Cns Mid2 (Unit-5)

Cryptography Networking System (CSE)

Uploaded by

ry6957679
The exchange can be viewed in 4 phases:

Phase 1. Establish Security Capabilities - this phase is used by the client to initiate a logical connection and to establish the security capabilities that will be associated with it.

Phase 2. Server Authentication and Key Exchange - the server begins this phase by sending its certificate if it needs to be authenticated.

Phase 3. Client Authentication and Key Exchange - the client should verify that the server provided a valid certificate if required and check that the server_hello parameters are acceptable.

Phase 4. Finish - this phase completes the setting up of a secure connection. The client sends a change_cipher_spec message and copies the pending CipherSpec into the current CipherSpec. At this point the handshake is complete and the client and server may begin to exchange application layer data.

[Figure 17.6 Handshake Protocol Action - figure not reproduced. Phase 1: establish security capabilities, including protocol version, session ID, cipher suite, compression method, and initial random numbers. Phase 2: server may send certificate, key exchange, and request certificate; server signals end of hello message phase. Phase 3: client sends certificate if requested; client sends key exchange; client may send certificate verification. Phase 4: change cipher suite and finish handshake protocol. Note: shaded transfers are optional or situation-dependent messages that are not always sent.]

Change-cipher Protocol: This protocol uses the SSL record protocol. Until the Handshake Protocol is completed, the SSL record output will be in a pending state. After the handshake protocol, the pending state is converted into the current state. The Change-cipher protocol consists of a single message which is 1 byte in length and can have only one value. This protocol's purpose is to cause the pending state to be copied into the current state.
[Figure: the 1-byte change_cipher_spec message - not reproduced.]

Alert Protocol: This protocol is used to convey SSL-related alerts to the peer entity. Each message in this protocol contains 2 bytes. The first byte is the level, which is classified into two parts:

Warning (level = 1): This alert has no impact on the connection between sender and receiver. Some of them are:
- Bad certificate: when the received certificate is corrupt.
- No certificate: when an appropriate certificate is not available.
- Certificate expired: when a certificate has expired.
- Certificate unknown: when some other unspecified issue arose in processing the certificate, rendering it unacceptable.
- Close notify: notifies that the sender will no longer send any messages in the connection.
- Unsupported certificate: the type of certificate received is not supported.
- Certificate revoked: the certificate received is in the revocation list.

Fatal error (level = 2): This alert breaks the connection between sender and receiver. The connection will be stopped; it cannot be resumed but can be restarted. Some of them are:
- Handshake failure: when the sender is unable to negotiate an acceptable set of security parameters given the options available.
- Decompression failure: when the decompression function receives improper input.
- Illegal parameters: when a field is out of range or inconsistent with other fields.
- Bad record MAC: when an incorrect MAC was received.
- Unexpected message: when an inappropriate message is received.

The second byte in the Alert protocol describes the error.

Salient Features of Secure Socket Layer

Firewalls

A firewall is a system designed to prevent unauthorized access to or from a private network. Firewalls can be implemented in both hardware and software. A firewall is a security solution for the computers or devices that are connected to a network; it can be in the form of hardware as well as software. It monitors and controls the incoming and outgoing traffic (the amount of data moving across a computer network at any given time).
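The Change-cipher and Alert message formats described above, as an added example that is not part of these notes: a small Python decoder for both message bodies plus a pending/current record state. The AlertDescription codes are the standard SSLv3/TLS values; the cipher and MAC names used for the state are assumed sample values.

```python
# Added example (not from the notes): decoding the Change Cipher Spec and Alert
# message bodies described above and applying the former to the record state.
from dataclasses import dataclass

WARNING, FATAL = 1, 2   # alert level: first byte of the 2-byte alert message
# Second byte: standard SSLv3/TLS AlertDescription codes for the alerts
# named in the notes (lookup table constructed for this example).
DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    30: "decompression_failure", 40: "handshake_failure", 41: "no_certificate",
    42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired",
    46: "certificate_unknown", 47: "illegal_parameter",
}

@dataclass
class Alert:
    level: int
    description: str
    connection_closed: bool   # fatal alerts end the connection; warnings do not

def parse_alert(body: bytes) -> Alert:
    """Parse a 2-byte alert body; any other length is malformed."""
    if len(body) != 2:
        raise ValueError("alert message must be exactly 2 bytes")
    level, desc = body[0], body[1]
    if level not in (WARNING, FATAL):
        raise ValueError(f"unknown alert level {level}")
    name = DESCRIPTIONS.get(desc, f"unknown({desc})")
    return Alert(level, name, connection_closed=(level == FATAL))

def parse_change_cipher_spec(body: bytes) -> bool:
    """The message is one byte that may only hold the value 1."""
    if body != b"\x01":
        raise ValueError("change_cipher_spec must be the single byte 0x01")
    return True

class RecordState:
    # Current and pending CipherSpec for one direction of the record layer.
    def __init__(self):
        self.current = {"cipher": "NULL", "mac": "NULL"}  # before the handshake
        self.pending = None                               # filled in by handshake
    def set_pending(self, cipher: str, mac: str) -> None:
        self.pending = {"cipher": cipher, "mac": mac}     # sample names assumed
    def change_cipher_spec(self, body: bytes) -> dict:
        # Phase 4: copy the pending CipherSpec into the current CipherSpec.
        parse_change_cipher_spec(body)
        if self.pending is None:
            raise ValueError("no pending CipherSpec has been negotiated")
        self.current, self.pending = self.pending, None
        return self.current
```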
The major purpose of the network firewall is to protect an inner network by separating it from the outer network. The inner network can be simply called a network created inside an organization, and a network that is not in the range of the inner network can be considered the outer network.

Types of Network Firewall:

i. Packet filters: This technique is used to control network access by monitoring outgoing and incoming packets and allowing them to pass or halt based on the source and destination Internet Protocol (IP) addresses, protocols and ports. This firewall is also known as a static firewall.

ii. Stateful inspection firewalls: This is also a type of packet filtering which is used to control how data packets move through a firewall. It is also called dynamic packet filtering. These firewalls can inspect whether the packet belongs to a particular session or not. It permits communication only if the session is properly established between two endpoints, else it will block the communication.

iii. Application layer firewalls: These firewalls can examine application layer (of the OSI model) information like an HTTP request. If it finds some suspicious application that can be responsible for harming our network or that is not safe for our network, then it gets blocked right away.

iv. Next-generation firewalls: These firewalls are called intelligent firewalls. They can perform all the tasks that are performed by the other types of firewalls described above, but on top of that include additional features like application awareness and control, integrated intrusion prevention, cloud-delivered threat intelligence, etc.

v. Circuit-level gateways: A circuit-level gateway is a firewall that provides User Datagram Protocol (UDP) and Transmission Control Protocol (TCP) connection security and works between an Open Systems Interconnection (OSI) network model's transport and application layers, such as the session layer.

Software Firewall: The software firewall is a type of computer software that runs on our computers. It protects our system from any external attacks such as unauthorized access, malicious attacks, etc. by notifying us about the danger that can occur if we open a particular mail or if we try to open a website that is not secure.

Hardware Firewall: A hardware firewall is a physical appliance that is deployed to enforce a network boundary. All network links crossing this boundary pass through this firewall, which enables it to perform an inspection of both inbound and outbound network traffic and enforce access controls and other policies.

Cloud Firewall: These are software-based, cloud-deployed network devices. This cloud-based firewall protects a private network from any unwanted access. Unlike traditional firewalls, a cloud firewall filters data at the cloud level.

Types of Firewalls

Firewalls are generally classified as three types: packet filters, application-level gateways, and circuit-level gateways.

Packet-Filtering Router

A packet-filtering router applies a set of rules to each incoming and outgoing IP packet to forward or discard the packet. Filtering rules are based on information contained in a network packet such as source and destination IP addresses, ports, transport protocol and interface.

[Figure (a) Packet-filtering router - not reproduced.]

If there is no match to any rule, then one of two default policies is applied:
- that which is not expressly permitted is prohibited (default action is discard packet): conservative policy
- that which is not expressly prohibited is permitted (default action is forward packet): permissive policy

The default discard policy is more conservative. Initially, everything is blocked, and services must be added on a case-by-case basis. This policy is more visible to users, who are more likely to see the firewall as a hindrance. The default forward policy increases ease of use for end users but provides reduced security; the security administrator must, in essence, react to each new security threat as it becomes known.
One advantage of t

Stateful Packet Filters

...take into consideration any higher layer context. A stateful inspection packet filter tightens up the rules for TCP traffic by creating a directory of outbound TCP connections, and will allow incoming traffic to high-numbered ports only for those packets that fit the profile of one of the entries in this directory. Hence they are better able to detect bogus packets sent out of context.

Application-Level Gateway

An application-level gateway (or proxy server) acts as a relay of application-level traffic. The user contacts the gateway using a TCP/IP application, such as Telnet or FTP, and the gateway asks the user for the name of the remote host to be accessed. When the user responds and provides a valid user ID and authentication information, the gateway contacts the application on the remote host and relays TCP segments containing the application data between the two endpoints. If the gateway does not implement the proxy code for a specific application, the service is not supported and cannot be forwarded across the firewall.

[Figure (b) Application-level gateway - not reproduced.]

Application-level gateways tend to be more secure than packet filters. Rather than trying to deal with the numerous possible combinations that are to be allowed and forbidden at the TCP and IP level, the application-level gateway need only scrutinize a few allowable applications. In addition, it is easy to log and audit all incoming traffic at the application level. A prime
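The packet-filtering rules, the two default policies and the stateful directory of outbound TCP connections described above, as an added example that is not taken from the notes: a toy filter in Python whose rule fields, addresses and ports are constructed for illustration.

```python
# Added example (not from the notes): a toy packet-filtering router showing the
# two default policies, plus the stateful directory of outbound TCP connections.
# Rule fields and all addresses/ports are constructed for illustration.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str        # "tcp" or "udp"
    src_port: int
    dst_port: int
    direction: str    # "in" or "out" relative to the protected (inner) network

@dataclass
class Rule:
    action: str                    # "forward" or "discard"
    direction: str = "*"           # "*" matches anything
    proto: str = "*"
    src_ip: str = "*"
    dst_port: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.direction in ("*", p.direction) and self.proto in ("*", p.proto)
                and self.src_ip in ("*", p.src_ip)
                and self.dst_port in (None, p.dst_port))

class PacketFilter:
    def __init__(self, rules, default="discard", stateful=False):
        # default="discard": what is not expressly permitted is prohibited (conservative)
        # default="forward": what is not expressly prohibited is permitted (permissive)
        self.rules, self.default, self.stateful = rules, default, stateful
        self.directory = set()     # outbound TCP connections (stateful mode only)
    def decide(self, p: Packet) -> str:
        tcp = self.stateful and p.proto == "tcp"
        if tcp and p.direction == "in" and p.dst_port > 1023:
            # Inbound traffic to a high-numbered port is admitted only when it
            # answers a connection already recorded in the directory.
            reply_of = (p.dst_ip, p.dst_port, p.src_ip, p.src_port)
            return "forward" if reply_of in self.directory else "discard"
        action = self.default
        for r in self.rules:       # first matching rule wins
            if r.matches(p):
                action = r.action
                break
        if tcp and p.direction == "out" and action == "forward":
            self.directory.add((p.src_ip, p.src_port, p.dst_ip, p.dst_port))
        return action
```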
