Chapter 18 Network Security and Protocols

Jun 02, 2018

hclraj406
8/10/2019 Chapter 18 Network Security and Protocols

Slide 1: Network Security and Protocols (Chapter 18)

Slide 2: Chapter Objectives - I
- Explain the different network security threats
- Explain the need for network security
- Discuss the objectives of cryptography
- List the various types of cryptosystems
- Explain the concept of digital signatures
- Identify the different authentication protocols

Slide 3: Chapter Objectives - II
- Discuss the different methods of ensuring privacy
- Explain the concept of a firewall
- Discuss the concept of VLANs
- Explain the various fault tolerance and redundancy methods
- List the components of a perfect server
- Demonstrate the implementation of external network security
- List the different network security protocols

Slide 4: Recall - I
- The combination of the centralized processing model and the distributed processing model is called the client-server model
- Advantages of light wave technology are: a cost-effective solution; very high bandwidth; very easy installation

Slide 5: Recall - II
- The different remote access methods used are: phone lines and modems; ISDN lines; X.25
- Advantages of connectionless internetworking are: flexibility, robustness and no unnecessary overhead
- The two processes involved in routing are host routing and router routing

Slide 6: Threats
- Threats prevent users from accessing the resources they require to perform their work
- Types of threats: Internal; External

Slide 7: Internal Threats
- Malicious practices by the local network's own users that prevent efficient sharing of the network resources
- Common internal threats are: Unauthorized Access; Data Destruction; Administrative Access; System Crash/Hardware Failure; Virus

Slide 8: Protecting from Internal Threats
- Methods of protecting against internal threats depend largely on policies rather than technology
- To protect the network from internal threats you need to implement: Passwords; User Account Control; Policies; Fault Tolerance

Slide 9: External Threats
- External threats can exist in two forms: an attacker manipulates a user to gain access to the network; a hacker at a remote location uses technical methods to gain illegal access to your network
- Common external threats are: Social Engineering; Hacking

Slide 10: Protecting from External Threats
- Securing a network from external threats is a competition between hackers and security people
- To protect the network from external threats you need to provide: Physical protection; Firewalls; Encryption; Authentication; Public keys and certificates; VLAN

Slide 11: Need for Network Security
- Network security: the mechanism that protects the network resources from being attacked by the outside world
- Hackers constantly look for loopholes in the network security and snoop into a network

Slide 12: Security Attacks - I
- Security attacks break the security barrier of the network and access the network resources
- Types of security attacks: Active; Passive

Slide 13: Case Study - I
The Customer Service department of MoneyMaker Bank provides online services to the customers. It has been a month since maintenance tasks have been performed on the computers of the department at the Hyderabad branch. The customer service department of the Hyderabad branch reports that the response of the computers has become slow and pop-ups continually plague Internet browsers. The computers are infected with spyware.

Slide 14: Problem
The performance of the computers in the customer service department has reduced.

Slide 15: Suggested Solution
Spyware is software (not a virus) that hides itself somewhere on the computer and collects information about the user. Spyware is often downloaded onto the computer when you download other free software or when you visit certain websites. To solve the problem the spyware can be removed using a removal tool such as Spybot. This will help in improving system performance.


Slide 17: Implementing External Network Security - II
- SOHO routers are connected to provide security to networked systems sharing a single Internet connection
- Large networks employ a dedicated firewall between a gateway router and the protected network
- A demilitarized zone (DMZ) can also be implemented to prevent access to the network

Slide 18: Cryptography
- Cryptography is the science that deals with securing information
- Objectives of cryptography are: Message Confidentiality; Message Integrity; Message Authentication; Message Nonrepudiation; Entity Authentication

Slide 19: Types of Cryptosystems
- Cryptographic systems consist of the algorithms and procedures used for encrypting messages
- Types of cryptographic systems: Symmetric Cryptographic Systems; Asymmetric Cryptographic Systems
- Symmetric cryptographic systems use the same key for encryption and decryption
- Asymmetric cryptographic systems use two keys, one for encryption and the other for decryption

Slide 20: Encryption/Decryption
- Encryption refers to the conversion of plain text into cipher text
- A cipher algorithm is used to transform plain text into cipher text
- The different types of traditional ciphers used to encode a message fall into two broad categories: Substitution ciphers; Transposition ciphers
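The two traditional cipher families on this slide, as an added Python example that is not part of the original slide deck: a monoalphabetic substitution cipher (with the Caesar cipher as the special case of a rotated alphabet) and a columnar transposition cipher, each with its inverse. The sample plaintext, key alphabet and column count are constructed here for illustration. The `letter_histogram` helper makes the security point explicit: transposition leaves letter frequencies untouched and substitution only relabels them, which is why both families are defeated by frequency analysis and are taught as history, not used for confidentiality.

```python
import string
from collections import Counter

ALPHABET = string.ascii_uppercase


def caesar_key(shift: int) -> str:
    """Key alphabet for a Caesar cipher: the standard alphabet rotated by
    `shift`. Caesar is the simplest monoalphabetic substitution cipher."""
    shift %= 26
    return ALPHABET[shift:] + ALPHABET[:shift]


def substitution_encrypt(plaintext: str, key: str) -> str:
    """Substitution cipher: every letter is replaced by the letter at the same
    position in the 26-letter key alphabet; other characters pass through."""
    if sorted(key) != list(ALPHABET):
        raise ValueError("key must be a permutation of A-Z")
    return plaintext.upper().translate(str.maketrans(ALPHABET, key))


def substitution_decrypt(ciphertext: str, key: str) -> str:
    """Inverse mapping: look each letter up in the key alphabet and return
    the letter at that position in the standard alphabet."""
    return ciphertext.translate(str.maketrans(key, ALPHABET))


def transposition_encrypt(plaintext: str, columns: int, pad: str = "X") -> str:
    """Columnar transposition: write the letters row by row into a grid of
    `columns` columns and read them out column by column. Letters keep
    their identity and only change position."""
    text = plaintext.upper().replace(" ", "")
    while len(text) % columns:          # pad so the grid is rectangular
        text += pad
    rows = [text[i:i + columns] for i in range(0, len(text), columns)]
    return "".join(row[c] for c in range(columns) for row in rows)


def transposition_decrypt(ciphertext: str, columns: int) -> str:
    """Rebuild the column strings and read the grid back row by row."""
    if not ciphertext:
        return ""
    height = len(ciphertext) // columns
    cols = [ciphertext[i:i + height] for i in range(0, len(ciphertext), height)]
    return "".join(cols[c][r] for r in range(height) for c in range(columns))


def letter_histogram(text: str) -> dict:
    """Letter frequencies of a text. Transposition leaves this histogram
    unchanged and substitution merely relabels its keys, which is the
    weakness frequency analysis exploits against both families."""
    return dict(Counter(ch for ch in text.upper() if ch in ALPHABET))


if __name__ == "__main__":
    # Constructed sample message (not from the slides).
    msg = "ATTACK AT DAWN"
    key = caesar_key(3)
    print(substitution_encrypt(msg, key))       # DWWDFN DW GDZQ
    print(transposition_encrypt(msg, 4))        # ACDTKATAWATN
    print(letter_histogram(msg) == letter_histogram(transposition_encrypt(msg, 4)))
```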

Slide 21: Public Key Encryption/Decryption
- Uses a combination of two keys: the private key and the public key
- The private key is known only to the receiver of the message

Slide 22: Secret Key Encryption/Decryption
- Uses the same key to encrypt and decrypt the message
- The algorithm used for decrypting the message is the inverse of the algorithm used to encrypt it

Slide 23: Digital Signatures - I
- Used to authenticate the origin of a document
- Come under the asymmetric cryptography category
- Can be accomplished in two ways: Signing the document; Signing the digest of the document

Slide 24: Digital Signature - II
- Signing the document
- Signing the digest
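The two signing methods of slides 23 and 24, and the public/private key split of slide 21, as an added Python example that is not part of the original deck. It uses textbook RSA with the tiny primes 61 and 53, so it is a teaching toy: the modulus is far too small to be secure, and real signatures also use padding schemes that are omitted here. "Signing the document" signs the message content directly (byte by byte, because the toy modulus cannot hold more), while "signing the digest" hashes the message with SHA-256 first and signs only the digest, which is one exponentiation however large the document is. The message bytes are constructed for illustration.

```python
import hashlib


def make_toy_keypair(p: int = 61, q: int = 53, e: int = 17):
    """Textbook RSA key generation with tiny primes (a toy, not a usable key).
    Returns (public, private) as ((e, n), (d, n)); the private exponent d
    is the modular inverse of e modulo (p-1)(q-1)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def sign_document(message: bytes, private) -> list:
    """Way 1: sign the document itself. Each block must be smaller than n,
    so with this toy modulus every byte becomes its own signature block."""
    d, n = private
    return [pow(b, d, n) for b in message]


def verify_document(message: bytes, signature: list, public) -> bool:
    """Recover each block with the public key and compare it to the message."""
    e, n = public
    return (len(signature) == len(message)
            and all(pow(s, e, n) == b for s, b in zip(signature, message)))


def _digest_mod_n(message: bytes, n: int) -> int:
    # SHA-256 is 256 bits; the reduction mod n is only needed because the
    # toy modulus is far smaller than the digest.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign_digest(message: bytes, private) -> int:
    """Way 2: hash first, then sign the digest with the private key."""
    d, n = private
    return pow(_digest_mod_n(message, n), d, n)


def verify_digest(message: bytes, signature: int, public) -> bool:
    """Recompute the digest and check it against the signature opened with
    the public key; any change to the message changes the digest."""
    e, n = public
    return pow(signature, e, n) == _digest_mod_n(message, n)


if __name__ == "__main__":
    public, private = make_toy_keypair()
    doc = b"constructed sample document"
    print(verify_document(doc, sign_document(doc, private), public))   # True
    print(verify_digest(doc, sign_digest(doc, private), public))       # True
```

The key insight the slides compress into "private key encrypts, public key decrypts" is visible in the code: only the holder of `d` can produce a value that opens correctly under `e`, so a valid signature authenticates the origin, and tampering with the content breaks verification.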

Slide 25: Authentication Protocol
- Authentication is the process by which the identity of the concerned party is established before the communication starts
- Data traffic is encrypted using symmetric key cryptography for performance reasons
- Public key cryptography is used for developing authorization protocols as well as for creating a session key

Slide 26: Authentication based on Shared Secret Key - I
- Challenge-response protocols are used for authentication using a shared secret key
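A challenge-response exchange over a shared secret, as an added Python example that is not part of the original slide deck. The verifier sends a fresh random challenge; the prover answers with an HMAC of that challenge under the shared key, so the secret itself never crosses the wire. The verifier keeps each challenge for one answer only and compares in constant time, which is what defeats replay of a captured response. The class names and the shared key value are constructed for this example.

```python
import hashlib
import hmac
import os


class Verifier:
    """The side that holds the shared secret and issues challenges."""

    def __init__(self, shared_key: bytes):
        self._key = shared_key
        self._outstanding = set()   # challenges issued but not yet answered

    def challenge(self) -> bytes:
        nonce = os.urandom(16)      # fresh and unpredictable, so an old answer is useless
        self._outstanding.add(nonce)
        return nonce

    def check(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self._outstanding:
            return False            # unknown, or already consumed: a replay
        self._outstanding.discard(nonce)   # exactly one answer per challenge
        expected = hmac.new(self._key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)   # constant-time compare


class Prover:
    """The side proving knowledge of the secret without ever sending it."""

    def __init__(self, shared_key: bytes):
        self._key = shared_key

    def respond(self, nonce: bytes) -> bytes:
        return hmac.new(self._key, nonce, hashlib.sha256).digest()


def run_exchange(verifier: Verifier, prover: Prover):
    """One round: challenge -> response -> decision.
    Returns (accepted, nonce, response) so the caller can inspect the messages."""
    nonce = verifier.challenge()            # message 1: verifier -> prover
    response = prover.respond(nonce)        # message 2: prover -> verifier
    return verifier.check(nonce, response), nonce, response


if __name__ == "__main__":
    key = b"constructed-shared-secret"      # constructed sample key
    verifier = Verifier(key)
    accepted, nonce, response = run_exchange(verifier, Prover(key))
    print("accepted:", accepted)                              # True
    print("replay accepted:", verifier.check(nonce, response))  # False
```

This is one-way authentication (the prover to the verifier); the slide's phrase "shared secret key" means both sides must already hold the same key, which is the key-distribution problem that Kerberos on the next slide addresses with a trusted third party.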

Slide 27: Authentication using Kerberos
- Three types of servers are involved in the Kerberos protocol: Authentication Server (AS); Ticket-Granting Server (TGS); Real Server

Slide 28: Authentication using Public Key Cryptography
- Certification Authority: an organization that binds a public key to an entity and issues a certificate


Slide 30: Firewall - II
- Demilitarized Zones in a firewall: a network that usually sits between an internal and an external network of an organization
- DMZ hosts provide services for external networks, thus providing cover for the internal networks against intruders

Slide 31: Case Study - II
Network administrator John has installed a new web browser on the computer of an employee in the Mumbai branch of the MoneyMaker Bank. The user complains to John that he is unable to connect to the Internet using the new web browser and a firewall warning message appears.

Slide 32: Problem
Cannot view web pages on the new browser.

Slide 33: Suggested Solution
The Windows firewall might block a program from connecting to the Internet. To solve this problem you might need to add the program to the exception list of the firewall.

Slide 34: VLAN - I
- Individual broadcast domains created by the switch are called virtual LANs
- The different characteristics used to group stations in a VLAN are: Port numbers; MAC addresses; IP addresses; Multicast IP addresses; A combination of these
- IEEE standard 802.1Q defines the format of frame tagging in VLANs
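The 802.1Q frame tagging the slide refers to, as an added Python example that is not part of the original deck: it builds and parses Ethernet frames with and without the 4-byte VLAN tag (TPID 0x8100 followed by the tag control field: 3-bit priority, 1-bit drop-eligible flag, 12-bit VLAN ID) and adds a trunk-port membership check that rejects frames carrying a VID outside the port's allowed set or one of the reserved values 0 and 4095. The MAC addresses and payloads are constructed sample data; `accept_on_trunk` and its no-native-VLAN policy are assumptions of this example, not a switch vendor's behaviour.

```python
import struct

TPID_8021Q = 0x8100          # EtherType value that announces an 802.1Q tag
RESERVED_VIDS = {0, 4095}    # 0 = priority tag only (no VLAN), 4095 = reserved


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vid: int = None, pcp: int = 0, dei: int = 0) -> bytes:
    """Constructed Ethernet frame. With `vid` set, a 4-byte 802.1Q tag is
    inserted between the source MAC and the EtherType."""
    if vid is None:
        return dst + src + struct.pack("!H", ethertype) + payload
    tci = (pcp & 0x7) << 13 | (dei & 0x1) << 12 | (vid & 0x0FFF)
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Split a frame into addresses, optional VLAN tag fields, EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    info = {"dst": frame[:6].hex(":"), "src": frame[6:12].hex(":"),
            "vid": None, "pcp": None, "dei": None}
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info.update(vid=tci & 0x0FFF, pcp=tci >> 13, dei=(tci >> 12) & 1)
        offset = 18
    info["ethertype"] = ethertype
    info["payload"] = frame[offset:]
    return info


def accept_on_trunk(frame: bytes, allowed_vids: set) -> bool:
    """Trunk-port policy check (assumed policy for this example): a tagged
    frame is forwarded only if its VID is a real VLAN id on this port's
    allowed list; untagged frames are dropped because no native VLAN is assumed."""
    vid = parse_frame(frame)["vid"]
    if vid is None or vid in RESERVED_VIDS:
        return False
    return vid in allowed_vids


if __name__ == "__main__":
    # Constructed sample addresses and payload.
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("020000000001")
    tagged = build_frame(dst, src, 0x0800, b"constructed payload", vid=100, pcp=5)
    print(parse_frame(tagged))
    print(accept_on_trunk(tagged, {100, 200}))   # True
    print(accept_on_trunk(tagged, {200}))        # False
```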

Slide 35: VLAN - II
- A VLAN can be configured in three ways: Manual, Automatic, and Semiautomatic
- Three methods used for communication between switches are: Table maintenance; Frame tagging; Time Division Multiplexing (TDM)
- Advantages of VLANs are: Network management; Creating virtual work groups; Security

Slide 36: Fault Tolerance and Redundancy
- Shared data on a network should be protected in the first place rather than having to restore it from backups with difficulty
- The capability of a server to continue operating in case of a hardware failure is known as fault tolerance
- To implement fault tolerance you have to make the data redundant on the serving system


Slide 38: Network-Attached Storage (NAS)
- Used for implementing a server just for file sharing
- A prebuilt system, usually running Linux with Samba and/or Network File System (NFS)
- Devices have DHCP enabled and require very little or no configuration to run

Slide 39: Storage Area Network (SAN)
- A SAN is a network whose primary aim is to transfer data between disk arrays, tape drives and servers
- The various SAN components are: Fibre Channel switches; Hosts and host bus adapters; Storage devices; Cabling and cable connectors

Slide 40: Tape Backup
- Tape backup becomes essential in case of a hardware crash or damage to the server
- Magnetic tape is the oldest method of storing data from the computer
- Tape backup options fall into three major groups: Quarter-inch tape (QIC); Digital Audio Tape (DAT); Digital Linear Tape (DLT)

Slide 41: Perfect Server - I
- A network that shares data requires specialized hardware so as to share data as fast as possible
- Hardware requirements for speed:
- Fast NICs: increasing the data throughput and making the NIC do more than one task at a time
- Faster drives: using a PATA or a SCSI drive and implementing RAID 5 for data protection

Slide 42: Perfect Server - II
- Servers require reliability and speed as well as data protection
- Reliability components: Good power; Antivirus program; Environment

Slide 43: Hardware Requirement for Speed
- The hardware requirements for a server and a workstation differ from each other completely
- Workstations do not require the speed, reliability and data backup; servers, on the other hand, require reliability, speed, as well as data protection
- The two things that can make the server provide good speed are: Fast NICs; Fast drives

Slide 44: Reliability - I
- A steady AC power supply is to be provided to all the systems
- The different methods of providing good power are: Dedicated circuits; Surge suppressors; Uninterruptible Power Supply (UPS); Backup power
- Another problem, along with faulty power, is computer viruses

Slide 45: Reliability - II
- Five typical types of viruses are: Boot sector; Executable; Macro; Trojan; Worm
- Damage due to virus attacks can be prevented by not allowing the virus to enter the system
- It is necessary to provide a good environment for the server to improve its reliability

Slide 46: Protocols
- Different protocols are used at different layers of the OSI model for providing security to the users
- The different protocols used are: Secure Socket Layer (SSL); Internet Protocol Security (IPSec); Point-to-Point Tunneling Protocol (PPTP); Point-to-Point Protocol (PPP); Serial Line Interface Protocol (SLIP)

Slide 47: SLIP
- Serial Line Internet Protocol (SLIP) is used to connect a computer to the Internet over a serial connection such as a dial-up modem
- Serial Line Internet Protocol was designed as a data link protocol for telephony
- However, SLIP only supported TCP/IP and not NetBEUI or IPX networks

Slide 48: PPP - I
- One of the common protocols for point-to-point access
- PPP addressed all of the shortcomings of SLIP
- The different services provided by PPP are as follows:
- Defines the format of the frames to be exchanged between devices
- Defines how the devices can negotiate the establishment of a link and the exchange of data
- Defines how network layer data is encapsulated in the data link frame
- Defines how the devices can authenticate each other

Slide 49: PPP - II
- Provides multiple network layer services that support different network layer protocols
- Provides connection over multiple links
- Provides network address configuration, which is useful in case a user needs a temporary network address to connect to the Internet

Slide 50: PPTP
- A network protocol that allows secure transfer of data from a remote client to a private server
- It is the Microsoft VPN encryption protocol
- The three processes involved in PPTP are: PPTP connection and communication; PPTP control connection; PPTP data tunnelling

Slide 51: IPSec
- A protocol set that was developed by the Internet Engineering Task Force (IETF) for providing security to a packet at the network level
- IPSec operates in two modes: Transport mode; Tunnel mode

Slide 52: SSL
- SSL is a protocol developed by Netscape for transmitting private documents over the Internet
- Web pages that use SSL have URLs starting with https
- The different services provided by SSL for the data received from the application layer are: Fragmentation; Compression; Message integrity; Confidentiality; Framing
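Three of the record-layer services listed on the slide (fragmentation, message integrity and framing), modelled as an added Python example that is not part of the original deck. Application data is cut into fragments of at most 2^14 bytes, each fragment is framed with a 5-byte header (content type, version, length) and protected by an HMAC that also covers a per-record sequence number, and the receiver verifies every record before reassembling. The header layout follows the SSL/TLS record header, but the MAC placement, the HMAC-SHA256 choice and the key are simplifications of this example; compression and encryption are deliberately left out (real deployments disable record compression, and the encryption step would sit between MAC and framing). The sequence number is what turns reordering, replay and truncation into a MAC failure rather than silently corrupted data.

```python
import hashlib
import hmac
import struct

MAX_FRAGMENT = 2 ** 14            # record-layer fragment limit, 16 KiB as in SSL/TLS
HEADER = struct.Struct("!BBBH")   # content type, version major, version minor, length
MAC_LEN = 32                      # HMAC-SHA256 output size


def fragment(data: bytes, size: int = MAX_FRAGMENT) -> list:
    """Fragmentation: split application data into pieces of at most `size` bytes."""
    return [data[i:i + size] for i in range(0, len(data), size)] or [b""]


def _mac(key: bytes, seq: int, header: bytes, frag: bytes) -> bytes:
    # Message integrity: the MAC binds sequence number, header and fragment,
    # so reordering, replay or truncation shows up as a MAC failure.
    return hmac.new(key, struct.pack("!Q", seq) + header + frag, hashlib.sha256).digest()


def seal_records(data: bytes, mac_key: bytes, content_type: int = 23,
                 version=(3, 3), start_seq: int = 0) -> bytes:
    """Sender side. Framing: each fragment becomes header || fragment || MAC."""
    out = bytearray()
    for seq, frag in enumerate(fragment(data), start=start_seq):
        header = HEADER.pack(content_type, version[0], version[1], len(frag) + MAC_LEN)
        out += header + frag + _mac(mac_key, seq, header, frag)
    return bytes(out)


def open_records(stream: bytes, mac_key: bytes, start_seq: int = 0) -> bytes:
    """Receiver side: parse frames, verify each MAC, reassemble the data.
    Raises ValueError on a truncated record or a failed MAC check."""
    data = bytearray()
    seq, pos = start_seq, 0
    while pos < len(stream):
        if len(stream) - pos < HEADER.size:
            raise ValueError("truncated header")
        header = stream[pos:pos + HEADER.size]
        _ctype, _major, _minor, length = HEADER.unpack(header)
        body = stream[pos + HEADER.size:pos + HEADER.size + length]
        if len(body) != length or length < MAC_LEN:
            raise ValueError("truncated record")
        frag, mac = body[:-MAC_LEN], body[-MAC_LEN:]
        if not hmac.compare_digest(mac, _mac(mac_key, seq, header, frag)):
            raise ValueError("MAC check failed on record %d" % seq)
        data += frag
        seq += 1
        pos += HEADER.size + length
    return bytes(data)


def stream_is_valid(stream: bytes, mac_key: bytes) -> bool:
    """True if every record in the stream parses and verifies."""
    try:
        open_records(stream, mac_key)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    key = b"constructed-mac-key"            # constructed sample key
    payload = b"A" * 40000                   # spans three records
    sealed = seal_records(payload, key)
    print(len(sealed), open_records(sealed, key) == payload)   # 40111 True
    record = HEADER.size + MAX_FRAGMENT + MAC_LEN
    swapped = sealed[record:2 * record] + sealed[:record] + sealed[2 * record:]
    print(stream_is_valid(swapped, key))     # False: reordering is detected
```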

Slide 53: Summary - I
- There are two types of threats: internal and external threats
- Internal threats are malicious practices by the local network's own users that prevent efficient sharing of the network resources
- External threats are threats in which a hacker at a remote location uses technical methods to gain illegal access to your network

Slide 54: Summary - II
- Network security is a mechanism that protects the network resources from being attacked by the outside world
- Security attacks can be passive or active
- Cryptography is the science that deals with securing information and involves securing of messages, authentication, and digital signatures

Slide 55: Summary - III
- Symmetric cryptographic systems use the same key to encrypt and decrypt the message
- Asymmetric cryptographic systems use two keys, one for encryption and the other for decryption, for securely transmitting the data
- In digital signatures, the private key is used to encrypt the message and the public key is used to decrypt it

Slide 56: Summary - IV
- Authentication based on a shared secret key uses challenge-response protocols
- Encryption refers to the conversion of plain text into cipher text, and a cipher algorithm is used to transform plain text into cipher text
- Decryption means converting cipher text back to plain text, and the same cipher algorithms are used for decrypting

Slide 57: Summary - V
- Public key encryption/decryption uses the public key to encrypt the message and the private key to decrypt it
- Secret key encryption/decryption uses the shared secret key to encrypt and decrypt the message
- A firewall is a system that blocks all unwanted and unauthorized access to the system resources
- A demilitarized zone (DMZ) is a network that usually sits between an internal and an external network of an organization

Slide 58: Summary - VI
- A virtual local area network (VLAN) is a switched network that is logically segmented with respect to functions, project teams, or applications
- The IEEE standard used for VLANs, 802.1Q, defines the format of frame tagging and the format to be used in multi-switched backbones
- Stations in a VLAN can be configured in three ways: manual, semiautomatic, and automatic
- RAID uses different techniques of using multiple devices for data protection and for increasing speed

Slide 59: Summary - VII
- Network Attached Storage (NAS) is used for implementing a server for file sharing
- A storage area network (SAN) is a network whose primary aim is to transfer data between computer storage devices and computer systems
- Tape backup becomes essential in case of a hardware crash or damage to the server room

Slide 60: Summary - VIII
- Perfect servers require reliability, speed, data protection and specialized hardware
- A NIC can be made faster by increasing the data throughput and by making the NIC smarter, so that it does more than one task at a time
- Reliability can be achieved by providing a secure environment for the server and by providing redundant hardware components for the server in case of component failure

Slide 61: Summary - IX
- A small office/home office connection is a setup where a few networked systems share a single Internet connection
- SSL is designed to provide security and compression services to data generated from the application layer
- IPSec is a protocol set that was developed by the Internet Engineering Task Force (IETF) for providing security to a packet at the network level

Slide 62: Summary - X
- Point-to-Point Tunneling Protocol (PPTP) is a network protocol that allows secure transfer of data from a remote client to a private server
- Point-to-Point Protocol (PPP) is one of the common protocols for point-to-point access
- SLIP was designed to send IP datagrams from one device to another connected serially