Network Security and Protocols - Chapter 18
Chapter Objectives - I
- Explain the different network security threats
- Explain the need for network security
- Discuss the objectives of cryptography
- List the various types of cryptosystems
- Explain the concept of digital signatures
- Identify the different authentication protocols
Chapter Objectives - II
- Discuss the different methods of ensuring privacy
- Explain the concept of a firewall
- Discuss the concept of a VLAN
- Explain the various fault tolerance and redundancy methods
- List the components of a perfect server
- Demonstrate the implementation of external network security
- List the different network security protocols
Recall - I
- The combination of the centralized processing model and the distributed processing model is called the client-server model
- Advantages of light wave technology are:
  - Cost-effective solution
  - Offers very high bandwidth
  - Very easy to install
Recall - II
- The different remote access methods used are:
  - Using phone lines and modems
  - Using ISDN lines
  - Using X.25
- Advantages of connectionless internetworking are: flexibility, robustness and no unnecessary overhead
- The two processes involved in routing are host routing and router routing
Threats
- Threats prevent users from accessing the resources required for performing their work
- Types of threats: internal and external
Internal Threats
- Malicious practices by local network users that do not allow efficient sharing of the network resources
- Common internal threats are:
  - Unauthorized access
  - Data destruction
  - Administrative access
  - System crash/hardware failure
  - Virus
Protecting from Internal Threats
- Methods of protecting against internal threats depend largely on policies rather than technology
- To protect the network from internal threats you need to implement:
  - Passwords
  - User account control policies
  - Fault tolerance
External Threats
- External threats can exist in two forms:
  - An attacker manipulates a user to gain access to the network
  - A hacker at a remote location uses technical methods to gain illegal access to your network
- Common external threats are:
  - Social engineering
  - Hacking
Protecting from External Threats
- Securing a network from external threats is a competition between hackers and security people
- To protect the network from external threats you need to provide:
  - Physical protection
  - Firewalls
  - Encryption
  - Authentication
  - Public keys and certificates
  - VLANs
Need for Network Security
- Network security: the mechanism that protects network resources from being attacked by the outside world
- Hackers constantly look for loopholes in network security and snoop into a network
Security Attacks - I
- Security attacks break the security barrier of the network and access the network resources
- Types of security attacks: active and passive
Case Study - I
The Customer Service department of MoneyMaker Bank provides online services to customers. It has been a month since maintenance tasks were performed on the computers of the department at the Hyderabad branch. The customer service department of the Hyderabad branch reports that the response of the computers has become slow and pop-ups continually plague Internet browsers. The computers are infected with spyware.
Problem
The performance of the computers in the customer service department has reduced.
Suggested Solution
Spyware is software, not a virus, that hides itself somewhere on the computer and collects information about the user. Spyware is often downloaded onto the computer when you download other free software or when you visit certain websites. To solve the problem, the spyware can be removed using a removal tool such as Spybot. This will help in improving system performance.
Implementing External Network Security - I
- Implementing external network security was not necessary while dial-up connections were used
- The arrival of high-speed Internet connections has completely changed the security aspect of home computers
- Users of Asymmetric Digital Subscriber Line (ADSL) or cable modem connections are the main targets for hackers
- Windows XP now has an Internet Connection Firewall (ICF) available
Implementing External Network Security - II
- SOHO routers are connected to provide security to networked systems sharing a single Internet connection
- Large networks employ a dedicated firewall between a gateway router and the protected network
- A demilitarized zone (DMZ) can also be implemented to prevent access to the internal network
Cryptography
- Cryptography is the science that deals with securing information
- The objectives of cryptography are:
  - Message confidentiality
  - Message integrity
  - Message authentication
  - Message nonrepudiation
  - Entity authentication
Types of Cryptosystems
- Cryptographic systems consist of the algorithms and procedures used for encrypting messages
- Types of cryptographic systems:
  - Symmetric cryptographic systems
  - Asymmetric cryptographic systems
- Symmetric cryptographic systems use the same key for encryption and decryption
- Asymmetric cryptographic systems use two keys, one for encryption and the other for decryption
Encryption/Decryption
- Encryption refers to the conversion of plain text into cipher text
- A cipher algorithm is used to transform plain text into cipher text
- The different types of traditional ciphers used to encode a message fall into two broad categories:
  - Substitution ciphers
  - Transposition ciphers
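One classical cipher from each of the two categories above, as an added example that is not part of the original slides: a keyed monoalphabetic substitution (letters change identity, keep position) and a columnar transposition (letters keep identity, change position). The keyword and padding character are the example's own choices.

```python
# Added example, not from the original slides: one classical cipher from each
# category above, a keyed monoalphabetic substitution and a columnar
# transposition, with encrypt and decrypt for both. Both are teaching
# ciphers only and offer no real confidentiality.
import string

ALPHABET = string.ascii_uppercase


def _cipher_alphabet(keyword: str) -> str:
    """Keyword letters first (duplicates dropped), then the remaining letters."""
    seen = []
    for ch in keyword.upper() + ALPHABET:
        if ch in ALPHABET and ch not in seen:
            seen.append(ch)
    return "".join(seen)


def substitution_encrypt(plaintext: str, keyword: str) -> str:
    # Each plaintext letter is replaced by the letter at the same position
    # in the cipher alphabet; non-letters (spaces) pass through unchanged.
    return plaintext.upper().translate(str.maketrans(ALPHABET, _cipher_alphabet(keyword)))


def substitution_decrypt(ciphertext: str, keyword: str) -> str:
    return ciphertext.upper().translate(str.maketrans(_cipher_alphabet(keyword), ALPHABET))


def _column_order(keyword: str) -> list:
    """Columns are read out in alphabetical order of the keyword letters,
    ties resolved left to right."""
    key = keyword.upper()
    return sorted(range(len(key)), key=lambda i: (key[i], i))


def transposition_encrypt(plaintext: str, keyword: str, pad: str = "X") -> str:
    # Write the text in rows under the keyword, pad the last row, then read
    # the columns out in key order.
    cols = len(keyword)
    text = plaintext.upper().replace(" ", "")
    text += pad * (-len(text) % cols)
    rows = [text[i:i + cols] for i in range(0, len(text), cols)]
    return "".join(row[c] for c in _column_order(keyword) for row in rows)


def transposition_decrypt(ciphertext: str, keyword: str) -> str:
    cols = len(keyword)
    nrows = len(ciphertext) // cols
    grid = [[""] * cols for _ in range(nrows)]
    pos = 0
    for c in _column_order(keyword):      # refill columns in the read-out order
        for r in range(nrows):
            grid[r][c] = ciphertext[pos]
            pos += 1
    return "".join("".join(row) for row in grid)
```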
Public Key Encryption/Decryption
- Uses a combination of two keys: the private key and the public key
- The private key is known only to the receiver of the message
Secret Key Encryption/Decryption
- Uses the same key to encrypt and decrypt the message
- The algorithm used for decrypting the message is the inverse of the algorithm used to encrypt it
Digital Signatures - I
- Used to authenticate the origin of a document
- Come under the asymmetric cryptography category
- Can be accomplished in two ways:
  - Signing the document
  - Signing the digest of the document
Digital Signature - II
- Signing the document
- Signing the digest
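The two signing approaches from the slides, worked with textbook RSA as an added example (not the slides' own material): signing the document directly is limited by the key size, while signing the digest handles any document length. The tiny primes and the reduction of the digest mod N are the example's own simplifications.

```python
# Added example, not from the original slides: the two approaches on the
# slide, signing the document itself versus signing its digest, using
# textbook RSA so the arithmetic is visible. The key below is a constructed
# toy key (small primes, no padding); real signatures use 2048-bit or larger
# keys with a padding scheme such as RSASSA-PSS.
import hashlib

# Constructed toy key. Chosen tiny so that "document too large" is easy to hit.
P, Q = 1000003, 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+)


def sign_document(message: bytes) -> int:
    """Sign the document directly: s = m^d mod n. Works only while m < n,
    so the message length is capped by the key size."""
    m = int.from_bytes(message, "big")
    if m >= N:
        raise ValueError("document too large to sign directly with this key")
    return pow(m, D, N)


def verify_document(message: bytes, signature: int) -> bool:
    """Recover m from the signature with the public key and compare."""
    return pow(signature, E, N) == int.from_bytes(message, "big")


def _digest_as_int(message: bytes) -> int:
    # Hash first; the reduction mod N is only needed because this toy key is
    # smaller than a SHA-256 digest. Real keys are larger than the digest.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign_digest(message: bytes) -> int:
    """Sign the digest: any document size, one short signature."""
    return pow(_digest_as_int(message), D, N)


def verify_digest(message: bytes, signature: int) -> bool:
    """Recompute the digest and compare it with what the signature opens to."""
    return pow(signature, E, N) == _digest_as_int(message)
```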
Authentication Protocol
- Authentication is the process by which the identity of the concerned party is verified before starting the communication process
- Data traffic is encrypted using symmetric key cryptography for performance reasons
- Public key cryptography is used for developing authorization protocols as well as for creating a session key
Authentication Based on Shared Secret Key - I
- Challenge-response protocols are used for authentication with a shared secret key
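A shared-secret challenge-response exchange as an added example (not from the slides): the verifier sends a fresh nonce, the claimant answers with a keyed MAC over it, and the secret itself never crosses the wire. HMAC-SHA256 as the keyed function, the class names, and the key/nonce sizes are the example's own choices.

```python
# Added example, not from the original slides: a two-party challenge-response
# exchange over a shared secret key, using HMAC-SHA256 as the keyed function.
# Key and nonce sizes are the example's own choices.
import hashlib
import hmac
import secrets


class Verifier:
    """Holds the shared key, issues fresh challenges, rejects replays."""

    def __init__(self, shared_key: bytes):
        self._key = shared_key
        self._outstanding = set()   # challenges issued but not yet answered

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)        # fresh and unpredictable
        self._outstanding.add(nonce)
        return nonce

    def verify(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self._outstanding:     # unknown or already used
            return False
        self._outstanding.discard(nonce)       # one answer per challenge
        expected = hmac.new(self._key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)   # constant-time compare


class Claimant:
    """Proves knowledge of the shared key without ever sending it."""

    def __init__(self, shared_key: bytes):
        self._key = shared_key

    def respond(self, nonce: bytes) -> bytes:
        return hmac.new(self._key, nonce, hashlib.sha256).digest()


def run_exchange(verifier: Verifier, claimant: Claimant) -> bool:
    nonce = verifier.challenge()               # 1. verifier -> claimant: nonce
    response = claimant.respond(nonce)         # 2. claimant -> verifier: HMAC(K, nonce)
    return verifier.verify(nonce, response)    # 3. verifier checks the answer
```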
Authentication using Kerberos
- Three types of servers are involved in the Kerberos protocol:
  - Authentication Server (AS)
  - Ticket-Granting Server (TGS)
  - Real server
Authentication using Public-Key Cryptography
- Certification Authority: an organization that binds a public key to an entity and issues a certificate
Firewall - I
- A firewall is a system that blocks all unwanted and unauthorized access to system resources
- A firewall can be set up using a router, switch, or bridge
- A firewall is basically present at the junction point or gateway between two networks, such as a private and a public network
- Firewalls can be hardware or software
- The basic types of firewalls are:
  - Packet-filter firewalls
  - Proxy firewalls
Firewall - II
- Demilitarized zones in firewalls
  - A network that is usually present between the internal and external networks of an organization
  - A DMZ host provides services for external networks, thus providing cover for the internal network against intruders
Case Study - II
Network administrator John has installed a new web browser on the computer of an employee in the Mumbai branch of MoneyMaker Bank. The user complains to John that he is unable to connect to the Internet using the new web browser and a firewall warning message appears.
Problem
Cannot view web pages on the new browser.
Suggested Solution
The Windows firewall might block a program from connecting to the Internet. To solve this problem you might need to add the program to the exception list of the firewall.
VLAN - I
- Individual broadcast domains created by a switch are called virtual LANs
- The different characteristics used to group stations in a VLAN are:
  - Port numbers
  - MAC addresses
  - IP addresses
  - Multicast IP addresses
  - A combination of the above
- IEEE standard 802.1Q defines the format of frame tagging in a VLAN
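The 802.1Q tag format the slide refers to, as an added example (not from the slides): a 4-byte tag inserted between the source MAC and the EtherType, carrying the VLAN ID and priority. The MAC addresses and payload are constructed.

```python
# Added example, not from the original slides: inserting and reading the
# IEEE 802.1Q tag. The tag is 4 bytes placed between the source MAC and the
# EtherType: TPID 0x8100, then PCP (3 bits), DEI (1 bit) and VID (12 bits).
# MAC addresses and payload below are constructed.
import struct

TPID_8021Q = 0x8100


def tag_frame(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert an 802.1Q tag after the 12-byte MAC header."""
    if not 0 <= vid <= 4095 or not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("bad tag field")
    tci = (pcp << 13) | (dei << 12) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_frame(frame: bytes) -> dict:
    """Return dst, src, vid/pcp (None if untagged), EtherType and payload."""
    dst, src = frame[:6], frame[6:12]
    ethertype, = struct.unpack("!H", frame[12:14])
    vid = pcp = None
    body = frame[14:]
    if ethertype == TPID_8021Q:           # tagged: TCI then the real EtherType
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        pcp, vid = tci >> 13, tci & 0x0FFF
        body = frame[18:]
    return {"dst": dst.hex(":"), "src": src.hex(":"), "vid": vid,
            "pcp": pcp, "ethertype": ethertype, "payload": body}


# Constructed untagged IPv4 frame: dst MAC, src MAC, EtherType 0x0800, dummy payload.
UNTAGGED = (bytes.fromhex("00112233445566778899aabb")
            + struct.pack("!H", 0x0800) + b"\x45\x00" + b"\x00" * 18)
```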
VLAN - II
- A VLAN can be configured in three ways: manual, automatic, and semiautomatic
- Three methods used for communication between switches are:
  - Table maintenance
  - Frame tagging
  - Time Division Multiplexing (TDM)
- The advantages of VLANs are:
  - Network management
  - Creating virtual work groups
  - Security
Fault Tolerance and Redundancy
- Shared data on a network should have better protection than having to restore backups with difficulty
- The capability of a server to continue operating in case of a hardware failure is known as fault tolerance
- To implement fault tolerance you have to make the data redundant on the serving system
RAID
- RAID is a technology that uses a collection of hard disks to share and replicate data
- The different levels of RAID are RAID 0, 1, 2, 3, 4, 5, 6, 0+1, 10, 53 and linear RAID
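How RAID 5 (the level the Perfect Server slide recommends for data protection) survives a single disk failure, as an added example that is not part of the slides: data blocks are striped across the disks with a rotating XOR parity block, and a lost block is rebuilt from the survivors. Disk count and block size are constructed.

```python
# Added example, not from the original slides: how RAID 5 keeps data readable
# when one disk fails. Each stripe holds one data block per disk except one,
# which stores the XOR (parity) of the others; the parity disk rotates from
# stripe to stripe. Any single missing block is the XOR of the remaining
# blocks in its stripe. Disk count and block size below are constructed.
from typing import List, Optional

BLOCK = 4   # bytes per block, tiny for illustration


def xor_blocks(blocks: List[bytes]) -> bytes:
    out = bytearray(BLOCK)
    for b in blocks:
        for i in range(BLOCK):
            out[i] ^= b[i]
    return bytes(out)


def raid5_write(data: bytes, disks: int) -> List[List[bytes]]:
    """Lay data out across disks; returns one block list per disk."""
    per_stripe = disks - 1
    chunks = [data[i:i + BLOCK].ljust(BLOCK, b"\0") for i in range(0, len(data), BLOCK)]
    layout: List[List[bytes]] = [[] for _ in range(disks)]
    for s in range(0, len(chunks), per_stripe):
        blocks = chunks[s:s + per_stripe]
        blocks += [bytes(BLOCK)] * (per_stripe - len(blocks))   # pad last stripe
        parity_disk = (disks - 1 - s // per_stripe) % disks      # rotate parity
        data_iter = iter(blocks)
        for d in range(disks):
            layout[d].append(xor_blocks(blocks) if d == parity_disk else next(data_iter))
    return layout


def raid5_read(layout: List[Optional[List[bytes]]], disks: int) -> bytes:
    """Read data back; a failed disk is passed as None and is rebuilt.
    RAID 5 tolerates exactly one failed disk; two losses are unrecoverable."""
    stripes = len(next(l for l in layout if l is not None))
    out = b""
    for s in range(stripes):
        parity_disk = (disks - 1 - s) % disks
        stripe = [layout[d][s] if layout[d] is not None else None for d in range(disks)]
        if None in stripe:                      # rebuild from the survivors
            missing = stripe.index(None)
            stripe[missing] = xor_blocks([b for b in stripe if b is not None])
        out += b"".join(b for d, b in enumerate(stripe) if d != parity_disk)
    return out
```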
Network-Attached Storage (NAS)
- Used for implementing a server just for file sharing
- A prebuilt system usually running Linux with Samba and/or Network File System (NFS)
- Devices have DHCP enabled and require very little or no configuration to run
Storage Area Network (SAN)
- A SAN is a network whose primary aim is to transfer data between disk arrays, tape drives and servers
- The various SAN components are:
  - Fibre Channel switches
  - Hosts and host bus adapters
  - Storage devices
  - Cabling and cable connectors
Tape Backup
- Tape backup becomes essential in case of a hardware crash or damage to the server
- Magnetic tape is the oldest method of storing data from a computer
- Tape backup options fall into three major groups:
  - Quarter-inch tape (QIC)
  - Digital Audio Tape (DAT)
  - Digital Linear Tape (DLT)
Perfect Server - I
- A network that shares data requires specialized hardware so as to share data as fast as possible
- Hardware requirements for speed:
  - Fast NICs: increasing the data throughput and making the NIC do more than one task at a time
  - Faster drives: using a PATA or SCSI drive and implementing RAID 5 for data protection
Perfect Server - II
- Servers require reliability and speed as well as data protection
- Good power
- Antivirus program
- Environment
Hardware Requirements for Speed
- The hardware requirements for a server and a workstation differ from each other completely
- Workstations do not require the speed, reliability and data backup; servers, on the other hand, require reliability and speed as well as data protection
- The two things that can make a server provide good speed are:
  - Fast NICs
  - Fast drives
Reliability - I
- A steady AC power supply is to be provided to all systems
- The different methods of providing good power are:
  - Dedicated circuits
  - Surge suppressors
  - Uninterruptible Power Supply (UPS)
  - Backup power
- Another problem, along with faulty power, is computer viruses
Reliability - II
- Five typical types of viruses are:
  - Boot sector
  - Executable
  - Macro
  - Trojan
  - Worm
- Damage due to virus attacks can be prevented by not allowing the virus to enter the system
- It is necessary to provide a good environment for the server to improve its reliability
Protocols
- Different protocols are used at different layers of the OSI model for providing security to users
- The different protocols used are:
  - Secure Socket Layer (SSL)
  - Internet Protocol Security (IPSec)
  - Point-to-Point Tunneling Protocol (PPTP)
  - Point-to-Point Protocol (PPP)
  - Serial Line Internet Protocol (SLIP)
SLIP
- Serial Line Internet Protocol (SLIP) is used to connect a computer to the Internet using a serial connection such as a dial-up modem
- SLIP was designed as a data link protocol for telephony
- However, SLIP only supported TCP/IP, not NetBEUI or IPX networks
PPP - I
- One of the common protocols for point-to-point access
- PPP addressed all of the shortcomings of SLIP
- The different services provided by PPP are as follows:
  - Defines the format of the frames to be exchanged between devices
  - Defines how the devices negotiate the establishment of a link and the exchange of data
  - Defines how network layer data is encapsulated in the data link frame
  - Defines how the devices can authenticate each other
PPP - II
- Provides multiple network layer services that support different network layer protocols
- Provides connection over multiple links
- Provides network address configuration, which is useful in case a user needs a temporary network address to connect to the Internet
PPTP
- A network protocol that allows secure transfer of data from a remote client to a private server
- It is the Microsoft VPN encryption protocol
- The three processes involved in PPTP are:
  - PPTP connection and communication
  - PPTP control connection
  - PPTP data tunnelling
IPSec
- A protocol set developed by the Internet Engineering Task Force (IETF) for providing security to a packet at the network level
- IPSec operates in two modes:
  - Transport mode
  - Tunnel mode
SSL
- SSL is a protocol developed by Netscape for transmitting private documents over the Internet
- Web pages that use SSL have URLs starting with https
- The different services provided by SSL for the data received from the application layer are:
  - Fragmentation
  - Compression
  - Message integrity
  - Confidentiality
  - Framing
Summary - I
- There are two types of threats: internal and external threats
- Internal threats are malicious practices by local network users that do not allow efficient sharing of the network resources
- External threats are threats in which a hacker at a remote location uses technical methods to gain illegal access to your network
Summary - II
- Network security is the mechanism that protects network resources from being attacked by the outside world
- Security attacks can be passive or active
- Cryptography is the science that deals with securing information and involves the securing of messages, authentication, and digital signatures
Summary - III
- Symmetric cryptographic systems use the same key to encrypt and decrypt the message
- Asymmetric cryptographic systems use two keys, one for encryption and the other for decryption, for securely transmitting data
- In digital signatures the private key is used to encrypt the message and the public key is used to decrypt it
Summary - IV
- Authentication based on a shared secret key uses challenge-response protocols
- Encryption refers to the conversion of plain text into cipher text, and the cipher algorithm is used to transform plain text into cipher text
- Decryption means converting cipher text back to plain text, and the same cipher algorithms are used for decrypting
Summary - V
- Public key encryption/decryption uses the public key to encrypt the message and the private key to decrypt the message
- Secret key encryption/decryption uses the shared secret key to encrypt and decrypt the message
- A firewall is a system that blocks all unwanted and unauthorized access to system resources
- A demilitarized zone (DMZ) is a network that is usually present between the internal and external networks of an organization
Summary - VI
- A virtual local area network (VLAN) is a switched network that is logically segmented with respect to functions, project teams, or applications
- The IEEE standard used for VLANs, 802.1Q, defines the format of frame tagging and the format to be used in multi-switched backbones
- Stations in a VLAN can be configured in three ways: manual, semiautomatic, and automatic
- RAID uses different techniques of using multiple devices for data protection and increasing speed
Summary - VII
- Network-Attached Storage (NAS) is used for implementing a server for file sharing
- A storage area network (SAN) is a network whose primary aim is to transfer data between computer storage devices and computer systems
- Tape backup becomes essential in case of a hardware crash or damage to the server room
Summary - VIII
- Perfect servers require reliability, speed, data protection and specialized hardware
- A NIC can be made faster by increasing the data throughput and making the NIC smarter by making it do more than one task at a time
- Reliability can be achieved by providing a secure environment for the server and providing redundant hardware components for the server in case of component failure
Summary - IX
- A small office/home office (SOHO) connection is a setup where a few networked systems share a single Internet connection
- SSL is designed to provide security and compression services to data generated from the application layer
- IPSec is a protocol set that was developed by the Internet Engineering Task Force (IETF) for providing security to a packet at the network level
Summary - X
- Point-to-Point Tunneling Protocol (PPTP) is a network protocol that allows secure transfer of data from a remote client to a private server
- Point-to-Point Protocol (PPP) is one of the common protocols for point-to-point access
- SLIP was designed to send IP datagrams from one device to another that were connected serially