UNIT V CRYPTOGRAPHY & NETWORK SECURITY

NETWORK SECURITY

Key Management:
In cryptography, it is a very tedious task to distribute the public and private keys
between sender and receiver.
Key managements includes the use of a key-distribution center (KDC), certification
authorities (CAs), and public-key infrastructure (PKI).
1. Key-Distribution Center: KDC (previous unit)
2. Certification Authority : CA
3. Public-Key Infrastructures (PKI)

Certification Authority : CA
Bob wants two things; he wants people to know his public key, and he wants no one to
accept a forged(duplicate) public key as his. Bob can go to a certification authority
(CA), a federal or state organization that binds a public key to an entity and issues a
certificate. The CA has a well-known public key itself that cannot be forged. The CA
checks Bob’s identification (using a picture ID along with other proof). It then asks for
Bob’s public key and writes it on the certificate.
To prevent the certificate itself from being forged, the CA signs the certificate with its
private key. Now Bob can upload the signed certificate. Anyone who wants Bob’s
public key downloads the signed certificate and uses the center’s public key to extract
Bob’s public key.

X.509
Although the use of a CA has solved the problem of public-key fraud, it has created a
side-effect. Each certificate may have a different format. If Alice wants to use a
program to automatically download different certificates and digests belonging to
different people, the program may not be able to do this. One certificate may have the
public key in one format and another in a different format. The public key may be on
the first line in one certificate, and on the third line in another. Anything that needs to
be used universally must have a universal format.
To remove this side effect, the ITU has designed X.509, a recommendation that has
been accepted by the Internet with some changes. X.509 is a way to describe the
certificate in a structured way. It uses a well-known protocol called ASN.1 (Abstract
Syntax Notation 1) that defines fields familiar to C programmers.

1
Prof. Andleeb Sahar
UNIT V CRYPTOGRAPHY & NETWORK SECURITY

Fig: Certificate Format

A certificate has the following fields:
❏ Version number. This field defines the version of X.509 of the certificate. The
version number started at 0; the current version (third version) is 2.
❏ Serial number. This field defines a number assigned to each certificate. The value
is unique for each certificate issuer.
❏ Signature algorithm ID. This field identifies the algorithm used to sign the
certificate. Any parameter that is needed for the signature is also defined in this field.
❏ Issuer name. This field identifies the certification authority that issued the
certificate. The name is normally a hierarchy of strings that defines a country, a state,
organization, department, and so on.
❏ Validity Period. This field defines the earliest time (not before) and the latest time
(not after) the certificate is valid.
❏ Subject name. This field defines the entity to which the public key belongs. It is
also a hierarchy of strings. Part of the field defines what is called the common name,
which is the actual name of the beholder of the key.
❏ Subject public key. This field defines the owner’s public key, the heart of the
certificate. The field also defines the corresponding public-key algorithm (RSA, for
example) and its parameters.
❏ Issuer unique identifier. This optional field allows two issuers to have the same
issuer field value, if the issuer unique identifiers are different.
❏ Subject unique identifier. This optional field allows two different subjects to have
the same subject field value, if the subject unique identifiers are different.

2
Prof. Andleeb Sahar
UNIT V CRYPTOGRAPHY & NETWORK SECURITY

❏ Extensions. This optional field allows issuers to add more private information to
the certificate.
❏ Signature. This field is made of three sections. The first section contains all other
fields in the certificate. The second section contains the digest of the first section
encrypted with the CA’s public key. The third section contains the algorithm identifier
used to create the second section.

Public-Key Infrastructures (PKI)

Public-Key Infrastructure (PKI) is a model for creating, distributing, and revoking
certificates based on the X.509.
The Public key infrastructure (PKI) is the set of hardware, software, policies,
processes, and procedures required to create, manage, distribute, use, store, and
revoke digital certificates and public-keys.
The principal objective for developing a PKI is to enable secure, convenient, and
efficient acquisition of public keys.

Duties
Several duties have been defined for a PKI. The most important ones are shown in
fig:

3
Prof. Andleeb Sahar
UNIT V CRYPTOGRAPHY & NETWORK SECURITY

❏ Certificates’ issuing, renewal, and revocation. These are duties defined in the
X.509. Because the PKIX is based on X.509, it needs to handle all duties related to
certificates.
❏ Keys’ storage and update. A PKI should be a storage place for private keys of those
members that need to hold their private keys somewhere safe. In addition, a PKI is
responsible for updating these keys on members’ demands.
❏ Providing services to other protocols. Some Internet security protocols, such as
IPSec and TLS, are relying on the services by a PKI.
❏ Providing access control. A PKI can provide different levels of access to the
information stored in its database. For example, an organization PKI may provide
access to the whole database for the top management, but limited access for
employees.

4
Prof. Andleeb Sahar
UNIT V CRYPTOGRAPHY & NETWORK SECURITY

PGP (Pretty Good Privacy) :

PGP was invented by Phil Zimmermann to provide email with privacy, integrity,
and authentication. PGP can be used to create a secure e-mail message or to
store a file securely for future retrieval.

○ PGP stands for Pretty Good Privacy (PGP) which was invented by Phil

Zimmermann.

○ PGP was designed to provide all four aspects of security, i.e., privacy,

integrity, authentication, and non-repudiation in the sending of email.

○ PGP uses a digital signature (a combination of hashing and public key

encryption) to provide integrity, authentication, and non-repudiation. PGP

uses a combination of secret key encryption and public key encryption to
provide privacy. Therefore, we can say that the digital signature uses one
hash function, one secret key, and two private-public key pairs.

○ PGP is an open source and freely available software package for email

security.

○ PGP provides authentication through the use of Digital Signature.

○ It provides confidentiality through the use of symmetric block encryption.

At Sender site:

At Receiver Site:

5
Prof. Andleeb Sahar
UNIT V CRYPTOGRAPHY & NETWORK SECURITY

○ PGP combines some of the best features of both conventional and public

key cryptography. PGP is a hybrid cryptosystem. When a user encrypts

plaintext with PGP, PGP first compresses the plaintext. Data compression
saves modem transmission time and disk space and, more importantly,
strengthens cryptographic security. Most cryptanalysis techniques exploit
patterns found in the plaintext to crack the cipher. Compression reduces
these patterns in the plaintext, thereby greatly enhancing resistance to
cryptanalysis. (Files that are too short to compress or which don't
compress well aren't compressed.)

○ PGP then creates a session key, which is a one-time-only secret key. This

key is a random number generated from the random movements of your

mouse and the keystrokes you type. This session key works with a very
secure, fast conventional encryption algorithm to encrypt the plaintext;
the result is ciphertext. Once the data is encrypted, the session key is then
encrypted to the recipient's public key. This public key-encrypted session
key is transmitted along with the ciphertext to the recipient.

6
Prof. Andleeb Sahar
UNIT V CRYPTOGRAPHY & NETWORK SECURITY

IP Sec (IP Security):

IP Security (IPSec) is a collection of protocols designed by the Internet

Engineering Task Force (IETF) to provide security for a packet at the
network level. The network layer in the Internet is often referred to as the
Internet Protocol or IP layer. IPSec helps create authenticated and
confidential packets for the IP layer.

IPSec can be useful in several areas. First, it can enhance the security of
those client/server programs, such as electronic mail, that use their own
security protocols. Second, it can enhance the security of those client/
server programs, such as HTTP, that use the security services provided at
the transport layer. It can provide security for those client/server
programs that do not use the security services provided at the transport
layer. It can provide security for node-to-node communication programs
such as routing protocols.

7
Prof. Andleeb Sahar
UNIT V CRYPTOGRAPHY & NETWORK SECURITY

TWO MODES

IPSec operates in one of two different modes: transport mode or tunnel

mode.

Transport Mode

In transport mode, IPSec protects what is delivered from the transport

layer to the network layer. In other words, transport mode protects the
network layer payload, the payload to be encapsulated in the network
layer.

Transport mode is normally used when we need host-to-host (end-to-end)

protection of data. The sending host uses IPSec to authenticate and/or
encrypt the payload delivered from the transport layer. The receiving host
uses IPSec to check the authentication and/or decrypt the IP packet and
deliver it to the transport layer.

Tunnel Mode

In tunnel mode, IPSec protects the entire IP packet. It takes an IP packet,

including the header, applies IPSec security methods to the entire packet,

8
Prof. Andleeb Sahar
UNIT V CRYPTOGRAPHY & NETWORK SECURITY

and then adds a new IP header.

The new IP header, as we will see shortly, has different information than
the original IP header. Tunnel mode is normally used between two
routers, between a host and a router, or between a router and a host, In
other words, tunnel mode is used when either the sender or the receiver is
not a host. The entire original packet is protected from intrusion between
the sender and the receiver, as if the whole packet goes through an
imaginary tunnel.

TWO SECURITY PROTOCOLS

IPSec defines two protocols the Authentication Header (AH) Protocol

and the Encapsulating Security Payload (ESP) Protocol To provide
authentication and/or encryption for packets at the IP level.

i) Authentication Header (AH)

The Authentication Header (AH) Protocol is designed to authenticate the

source host and to ensure the integrity of the payload carried in the IP
packet. The protocol uses a hash function and a symmetric key to create a
message digest; the digest is inserted in the authentication header. The

9
Prof. Andleeb Sahar
UNIT V CRYPTOGRAPHY & NETWORK SECURITY

AH is then placed in the appropriate location, based on the mode

(transport or tunnel).

A brief description of each field follows:

❏ Next header. The 8-bit next header field defines the type of payload
carried by the IP datagram (such as TCP, UDP, ICMP, or OSPF). It has
the same function as the protocol field in the IP header before
encapsulation. In other words, the process copies the value of the protocol
field in the IP datagram to this field. The value of the protocol field in the
new IP datagram is now set to 51 to show that the packet carries an
authentication header.

❏ Payload length. The name of this 8-bit field is misleading. It does not
define the length of the payload; it defines the length of the authentication
header in 4-byte multiples, but it does not include the first 8 bytes.

❏ Security parameter index. The 32-bit security parameter index (SPI)

field plays the role of a virtual circuit identifier and is the same for all

10
Prof. Andleeb Sahar
UNIT V CRYPTOGRAPHY & NETWORK SECURITY

packets sent during a connection called a Security Association (discussed

later).

❏ Sequence number. A 32-bit sequence number provides ordering

information for a sequence of datagrams. The sequence numbers prevent
a playback. Note that the sequence number is not repeated even if a
packet is retransmitted. A sequence number does not wrap around after it
reaches 232; a new connection must be established.

❏ Authentication data. Finally, the authentication data field is the result

of applying a hash function to the entire IP datagram except for the fields
that are changed during transit (e.g., time-to-live).

ii) Encapsulating Security Payload (ESP)

The AH protocol does not provide privacy, only source authentication and
data integrity. IPSec later defined an alternative protocol, Encapsulating
Security Payload (ESP), that provides source authentication, integrity, and
privacy. ESP adds a header and trailer.

11
Prof. Andleeb Sahar
UNIT V CRYPTOGRAPHY & NETWORK SECURITY

The fields for the header and trailer are as follows:

❏ Security parameter index. The 32-bit security parameter index field is

similar to that defined for the AH protocol.

❏ Sequence number. The 32-bit sequence number field is similar to that

defined for the AH protocol.

❏ Padding. This variable-length field (0 to 255 bytes) of 0s serves as padding.

❏ Pad length. The 8-bit pad-length field defines the number of padding bytes.
The value is between 0 and 255; the maximum value is rare.

❏ Next header. The 8-bit next-header field is similar to that defined in the AH
protocol. It serves the same purpose as the protocol field in the IP header before
encapsulation.

❏ Authentication data. Finally, the authentication data field is the result of

applying an authentication scheme to parts of the datagram. Note the difference
between the authentication data in AH and ESP. In AH, part of the IP header is
included in the calculation of the authentication data; in ESP, it is not.

12
Prof. Andleeb Sahar
UNIT V CRYPTOGRAPHY & NETWORK SECURITY

SSL (Secure Socket Layer):

13
Prof. Andleeb Sahar
UNIT V CRYPTOGRAPHY & NETWORK SECURITY

SSL defines four protocols in two layers, as shown in Figure

● The Record Protocol is the carrier. It carries messages from three other protocols as
well as the data coming from the application layer. Messages from the Record
Protocol are payloads to the transport layer, normally TCP.
● TCP. The Handshake Protocol provides security parameters for the Record Protocol. It
establishes a cipher set and provides keys and security parameters. It also
authenticates the server to the client and the client to the server if needed.
● The ChangeCipherSpec Protocol is used for signalling the readiness of cryptographic
secrets.
● The Alert Protocol is used to report abnormal conditions.

i. Handshake Protocol

The Handshake Protocol uses messages to negotiate the cipher suite, to authenticate the
server to the client and the client to the server if needed, and to exchange information for
building the cryptographic secrets. The handshaking is done in four phases, as shown in
Figure:

14
Prof. Andleeb Sahar
UNIT V CRYPTOGRAPHY & NETWORK SECURITY

Phase I: Establishing Security Capability

ClientHello The client sends the ClientHello message. It contains the following:
a. The highest SSL version number the client can support.
b. A 32-byte random number (from the client) that will be used for master secret generation.
c. A session ID that defines the session.
d. A cipher suite that defines the list of algorithms that the client can support.
e. A list of compression methods that the client can support.

Phase II: Server Key Exchange and Authentication

In phase II, the server authenticates itself if needed. The sender may send its certificate,its
public key, and may also request certificates from the client. At the end, the server
announces that the serverHello process is done.

Phase III: Client Key Exchange and Authentication

Phase III is designed to authenticate the client. Up to three messages can be sent from the
client to the server.

a. Certificate To certify itself to the server, the client sends a Certificate message.

15
Prof. Andleeb Sahar
UNIT V CRYPTOGRAPHY & NETWORK SECURITY

b. ClientKeyExchange After sending the Certificate message, the client sends a Client-
KeyExchange message, which includes its contribution to the pre-master secret. The
contents of this message are based on the key-exchange algorithm used.

c. CertificateVerify If the client has sent a certificate declaring that it owns the public
key in the certificate, it needs to prove that it knows the corresponding private key.
This is needed to thwart an impostor who sends the certificate and claims that it
comes from the client. The proof of private-key possession is done by creating a
message and signing it with the private key. The server can verify the message with
the public key already sent to ensure that the certificate actually belongs to the
client.

Phase IV: Finalizing and Finishing

In Phase IV, the client and server send messages to change cipher specification and
to finish the handshaking protocol. Four messages are exchanged in this phase,

ChangeCipherSpec The client sends a ChangeCipherSpec message to show that it has

moved all of the cipher suite set and the parameters from the pending state to the
active state.

Finished The next message is also sent by the client. It is a Finished message that
announces the end of the handshaking protocol by the client.

ChangeCipherSpec The server sends a ChangeCipherSpec message to show that it

has also moved all of the cipher suite set and parameters from the pending state to
the active state.

Finished Finally, the server sends a Finished message to show that handshaking is
totally completed.

16
Prof. Andleeb Sahar
UNIT V CRYPTOGRAPHY & NETWORK SECURITY

ii. ChangeCipherSpec Protocol

The ChangeCipherSpec Protocol defines the process of moving values between the
pending and active states.

This protocol uses the SSL record protocol. Unless Handshake Protocol is completed, the SSL
record Output will be in a pending state. After the handshake protocol, the Pending state is
converted into the current state.
Change-cipher protocol consists of a single message which is 1 byte in length and can have
only one value. This protocol’s purpose is to cause the pending state to be copied into the
current state

iii. Alert Protocol

SSL uses the Alert Protocol for reporting errors and abnormal conditions. It has only
one message type, the Alert message, that describes the problem and its level
(warning or fatal).

17
Prof. Andleeb Sahar
UNIT V CRYPTOGRAPHY & NETWORK SECURITY

iv. Record Protocol

The Record Protocol carries messages from the upper layer (Handshake Protocol,
ChangeCipherSpec Protocol, Alert Protocol, or application layer). The message is
fragmented and optionally compressed; a MAC is added to the compressed message
using the negotiated hash algorithm. The compressed fragment and the MAC are
encrypted using the negotiated encryption algorithm. Finally, the SSL header is
added to the encrypted message. The process at the receiver is reversed.

18
Prof. Andleeb Sahar
UNIT V CRYPTOGRAPHY & NETWORK SECURITY

An Intrusion Detection System (IDS):

An Intrusion Detection System (IDS) is a monitoring system that detects suspicious

activities and generates alerts when they are detected. Based upon these alerts, a
security operations center (SOC) analyst or incident responder can investigate the
issue and take the appropriate actions to remediate the threat.

How does an IDS work?

● An IDS (Intrusion Detection System) monitors the traffic on a computer

network to detect any suspicious activity.

● It analyzes the data flowing through the network to look for patterns and signs
of abnormal behavior.

● The IDS compares the network activity to a set of predefined rules and patterns
to identify any activity that might indicate an attack or intrusion.

● If the IDS detects something that matches one of these rules or patterns, it
sends an alert to the system administrator.

● The system administrator can then investigate the alert and take action to
prevent any damage or further intrusion.

19
Prof. Andleeb Sahar
UNIT V CRYPTOGRAPHY & NETWORK SECURITY

Classification of Intrusion Detection Systems

Intrusion detection systems are designed to be deployed in different environments.

And like many cybersecurity solutions, an IDS can either be host-based or
network-based.

● Host-Based IDS (HIDS): A host-based IDS is deployed on a particular

endpoint and designed to protect it against internal and external threats. Such
an IDS may have the ability to monitor network traffic to and from the
machine, observe running processes, and inspect the system’s logs. A
host-based IDS’s visibility is limited to its host machine, decreasing the
available context for decision-making, but has deep visibility into the host
computer’s internals.

● Network-Based IDS (NIDS): A network-based IDS solution is designed to

monitor an entire protected network. It has visibility into all traffic flowing
through the network and makes determinations based upon packet metadata
and contents. This wider viewpoint provides more context and the ability to
detect widespread threats; however, these systems lack visibility into the
internals of the endpoints that they protect.

20
Prof. Andleeb Sahar
UNIT V CRYPTOGRAPHY & NETWORK SECURITY

IDS are classified into two categories:

i)Rule-based Detection:

Rule-based techniques detect intrusion by observing events in the system and applying
a set of rules that lead to a decision regarding whether a given pattern of activity is or
is not suspicious. Can characterize approaches as either anomaly detection or
penetration identification, although there is overlap. Rule-based anomaly detection is
similar in terms of its approach and strengths to statistical anomaly detection.
Rule-based penetration identification takes a very different approach based on expert
system technology. It uses rules for identifying known penetrations or penetrations
that would exploit known weaknesses, or identify suspicious behavior. The rules used
are specific to the machine and operating system. The rules are generated by
“experts”, from interviews of system administrators and security analysts. Thus the
strength of the approach depends on the skill of those involved in setting up the rules.

ii) Anomaly-based intrusion detection system:

It is an intrusion detection system for detecting both network and computer intrusions
and misuse by monitoring system activity and classifying it as either normal or
anomalous. The classification is based on heuristics or rules, rather than patterns or
signatures, and attempts to detect any type of misuse that falls out of normal system
operation. This is as opposed to signature-based systems, which can only detect
attacks for which a signature has previously been created.

21
Prof. Andleeb Sahar
UNIT V CRYPTOGRAPHY & NETWORK SECURITY

Intrusion Prevention:

How Intrusion Prevention Systems Work

The IPS is placed inline, directly in the flow of network traffic between the source and
destination. This is what differentiates IPS from its predecessor, the intrusion
detection system (IDS). Conversely, IDS is a passive system that scans traffic and
reports back on threats.

These actions can include:

● Sending an alarm to the administrator (as would be seen in an IDS)

● Dropping the malicious packets
● Blocking traffic from the source address
● Resetting the connection
● Configuring firewalls to prevent future attacks

There are several types of IPS solutions, which can be deployed for different purposes.

These include:

● Network based intrusion prevention system (NIPS), which is installed at

strategic points to monitor all network traffic and scan for threats.

● Host intrusion prevention system (HIPS), which is installed on an endpoint

and looks at inbound/outbound traffic from that machine only. Often combined

with NIPS, an HIPS serves as a last line of defense for threats.

● Network behavior analysis (NBA) analyzes network traffic to detect unusual

traffic flows and spot new malware or zero-day vulnerabilities.

22
Prof. Andleeb Sahar
UNIT V CRYPTOGRAPHY & NETWORK SECURITY

● Wireless intrusion prevention system (WIPS) scans a Wi-Fi network for

unauthorized access and removes any unauthorized devices.

Firewalls:
Firewalls prevent unauthorized access to networks through software or firmware. By
utilizing a set of rules, the firewall examines and blocks incoming and outgoing
traffic.
Fencing your property protects your house and keeps trespassers at bay; similarly,
firewalls are used to secure a computer network. Firewalls are network security
systems that prevent unauthorized access to a network.
It can be a hardware or software unit that filters the incoming and outgoing traffic
within a private network, according to a set of rules to spot and prevent cyberattacks.
Firewalls are used in enterprise and personal settings. They are a vital component of
network security.
Most operating systems have a basic built-in firewall. However, using a third-party
firewall application provides better protection.
Firewalls are designed with modern security techniques that are used in a wide range
of applications.
In the early days of the internet, networks needed to be built with new security
techniques, especially in the client-server model, a central architecture of modern
computing.
That's where firewalls have started to build the security for networks with varying
complexities. Firewalls are known to inspect traffic and mitigate threats to the devices.

Functions of Firewall

● The most important function of a firewall is that it creates a border between

an external network and the guarded network where the firewall inspects all
packets (pieces of data for internet transfer) entering and leaving the guarded
network. Once the inspection is completed, a firewall can differentiate

23
Prof. Andleeb Sahar
UNIT V CRYPTOGRAPHY & NETWORK SECURITY

between benign and malicious packets with the help of a set of

pre-configured rules.
● The firewall abides such packets, whether they come in a rule set or not, so
that they should not enter into the guarded network.
● This packet form information includes the information source, its
destination, and the content. These might differ at every level of the
network, and so do the rule sets. Firewalls read these packets and reform
them concerning rules to tell the protocol where to send them.

Firewall Design Principles

i. All traffic from inside to outside and vice versa must pass through the firewall. This
is achieved by physically blocking all access to the local network except via the
firewall. The configurations used for this are screened Host Firewall (Single and Dual)
and Screened Subnet Firewall.
ii. Only authorized traffic as defined by the local security policy will be allowed to
pass. Various types of firewalls that can be used are Packet-Filters, Stateful Filters and
Application Proxy Filters.
iii. The firewall itself is immune to penetration. This implies that use of a trusted
system with a secure operating system.

Types of Firewall:

1. Packet Filtering Firewalls

Packet filtering firewalls are the oldest, most basic type of firewalls. Operating at the
network layer, they check a data packet for its source IP and destination IP, the
protocol, source port, and destination port against predefined rules to determine
whether to pass or discard the packet. Packet filtering firewalls are essentially
stateless, monitoring each packet independently without any track of the established
connection or the packets that have passed through that connection previously. This
makes these firewalls very limited in their capacity to protect against advanced threats
and attacks.

24
Prof. Andleeb Sahar
UNIT V CRYPTOGRAPHY & NETWORK SECURITY

Packet filtering firewalls are fast, cheap, and effective. But the security they provide is
very basic. Since these firewalls cannot examine the content of the data packets, they
are incapable of protecting against malicious data packets coming from trusted source
IPs. Being stateless, they are also vulnerable to source routing attacks and tiny
fragment attacks. But despite their minimal functionality, packet filtering firewalls
paved the way for modern firewalls that offer stronger and deeper security.

2. Circuit-Level Gateways
Working at the session layer, circuit-level gateways verify established Transmission
Control Protocol (TCP) connections and keep track of the active sessions. They are
quite similar to packet filtering firewalls in that they perform a single check and utilize
minimal resources. However, they function at a higher layer of the Open Systems
Interconnection (OSI) model. Primarily, they determine the security of an established
connection. When an internal device initiates a connection with a remote host,
circuit-level gateways establish a virtual connection on behalf of the internal device to
keep the identity and IP address of the internal user hidden.

Circuit-level gateways are cost-efficient, simplistic, barely impact a network’s

performance. However, their inability to inspect the content of data packets makes
them an incomplete security solution on their own. A data packet containing malware
can bypass a circuit-level gateway easily if it has a legitimate TCP handshake. That is
why another type of firewall is often configured on top of circuit-level gateways for
added protection.

3. Stateful Inspection Firewalls

A step ahead of circuit-level gateways, stateful inspection firewalls, and verifying and
keeping track of established connections also perform packet inspection to provide
better, more comprehensive security. They work by creating a state table with source
IP, destination IP, source port, and destination port once a connection is established.
They create their own rules dynamically to allow expected incoming network traffic
instead of relying on a hardcoded set of rules based on this information. They
conveniently drop data packets that do not belong to a verified active connection.

Stateful inspection firewalls check for legitimate connections and source and
destination IPs to determine which data packets can pass through. Although these
extra checks provide advanced security, they consume a lot of system resources and
can slow down traffic considerably. Hence, they are prone to DDoS (distributed
denial-of-service attacks).

25
Prof. Andleeb Sahar
UNIT V CRYPTOGRAPHY & NETWORK SECURITY

4. Application-Level Gateways (Proxy Firewalls)

Application-level gateways, also known as proxy firewalls, are implemented at the
application layer via a proxy device. Instead of an outsider accessing your internal
network directly, the connection is established through the proxy firewall. The
external client sends a request to the proxy firewall. After verifying the authenticity of
the request, the proxy firewall forwards it to one of the internal devices or servers on
the client’s behalf. Alternatively, an internal device may request access to a webpage,
and the proxy device will forward the request while hiding the identity and location of
the internal devices and network.

Unlike packet filtering firewalls, proxy firewalls perform stateful and deep packet
inspection to analyze the context and content of data packets against a set of
user-defined rules. Based on the outcome, they either permit or discard a packet. They
protect the identity and location of your sensitive resources by preventing a direct
connection between internal systems and external networks. However, configuring
them to achieve optimal network protection can be tricky. You must also keep in mind
the tradeoff—a proxy firewall is essentially an extra barrier between the host and the
client, causing considerable slowdowns.

Password Management:
Since passwords are meant to keep the files and data secret and safe so it is prevented
the unauthorized access, password management refers to the practices and set of rules
or principles or standards that out must follow or at least try to seek help from in order
to be a good/strong password and along with its storage and management for the
future requirements.

Methods to Manage Password:

There are a lot of good practices that we can follow to generate a strong password and
also the ways to manage them.
● Strong and long passwords: A minimum length of 8 to 12 characters long,
also it should contain at least three different character sets (e.g., uppercase
characters, lowercase characters, numbers, or symbols)

26
Prof. Andleeb Sahar
UNIT V CRYPTOGRAPHY & NETWORK SECURITY

● Password Encryption: Using irreversible end-to-end encryption is

recommended. In this way, the password remains safe even if it ends up in
the hands of cybercriminals.
● Multi-factor Authentication (MFA): Adding some security questions and
a phone number that would be used to confirm that it is indeed you who is
trying to log in will enhance the security of your password.
● Make the password pass the test: Yes, put your password through some
testing tools that you might find online in order to ensure that it falls under
the strong and safe password category.
● Avoid updating passwords frequently: Though it is advised or even made
mandatory to update or change your password as frequently as in 60 or 90
days.

Viruses

A virus is a piece of software that can "infect" other programs by modifying

them; the modification includes a copy of the virus program, which can then go
on to infect other programs.

A virus can do anything that other programs do. The only difference is that it
attaches itself to another program and executes secretly when the host program
is run. Once a virus is executing, it can perform any function, such as erasing
files and programs.

During its lifetime, a typical virus goes through the following four phases:

27
Prof. Andleeb Sahar
UNIT V CRYPTOGRAPHY & NETWORK SECURITY

Dormant phase: The virus is idle. The virus will eventually be activated by
some event, such as a date, the presence of another program or file, or the
capacity of the disk exceeding some limit. Not all viruses have this stage.

Propagation phase: The virus places an identical copy of itself into other
programs or into certain system areas on the disk. Each infected program will
now contain a clone of the virus, which will itself enter a propagation phase.

Triggering phase: The virus is activated to perform the function for which it
was intended. As with the dormant phase, the triggering phase can be caused by
a variety of system events, including a count of the number of times that this
copy of the virus has made copies of itself.

Execution phase: The function is performed. The function may be harmless,

such as a message on the screen, or damaging, such as the destruction of
programs and data files.

Virtual Private Networks (VPN)

A Virtual Private Networks (VPN) is a way to extend a private network through

a public network such as the Internet. Users may then use the VPN to access
data on the private network through the Internet as if they are directly connected
to the private network.

Virtual Private Networks are defined broadly as a way to extend a private

network through the public network such as the Internet (Brown, 1999). A
private network is a network that exists in a Local Area Network (LAN). The

28
Prof. Andleeb Sahar
UNIT V CRYPTOGRAPHY & NETWORK SECURITY

extension of a private network that is done with the use of VPN technology can
be used to access other private networks remotely through the use of a VPN
tunnel. A tunnel in networking is a way to send data that is not normally
supported by a network protocol by repackaging data in a packet to another
protocol. If two routers have tunneling configured it is possible to encapsulate
the data to send directly to each other over the Internet and then decapsulate the
payload that was sent through the tunnel to send it onwards to the destination.

Figure a is the first example of a VPN type, it is called host-to-network or

remote access. It is used as the name suggests, to connect one computer to a
private network, for example a remote worker that needs to access private
company files on the company network.

fig: a

Figure b shows a site-to-site network, which is used to connect the private

networks of two branches of the same company to share their local private
network and data. It is also possible to utilize this type of VPN between two
different companies or organizations to collaborate.

29
Prof. Andleeb Sahar
UNIT V CRYPTOGRAPHY & NETWORK SECURITY

Fig: b

Web security

Web Security is very important nowadays. Websites are always prone to

security threats/risks. Web Security deals with the security of data over the
internet/network or web or while it is being transferred to the internet. For e.g.
when you are transferring data between client and server and you have to
protect that data that security of data is your web security.

Web security threats are constantly emerging and evolving, but many threats
consistently appear at the top of the list of web security threats. These include:

● Cross-site scripting (XSS)

● SQL Injection
● Phishing
● Ransomware
● Code Injection
● Viruses and worms
● Spyware
● Denial of Service

30
Prof. Andleeb Sahar
UNIT V CRYPTOGRAPHY & NETWORK SECURITY

31
Prof. Andleeb Sahar