
Network Security and Protocols
Chapter 18

Chapter Objectives - I

Explain the different Network Security Threats
Explain the need for Network Security
Discuss the objectives of Cryptography
List the various types of Cryptosystems
Explain the concept of Digital Signatures
Identify the different Authentication Protocols

Chapter Objectives - II

Discuss the different methods of ensuring privacy
Explain the concept of Firewall
Discuss the concept of VLAN
Explain the various Fault Tolerance and Redundancy Methods
List the components of a Perfect Server
Demonstrate the implementation of External Network Security
List the different Network Security Protocols

Recall - I

The combination of the centralized processing model and the distributed processing model is called the client-server model
Advantages of light wave technology are:
  Cost effective solution
  Offers very high bandwidth
  Very easy to install

Recall - II

The different remote access methods used are:
  Using phone lines and modems
  Using ISDN lines
  Using X.25
Advantages of connectionless internetworking are: flexibility, robustness and no unnecessary overhead
The two processes involved in routing are host routing and router routing

Threats

A threat is anything that can prevent users from accessing the resources they require for performing their work
Types of Threats:
  Internal
  External

Internal Threats

Practices of the local network's own users, malicious or careless, that do not allow efficient sharing of the network resources
Common internal threats are:
  Unauthorized Access
  Data Destruction
  Administrative Access
  System Crash/Hardware Failure
  Virus

Protecting from Internal Threats

Methods of protecting against internal threats depend largely on policies rather than technology
To protect the network from internal threats you need to implement:
  Passwords
  User Account Control
  Policies
  Fault Tolerance

External Threats

External threats can exist in two forms:
  Attacker manipulates a user into giving away access to the network
  Hacker at a remote location uses technical methods to gain illegal access to the network
Common external threats are:
  Social Engineering
  Hacking

Protecting from External Threats

Securing a network from external threats is an ongoing contest between hackers and security people
To protect the network from external threats you need to provide:
  Physical protection
  Firewalls
  Encryption
  Authentication
  Public Keys and Certificates
  VLAN

Need for Network Security

Network security - the mechanisms that protect network resources from being attacked by the outside world
Hackers constantly look for loopholes in the network's security and snoop into the network


Security Attacks - I

A security attack breaks the security barrier of the network and accesses network resources
Types of Security Attacks:
  Active (the attacker modifies, injects or disrupts traffic)
  Passive (the attacker only observes traffic, for example by eavesdropping)

Case Study - I
The Customer Service department of MoneyMaker
bank provides online services to the customers. It
has been a month since maintenance tasks have
been performed on the computers of the
department at Hyderabad branch. The customer
service department of Hyderabad branch reports
that the response of the computers has become
slow and pop-ups continually plague Internet
browsers. The computers are infected with
spyware.


Problem

The performance of the computers in the customer service department has reduced


Suggested Solution
Spyware is software (not a virus) that hides itself somewhere on the computer and collects information about the user. Spyware is often downloaded onto the computer along with other free software or when you visit certain Websites. To solve the problem the spyware can be removed using a removal tool such as Spybot. This will help in improving system performance.


Implementing External Network Security - I

Implementing external network security was rarely considered necessary while dial-up connections were used
The arrival of high speed Internet connections has completely changed the security picture for home computers
Users of Asymmetric Digital Subscriber Line (ADSL) or cable modem connections, which are always on, are the main target for hackers
Windows XP now has an Internet Connection Firewall (ICF) available


Implementing External Network Security - II

SOHO routers are connected to provide security to networked systems sharing a single Internet connection
Large networks employ a dedicated firewall between the gateway router and the protected network
A demilitarized zone (DMZ) can also be implemented so that servers reachable from the Internet are kept separate from the internal network


Cryptography

Cryptography is the science that deals with securing information
Objectives of Cryptography are:
  Message Confidentiality
  Message Integrity
  Message Authentication
  Message Nonrepudiation
  Entity Authentication

Types of Cryptosystems

Cryptographic systems consist of the algorithms and procedures used for encrypting and decrypting messages
Types of cryptographic systems:
  Symmetric Cryptographic Systems
  Asymmetric Cryptographic Systems
Symmetric Cryptographic Systems use the same key for encryption and decryption
Asymmetric Cryptographic Systems use two keys, one for encryption and the other for decryption


Encryption/Decryption

Encryption refers to the conversion of plain text into cipher text
A cipher algorithm is used to transform plain text into cipher text
Different types of traditional ciphers used to encode the message fall into two broad categories:
  Substitution ciphers (each symbol is replaced by another symbol)
  Transposition ciphers (the symbols are kept but their positions are rearranged)
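The two traditional cipher families above, as an added example that is not part of the original chapter: a monoalphabetic substitution cipher (with the Caesar shift as its special case) and a columnar transposition cipher, plus a brute-force search over the 26 possible shifts that shows why a traditional cipher gives no real confidentiality. The message and keys are constructed for the demonstration.

```python
"""Added example (not from the original chapter): a monoalphabetic
substitution cipher and a columnar transposition cipher, plus a brute-force
attack on the shift cipher that shows why these traditional ciphers are
unsafe. All inputs are constructed for the demonstration."""
import string
from typing import Optional

ALPHABET = string.ascii_uppercase


def substitution_encrypt(plaintext: str, key: str) -> str:
    """Replace each letter by the letter at the same position in `key`,
    a 26-letter permutation of the alphabet. Non-letters pass through."""
    assert sorted(key) == list(ALPHABET), "key must be a permutation of A-Z"
    table = str.maketrans(ALPHABET, key)
    return plaintext.upper().translate(table)


def substitution_decrypt(ciphertext: str, key: str) -> str:
    table = str.maketrans(key, ALPHABET)
    return ciphertext.translate(table)


def shift_key(shift: int) -> str:
    """The Caesar cipher is the special case of a substitution key that is
    the alphabet rotated by `shift` positions."""
    return ALPHABET[shift:] + ALPHABET[:shift]


def transposition_encrypt(plaintext: str, key: str) -> str:
    """Columnar transposition: write the text in rows of len(key), then read
    the columns in the alphabetical order of the key letters. The letters
    are unchanged, only their positions move. Pads with 'X'."""
    width = len(key)
    text = plaintext.upper().replace(" ", "")
    text += "X" * (-len(text) % width)
    rows = [text[i:i + width] for i in range(0, len(text), width)]
    order = sorted(range(width), key=lambda i: (key[i], i))
    return "".join("".join(row[col] for row in rows) for col in order)


def transposition_decrypt(ciphertext: str, key: str) -> str:
    width = len(key)
    height = len(ciphertext) // width
    order = sorted(range(width), key=lambda i: (key[i], i))
    columns = [""] * width
    for k, col in enumerate(order):
        columns[col] = ciphertext[k * height:(k + 1) * height]
    return "".join(columns[c][r] for r in range(height) for c in range(width))


def brute_force_shift(ciphertext: str, crib: str) -> Optional[int]:
    """Try all 26 shifts and return the one whose plaintext contains the
    expected word `crib`: a key space of 26 is no protection at all."""
    for shift in range(26):
        if crib in substitution_decrypt(ciphertext, shift_key(shift)):
            return shift
    return None


if __name__ == "__main__":
    msg = "ATTACK AT DAWN"                      # constructed sample
    c1 = substitution_encrypt(msg, shift_key(3))
    print(c1, "->", substitution_decrypt(c1, shift_key(3)))
    print("recovered shift:", brute_force_shift(c1, "ATTACK"))
    c2 = transposition_encrypt(msg, "ZEBRA")
    print(c2, "->", transposition_decrypt(c2, "ZEBRA"))
```

The substitution cipher keeps letter positions and changes identities, so letter frequencies survive in the ciphertext; the transposition cipher keeps identities and changes positions, so the same frequency counts appear in plain and cipher text. Either property is enough for an attacker to break the cipher by hand, which is why modern ciphers combine many rounds of both operations.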

Public Key Encryption/Decryption

Uses a combination of two keys, the private key and the public key
The public key is distributed openly and is used by the sender to encrypt the message
The private key is known only to the receiver of the message and is used to decrypt it


Secret Key Encryption / Decryption

Uses the same key to encrypt and decrypt the message
The algorithm used for decrypting the message is the inverse of the algorithm that is used to encrypt the message


Digital Signatures - I

Used to authenticate the origin of a document and to detect any change to it after signing
Come under the asymmetric cryptography category: the signer uses the private key, and anyone holding the public key can verify
Can be accomplished in two ways:
  Signing the document
  Signing the digest of the document

Digital Signature - II

(Figure: signing the document directly with the private key, and hashing the document first and signing only the digest)
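Both ways of signing, as an added example that is not part of the original chapter: textbook RSA with a constructed toy key made from two fixed primes (2^31-1 and 2^61-1), so the modulus is only about 92 bits and the digest has to be reduced modulo it. That is enough to show the mechanics (private key signs, public key verifies, a changed document fails) but gives no security; real systems use 2048-bit or larger keys with a padding scheme such as PSS, or a signature scheme such as Ed25519.

```python
"""Added example (not from the original chapter): digital signatures with
textbook RSA. The key uses two fixed Mersenne primes, 2^31-1 and 2^61-1,
so the modulus is only ~92 bits: enough to show the mechanics, useless for
real security. Real systems use 2048-bit or larger keys with a padding
scheme (PSS) or a standard such as Ed25519."""
import hashlib

# Constructed toy key pair (assumption: primes chosen for the demo only).
P = (1 << 31) - 1
Q = (1 << 61) - 1
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537                 # public exponent, coprime with PHI
D = pow(E, -1, PHI)       # private exponent (Python 3.8+)
PUBLIC_KEY = (N, E)
PRIVATE_KEY = (N, D)


def sign_document(document: int, private_key) -> int:
    """Way 1: sign the document itself. Only works when the document,
    as an integer, is smaller than the modulus N."""
    n, d = private_key
    if not 0 < document < n:
        raise ValueError("document too large to sign directly; sign its digest")
    return pow(document, d, n)


def verify_document(document: int, signature: int, public_key) -> bool:
    """Applying the public key to the signature must give the document back."""
    n, e = public_key
    return pow(signature, e, n) == document


def digest(data: bytes, n: int) -> int:
    """Hash the document and reduce into the signing range. The reduction
    is forced by the toy modulus; with a real key the full digest fits."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign_digest(data: bytes, private_key) -> int:
    """Way 2: sign the digest, so documents of any size can be signed and
    the signature stays one modulus in length."""
    n, d = private_key
    return pow(digest(data, n), d, n)


def verify_digest(data: bytes, signature: int, public_key) -> bool:
    """Recompute the digest from the received document and compare it with
    the value recovered from the signature using the public key."""
    n, e = public_key
    return pow(signature, e, n) == digest(data, n)


if __name__ == "__main__":
    doc = b"Transfer 100 to account 42"          # constructed sample
    sig = sign_digest(doc, PRIVATE_KEY)
    print("valid:", verify_digest(doc, sig, PUBLIC_KEY))
    print("tampered:", verify_digest(b"Transfer 900 to account 42", sig, PUBLIC_KEY))
    short = sign_document(12345, PRIVATE_KEY)
    print("short message signed directly:", verify_document(12345, short, PUBLIC_KEY))
```

Signing the digest is what is used in practice: the document can be any length, the signature is always one modulus long, and the hash stops an attacker from constructing a second document that verifies under the same signature.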


Authentication Protocol

Authentication is the process by which the identity of the concerned party is verified before the communication proper starts
Data traffic is encrypted using symmetric key cryptography for performance reasons
Public key cryptography is used for building authentication protocols as well as for establishing a session key


Authentication based on Shared Secret Key - I

Challenge-response protocols are used for authentication with a shared secret key: the verifier sends a fresh random challenge (nonce), and the claimant proves knowledge of the key by returning a value computed from the challenge and the key
The key itself never travels over the network, and a captured response is useless against a later challenge
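The exchange described above, as an added example that is not part of the original chapter: both sides of a challenge-response run over a shared secret key, with HMAC-SHA256 as the response function. The user name and the shared key are constructed for the demonstration; the verifier accepts each nonce once, so the replay at the end fails.

```python
"""Added example (not from the original chapter): a challenge-response
exchange over a shared secret key, with both sides' messages. HMAC-SHA256 is
the response function; the secret key and user name are constructed for the
demonstration. The verifier never sends the key and accepts each nonce once,
so a recorded response cannot be replayed."""
import hmac
import hashlib
import secrets

KEY_STORE = {"alice": b"constructed-shared-secret-key"}   # verifier's copy


def response(key: bytes, nonce: bytes, user: str) -> bytes:
    """Both sides compute this: a keyed hash over the challenge and the
    identity being claimed, so a response for one user cannot be reused
    for another."""
    return hmac.new(key, nonce + user.encode(), hashlib.sha256).digest()


class Verifier:
    """Server side of the protocol."""

    def __init__(self, key_store):
        self.key_store = key_store
        self.outstanding = {}          # user -> nonce awaiting a response

    def challenge(self, user: str) -> bytes:
        """Message 2: a fresh 16-byte random nonce for this attempt."""
        nonce = secrets.token_bytes(16)
        self.outstanding[user] = nonce
        return nonce

    def check(self, user: str, resp: bytes) -> bool:
        """Message 4: verify the response against the current nonce only.
        The nonce is consumed whether or not the check succeeds."""
        nonce = self.outstanding.pop(user, None)
        key = self.key_store.get(user)
        if nonce is None or key is None:
            return False
        # constant-time comparison avoids leaking where the bytes differ
        return hmac.compare_digest(response(key, nonce, user), resp)


class Claimant:
    """Client side: knows the key, proves it without revealing it."""

    def __init__(self, user: str, key: bytes):
        self.user, self.key = user, key

    def answer(self, nonce: bytes) -> bytes:
        """Message 3: the response to the verifier's challenge."""
        return response(self.key, nonce, self.user)


def run_protocol(claimant: Claimant, verifier: Verifier) -> bool:
    """Message 1: claimant says who it is; 2: verifier sends nonce;
    3: claimant answers; 4: verifier decides."""
    nonce = verifier.challenge(claimant.user)
    return verifier.check(claimant.user, claimant.answer(nonce))


def replay_attempt(verifier: Verifier, user: str, old_response: bytes) -> bool:
    """An eavesdropper replays a response it captured earlier; it fails
    because the verifier has issued a new nonce since then."""
    verifier.challenge(user)
    return verifier.check(user, old_response)


if __name__ == "__main__":
    v = Verifier(KEY_STORE)
    alice = Claimant("alice", KEY_STORE["alice"])
    print("genuine:", run_protocol(alice, v))
    print("wrong key:", run_protocol(Claimant("alice", b"guess"), v))
    captured = alice.answer(v.challenge("alice"))
    v.check("alice", captured)
    print("replay:", replay_attempt(v, "alice", captured))
```

Two details matter in practice: the nonce must be unpredictable (secrets, not random), and the identity is bound into the keyed hash so a response obtained for one user cannot be presented for another. Older challenge-response designs that hash only the nonce, or that derive the key from a weak password, are open to offline guessing of the key from a single captured exchange.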


Authentication using Kerberos

Three types of servers are involved in the Kerberos protocol:
  Authentication Server (AS): verifies the user's identity and issues a ticket for the TGS
  Ticket-Granting Server (TGS): issues tickets for the real servers
  Real Server: provides the requested service to a user presenting a valid ticket

Authentication using Public Key Cryptography

Certification Authority (CA): an organization that binds a public key to an entity and issues a certificate attesting to that binding
The certificate is signed with the CA's private key, so anyone holding the CA's public key can verify it


Firewall - I

A firewall is a system that blocks all unwanted and unauthorized access to system resources
A firewall can be set up using a router, switch, or bridge
A firewall is usually present at the junction point or gateway between two networks, such as a private and a public network
Firewalls can be hardware or software
Basic types of firewalls are:
  Packet-Filter Firewalls (decide per packet, on source and destination addresses, ports and protocol)
  Proxy Firewalls (terminate the connection and inspect it at the application layer before relaying)
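The packet-filter decision logic, as an added example that is not part of the original chapter: rules are matched first to last and the last rule is a default deny, which is how a gateway filter between a private network and the Internet should be written. The rule set, the addresses (RFC 5737 documentation ranges) and the sample packets are constructed for the demonstration.

```python
"""Added example (not from the original chapter): the decision logic of a
stateless packet-filter firewall. Rules are matched first-to-last and the
last rule is a default deny. The rule set, addresses and sample packets are
constructed for the demonstration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    dport: Optional[int]  # None for ICMP
    direction: str        # "in" (from Internet) or "out" (to Internet)


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    direction: str        # "in", "out" or "any"
    src: str              # CIDR, "any" matches everything
    dst: str
    proto: str            # "tcp", "udp", "icmp" or "any"
    dport: Optional[int]  # None matches any port

    def matches(self, p: Packet) -> bool:
        return (self.direction in ("any", p.direction)
                and (self.src == "any" or ip_address(p.src) in ip_network(self.src))
                and (self.dst == "any" or ip_address(p.dst) in ip_network(self.dst))
                and self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport))


# Constructed policy: internal LAN 192.0.2.0/24, public web server in the DMZ
# at 198.51.100.10. Inbound is allowed only to the web server's HTTP/HTTPS.
RULES = [
    Rule("allow", "in", "any", "198.51.100.10/32", "tcp", 80),
    Rule("allow", "in", "any", "198.51.100.10/32", "tcp", 443),
    Rule("deny", "in", "any", "192.0.2.0/24", "any", None),
    Rule("allow", "out", "192.0.2.0/24", "any", "tcp", None),
    Rule("allow", "out", "192.0.2.0/24", "any", "udp", 53),
    Rule("deny", "any", "any", "any", "any", None),   # default deny
]


def filter_packet(p: Packet, rules=RULES) -> str:
    """Return the action of the first matching rule."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"     # reached only if the explicit default is removed


# Constructed sample traffic.
SAMPLES = {
    "web to dmz": Packet("203.0.113.5", "198.51.100.10", "tcp", 443, "in"),
    "ssh to dmz": Packet("203.0.113.5", "198.51.100.10", "tcp", 22, "in"),
    "smb to lan": Packet("203.0.113.5", "192.0.2.20", "tcp", 445, "in"),
    "lan browsing": Packet("192.0.2.20", "203.0.113.5", "tcp", 443, "out"),
    "lan dns": Packet("192.0.2.20", "203.0.113.53", "udp", 53, "out"),
    "lan ntp": Packet("192.0.2.20", "203.0.113.7", "udp", 123, "out"),
}


def decisions(samples=SAMPLES) -> dict:
    """Verdict for every sample packet, keyed by the sample's name."""
    return {name: filter_packet(p) for name, p in samples.items()}


if __name__ == "__main__":
    for name, verdict in decisions().items():
        print(f"{name:14s} -> {verdict}")
```

A filter like this is stateless: it has no way to tell the reply to an outbound web request from an unsolicited inbound packet, so reply traffic to the LAN would have to be opened with broad rules. Stateful firewalls track connections so that only replies to connections opened from inside are admitted, which is why they have replaced pure packet filters at the gateway.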

Firewall - II

Demilitarized Zones in Firewall
A DMZ is a network that is usually placed between an organization's internal and external networks
DMZ hosts provide services to external networks, thus providing cover for the internal network against intruders: a compromised DMZ host still has no direct path to internal systems if the firewall allows only the needed traffic in each direction

Case Study - II
Network administrator John has installed a new Web browser on an employee's computer in the Mumbai branch of the MoneyMaker Bank. The user complains to John that he is unable to connect to the Internet using the new Web browser and that a firewall warning message appears.


Problem

Cannot view the Web pages on the new browser.


Suggested Solution

The Windows firewall may be blocking the new program from connecting to the Internet. To solve this problem you need to add the program to the firewall's exception list, allowing only that program rather than disabling the firewall.


VLAN - I

Individual broadcast domains created by the switch are called virtual LANs
Different characteristics used to group stations in a VLAN are:
  Port Numbers
  MAC addresses
  IP addresses
  Multicast IP Addresses
  Combination
IEEE standard 802.1Q defines the format of frame tagging in a VLAN: a 4-byte tag inserted after the source MAC address, carrying the 16-bit TPID 0x8100, a 3-bit priority, a 1-bit drop-eligible indicator and a 12-bit VLAN identifier
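The 802.1Q tag format, as an added example that is not part of the original chapter: building a tagged Ethernet frame, parsing the tag back out, and the rule a switch applies to a frame arriving on a trunk (tagged frames go to their VLAN if the trunk allows it, untagged frames go to the native VLAN). The MAC addresses, VLAN numbers and payload are constructed for the demonstration.

```python
"""Added example (not from the original chapter): building and parsing the
4-byte IEEE 802.1Q tag that a switch inserts into an Ethernet frame between
the source MAC address and the EtherType. The frame bytes are constructed
for the demonstration."""
import struct

TPID_8021Q = 0x8100


def build_tagged_frame(dst: bytes, src: bytes, vid: int, ethertype: int,
                       payload: bytes, pcp: int = 0, dei: int = 0) -> bytes:
    """dst/src are 6-byte MACs; vid is the 12-bit VLAN ID (1..4094);
    pcp is the 3-bit priority; dei is the drop-eligible bit."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094 (0 and 4095 are reserved)")
    tci = (pcp << 13) | (dei << 12) | vid          # Tag Control Information
    return (dst + src + struct.pack("!HH", TPID_8021Q, tci)
            + struct.pack("!H", ethertype) + payload)


def parse_frame(frame: bytes) -> dict:
    """Return the addresses, the VLAN fields (None if untagged), the
    EtherType and the payload."""
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        return {"dst": dst, "src": src,
                "pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF,
                "ethertype": ethertype, "payload": frame[18:]}
    return {"dst": dst, "src": src, "pcp": None, "dei": None, "vid": None,
            "ethertype": ethertype, "payload": frame[14:]}


def vlan_for_frame_on_trunk(frame: bytes, native_vid: int, allowed: set) -> int:
    """Which VLAN a switch assigns a frame received on a trunk: tagged frames
    go to their tag's VLAN if it is allowed on the trunk, untagged frames go
    to the native VLAN. Returns -1 when the frame must be dropped."""
    vid = parse_frame(frame)["vid"]
    if vid is None:
        return native_vid
    return vid if vid in allowed else -1


if __name__ == "__main__":
    # Constructed sample: an IPv4 frame (EtherType 0x0800) on VLAN 20.
    frame = build_tagged_frame(bytes.fromhex("ffffffffffff"), bytes.fromhex("02000000aa01"),
                               vid=20, ethertype=0x0800,
                               payload=b"\x45" + b"\x00" * 19, pcp=5)
    print(frame[:18].hex())
    print(parse_frame(frame))
    print(vlan_for_frame_on_trunk(frame, native_vid=1, allowed={10, 20}))
```

The native-VLAN rule is the one to watch when VLANs are relied on for security: because an untagged frame on a trunk is silently placed in the native VLAN, the usual hardening is to set the native VLAN of every trunk to an unused VLAN number, to tag it explicitly, and to prune the trunk's allowed list to the VLANs it actually carries.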


VLAN - II

A VLAN can be configured in three ways: Manual, Automatic, and Semiautomatic
Three methods used for communication between switches are:
  Table Maintenance
  Frame tagging
  Time Division Multiplexing (TDM)
Advantages of VLAN are:
  Network Management
  Creating Virtual Work Groups
  Security (stations in different VLANs cannot reach each other at layer 2; traffic between VLANs must pass through a router or firewall where it can be controlled)


Fault Tolerance and Redundancy

The shared data of a network should be protected continuously, rather than relying on restoring backups with difficulty after a failure
The capability of a server to continue operating in case of a hardware failure is known as fault tolerance
To implement fault tolerance you have to make the data redundant on the serving system


RAID

RAID (Redundant Array of Independent Disks) is a technology that uses a collection of hard disks to stripe and/or replicate data
Different levels of RAID are RAID 0, 1, 2, 3, 4, 5, 6, 0+1, 10, 53 and linear RAID
RAID 0 (striping) gives speed but no redundancy; RAID 1 (mirroring) duplicates every block; RAID 5 stripes data with distributed parity so that any single disk can fail without data loss
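The redundancy that lets RAID 5 survive a disk failure, as an added example that is not part of the original chapter: a stripe is written as N data blocks plus one XOR parity block, and any single missing block (data or parity) is rebuilt by XORing the survivors. The blocks are constructed sample data.

```python
"""Added example (not from the original chapter): the XOR parity that RAID 5
relies on. A stripe is written across N data blocks plus one parity block,
and any single missing block can be rebuilt from the others. The blocks
below are constructed sample data."""
from typing import List, Optional


def xor_blocks(blocks: List[bytes]) -> bytes:
    """Byte-wise XOR of equally sized blocks."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        if len(block) != len(out):
            raise ValueError("all blocks in a stripe must be the same size")
        for i, b in enumerate(block):
            out[i] ^= b
    return bytes(out)


def write_stripe(data_blocks: List[bytes]) -> List[bytes]:
    """Return the stripe as stored: data blocks followed by the parity block
    (a real RAID 5 rotates the parity position between stripes)."""
    return list(data_blocks) + [xor_blocks(data_blocks)]


def rebuild(stripe: List[Optional[bytes]]) -> List[bytes]:
    """Recover a stripe in which exactly one block (data or parity) is None:
    the XOR of all surviving blocks equals the missing one, because every
    data block XORs with the parity to cancel out."""
    missing = [i for i, block in enumerate(stripe) if block is None]
    if len(missing) != 1:
        raise ValueError(f"RAID 5 tolerates exactly one failed disk, got {len(missing)}")
    survivors = [block for block in stripe if block is not None]
    repaired = list(stripe)
    repaired[missing[0]] = xor_blocks(survivors)
    return repaired


def verify_stripe(stripe: List[bytes]) -> bool:
    """Parity check: the XOR of all blocks, parity included, must be zero."""
    return not any(xor_blocks(stripe))


if __name__ == "__main__":
    blocks = [b"ACCT0042", b"BAL=9000", b"OWNER=AL"]     # constructed sample
    stripe = write_stripe(blocks)
    print("parity:", stripe[-1].hex(), "consistent:", verify_stripe(stripe))
    damaged = list(stripe)
    damaged[1] = None                                   # disk 1 has failed
    print("rebuilt disk 1:", rebuild(damaged)[1])
```

The ValueError in rebuild is the practical limit of RAID 5: a second disk failing during the rebuild of the first loses the stripe, which is why RAID 6 adds a second, independent parity block and why RAID is a fault tolerance measure and not a replacement for backups.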


Network-Attached Storage (NAS)

Used for implementing a server just for file sharing
A prebuilt system usually running Linux with Samba and/or Network File System (NFS)
Devices have DHCP enabled and require very little or no configuration to run


Storage area network (SAN)

A SAN is a network whose primary aim is to transfer data between disk arrays, tape drives and servers
The various SAN components are:
  Fibre Channel Switches
  Hosts and Host Bus Adapters
  Storage Devices
  Cabling and Cable Connectors

Tape Backup

Tape backup becomes essential in case of a hardware crash or damage to the server
Magnetic tape is the oldest method of storing data from a computer
Tape backup options fall into three major groups:
  Quarter-inch tape (QIC)
  Digital Audio Tape (DAT)
  Digital Linear Tape (DLT)

Perfect Server - I

A network that shares data requires specialized hardware so as to share data as fast as possible
Hardware requirements for speed:
  Fast NICs: increasing the data throughput and making the NIC do more than one task at a time
  Faster Drives: using a PATA or a SCSI drive and implementing RAID 5 for data protection

Perfect Server - II

Servers require reliability and speed as well as data protection:
  Good Power
  Antivirus Program
  Environment


Hardware Requirement for Speed

The hardware requirements for a server and a workstation differ from each other completely
Workstations do not require the same speed, reliability and data backup; servers on the other hand require reliability and speed as well as data protection
The two things that can make a server provide good speed are:
  Fast NICs
  Fast Drives

Reliability - I

A steady AC power supply is to be provided to all the systems
The different methods of providing good power are:
  Dedicated Circuits
  Surge suppressors
  Uninterruptible Power Supply (UPS)
  Backup Power
Another problem, along with faulty power, is computer viruses


Reliability - II

Five typical types of viruses (and related malicious programs) are:
  Boot sector
  Executable
  Macro
  Trojan
  Worm
Damage from virus attacks is best prevented by not allowing the virus to enter the system in the first place
It is also necessary to provide a good physical environment for the server to improve its reliability


Protocols

Different protocols are used at different layers of the OSI model for providing security to users
The different protocols used are:
  Secure Sockets Layer (SSL)
  Internet Protocol Security (IPSec)
  Point-to-Point Tunneling Protocol (PPTP)
  Point-to-Point Protocol (PPP)
  Serial Line Internet Protocol (SLIP)

SLIP

Serial Line Internet Protocol (SLIP) is used to connect a computer to the Internet over a serial connection such as a dial-up modem
SLIP was designed as a minimal data link protocol for carrying IP datagrams over telephone lines
However, SLIP only supported TCP/IP and not NetBEUI or IPX networks, and it provided no authentication, error detection or address negotiation


PPP - I

One of the common protocols for point to point access
PPP addressed the shortcomings of SLIP
Different services provided by PPP are as follows:
  Defines the format of the frames to be exchanged between devices
  Defines how the devices can negotiate the establishment of a link and the exchange of data
  Defines how network layer data is encapsulated in the data link frame
  Defines how the devices can authenticate each other (for example with PAP or CHAP)

PPP - II

Provides multiple network layer services that support different network layer protocols
Provides connection over multiple links
Provides network address configuration, which is useful in case a user needs a temporary network address to connect to the Internet


PPTP

Network protocol that allows secure transfer of data from a remote client to a private server by tunnelling PPP frames
It is Microsoft's VPN protocol; the tunnel itself is not encrypted, confidentiality comes from MPPE encryption of the tunnelled PPP frames
PPTP with MS-CHAP v2 authentication is now considered insecure and has been superseded by IPSec and SSL/TLS based VPNs
The three processes involved in PPTP are:
  PPTP connection and communication
  PPTP control connection
  PPTP data tunnelling


IPSec

A protocol set that was developed by the Internet Engineering Task Force (IETF) for providing security to packets at the network level
IPSec operates in two modes:
  Transport Mode (only the payload of the IP packet is protected; the original IP header stays in place, typically used host to host)
  Tunnel Mode (the entire original IP packet is protected and wrapped in a new IP header, typically used gateway to gateway)

SSL

SSL is a protocol developed by Netscape for transmitting private documents over the Internet; it has since been superseded by TLS, which provides the same services
Web pages that use SSL have URLs starting with https
Different services provided by the SSL record protocol for data received from the application layer are:
  Fragmentation
  Compression (optional, and disabled in practice)
  Message Integrity
  Confidentiality
  Framing

Summary - I

There are two types of threats: Internal and External threats
Internal threats are malicious or careless practices by the local network's users that do not allow efficient sharing of network resources
External threats are threats in which a hacker at a remote location uses technical methods, or social engineering, to gain illegal access to your network


Summary - II

Network security is the mechanism that protects network resources from being attacked by the outside world
Security attacks can be passive or active
Cryptography is the science that deals with securing information and involves securing messages, authentication, and digital signatures


Summary - III

Symmetric cryptographic systems use the same key to encrypt and decrypt the message
Asymmetric cryptographic systems use two keys, one for encryption and the other for decryption, for securely transmitting data
In digital signatures the signer's private key is used to sign the message (or its digest) and the signer's public key is used to verify the signature


Summary - IV

Authentication based on a shared secret key uses challenge-response protocols
Encryption refers to the conversion of plain text into cipher text; a cipher algorithm is used to transform plain text into cipher text
Decryption means converting cipher text back to plain text; the inverse of the same cipher algorithm is used for decrypting


Summary - V

Public key encryption / decryption uses the public key to encrypt the message and the private key to decrypt the message
Secret key encryption / decryption uses the shared secret key to encrypt and decrypt the message
A firewall is a system that blocks all unwanted and unauthorized access to system resources
A demilitarized zone (DMZ) is a network that is usually present between the internal and external networks of an organization


Summary - VI

A Virtual local area network (VLAN) is a switched network that is logically segmented with respect to functions, project teams, or applications
The IEEE standard used for VLANs, 802.1Q, defines the format of frame tagging and the format to be used in multi-switched backbones
Stations in a VLAN can be configured in three ways: manual, semiautomatic, and automatic
RAID uses different techniques of combining multiple devices for data protection and increased speed


Summary - VII

Network Attached Storage (NAS) is used for implementing a server for file sharing
A storage area network (SAN) is a network whose primary aim is to transfer data between computer storage devices and computer systems
Tape backup becomes essential in case of a hardware crash or damage to the server room


Summary - VIII

Perfect servers require reliability, speed, data protection and specialized hardware
A NIC can be made faster by increasing its data throughput and making it smarter, so that it does more than one task at a time
Reliability can be achieved by providing a secure environment for the server and by providing redundant hardware components for the server in case of component failure


Summary - IX

A small office/home office (SOHO) connection is a setup where a few networked systems share a single Internet connection
SSL is designed to provide security and compression services to data generated by the application layer
IPSec is a protocol set that was developed by the Internet Engineering Task Force (IETF) for providing security to packets at the network level


Summary - X

Point-to-Point Tunneling Protocol (PPTP) is a network protocol that allows secure transfer of data from a remote client to a private server
Point-to-Point Protocol (PPP) is one of the common protocols for point to point access
SLIP was designed to send IP datagrams from one device to another over a serial connection
