable?‖

The answer to this question is also driven by your stakeholders’ requirements;

although you may need to explore various security factors that they may not be

aware of (they’re not security experts after all). These factors, which are often

combined, include:

Connection type.

Update access.

Time of day.

Existence.

Cascading authorization.

Global permissions.

15
 Combination of privileges.

Database Implementation Strategies

Let’s start by reviewing the concepts of roles and security contexts. A role is a

named collection of privileges (permissions) that can be associated to a user.

So, instead of managing the authorization rights of each individual user you

instead define roles such as HR_ Manager, HR_ User, Manufacturing Engineer,

Accountant, and so on and define what each role can access. You then assign

users to the roles, so Sally Jones and her co-workers would be associated with

the role of Manufacturing Engineer. Someone else could be assigned the roles

of HR_ Manager and HR_ User if appropriate. The use of roles is a generic

concept that is used by a wide range of technologies, not just databases, to

simplify the security administration effort.

A security context is the collection of roles that a user is associated with. The

security context is often defined as part of the authentication process.

Depending on the technology used a security context is maintained by the

system, this is very common in GUI applications, or must be passed around by

the system, something that is common with browser-based n-tier system. A

combination of the two strategies is also common.

Authorization can be enforced within your database by a variety of means

(which can be combined). These techniques include:

16
Permissions. Permission is a privilege or authorization right, that a user or

role has regarding an element (such as a column, table, or even the

database itself). A permission defines the type of access that that is

permitted, such as the ability to update a table or to run a stored

procedure. In SQL, permissions are given via the GRANT command and

removed via the REVOKE command. When a user attempts to interact

with a database his or her permissions are checked, and if the user is not

authorized to perform part of the interaction, which could be a

transaction, the interaction fails and an error is returned.

Views. You can control, often to a very fine level, the data that a user can

access via the use of views. This is a two-step process. First, you define

views that restrict the tables, columns, and rows within the tables that a

role can access. Second, you define permissions on those views.

Stored procedures. Code within the stored procedure can be written to

programmatically check security access rules.

Proprietary approaches. A new option being offered by some database

vendors is proprietary security tools. One example is Oracle Label

Security, an add-on that enables you to define and enforce row-level

permissions.

17
The primary goal of database security is to ensure that there isn’t any

―backdoor‖ ways to access critical corporate data. Many organizations choose

to disallow ad-hoc queries to production databases to help minimize the chance

of unauthorized access (as well as to avoid the associated performance

problems). Many organizations introduce reporting databases such as data

marts to support ad-hoc queries. According to Gregory J. Millman on his book

titled Access Control System Operation, when a credential is presented to a

reader, the reader sends the credential’s information, usually a number, to a

control panel, a highly reliable processor. The control panel compares the

credential's number to an access control list, grants or denies the presented

request, and sends a transition log to a database. When access is denied based

on the access control list, the door remains locked. If there is a match between

the credential and the access control list, the control panel operates a relay that

in turn unlocks the door. The control panel also ignores a door open signal to

prevent an alarm. Often the reader provides feedback, such as a flashing red

LED for an access denied and a flashing green LED for an access granted.

The above description illustrates a single factor transaction. Credentials can be

passed around, thus subverting the access control list. For example, Alice has

access rights to the server room but Bob does not. Alice either gives Bob her

credential or Bob takes it; he now has access to the server room. To prevent

this, two-factor authentication can be used. In a two factor transaction, the

18
presented credential and a second factor are needed for access to be granted.

The second factor can be a PIN, a second credential, operator intervention, or a

biometric input. Often the factors are characterized as something you have,

such as a credential, Something you know, e.g. a PIN.

CHAPTER THREE

3.0 DESCRPTION AND ANALYSIS OF THE EXISTING SYSTEM

The existing system of Network Security maintained by UBA Enugu is a

manual system. There have been a lot of lapses concerning the operations

involved in the computerized Network Security.

One of the primary roles of Network Security is to satisfy the needs of

customers and the organization thereby maximizing profit.

3.1 FACT FINDING METHOD USED

The researcher used the following method of data collection in writing the

project.

19
 a. Interview method: People that deal on computerized Network

Security where interviewed to share their opinion concerning the

manual method.

b. Written Document: A lot of documents concerning computerized

Network Security where studied from which I gather useful

information for the project.

c. Observation: Observation method was also used to get information

concerning the project.

3.2 OBJECTIVES OF THE EXISTING SYSTEM

The main objectives of the existing include:

1. To eliminate all forms of mistakes associated with security control

2. Detecting security violations

3. Re-creating security incidents

4. To disallow unauthorized users

5. To safeguard the organizational data/information

6. To computerized the organizational security

7. To enhance the organizational security

20
 BRANCH

MANAGER

INTER HEAD OF DEPUTY HEAD OF

AUDITOR OPERATION MANAGER C/M

SECRETARY

INTER OPERATION
ACE OFFICER
CUSTOME FUND CASH COPORATE ACE OFFICE
ACCOUNT
R SERVICE TRANSFER AND ACCOUNT
UNIT UNIT TELLER MG MAINTAIN
COMPUTE OFFICE

CHIEF SECRETARY
CHIEF DRIVER
MESSAGER
FIG1: ORGANISATION SYSTEM
STAFF

3.3 ORGANISATION CHART

21
3.4 INPUT/PROCESS/OUTPUT ANALYSIS

INPUT ANALYSIS

Since the major activity carried out by the computerized NETWORK

SECURITY management is the changing of currency to customers, the

following are the requirements of this management from their customers.

User log-in Account

User Name

Password

Retype Password

NAME

ACCOUNT NO

TYPE OF CURRENCY

DATE OF TRANNSTION

PROCESS ANALYSIS

All the input specifications are put into consideration and specification of

authenticity carried out before an activity is accomplished.

Necessary signatures are signed and clarified without any waste of time. At the

end, accuracy is achieved and loopholes does not abound.

22
3.5 INFORMATION FLOW DIAGRAM

INFORMATION MANGER

CERTIFIED LOAN SCHEME

INFORMATION

SURVEILLANCE &
INSPECTORATE

LOAN SCHEME
MANAGEMENT RAM DATA

GENERAL MANAGER

APPLICATION
INFORMATION

CASHIER

REQUEST

CUSTOMER

23
 CHAPTER FOUR

4.0 DESIGN OF A NEW SYSTEM

The design of the new system is born out of the report from the analysis of the

existing system. The new system is automatic in operation and its features are

represented in computer coding formats under this chapter.

4.1 OUTPUT SPECIFICATION AND DESIGN

The output specification includes:

User Name

Password

Retype Password

NAME

ACCOUNT NO

TYPE OF CURRENCY

DATE OF TRANNSTION

24
4.2 INPUT SPECIFICATION AND DESIGN
THE INPUT ELEMENTS ARE

S/N FIELD NAME FIELD FIELD FIELD TYPE

VARIABLE WIDTH

USERNAME UN 20 TEXT
PASSWORD P 15 TEXT
RETYPE PASSWORD RP 20 TEXT
ACCOUNT NO AN 16 NUMBER
DATE OF TRANNSTION DOT 10 NUMBER
NAME N 15 TEXT

USER LOG-IN FORM

User Name: ____________________________________________

VALIDATION FORMPassword
______________________________________________

Retype ________________________________________________

User Name_______________ Retype Password________________

NAME ACCOUNT NO___________ TYPE OF CURRENCY_________

DATE OF TRANNSTION___________________________________

25
4.3 FILE DESIGN

NAME ______________________ACCOUNT NO ______________

TYPE OF CURRENCY _______AMOUNT TO CHANGE ___________

DATE OF TRANNSTION __________________________________

LOG-IN

MAIN MENU

EXCHANGE UPDATING CLEARANCE AT EXIT

MGT SYSTEM INFORMATION COMPLETION PROGRAM

Supply of data The deletion and This certifies that This option
for system update of record a customer has terminates the
processing is takes place here cleared his debts running program
achieved here

4.4 PROCEDURE CHART

26
27
 4.5 SYSTEM FLOWCHART

DOC

DOC

DOC

THE FOREIGN EXCHANGE DATA IS

KEYED IN FROM THE KEYBOARD

FOREIGN EXCHANGE UPDATE OF

REPORT
RECORD

DATA PROCESSING
DELETE OF

RECORD

DATA
STORAGE

DISK

GENERATE FOREIGN EXCHANGE

INFORMATION ON SCREEN

28
45.1 SYSTEM REQUIREMENTS

HARDWARE REQUIREMETNS

MODEL - 550

STORAGE - 10GB

MEMORY - 128MB

DISPLAY - 15‖ SVGA

DRIVE – 31/2 FDD

PRINTER - DESIGN PRINTER

SOFTWARE REQUIREMENTS

OPERATING SYSTEM – WINDOW XP

LANGUAGE - VISAUL BASIC

ANT – VIRUS - AVASTA

CHAPTER FIVE

5.0 IMPLEMENTATION

The computer needs to understand the design of the new system for its effective

operations and use. The design has to be coded in computer understandable

formats. The structures are designed under this chapter.

5.1 PROGRAM DESIGN

The programming is made under modules which are:

29
FILE ORGANIZATION MODULE

This module handles data entry and storage. It consists of data entry screen

which is the medium through which data is entered into the computer system.

The data received is stored automatically by commanding the computer to save.

INFORMATION UPDATA MODLE

The information update module makes it possible for modification to be

effected on already maintained record. This module makes the system to be

flexible and reliable.

INFORMATION REQUIREMENT MODULE

Accurate report generation is made possible through this module, the

comprehensive report of the system under this module. The particular report

generator depends on the user’s request.

PROCESSING MODLE

This module carries out action on the supplied data in order to achieve the best

desired result.

EXIT MODULE

This module terminates the running of the program.

30
5.2 PROGRAM FLOWCHART

31
 START

ENTER PASSWORD

IF CORRECT
NO
YES

DISPLAY MENU OPTIONS

INPUT OPTIONS (1 – 4)

ADD
OPTION = 1 RECORDS

NO

OPTION = 2 UPDATE
RECORDS

NO

EDIT
OPTION = 3 RECORDS

NO

OPTION = 4

YES

STOP

32
5.3 DOCUMENTATION

This project is divided into five chapters. Chapter one consists of the

introduction, purpose of study, aims and objectives, scope, constraints,

assumptions and definition of terms.

Chapter two is literature review while chapter three is the description and

analysis of the existing system which is made up of organizational chart,

objectives, methods of data collection, input/process/output, information flow

diagram and justification.

Chapter four is the design of a new system. It contains the output specification,

input specification and file design, flowchart and system requirements. Chapter

five is implementation which consists of program design, program flowchart,

pseudo codes, source program, test run

Documentation, summary, recommendation and conclusion.

PROGRAM HELP MENU

This program was coded in a programming language called VISUAL BASIC.

The program is run through Window into the VBASIC directory. There, it is

expected that laying in the program and pressing F5, one can view the

NETWORK SECURITY system as done in UBA Enugu. Clicking exist on the

file menu will quit the program. The file name for the program is FOREIGN

33
EXCHANGE program
5.4 RECOMMENDATION & CONCLUSION

5.5 RECOMMENDATION

This great research is recommended to individuals who are involved in one

business transaction or the other, that they continue to fulfill their motives by

making profit through NETWORK SECURITY.

5.6 CONCLUSION

In computer security, access control includes authentication, authorization and

audit. It also includes measures such as physical devices, including biometric

scans and metal locks, hidden paths, digital signatures, encryption, social

barriers, and monitoring by humans and automated systems.

In any access control model, the entities that can perform actions in the system

are called subjects, and the entities representing resources to which access may

need to be controlled are called objects (see also Access Control Matrix).

Subjects and objects should both be considered as software entities, rather than

as human users: any human user can only have an effect on the system via the

software entities that they control. Although some systems equate subjects with

user IDs, so that all processes started by a user by default have the same

authority, this level of control is not fine-grained enough to satisfy the Principle

34
of least privilege, and arguably is responsible for the prevalence of malware in

such systems (see computer insecurity).

In some models, for example the object-capability model, any software entity

can potentially act as both a subject and object.

Access control models used by current systems tend to fall into one of two

classes: those based on capabilities and those based on access control lists

(ACLs). In a capability-based model, holding an unforgivable reference or

capability to an object provides access to the object (roughly analogous to how

possession of your house key grants you access to your house); access is

conveyed to another party by transmitting such a capability over a secure

channel. In an ACL-based model, a subject's access to an object depends on

whether its identity is on a list associated with the object (roughly analogous to

how a bouncer at a private party would check your ID to see if your name is on

the guest list); access is conveyed by editing the list. (Different ACL systems

have a variety of different conventions regarding who or what is responsible for

editing the list and how it is edited.)

Both capability-based and ACL-based models have mechanisms to allow access

rights to be granted to all members of a group of subjects (often the group is

itself modeled as a subject).

Access control systems provide the essential services of identification and

authentication (I&A), authorization, and accountability where:

35
 identification and authentication determine who can log on to a system,

and the association of users with the software subjects that they are able to

control as a result of logging in; authorization determines what a subject

can do;

Accountability identifies what a subject (or all subjects associated with a

user) did.

5.7 SUMMARY

Routing is one of the most important parts of the infrastructure that keeps a

network running, and as such, it is absolutely critical to take the necessary

measures to secure it. There are different ways routing can be compromised,

from the injection of illegitimate updates to DOS specially designed to disrupt

routing. Attacks may target the router devices, the peering sessions, and/or the

routing information. Fortunately, protocols like BGP, IS-IS, OSPF, EIGRP and

RIPv2 provide a set of tools that help secure the routing infrastructure. This

section provides the guidelines for using such tools.

The router's primary functions are to learn and propagate route information, and

ultimately to forward packets via the most appropriate paths. Successful attacks

against routers are those able affect or disrupt one or more of those primary

36
functions by compromising the router itself, its peering sessions, and/or the

routing information.

Routers are subject to the same sort of attacks designed to compromise hosts

and servers, such as password cracking, privilege escalation, buffer overflows,

and even social engineering. Most of the best practices in this document help

mitigate and even prevent some of those threats.

Peering relationships are also target of attacks. For most routing protocols

routers cannot exchange route information unless they establish a peering

relationship, also called neighbor adjacency. Some attacks attempt to break

established sessions by sending the router malformed packets, resetting TCP

connections, consuming the router resources, etc. Attacks may also prevent

neighbor adjacencies from being formed by saturating queues, memory, CPU

and other router resources. This section of the document presents a series of best

practices to protect neighbor adjacencies from those threats.

Finally, routing can also be compromised by the injection of false route

information, and by the modification or removal of legitimate route information.

Route information can be injected or altered by many means, ranging from the

insertion of individual false route updates to the installation of bogus routers

into the routing infrastructure. Potential denial of service conditions may result

from intentional loops or black-holes for particular destinations. Attackers may

37
also attempt to redirect traffic along insecure paths to intercept and modify

user's data, or simply to circumvent security controls. This section also includes

a collection of best practices designed to prevent the compromising of routing

information.

REFERENCES

Anderson, A.C. (2006). Cryptography and network security. New York: A

Bantam Press.
Applied cryptography. (2001). Computer security. U.S.A: CRC Press.

Apostolou, B. (2000). Internal fraud Investigation. Louis Avenue: Institute of

Internal Auditor’s Publication.
A.C.F.E. (2002). Report on fraud Occurrence. http: www.wikipedia.com

38
Boyle, L., & Panko, H. (2009). Corporate Computer Security. America: Bank
of Settlement.
Bishop, A.A. (2011). Threats Security. France: Art and Science.
Bytes (2011). Security tool. http://www. Securebytes.com
Chukwu, L.C. (2010). Securing and Investigation. Owerri: Benson
Publication.
Casey, E. (2010). Handbook of Investigation. U.S.A: Academic Press
Publication.
Chandelle, V. (2001). Anomaly detection. India: University of
Minnesota Publication.

Howard, L., & Leblanc, K. (2002). Writing Secure code. U.S.A: Editing
Microsoft Press.
John, J. (2001). A Triennial Central Bank survey. London: Bank for
International Settlements.
Simmons, A. (December 2010). Ontology for Network Security Attack.
Lecture note in Computer science.
Solomon, P.O. (November 2000). Encrypting Messages. Russia: Encrypting
Messages Centre.

APPENDIX I

PSEUDOCODE

Press F5 to run the program. Press any key to continue.

1. Enter password
2. initialize variables
3. input data records
4. is data ok
5. if yes write data to disk
6. add more variables

39
7. if yes repeats step 1
8. end

EDIT RECORD
1. Enter record No to Edit
2. Does record exist
3. If yes then edit record
4. Edit another record
5. If yes then repeat step 1
6. End

DELETE RECORD
1. Enter record No to delete
2. Does record exist
3. If yes then update database
4. End if
5. Delete another
6. If yes then repeat step 1
7. Stop

APPENDIX II
SOURCE LISTING

KINDLY CONTACT US IF YOU NEED THE SOURCE CODE.

VERSION 5.00
Object = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}#2.0#0"; "MSCOMCTL.OCX"

40
41