
1. INTRODUCTION:

1.1 DEFINITION & OVERVIEW

Security, as the name itself suggests, is important for any individual, for a machine, and for a network. Just as locks keep tangible property safe, computers and data need provisions that keep information secure. Moreover, the increased use of networked computers on the Internet, intranets and extranets has had a profound impact on the necessity of network security. When one PC communicates with another it forms a network, and hence there arises a need that whatever secret data is transferred between the two computers should not be exposed to the outside world. This provision of making data secure within the network has led to the concept of network security, i.e. security on the net. Since most transactions in the world today take place on the Internet, there is a greater need to prevent unauthorized access to data.

Security in an Internet environment is both important and difficult. It is important because information can be used to create new products and services that yield high value, and it is difficult because it involves understanding trust between the various participating users and computers, as well as understanding the technical details of the network hardware and protocols. As the Internet becomes more complex day by day, security administrators face the risk of being attacked by external intruders that may:

Read access - Read or copy confidential information.

Write access - Write to the network or perhaps infect the systems with viruses and trojan horses.

Denial of service - Deny authorized users normal network services.

Thus, to guard against threats to the security of a distributed system, security policies as well as security mechanisms must be employed, thereby providing a secure communication link for data transmission between the interconnected host computer systems of the network.

2. CHARACTERISTICS OF SECURED COMMUNICATION

Suppose two persons A and B communicate. Both of them want to make sure that the contents delivered are not altered by an intruder and are being transferred between them only. The following considerations reflect these desirable properties of secure communication.

2.1 SECRECY - Only the sender and the intended receiver should be able to understand the contents of the transmitted message. Because eavesdroppers may intercept the message, the message must somehow be encrypted so that an intercepted message cannot be decrypted by the interceptor. A might also want the mere fact that she is communicating with B to be a secret.

2.2 AUTHENTICATION - Here both the sender and the receiver need to confirm the identity of the other party involved in the communication, i.e. to confirm that the other party is indeed who or what they claim to be. For example, if A receives mail from B, then in order to know that it was sent by B only, A needs some form of authentication; likewise, in a network there are authentication protocols.

2.3 MESSAGE INTEGRITY - Here the sender and receiver want to ensure that, apart from authentication, the content of their communication is not altered, either maliciously or by accident, in transmission.

3. NEED FOR NETWORK SECURITY:

Most security problems are intentionally caused by malicious people trying to gain some benefit or harm someone, which forces the security administrator to keep the network free from programming errors. This in turn involves outsmarting often intelligent, dedicated and sometimes well-funded adversaries, and hence the need for network security arises. As the Internet forms the platform for all networks, it is susceptible to all kinds of attacks by an intruder. Some of the important network security considerations on the net are illustrated below.

3.1 PACKET SNIFFING - A packet sniffer is a program running in a network-attached device that passively receives all data link layer frames passing by the network device's interface. In a broadcast environment like an Ethernet LAN, the packet sniffer receives all frames being transmitted from all hosts to all hosts on the LAN. These frames can then be passed on to application programs that extract application-level data. For example, in the telnet scenario shown in the figure below, the login and password prompt sent from A to B, as well as the password entered at B, are sniffed at host C.

PACKET SNIFFING

3.2 IP SPOOFING - Any Internet-connected device sends IP datagrams into the network. A user with complete control over that device's software can easily modify the device's protocols to place an arbitrary IP address into a datagram's Source Address field. This is known as IP spoofing.

3.3 DENIAL OF SERVICE - In this attack the attacker deluges the server with TCP SYN packets, each having a spoofed IP source address. The server, being unable to distinguish between a legitimate SYN and a spoofed SYN, completes the second step of the TCP handshake, allocating data structures and state. The third step of the three-way handshake is never completed by the attacker, leaving a large number of partially opened connections, and this ever-increasing load of SYNs brings the server down on its knees. Thus an intruder can actively interfere with, control or corrupt the network management functions, DNS lookups and updates, and routing computations, which can create havoc on the net. A few more perpetrators that can have a real impact on the market are listed below.

ADVERSARY      GOAL
Hacker         To test out someone's security system
Businessman    To discover a competitor's strategic plan
Accountant     To embezzle money from the company
Terrorist      To steal germ warfare secrets
Stock broker   To deny a promise made to the customer by mail

From the analysis given above it is quite clear that, to prevent legitimate messages from being captured and to maintain the authenticity of the data, network security is greatly needed.
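As an added example (not from the original report), the following Python replays a constructed log of TCP handshake events and flags the half-open-connection pattern described in 3.3; the event names, addresses and thresholds are assumptions made for this illustration.

```python
# Constructed sample log (not captured traffic): (time_s, event, client_ip, client_port).
# "SYN" = first handshake step arrived; "ACK" = third step arrived, completing the handshake.
LEGIT = [
    (0.00, "SYN", "192.0.2.10", 40001), (0.05, "ACK", "192.0.2.10", 40001),
    (0.10, "SYN", "192.0.2.11", 40002), (0.15, "ACK", "192.0.2.11", 40002),
    (0.20, "SYN", "192.0.2.12", 40003), (0.25, "ACK", "192.0.2.12", 40003),
]
# Twelve SYNs, each carrying a different (spoofed) source, none ever followed by an ACK.
FLOOD = [(1.0 + i / 100, "SYN", f"203.0.113.{i + 1}", 51000 + i) for i in range(12)]
SAMPLE_LOG = sorted(LEGIT + FLOOD)


def handshake_table(events):
    """Replay the events the way a server's backlog fills: a SYN allocates an entry,
    the matching ACK releases it. Returns (half_open, completed) where half_open maps
    (ip, port) -> time of the SYN still waiting for step three."""
    half_open, completed = {}, 0
    for t, ev, ip, port in events:
        key = (ip, port)
        if ev == "SYN":
            half_open.setdefault(key, t)
        elif ev == "ACK" and key in half_open:
            del half_open[key]
            completed += 1
    return half_open, completed


def syn_flood_report(events, max_half_open=10, min_completion=0.5):
    """Decide whether the pattern of 3.3 is present: a large backlog of half-open
    entries, a low handshake completion ratio, and the pending sources spread over
    many distinct addresses (what spoofed Source Address fields look like)."""
    half_open, completed = handshake_table(events)
    syns = sum(1 for _, ev, _, _ in events if ev == "SYN")
    completion = completed / syns if syns else 1.0
    return {
        "half_open": len(half_open),
        "completion_ratio": round(completion, 3),
        "distinct_half_open_sources": len({ip for ip, _ in half_open}),
        "suspected_syn_flood": len(half_open) >= max_half_open and completion < min_completion,
    }


if __name__ == "__main__":
    print(syn_flood_report(SAMPLE_LOG))   # flood: 12 half-open, 0.2 completion, suspected
    print(syn_flood_report(LEGIT))        # benign: 0 half-open, 1.0 completion
```

A real backlog also ages entries out, so a production check would evaluate the table over a sliding time window rather than at the end of the log.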

4. NETWORK SECURITY MECHANISMS:

Before getting into the solutions for network security, it is necessary to consider which layer each solution belongs to. However, there is no single place: every layer has something to contribute. In the physical layer, wire tapping can be prevented by enclosing transmission lines in sealed tubes containing gas at high pressure; any attempt to drill the tube causes a fall in pressure that in turn can ring an alarm. Similarly, in the data link layer, point-to-point lines can be encoded as frames leave one machine and decoded on the other, and in the network layer firewalls are established. However, the problem of authentication can be resolved only at the application layer, which therefore holds greater importance. Some of the network security mechanisms are:

CRYPTOGRAPHY
FIREWALLS
DIGITAL SIGNATURES
SECURITY IDENTIFIERS

Let us discuss them in detail one by one.

4.1 CRYPTOGRAPHY:

INTRODUCTION

The art of devising ciphers, i.e. converting plaintext into a coded format and then decoding it, is called cryptography. Here the messages to be encrypted, known as plaintext, are transformed by a function parameterized by a key. The output of the encryption process, known as ciphertext, is then often transmitted by a messenger. At the receiver it is decrypted with the help of the decryption key and the original message is retrieved.

HISTORY

Historically, four groups of people have used and contributed to the art of cryptography. Of these, the military has had the most important role, as within military organizations the messages to be sent were normally encrypted. Until the advent of computers, the main constraints on cryptography were the ability of the code clerk to perform the necessary transformations and the difficulty of switching quickly from one cryptographic method to another. Earlier there were a few traditional methods to prevent intruders from reading an encrypted message. They are as follows.

4.1.1 SUBSTITUTION CIPHERS - In this method each letter or group of letters is replaced by another letter to disguise it. One of the oldest substitution ciphers was the Caesar cipher, in which the ciphertext alphabet was shifted by k letters. An improvement on this technique was to let each symbol in the plaintext map onto some other letter, for example:

PLAINTEXT:   a b c d e f g h i j k l m n o p q r s t u v w x y z
CIPHERTEXT:  q w e r t y u i o p a s d f g h j k l z x c v b n m

This general system is known as monoalphabetic substitution, with the key being the 26-letter string corresponding to the full alphabet. At first glance it appears to be a safe system, but by taking advantage of the statistical properties of natural language, such as the frequency of letters and words, this cipher can be broken.

4.1.2 TRANSPOSITION CIPHER - In this method, unlike the substitution cipher, the ciphertext is a reordered form of the plaintext and not a disguised form of it. The following example depicts the transposition method. The cipher is keyed by a word or phrase not containing any repeated letters; here MEGABUCK is the key. The purpose of the key is to number the columns (in the alphabetical order of the key letters). The plaintext is written horizontally in rows and the ciphertext is read out by columns.

M E G A B U C K
7 4 5 1 2 8 3 6
p l e a s e t r
a n s f e r o n
e m i l l i o n
d o l l a r s a

PLAINTEXT:  please transfer one million dollars
CIPHERTEXT: AFLLSELATOOSLNMOESILR

To break this transposition cipher, the cryptanalyst must first be aware that he is dealing with a transposition cipher; after that he guesses the number of columns and looks for a probable phrase or word. Thus, by hunting through the various possibilities, the cryptanalyst can often determine the key length and get the message decrypted.
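The two classical ciphers of 4.1.1 and 4.1.2, implemented here as an added example that is not part of the original report: the monoalphabetic substitution with the report's key, and the columnar transposition keyed by MEGABUCK, which reproduces the ciphertext above (the report prints only its first 21 letters). A letter-count helper shows the statistic that breaks substitution and that transposition leaves untouched.

```python
import string
from collections import Counter

ALPHABET = string.ascii_lowercase
SUBST_KEY = "qwertyuiopasdfghjklzxcvbnm"   # the 26-letter key of 4.1.1 (a->q, b->w, ...)


def substitute(text, key=SUBST_KEY, decrypt=False):
    """Monoalphabetic substitution: each letter maps to the key letter at the same
    alphabet position (or back again when decrypt=True). Other characters pass through."""
    src, dst = (key, ALPHABET) if decrypt else (ALPHABET, key)
    return text.lower().translate(str.maketrans(src, dst))


def caesar(text, k):
    """The Caesar cipher is the special case whose key is the alphabet shifted by k."""
    return substitute(text, ALPHABET[k:] + ALPHABET[:k])


def column_order(key):
    """Number the columns as the report does: rank the key letters alphabetically
    (MEGABUCK gives 7 4 5 1 2 8 3 6). Returns the column indices in read-out order."""
    return sorted(range(len(key)), key=lambda i: key[i])


def transpose_encrypt(plaintext, key="MEGABUCK"):
    """Write the letters in rows of len(key), read out column by column in key order."""
    letters = "".join(c for c in plaintext.lower() if c.isalpha())
    width = len(key)
    letters += "a" * (-len(letters) % width)      # pad the last row, as the report's example does
    rows = [letters[i:i + width] for i in range(0, len(letters), width)]
    return "".join(row[col] for col in column_order(key) for row in rows).upper()


def transpose_decrypt(ciphertext, key="MEGABUCK"):
    """Inverse: cut the ciphertext into columns in key order, then read the rows."""
    width = len(key)
    height = len(ciphertext) // width
    cols, pos = {}, 0
    for col in column_order(key):
        cols[col] = ciphertext[pos:pos + height]
        pos += height
    return "".join(cols[c][r] for r in range(height) for c in range(width)).lower()


def letter_counts(text):
    """The statistic a cryptanalyst uses against substitution (4.1.1): letter frequencies."""
    return Counter(c for c in text.lower() if c.isalpha())


if __name__ == "__main__":
    pt = "please transfer one million dollars"
    ct = transpose_encrypt(pt)
    print(ct)                                   # AFLLSELATOOSLNMOESILRNNAPAEDERIR
    print(transpose_decrypt(ct))
    print(substitute("attack"), substitute(substitute("attack"), decrypt=True))
    # Substitution renames letters but keeps their counts: the most frequent plaintext
    # letter 'l' simply becomes the most frequent ciphertext letter 's'.
    print(letter_counts(pt).most_common(3), letter_counts(substitute(pt)).most_common(3))
```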

4.1.3 MODERN CRYPTOGRAPHIC TECHNIQUES

Secret key algorithms

In modern cryptography the object is to make the encryption algorithm so complex and involuted that even if the cryptanalyst acquires vast mounds of enciphered text, he will not be able to make sense of it. In modern cryptography, transpositions and substitutions are implemented with simple circuits. A P-box (P for permutation) is used to effect a transposition on an 8-bit input. For example, if the 8 input bits are designated from top to bottom as 01234567, then the output of a particular P-box can be some other ordering, say 3607125, depending on the transposition made, as shown in the figures below.

Fig a   Fig b   Fig c

Substitutions are performed by S-boxes. Here, at the first stage, the input selects one of the eight lines; the second stage is a P-box; and the third stage encodes the selected line in binary again. The real power of these basic elements only becomes apparent when a whole series of boxes is cascaded to form a product cipher. A single stage is not very powerful, but by including a sufficiently large number of stages the output can be made very complicated. A few of the modern algorithms are illustrated below.

DES (Data Encryption Standard):

In January 1977 the US government adopted a product cipher developed by IBM as its official standard for unclassified information. It is no longer secure in its original form, but its modified form is still useful. Here the plaintext is encrypted in blocks of 64 bits, yielding 64 bits of ciphertext. The algorithm, which is parameterized by a 56-bit key, has 19 distinct stages. The first stage is a key-independent transposition on the 64-bit plaintext. The last stage is the exact inverse of this transposition. The stage prior to the last one exchanges the leftmost 32 bits with the rightmost 32 bits. The remaining 16 stages are functionally identical. For decryption the algorithm is run with the same key but in the reverse order. An outline of this algorithm is shown in the figure below.

DES ALGORITHM

IDEA (International Data Encryption Algorithm):

IDEA was designed by two researchers in Switzerland who introduced a secret trapdoor. The basic structure of the algorithm resembles DES in that 64-bit plaintext input blocks are mangled in a sequence of parameterized iterations to produce 64-bit ciphertext output blocks. The following figure illustrates the working of this algorithm.

IDEA ALGORITHM

As with all block ciphers, IDEA can also be used in cipher feedback mode or with the other DES modes. Moreover, it has both hardware and software implementations; for example, its first software implementation ran on a 33 MHz 386 and achieved an encryption rate of 0.88 Mbps.

PUBLIC KEY ALGORITHM

In 1976, two researchers at Stanford University proposed a radically new kind of cryptosystem, one in which the encryption and the decryption key were different and the decryption key could not be derived from the encryption key. Moreover, the encryption algorithm E and the decryption algorithm D had to meet the following requirements:

D(E(P)) = P, that is, if we apply D to an encrypted message E(P) we get the original message P back.
It is exceedingly difficult to deduce D from E.
E cannot be broken by a chosen plaintext attack.

Let us go through the analysis of this method. Suppose a person A wants to communicate secretly with B, so she devises two algorithms Ea and Da meeting the above requirements. The encryption key is made public, hence the name public key cryptography. Both A's and B's encryption keys are assumed to be in a publicly readable file. Now A takes her first message P, computes Eb(P) and sends it to B. B then decrypts the message by applying the secret decryption key Db that is known to him only. One more piece of terminology used here is that each user has two keys, public and private, to use for encryption and decryption respectively.

RSA ALGORITHM

This algorithm is known by the initials of its three discoverers (Rivest, Shamir, and Adleman) and is based on simple number theory. A summary of the algorithm follows:

Choose two large primes, p and q.
Compute n = p*q and z = (p-1)*(q-1).
Choose a number relatively prime to z and call it d.
Find e such that e*d = 1 (mod z).

With these parameters computed in advance, we are ready to begin encryption. To encrypt a message P, compute C = P^e (mod n); to decrypt, compute P = C^d (mod n). The security of this method is based on the difficulty of factoring large numbers: if the cryptanalyst could factor n, he could find p and q and then z. But according to Rivest, it would take 2 billion years of computer time to factor a 200-digit number. So even as computers become faster, it would still take far too much time to be feasible. The only disadvantage of this algorithm is its speed in handling large volumes of data.

4.2 INTERNET CONNECTION FIREWALL:

Introduction

A firewall is a security system that acts as a protective boundary between a network and the outside world. Internet Connection Firewall (ICF) is firewall software that is used to set restrictions on what information is communicated between your home or small office network and the Internet. If your network uses Internet Connection Sharing (ICS) to provide Internet access to multiple computers, ICF should be enabled on the shared Internet connection. However, ICS and ICF can be enabled separately. You should enable ICF on the Internet connection of any computer that is connected directly to the Internet. ICF also protects a single computer connected to the Internet: if you have a single computer connected to the Internet with a cable modem, a DSL modem, or a dial-up modem, ICF protects that Internet connection. You should not enable ICF on VPN connections because it will interfere with the operation of file sharing and other VPN functions.

4.2.1 How Internet Connection Firewall (ICF) works:

FIREWALL SCHEME

ICF is considered a "stateful" firewall. A stateful firewall is one that monitors all aspects of the communications that cross its path and inspects the source and destination address of each message that it handles. To prevent unsolicited traffic from the public side of the connection from entering the private side, ICF keeps a table of all communications that have originated from the ICF computer. In the case of a single computer, ICF tracks traffic originated from that computer. When used in conjunction with ICS, ICF tracks all traffic originated from the ICF/ICS computer and all traffic originated from private network computers. All inbound traffic from the Internet is compared against the entries in the table. Inbound Internet traffic is only allowed to reach the computers in your network when there is a matching entry in the table showing that the communication exchange began from within your computer or private network. Communications that originate from a source outside the ICF computer, such as the Internet, are dropped by the firewall unless an entry is made in the Services tab to allow passage.

Rather than sending you notifications about activity, ICF silently discards unsolicited communications, stopping common hacking attempts such as port scanning. Such notifications could be sent frequently enough to become a distraction. Instead, ICF can create a security log to view the activity that is tracked by the firewall. Services can be configured to allow unsolicited traffic from the Internet to be forwarded by the ICF computer to the private network. For example, if you are hosting an HTTP Web server and have enabled the HTTP service on your ICF computer, unsolicited HTTP traffic will be forwarded by the ICF computer to the HTTP Web server. A set of operational information, known as a service definition, is required by ICF to allow the unsolicited Internet traffic to be forwarded to the Web server on your private network.
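A small model of the stateful behaviour described in 4.2.1, added here as an illustration; it is not Microsoft's ICF code. The Packet class, the addresses (shown after any address translation), the traffic and the service definition are constructed for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "out" = leaving the private side, "in" = arriving from the Internet
    proto: str       # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class StatefulFirewall:
    """Keeps the table of communications that originated inside (4.2.1) and lets
    inbound traffic through only when it matches that table or a service definition.
    Simplification for the example: table entries never expire."""

    def __init__(self, services=None):
        # (proto, private_ip, private_port, remote_ip, remote_port) for every outbound flow seen
        self.table = set()
        # Service definitions: (proto, public_port) -> (private_host, private_port)
        self.services = dict(services or {})
        self.log = []    # the security log: unsolicited traffic is dropped silently but recorded

    def handle(self, pkt):
        """Return ("allow", (host, port)) for traffic that may pass, or ("drop", None)."""
        if pkt.direction == "out":
            self.table.add((pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return "allow", (pkt.dst_ip, pkt.dst_port)
        # Inbound: a reply matches when the exchange began from inside.
        if (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.table:
            return "allow", (pkt.dst_ip, pkt.dst_port)
        # Otherwise only a service definition for the destination port lets it in.
        target = self.services.get((pkt.proto, pkt.dst_port))
        if target is not None:
            return "allow", target
        self.log.append(f"DROP {pkt.proto} {pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port}")
        return "drop", None


def demo():
    """Constructed traffic: one browsing session, one unsolicited probe, one request to the
    hosted web server, then a probe walking several ports. Returns the decisions and the log."""
    fw = StatefulFirewall(services={("tcp", 80): ("192.168.0.10", 80)})   # HTTP service definition
    decisions = [
        fw.handle(Packet("out", "tcp", "192.168.0.2", 50000, "203.0.113.5", 443)),   # client opens HTTPS
        fw.handle(Packet("in", "tcp", "203.0.113.5", 443, "192.168.0.2", 50000)),    # server reply: in table
        fw.handle(Packet("in", "tcp", "198.51.100.9", 4444, "192.168.0.2", 22)),     # unsolicited: dropped
        fw.handle(Packet("in", "tcp", "198.51.100.9", 4445, "192.168.0.1", 80)),     # HTTP: forwarded to web server
    ]
    for port in (21, 23, 25, 135, 445):     # each unsolicited probe is dropped and logged
        fw.handle(Packet("in", "tcp", "198.51.100.9", 4446, "192.168.0.1", port))
    return decisions, fw.log


if __name__ == "__main__":
    decisions, log = demo()
    print(*decisions, sep="\n")
    print(*log, sep="\n")
```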

4.2.2 TYPES OF FIREWALL

Basically there are two types.

FILTER BASED FIREWALLS

As filter based firewalls work on deny or permit rules, they are characterised as firewalls that block traffic as well as firewalls that permit traffic. Firewall control mechanisms include packet filtering, circuit filtering and application gateways. Packet filtering is the simplest and fastest mechanism: based on the contents of the individual packets, it blocks or passes each packet through. It takes the decision by checking only the individual packet's headers, whereas circuit filtering collects and checks the connection state data associated with the packets and thereby decides whether to forward or block. Application gateways apply true user-based access control and behaviour control. The cost of application gateways is higher, as they offer more security. The following figure shows an application gateway.

Working Principle Of Application Gateway

It mainly consists of a gateway node and two firewalls, one on either side of the gateway. Firewall 1 discards packets not addressed to the gateway, thereby controlling inbound access. Similarly, firewall 2 accepts only packets addressed to the gateway, thereby controlling outbound access.

PROXY BASED FIREWALLS

A proxy based firewall may be an application gateway firewall. As the proxy appears as a server to the client and as a client to the server, it responds to the client's request without passing the request to the server, thereby controlling access rights. The proxy software receives and interprets each service request and, after checking it, forwards it to the destination server. If a company wants to make some of its Web server pages accessible to all outside users while restricting certain other pages, a simple filter firewall does not work. The solution is to use an HTTP proxy server. Outsiders open an HTTP/TCP connection with the proxy which, after checking the uniform resource locator (URL) contained in the request, may allow a second HTTP/TCP connection to the company's web server or prohibit the connection. This is shown in the figure below.

Proxy Based Firewall

The proxy server acts as an intermediary between the local server and the external client, i.e. the local computer communicates with the external computer through the proxy server and vice versa.

4.2.3 Internet Connection Firewall Considerations

ICF and Home or Small Office communications

You should not enable Internet Connection Firewall (ICF) on any connection that does not directly connect to the Internet. If the firewall is enabled on the network adapter of an ICS client computer, it will interfere with some communications between that computer and all other computers on the network. For a similar reason, the Network Setup Wizard does not allow ICF to be enabled on the ICS host private connection, the connection that connects the ICS host computer with the ICS client computers, because enabling a firewall in this location would completely prohibit network communications. Internet Connection Firewall is not needed if your network already has a firewall or proxy server. If your network has only one shared Internet connection, you should protect it by enabling Internet Connection Firewall. Individual client computers may also have adapters, such as a dial-up or DSL modem, that provide individual connections to the Internet and are vulnerable without firewall protection. ICF can only check the communications that cross the Internet connection on which it is enabled. Because ICF works on a per-connection basis, you need to enable it on all computers with connections to the Internet in order to ensure protection for your entire network. If you have enabled the firewall on the ICS host computer's Internet connection, but a client computer with a direct Internet connection is not using the firewall for protection, your network will be vulnerable through that unprotected connection.

The service definitions that allow services to operate across ICF also work on a per-connection basis. If your network has multiple firewalled connections, service definitions must be configured for each firewalled connection you want the service to work through.

4.3 DIGITAL SIGNATURES:

The authenticity of many legal, financial and other documents is determined by the presence of an authorized handwritten signature. But in computerized networking there is the problem of replacing handwritten signatures, and hence another cryptographic technique comes into the picture, namely the digital signature. These are basically constructed in such a way that:

The receiver can verify the claimed identity of the sender.
The sender cannot later repudiate the contents of the message.
The receiver cannot possibly have concocted the message himself.

The first requirement is needed, for example, when a customer's computer orders a bank's computer to buy a ton of gold: the bank's computer needs to be able to make sure that the computer giving the order really belongs to that customer. The second requirement is needed to protect the bank against fraud, i.e. a dishonest customer might sue the bank claiming that he never placed any order to buy gold. The third requirement is needed to protect the customer in the event that the price of gold rises and the bank tries to construct a signed message saying that the order was for one bar of gold rather than one ton. Digital signatures fall into two categories.

SECRET KEY SIGNATURES

In this approach to digital signatures there is a central authority that knows everything, say Big Brother (BB). Each user chooses a secret key and carries it by hand to BB's office. For example, when A wants to send a message to B, she encrypts it with her key and sends it; BB sees the message, decrypts it and sends it on to B. This is shown in the figure below.

Digital Signature With Big Brother

The only disadvantage with this technique is replay attacks, in which one is shown the same message again and again.

PUBLIC KEY SIGNATURES

One structural problem with using secret key cryptography for digital signatures is that one always has to trust Big Brother (BB). Public key cryptography can make an important contribution here. Suppose A wants to send a plaintext message P to B. She knows her own (private) decryption key Da as well as B's public key Eb, and constructs the message Eb(Da(P)) to transmit. When B receives the message, he transforms it using his private key Db, then applies A's public key Ea, and gets the original message P. This is shown in the figure below.

Digital Signature Using Public Key Cryptography
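Added example, not from the original report: the RSA recipe from the RSA ALGORITHM section, using the report's naming (d is chosen first, e is derived), reused for the public key signature of 4.3 in which A transmits Eb(Da(P)). The small primes and the toy factoring routine are for illustration only; the sender's modulus is chosen smaller than the receiver's so the signed value fits.

```python
from math import gcd


def make_keys(p, q, d):
    """The report's steps: n = p*q, z = (p-1)*(q-1), d relatively prime to z,
    and e with e*d = 1 (mod z). Returns (public_key (e, n), private_key (d, n))."""
    n, z = p * q, (p - 1) * (q - 1)
    if gcd(d, z) != 1:
        raise ValueError("d must be relatively prime to z")
    e = pow(d, -1, z)                 # modular inverse of d modulo z (Python 3.8+)
    return (e, n), (d, n)


def encrypt(P, public):
    """C = P^e (mod n); P must be smaller than n."""
    e, n = public
    return pow(P, e, n)


def decrypt(C, private):
    """P = C^d (mod n)."""
    d, n = private
    return pow(C, d, n)


def sign_and_seal(P, sender_private, receiver_public):
    """4.3, sender side: A forms Eb(Da(P)), applying her private key, then B's public key."""
    return encrypt(decrypt(P, sender_private), receiver_public)


def open_and_verify(msg, receiver_private, sender_public):
    """4.3, receiver side: B applies his private key Db, then A's public key Ea, recovering P.
    Keeping the pair (Da(P), P) lets B later show that only the holder of Da could have made it."""
    return encrypt(decrypt(msg, receiver_private), sender_public)


def factor_small_n(n):
    """Trial division, feasible only for toy moduli: this is the step the report says
    would take 2 billion years of computer time for a 200-digit n."""
    for p in range(2, int(n ** 0.5) + 1):
        if n % p == 0:
            return p, n // p
    return None


def recover_private(public):
    """What a cryptanalyst who could factor n would do: find p and q, then z, then d from e."""
    e, n = public
    p, q = factor_small_n(n)
    return pow(e, -1, (p - 1) * (q - 1)), n


if __name__ == "__main__":
    pub_a, priv_a = make_keys(3, 11, 7)     # n = 33, z = 20, e = 3
    pub_b, priv_b = make_keys(5, 13, 11)    # n = 65, z = 48, e = 35
    P = 19                                  # the letter S, numbering a..z as 1..26
    C = encrypt(P, pub_a)
    print(C, decrypt(C, priv_a))            # 28 19
    sealed = sign_and_seal(P, priv_a, pub_b)
    print(open_and_verify(sealed, priv_b, pub_a))   # 19
    print(recover_private(pub_a) == priv_a)         # True: factoring 33 reveals d
```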

4.4 SECURITY IDENTIFIERS:

Security identifiers (SIDs) are numeric values that identify a user or group. For each access control entry (ACE), there exists a SID that identifies the user or group for whom access is allowed, denied, or audited. The well-known SIDs (special identities) are listed below.

Well-known SID - Description

Anonymous Logon (S-1-5-7) - A user who has connected to the computer without supplying a user name and password.

Authenticated Users (S-1-5-11) - Includes all users and computers whose identities have been authenticated. Authenticated Users does not include Guest even if the Guest account has a password.

Batch (S-1-5-3) - Includes all users who have logged on through a batch queue facility such as task scheduler jobs.

Creator Owner (S-1-3-0) - A placeholder in an inheritable access control entry (ACE). When the ACE is inherited, the system replaces this SID with the SID for the object's current owner.

Creator Group (S-1-3-1) - A placeholder in an inheritable ACE. When the ACE is inherited, the system replaces this SID with the SID for the primary group of the object's current owner.

Dialup (S-1-5-1) - Includes all users who are logged on to the system through a dial-up connection.

Everyone (S-1-1-0) - On computers running Windows XP Professional, Everyone includes Authenticated Users and Guest. On computers running earlier versions of the operating system, Everyone includes Authenticated Users and Guest plus Anonymous Logon.

Interactive (S-1-5-4) - Includes all users logging on locally or through a Remote Desktop connection.

Local System (S-1-5-18) - A service account that is used by the operating system.

Network (S-1-5-2) - Includes all users who are logged on through a network connection. Access tokens for interactive users do not contain the Network SID.

Self (or Principal Self) (S-1-5-10) - A placeholder in an ACE on a user, group, or computer object in Active Directory. When you grant permissions to Principal Self, you grant them to the security principal represented by the object. During an access check, the operating system replaces the SID for Principal Self with the SID for the security principal represented by the object.

Service (S-1-5-6) - A group that includes all security principals that have logged on as a service. Membership is controlled by the operating system.

Terminal Server Users (S-1-5-13) - Includes all users who have logged on to a Terminal Services server that is in Terminal Services version 4.0 application compatibility mode.

5. APPLICATIONS OF NETWORK SECURITY:

5.1 E-MAIL SECURITY

As e-mail has become an integral part of the networking world, it is all the more susceptible to security attacks. An unencrypted e-mail can be read by unauthorized parties while it traverses the net, or malicious attachments or viruses can be sent through it, which then activate their malicious content on one's desktop. Also, junk mail may clutter the LAN with unwanted messages. Thus, in order to sort out these problems, different security measures are taken, like Pretty Good Privacy (PGP) (a public key method used for protecting messages on the Internet), virtual private networking solutions, virus scanning, e-mail filters, etc., that help a mail traverse the net securely.

5.2 PASSWORDS

Many hackers are authorized users with limited access trying to get unlimited access. These hackers have a valid user ID and password and are often looking for a weakness in the system. In most systems, passwords are stored in an encrypted file. They are generally encrypted using the data encryption algorithm. While it is quite easy to encrypt a password, it is quite difficult to decrypt it; so it is only because of a serious design flaw that a hacker may write a program that satisfies the login program. So, with the various encryption algorithms like DES or IDEA, such security breaches can be prevented and the system can be saved.

5.3 MODEM CONNECTIONS

Any time the user connects to the network through a modem, additional risks are introduced into the system. Apart from viruses, the major trouble-causing elements are hackers who can have easy access to your network. In the past many companies used dial-back techniques to reduce modem risks. Nowadays hardware encryption techniques as well as firewalls are turning out to be good security options for keeping hackers at bay.

5.4 ACCESS CONTROL

Access control is the set of mechanisms and security policies that restrict access to computer resources. One recent advancement in this field is a product called Your Eyes Only, developed by Symantec Corporation, which offers features like Boot Lock, which protects the boot process, Screen Lock, and Smart Lock folders (based on encryption and decryption), which prevent unauthorized access to one's computer.

6. CONCLUSION:

As the Internet market continues to explode, there has been a significant rise in the number of network users. The widespread use of networking has enabled one to get linked globally. But at the same time security on the network is of utmost importance, as it is necessary to protect data from unauthorized access, damage, destruction and deliberate modification. Through different security measures of different degrees at different levels of the network, like encryption, keying, firewalls and passwords, user data can be protected during transportation. Moreover, with the rapid technological innovations coming up in the field of computing, new security measures are coming onto the market, thereby increasing the proliferation of secure and effective networks all around the globe. Thus, with the advent of new innovations in the field of network security, one can hope for secure and reliable networks.
