Question

1) Define the following concepts: computer network, network architecture, protocol, and multilayer protocol.

2) As an IT professional who works in the networked world describe the professional, social, economic, and cultural issues of computer networks.

3) As an IT professional who works in the networked world describe the ethical issues and your social responsibility.

Solutions

Expert Solution

Computer Network :

A computer network can be defined as a set of connected computers.

Usually computers on a network are called nodes. A computer network is a group of computer systems and other computing hardware devices that are linked together through communication channels to facilitate communication and resource-sharing among a wide range of users.

In a network, the connection between computers can be made via cabling, most commonly Ethernet cable, or wirelessly through radio waves. Connected computers can share resources, like access to the Internet, printers, file servers, and others. Put simply, a network is a multipurpose connection that allows a single computer to do more.

Types :

Star topology

Bus topology

Collapsed ring topology

Network Architecture:

Network architecture can be defined as the complete framework of an organization's computer network. It includes the hardware components used for communication, cabling and device types, network layout and topologies, physical and wireless connections, implemented areas and future plans. Along with the hardware, the software rules and protocols also contribute to the network architecture. This architecture is always designed by a network manager/administrator in coordination with network engineers and other design engineers.

A set of layers and protocols is called network architecture. The specification of architecture must contain enough information to allow an implementer to write the program or build the hardware for each layer so that it will correctly obey the appropriate protocol.

Put simply, network architecture is the layout of the network, consisting of the hardware, software, connectivity, communication protocols and mode of transmission, such as wired or wireless.

Protocol

A network protocol defines rules and conventions for communication between network devices. Protocols used for computer networking generally use packet-switching techniques to send and receive messages in the form of packets.

Network protocols also have mechanisms for devices to identify and make connections with each other, as well as formatting rules that specify how data is packaged into messages sent and received.

One of the common protocols is the Internet Protocol (IP) family, which includes the TCP, UDP, HTTP, ARP and ICMP protocols.

Multi-layer protocol

IPsec is a suite of standard protocols that provides security services for Internet communications. It protects the entire IP datagram in an "end-to-end" fashion; no intermediate network node in the public Internet can access or modify any information above the IP layer in an IPsec-protected packet. Introduces a rich new set of services and applications, like traffic engineering, TCP performance enhancements, or transparent proxying and caching, all of which require intermediate network nodes to access a certain part of an IP datagram, usually the upper layer protocol information, to perform flow classification, constraint-based routing, or other customized processing. This is in direct conflict with the IPsec mechanisms. In this research, we propose a multi-layer security protection scheme for IPsec, which uses a finer-grain access control to allow trusted intermediate routers to read and write selected portions of IP datagrams (usually the headers) in a secure and controlled manner.

The basic principle is to use a multilayer protection model and a fine grain access control to make IP security protocols compatible with TCP PEP. It allows wireless network operators or service providers to grant base stations or wireless routers limited and controllable access to the TCP headers for performance enhancement purposes.

Question 3 :

Ethical issues :

Information Technology (IT) has a central role in commerce, industry, government, medicine, education, entertainment and society at large. Its economic and social benefits hardly need explanation. But like any other technology, IT also has problematic implications and some negative impacts on our society. It poses and creates some problems related to ethics, and contains in general three main types of ethical issues: personal privacy, access right, and harmful actions. Let us look more closely at these issues, exploring in each case the ways in which they affect the public reactions to this technological change.

In terms of personal privacy, IT enables exchange of information on a large scale from anybody, in any location or part of the world, at any time. In this situation, there is increased potential for disclosing information and violating the privacy of individuals and groups of people due to its widespread dissemination worldwide. It is our challenge and responsibility to maintain the privacy and integrity of data regarding individuals. This also includes taking precautions to ensure the accuracy of data, as well as protecting it from unauthorized access or accidental disclosure to inappropriate individuals.

The second aspect of ethical issues in computing systems is access right. Due to the current popularity of international commerce on the Internet, the topic of computer security and access right has moved quickly from being a low priority for corporations and government agencies to a high priority. This interest has been heightened by computer break-ins at places like Los Alamos National Laboratories and NASA in the US. Many attempts at such illegal access to United States government and military computers by computer hackers have been widely reported. Without implementation of proper computer security policies and strategies, network connections on the Internet can’t be made secure from illegal access.

In computer ethics, harmful action means injury or negative consequences, such as undesirable loss of information, loss of property, property damage, or unwanted environmental impacts. This principle prohibits use of computing technology in ways that result in harm to any of users, the general public, employees, and employers. Harmful actions include intentional destruction or modification of files and programs leading to serious loss of resources or unnecessary expenditure of human resources such as the time and effort required to purge systems from "computer viruses." In the following tables, a survey of various activities on the Internet indicates that illegal information nowadays is often reported. The data shows that the percentage of response from Japanese companies and organizations is quite significant (Kubo, 1999).

Table 1. Illegal Information on Internet

| Type of information | Percentage of response |
|---|---|
| Fraudulent Information | 79.5% |
| Violation of Privacy | 73.1% |
| False Rumors | 59.3% |
| Obscene Information | 59.0% |
| Libel Information | 55.2% |
| Civil Rights Violation | 48.5% |
| Gambling Information | 10.4% |

Table 2. Prejudicial Information

| Type of information | Percentage of response |
|---|---|
| False Rumors | 73.1% |
| Drug Information | 71.3% |
| Sex Information | 66.4% |
| Violence Information | 63.4% |

So far, there has been relatively little investigation into the privacy and security issues relevant to these ethical problems in IT and cyberspace. Besides the false contents of information on the Internet, many people have tried to access information that they do not have the right to access. For this reason, computer developers have proposed and used intrusion-detection systems as the basis of security systems designed to protect privacy. Typically, intrusion-detection systems determine if a user is an intruder or a legitimate user, generally by way of various internal system profiles.

3. INTERNATIONAL EFFORTS ON LEGISLATIONS

The growing threat to individuals is beginning to claim attention in the national and international community.
In many countries around the world, existing laws are likely to be unenforceable against such crimes. This lack of legal protection means that businesses and governments must rely solely on technical measures to protect themselves from those who would pose false information, and from those who steal, deny access to, or even destroy valuable information. Self-protection is not sufficient to make cyberspace a safe place to conduct business. The rule of law must also be enforced. Countries where legal protections are inadequate will become increasingly less able to compete in the new economy. As cyber crime increasingly breaches national borders, nations perceived as havens run the risk of having their electronic messages blocked by the network. National governments should examine their current statutes to determine whether they are sufficient to combat such kinds of crimes (Chan and Camp, 2002). Until now, only a few nations have amended their laws to cover computer crimes that need to be addressed, as shown in Table 3. Other countries are beginning to implement some initiatives, and it is clear that a great deal of additional work and effort is needed before organizations and individuals can be confident that cyber criminals will think twice before attacking valued systems and information.

Table 3. IT Legislations in Some Countries

| Country | Year | Legislation | Contents |
|---|---|---|---|
| USA | 1970 | Freedom of Information Act | Permits individuals to access any information about themselves stored in the Federal Government Offices. |
| USA | 1980 | Privacy Protection Act | Provides protection of privacy in computerized and other documents. |
| USA | 1987 | Computer Security Act | Requires security of information regarding individuals. |
| USA | 1997 | Consumer Internet Privacy Protection Act | Requires prior written consent before a computer service can disclose subscriber’s information. |
| USA | 1997 | Data Privacy Act | Limits the use of personally identifiable information and regulates “spamming”. |
| Japan | 2000 | MITI Legislation for Ecommerce | Legal Provisions for Electronic Signatures & Certification, and Foundation for Network-Based Social and Economic Activities |
| Canada | 2000 | Information Technology Act | Establish a legal framework for IT |
| Singapore | 1999 | Electronic Transactions Regulations | Govern the actions of certification authorities in Singapore |
| Australia | 2000 | NSW Electronic Transactions Act | Application of legal requirements to electronic communications |
| UK | 1998 | Data Protection Act | Data protection and Right of data access |

New participating countries started generating principles to protect individuals from the potential invasion of privacy that data collection and retrieval poses. These countries have adopted guidelines as statutory law, in whole or in part. The OECD (Organization for Economic Cooperation and Development) in the US has specific guidelines pertaining to data privacy that directly affect those dealing with Internet data access in general, and those who use so-called "personal data" in particular.

4. ENCRYPTION TECHNOLOGY TO MINIMIZE HARMFUL ACTIONS ON INTERNET

In World War II, scrambled messages, written using a secret code, were common to prevent the enemy from intercepting battle instructions. Today on the Internet, these scrambled messages are quite popular as we protect our credit card numbers and private information from enemy hackers. A mathematical technique, called encryption, is used to scramble/encode a message into an unreadable format. The message's recipient decrypts, or decodes, the data using a key that converts it back into a readable form. Such encryption is widely used in online banking transactions, stock trading, Internet shopping, in ATMs, in point-of-sale machines, and in electronic business-to-business transactions. Data can be encrypted in a number of forms: web information transmissions, e-mail, files, transactions, etc.
For homepage data transmissions, the encryption system commonly implemented to protect data is Secure Sockets Layer (SSL). This encryption can be easily identified by its web page address, which starts with “https:” in place of the usual “http:”. Another sign that SSL is being used is the presence of a gold lock on the status bar in Microsoft's Internet Explorer or the presence of a gold outline around the Security toolbar button's lock in Netscape.

The most popular algorithms to encrypt files and email messages are DES (Data Encryption Standard), RSA (Rivest Shamir and Adleman), and PGP (Pretty Good Privacy). Each employs a key method to encrypt data, which requires the use of two keys, a public and a private key. To encrypt an email message, the sender encrypts the email using the receiver's public key, which is widely known and can be obtained from a company or Internet public-key server. The email message is then sent in a locked, unreadable format. The receiver uses his private key, which is confidential to everyone except the recipient, to decrypt the message.

Recently, the new Advanced Encryption Standard (AES) has been adopted by the U.S. government. Developed by two Belgian cryptographers, the algorithm, called Rijndael, is designed to better safeguard government data than the older standard and works on multiple hardware and software platforms. This encryption method uses little memory and provides a defense against a number of data attacks. This new technique is particularly important when data passes through shared systems or insecure network segments where multiple people may have access to the information. In these situations, sensitive data, such as passwords, should be encrypted in order to protect it from unintended disclosure or modification.

Another data protection that is specific to e-mail messages is called “digital ID”.
As more people send confidential information by e-mail, it is increasingly important to be sure that documents sent in e-mail are not forged, and to be certain that messages sent cannot be intercepted and read by anyone other than the intended recipient. By using "digital IDs" in MS Outlook Express, senders can prove their identity in electronic transactions in a way similar to showing a driver's license when people cash a check. Similar to the encryption technique, a digital ID is composed of a "public key," a "private key," and a "digital signature." When somebody digitally signs messages, he/she is adding a digital signature and public key to the message. The combination of a digital signature and public key is called a "certificate." With Outlook Express, senders can specify a certificate to be used by others to send encrypted messages to the recipient.

For secure data transmissions on the Internet, both SSL and digital ID are commonly used to identify the legitimate identity of senders and receivers. Both techniques allow people to send/receive data in privacy, so that nobody on the Internet is able to eavesdrop. Furthermore, they can also be used to prevent any modification of a transaction or message on computer networks (the Internet).

Another protection method against computer crimes is called a firewall. An Internet firewall is essentially one or more systems that control access between computer networks. In this regard, the Internet is nothing more than collections of very large computer networks that need to be isolated one from another. The firewall serves two basic purposes: it controls access to the network from outside users, and it also controls the transfer of information from the inside network to the outside world (the Internet). The most important thing to remember about a firewall is that it creates an access control policy for the organization.

5. SOME OF THE REMAINING ISSUES

Information Technology also concerns computer professionals who design and create information systems and devices. Recently, national and international organizations, such as the International Federation of Information Processors (IFIP), the Association for Computing Machinery (ACM), the Institute of Electrical and Electronics Engineers (IEEE), the British Computer Society (BCS) and the Institute of Data Processing Management (IDPM), have recognized the need for new codes of ethics to inform and advise their members about relevant social and ethical issues. In the US since 1992, the ACM has established a new policy on professional ethics. National accrediting bodies, like the Computer Sciences Accreditation Board and the Accreditation Board for Engineering Technology, now also require that accredited university curricula in the computing sciences include mandatory instruction in the social and ethical effects of information technology. As listed in Table 4, a commitment to ethical professional conduct has been proposed for every member of the ACM to follow (ACM, 1992).

Many of the ethical issues that face IT professionals involve privacy. For example:

  • Should you read the private e-mail of your network users just “because you can?” Is it okay to read employees’ e-mail as a security measure, to ensure that sensitive company information isn’t being disclosed? Is it okay to read employees’ e-mail to ensure that company rules (for instance, against personal use of the e-mail system) aren’t being violated? If you do read employees’ e-mail, should you disclose that policy to them? Before or after the fact?

  • Is it okay to monitor the Web sites visited by your network users? Should you routinely keep logs of visited sites? Is it negligent to not monitor such Internet usage, to prevent the possibility of pornography in the workplace that could create a hostile work environment?

  • Is it okay to place key loggers on machines on the network to capture everything the user types? Screen capture programs so you can see everything that’s displayed? Should users be informed that they’re being watched in this way?

  • Is it okay to read the documents and look at the graphics files that are stored on users’ computers or in their directories on the file server?

    Remember that we’re not talking about legal questions here. A company may very well have the legal right to monitor everything an employee does with its computer equipment. We’re talking about the ethical aspects of having the ability to do so.

    As a network administrator or security professional, you have rights and privileges that allow you to access most of the data on the systems on your network. You may even be able to access encrypted data if you have access to the recovery agent account. What you do with those abilities depends in part on your particular job duties (for example, if monitoring employee mail is a part of your official job description) and in part on your personal ethical beliefs about these issues.

    The slippery slope

    A common concept in any ethics discussion is the “slippery slope.” This pertains to the ease with which a person can go from doing something that doesn’t really seem unethical (such as scanning employees’ e-mail “just for fun”) to doing things that are increasingly unethical (such as making little changes in their mail messages or diverting messages to the wrong recipient).

    In looking at the list of privacy issues above, it’s easy to justify each of the actions described. But it’s also easy to see how each of those actions could “morph” into much less justifiable actions. For example, the information you gained from reading someone’s e-mail could be used to embarrass that person, to gain a political advantage within the company, to get him/her disciplined or fired, or even for blackmail.

    The slippery slope concept can also go beyond using your IT skills. If it’s okay to read other employees’ e-mail, is it also okay to go through their desk drawers when they aren’t there? To open their briefcases or purses?

    Real world ethical dilemmas

    What if your perusal of random documents reveals company trade secrets? What if you later leave the company and go to work for a competitor? Is it wrong to use that knowledge in your new job? Would it be “more wrong” if you printed out those documents and took them with you, than if you just relied on your memory?

    What if the documents you read showed that the company was violating government regulations or laws? Do you have a moral obligation to turn them in, or are you ethically bound to respect your employer’s privacy? Would it make a difference if you signed a non-disclosure agreement when you accepted the job?

    IT and security consultants who do work for multiple companies have even more ethical issues to deal with. If you learn things about one of your clients that might affect your other client(s), where does your loyalty lie?

    Then there are money issues. The proliferation of network attacks, hacks, viruses, and other threats to their IT infrastructures has caused many companies to “be afraid, be very afraid.” As a security consultant, it may be very easy to play on that fear to convince companies to spend far more money than they really need to. Is it wrong for you to charge hundreds or even thousands of dollars per hour for your services, or is it a case of “whatever the market will bear?” Is it wrong for you to mark up the equipment and software that you get for the customer when you pass the cost through? What about kickbacks from equipment manufacturers? Is it wrong to accept “commissions” from them for convincing your clients to go with their products? Or what if the connection is more subtle? Is it wrong to steer your clients toward the products of companies in which you hold stock?

    Another ethical issue involves promising more than you can deliver, or manipulating data to obtain higher fees. You can install technologies and configure settings to make a client’s network more secure, but you can never make it completely secure. Is it wrong to talk a client into replacing their current firewalls with those of a different manufacturer, or switching to an open source operating system – which changes, coincidentally, will result in many more billable hours for you – on the premise that this is the answer to their security problems?

    Here’s another scenario: what if a client asks you to save money by cutting out some of the security measures that you recommended, yet your analysis of the client’s security needs shows that sensitive information will be at risk if you do so? You try to explain this to the client, but he/she is adamant. Should you go ahead and configure the network in a less secure manner? Should you “eat” the cost and install the extra security measures at no cost to the client? Should you refuse to do the job? Would it make a difference if the client’s business were in a regulated industry, and implementing the lower security standards would constitute a violation of HIPAA, GLB, SOX or other laws?

    Question 2 :

    IT security personnel often have access to confidential data and knowledge about individuals' and companies' networks and systems that give them a great deal of power. That power can be abused, either deliberately or inadvertently. But there are no standardized training requirements for hanging out your shingle as an IT security consultant or in-house security specialist. Associations and organizations for IT pros are beginning to address the ethical side of the job, but again, there is no requirement for IT security personnel to belong to those organizations.

Network security deals with the requirements needed for a company, organization or network administrator to help in protecting the network, computer systems and the resources that are network accessible. This includes protection from unauthorized entry and malicious components, as well as continuous, consistent monitoring and measurement of the effectiveness, or lack of effectiveness, of the network.

Network security is a major concern of every company that has a computer and is connected to a network. A network whose security has been compromised means that a competitor or any hacker can gain entry to sensitive or critical data, and they may delete or make off with the information, resulting in data loss or complete system destruction. The terms information security and network security are most of the time used to represent the same meaning. Network security, though, is more specifically taken as the provision of protection from outside intruders.

The process of network security begins with the authentication of any user who logs in with the appropriate password and user name, which is ‘one factor authentication’. There is another method of authentication known as ‘two factor’, where one also uses an item like an ATM card or mobile phone, and a ‘three factor’ authentication can also be used, where a body part is used, like a retinal scan or fingerprint. When authentication has been verified, there is a firewall that decides which programs or services network users are allowed to access. This component may be effective at preventing unauthorized access, but it fails to check harmful contents like computer worms that are transmitted across the network. An IPS, or intrusion prevention system, is able to detect and stop the activities of this sort of malware. The firewall and IPS settings are created by the network’s System Administrator, who also installs a viable antivirus system, which is kept up-to-date.
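
The zone idea described under "Multi-layer protocol" above, shown as an added example that is not part of the original answer and is not IPsec code: the datagram is split into a header zone and a payload zone, each protected under its own keys, and a trusted intermediate router holding only the header-zone keys can read and rewrite the TCP window while the payload stays opaque to it. The 10-byte header layout, the function names and the HMAC-based keystream (a standard-library stand-in for a real cipher such as AES) are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import struct

HEADER_FMT = "!HHIH"  # constructed mini TCP header: src port, dst port, seq, window


def pack_header(src, dst, seq, window):
    return struct.pack(HEADER_FMT, src, dst, seq, window)


def keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode; stand-in for a real cipher, illustration only."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack("!I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(data, key, nonce):
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def new_zone_keys():
    """Independent encryption and MAC keys for one zone."""
    return {"enc": os.urandom(32), "mac": os.urandom(32)}


def zone_tag(keys, zone_id, nonce, ct):
    # The zone number is bound into the MAC so zones cannot be swapped.
    return hmac.new(keys["mac"], bytes([zone_id]) + nonce + ct, hashlib.sha256).digest()


def seal_zone(keys, zone_id, plaintext):
    """Encrypt-then-MAC one zone. A fresh nonce per sealing avoids keystream reuse."""
    nonce = os.urandom(16)
    ct = xor(plaintext, keys["enc"], nonce)
    return {"zone": zone_id, "nonce": nonce, "ct": ct, "tag": zone_tag(keys, zone_id, nonce, ct)}


def open_zone(keys, sealed):
    """Verify the zone's MAC first, then decrypt. Raises ValueError on mismatch."""
    expected = zone_tag(keys, sealed["zone"], sealed["nonce"], sealed["ct"])
    if not hmac.compare_digest(expected, sealed["tag"]):
        raise ValueError("zone %d: integrity check failed" % sealed["zone"])
    return xor(sealed["ct"], keys["enc"], sealed["nonce"])


def can_open(keys, sealed):
    try:
        open_zone(keys, sealed)
        return True
    except ValueError:
        return False


def sender_protect(all_keys, header, payload):
    """Endpoint: zone 1 carries the transport header, zone 2 the application data."""
    return {1: seal_zone(all_keys[1], 1, header), 2: seal_zone(all_keys[2], 2, payload)}


def router_set_window(packet, zone1_keys, new_window):
    """Trusted intermediate node: opens and re-seals zone 1, forwards zone 2 untouched."""
    src, dst, seq, _ = struct.unpack(HEADER_FMT, open_zone(zone1_keys, packet[1]))
    return {1: seal_zone(zone1_keys, 1, pack_header(src, dst, seq, new_window)), 2: packet[2]}


def receiver_open(all_keys, packet):
    """Endpoint: holds both key sets, so it verifies and decrypts both zones."""
    header = struct.unpack(HEADER_FMT, open_zone(all_keys[1], packet[1]))
    return header, open_zone(all_keys[2], packet[2])


def demo():
    keys = {1: new_zone_keys(), 2: new_zone_keys()}   # held by both endpoints
    router_keys = keys[1]                             # router is granted zone 1 only
    payload = b"constructed application data"
    packet = sender_protect(keys, pack_header(44321, 443, 1000, 512), payload)
    forwarded = router_set_window(packet, router_keys, 65535)
    header, received = receiver_open(keys, forwarded)
    return {
        "window_seen_by_receiver": header[3],
        "payload_intact": received == payload,
        "router_can_open_payload": can_open(router_keys, forwarded[2]),
    }


if __name__ == "__main__":
    print(demo())
```
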

