Unit 4

Uploaded by

ishwari.anjikar

Unit - 4

TCP/IP and OSI model
- Unit 4: Session, Presentation, and Application layers
- Unit 3: Network and Transport layers
- Unit 2: Data link layer
- Unit 1: Physical layer

Addressing
- Four levels of addresses are used in an internet employing the TCP/IP protocols.

Chapter 25 Domain Name System/Server
- DNS is a client/server application.
- A DNS client/server program can support an e-mail program to find the IP address of an e-mail recipient.
- It enables the use of application layer addresses, such as an e-mail address, instead of network layer logical addresses.
- It resolves an IP address to a host name or vice versa.
- It is a distributed mapping service.

Why?
- All devices that are connected to the Internet are identified by an IP address (i.e., numbers).
- To make it easy for people to remember, names (host names) are used to identify all devices on a network.

- To identify an entity, TCP/IP protocols use the IP address, which uniquely identifies the connection of a host to the Internet.
- However, people prefer to use names instead of numeric addresses.
- Therefore, we need a system that can map a name to an address or an address to a name.
- When the Internet was small, mapping was done by using a host file.
- The host file had only two columns: name and address.
- Every host could store the host file on its disk and update it periodically from a master host file.
- When a program or a user wanted to map a name to an address, the host consulted the host file and found the mapping.
- Today, however, it is impossible to have one single host file to relate every address with a name and vice versa.
- The host file would be too large to store in every host.
- In addition, it would be impossible to update all the host files every time there was a change.

- Solutions:
  1. Store the entire host file in a single computer and allow every computer that needs mapping to access this centralized information.
     But we know that this would create a huge amount of traffic on the Internet.
  2. The one used today: divide this huge amount of information into smaller parts and store each part on a different computer.
     In this method, the host that needs mapping can contact the closest computer holding the needed information.
     This method is used by the Domain Name System (DNS).

26.8
DOMAIN NAME SPACE
 To have a hierarchical name space, a domain name space was
designed.
 In this design the names are defined in an inverted-tree
structure with the root at the top.
 The tree can have only 128 levels: level 0 (root) to level 127

Label:
- Each node in the tree has a label, which is a string with a maximum of 63 characters.
- The root label is a null string (empty string).
- DNS requires that children of a node (nodes that branch from the same node) have different labels, which guarantees the uniqueness of the domain names.

Domain Name:
- Each node in the tree has a domain name.
- A full domain name is a sequence of labels separated by dots (.).
- The domain names are always read from the node up to the root.
- The last label is the label of the root (null).
- This means that a full domain name always ends in a null label, which means the last character is a dot because the null string is nothing.

Domain:
- A domain is a subtree of the domain name space.
- The name of the domain is the domain name of the node at the top of the subtree.
- Note that a domain may itself be divided into domains (or subdomains, as they are sometimes called).

DISTRIBUTION OF NAME SPACE
- The information contained in the domain name space must be stored.
- However, it is very inefficient and also unreliable to have just one computer store such a huge amount of information.
- It is inefficient because responding to requests from all over the world places a heavy load on the system.
- It is unreliable because any failure makes the data inaccessible.

Hierarchy of Name Servers:
- The solution to these problems is to distribute the information among many computers called DNS servers.
- One way to do this is to divide the whole space into many domains based on the first level.
- In other words, we let the root stand alone and create as many domains (subtrees) as there are first-level nodes.
- Because a domain created in this way could be very large, DNS allows domains to be divided further into smaller domains (subdomains).
- Each server can be responsible (authoritative) for either a large or a small domain.
- In other words, we have a hierarchy of servers in the same way that we have a hierarchy of names.

Zone:
- What a server is responsible for, or has authority over, is called a zone.
- We can define a zone as a contiguous part of the entire tree.
- If a server accepts responsibility for a domain and does not divide the domain into smaller domains, the domain and the zone refer to the same thing.

Root Server:
- A root server is a server whose zone consists of the whole tree.
- There are several root servers, each covering the whole domain name space.
- The servers are distributed all around the world.

Primary and Secondary Servers:
- DNS defines two types of servers: primary and secondary.

Primary server:
- It is a server that stores a file about the zone for which it is an authority.
- It is responsible for creating, maintaining, and updating the zone file.
- It stores the zone file on a local disk.

Secondary server:
- It transfers the complete information about a zone from another server (primary or secondary) and stores the file on its local disk.
- It neither creates nor updates the zone files.

- The primary and secondary servers are both authoritative for the zones they serve.

DNS in the Internet
- DNS is a protocol that can be used on different platforms.
- In the Internet, the DNS (tree) is divided into three different sections: generic domains, country domains, and the inverse domain.

Generic Domains:
- They define registered hosts according to their generic behavior.
- Each node in the tree defines a domain, which is an index to the DNS database.

Country Domains:
- The country domains section uses two-character country abbreviations (e.g., us for United States).
- Second labels can be organizational, or they can be more specific, national designations.
- The United States, for example, uses state abbreviations as a subdivision of us (e.g., ca.us.).
- The address anza.cup.ca.us can be translated to De Anza College in Cupertino, California, in the US.

Inverse Domain:
- It is used to map an address to a name.
- This may happen, for example, when a server has received a request from a client to do a task.
- This type of query is called an inverse or pointer (PTR) query.

RESOLUTION
- Mapping a name to an address or an address to a name is called name-address resolution.

Resolver:
- DNS is designed as a client/server application.
- A host that needs to map an address to a name or a name to an address calls a DNS client called a resolver.

Recursive Resolution:
- The client (resolver) can ask for a recursive answer from a name server.
- This means that the resolver expects the server to supply the final answer.
- When the query is finally resolved, the response travels back until it finally reaches the requesting client.

Iterative Resolution:
- If the client does not ask for a recursive answer, the mapping can be done iteratively.
- If the server is an authority for the name, it sends the answer.
- If it is not, it returns the address of the server it thinks can resolve the query, and the client sends the same query to that server.
- This process is called iterative resolution because the client repeats the same query to multiple servers.

Chapter 26: Electronic Mail and File Transfer
- One of the most popular Internet services is electronic mail (e-mail).
- The popularity of this application program was not imagined.
- It allows users to exchange messages.
- The client/server paradigm has to be implemented in a different way here: using some intermediate computers (servers).
- Initially: short messages (only text).
- Today: text, audio, and video.
- Today's e-mail systems are based on a store-and-forward model.
- E-mail servers accept, forward, deliver, and store messages.
- Neither the users nor their computers are required to be online simultaneously.

Architecture: Common scenario

Figure: common e-mail scenario. Steps 1 to 9 run from the sending client, which pushes messages, to the receiving client, which pulls them. A mail spool is a file that stores the mail header and message body of every e-mail for a particular account. Mailboxes contain delivered e-mails.

Services of user agent
A UA provides service to the user to make the process of sending and receiving a message easier. A user agent is a software package (program) that composes, reads, replies to, and forwards messages. It also handles mailboxes.

Composing messages:
- A user agent helps the user compose the e-mail message to be sent out.
- Template
- Built-in editor (spell checking, grammar checking, and other tasks expected from a sophisticated word processor).

Reading messages:
1. Number field.
2. A flag field: status of the mail (new, already read but not replied to, or read and replied to).
3. The size of the message.
4. The sender.
5. The optional subject field.

Replying to messages:
- After reading a message, a user can use the UA to reply to a message.
- Reply to:
  - the original sender
  - all recipients of the message.
- It contains the original message (for quick reference) and the new message.

Forwarding messages: sending the message to a third party.

Handling Mailboxes:
- A UA normally creates two mailboxes:
  1. Inbox (all the received mails)
  2. Outbox (sent e-mails)
- Most UAs today are capable of creating customized mailboxes.

Format of an e-mail

E-mail address

Concept of Network Virtual Terminal

TELNET (TErminal NETwork): it is a general-purpose client/server application program.

MIME (Multipurpose Internet Mail Extensions)

E-mail as originally designed:
- Simple structure.
- It was inexpensive.
- It can send messages only in 7-bit ASCII format.
- It cannot be used for languages (French, German, etc.) that are not supported by 7-bit ASCII.
- Also, it cannot be used to send binary files or video or audio data.

Need for MIME: it is a supplementary protocol that allows non-ASCII data to be sent through e-mail.

Five headers in MIME
- MIME-Version (1.1)
- Content-Type
- Content-Transfer-Encoding
- Content-Id
- Content-Description (whether the body is image, audio, or video)

Content-Type
Type of data used in the body of the message.

Content-Type: <type/subtype; parameters>

Content-Transfer-Encoding
It defines the method used to encode the messages into 0s and 1s for transport.

Content-Transfer-Encoding: <type>

Base64 conversion
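The Base64 conversion used by Content-Transfer-Encoding: base64, written out as an added example (not from the slides): each 24-bit group of the binary body becomes four 6-bit values printed as 7-bit ASCII characters, which is what lets non-ASCII data cross a 7-bit mail path. The sample payload is constructed; the MIME-Version value written is 1.0, the version RFC 2045 defines.

```python
# Added example, not from the slides: hand-rolled Base64 (3 bytes -> 4
# characters) checked against the standard library, plus the MIME part
# headers listed on the slides. The payload at the bottom is constructed.
import base64

ALPHABET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
            "abcdefghijklmnopqrstuvwxyz"
            "0123456789+/")


def base64_encode(data):
    """bytes -> str, following the 24-bit / four 6-bit-group rule."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        pad = 3 - len(chunk)                                 # missing bytes: 0, 1 or 2
        bits = int.from_bytes(chunk + b"\x00" * pad, "big")  # one 24-bit group
        for shift in (18, 12, 6, 0):                         # four 6-bit groups
            out.append(ALPHABET[(bits >> shift) & 0x3F])
        if pad:
            out[-pad:] = "=" * pad                           # '=' marks missing bytes
    return "".join(out)


def base64_decode(text):
    """Inverse of base64_encode, honouring the trailing '=' padding."""
    values = {c: i for i, c in enumerate(ALPHABET)}
    out = bytearray()
    for i in range(0, len(text), 4):
        quad = text[i:i + 4]
        pad = quad.count("=")
        bits = 0
        for c in quad:
            bits = (bits << 6) | (0 if c == "=" else values[c])
        out += bits.to_bytes(3, "big")[:3 - pad]
    return bytes(out)


def is_seven_bit(text):
    """True when every character is 7-bit ASCII, all pre-MIME mail could carry."""
    return all(ord(c) < 128 for c in text)


def matches_stdlib(data):
    """Cross-check of the hand-rolled coder against Python's base64 module."""
    encoded = base64_encode(data)
    return (encoded == base64.b64encode(data).decode("ascii")
            and base64_decode(encoded) == data)


def mime_part(data, content_type):
    """The MIME headers from the slides around a Base64 body."""
    return ("MIME-Version: 1.0\r\n"                # value defined by RFC 2045
            "Content-Type: " + content_type + "\r\n"
            "Content-Transfer-Encoding: base64\r\n"
            "\r\n" + base64_encode(data) + "\r\n")


if __name__ == "__main__":
    # constructed sample: a non-ASCII greeting followed by raw binary bytes
    payload = "Grüße".encode("utf-8") + bytes([0x00, 0xFF, 0x80])
    print(is_seven_bit(payload.decode("latin-1")))       # False: needs encoding
    print(mime_part(payload, "application/octet-stream"))
```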

Protocols used in electronic mail
- MTA (message transfer agent):
  - To send mail, a system must have a client MTA.
  - To receive mail, a system must have a server MTA.
- SMTP (push protocol):
  - It defines the MTA client/server programs.
  - It also defines commands and responses.
- MAA (message access agent): POP and IMAP (pull protocols).

Commands and responses

SMTP format and commands

SMTP responses

SMTP responses (continued)

Mail Transfer Phases

Message Access Agent (MAA): pull protocols
- POP3 (Post Office Protocol)
- IMAP4 (Internet Mail Access Protocol)

POP3 (Post Office Protocol)
- It is simple and limited in functionality.
- It is software for client/server programs.
- It has two modes: delete and keep.
- Limitations:
  - It does not allow the user to organize the mail (create folders) on the server.
  - It does not allow the user to partially check the contents of the mail before downloading.

IMAP4 (Internet Mail Access Protocol)
- It is similar to POP3, but it has more features.
- It is more powerful and more complex.
- Extra functions:
  - A user can check the e-mail header prior to downloading.
  - A user can search the contents of the e-mail.
  - A user can partially download e-mail (useful in limited-bandwidth applications).
  - A user can create, delete, or rename mailboxes on the mail server.

Chapter 29 Multimedia
- It refers to a number of different integrated media, such as text, images, audio, and video, that are generated, stored, and transmitted digitally and can be accessed interactively.
- Multimedia today is a broad subject that cannot be fully discussed in one lecture.
- A. Digitizing
- B. Compression
- C. Multimedia in the Internet, in three categories:
  1. Streaming stored audio/video
  2. Streaming live audio/video
  3. Real-time interactive audio/video
- D. Transport-layer protocols used for multimedia applications: RTP and RTCP.

A. Digitizing Audio and Video
- Audio:
  - fs = 8000 samples/second
  - n = 8 bits/sample
  - Bit rate = n × fs = 64 Kbps
- Music:
  - fs = 44.1 KHz
  - n = 16 bits/sample
  - Bit rate = 705.6 Kbps (mono)
  - Bit rate = 1.411 Mbps (stereo)
- Video:

B. Compression
- It plays a crucial role in multimedia communication due to the large volume of data exchanged.
- In compression, we reduce the volume of data to be exchanged.
- We can divide compression into two broad categories:
  - Lossless: run-length coding, dictionary coding, Huffman coding, and arithmetic coding. Lossless compression has limits on the amount of compression.
  - Lossy: predictive coding (PCM, DPCM, DM, ADM, and LPC) and transform coding (DCT).

Example: CD format, uncompressed data rate = 1.4 Mbps; AAC files on an iPod, compressed data rate = 128 Kbps. Compression ratio = 1.4 Mbps / 128 Kbps = 10.9.

C. Multimedia in the Internet
1. Streaming Stored Audio/Video:
- The user can listen to (or watch) the file after the downloading has started.
- Files are compressed and stored on a server.
- A client downloads the files through the Internet; this is sometimes called on-demand A/V.
- Examples:
  - Stored audio files: songs, famous lectures.
  - Stored video files: movies, TV shows, and music video clips.

2. Streaming Live Audio/Video:
- A user can listen to broadcast A/V through the Internet.
- Example: Internet radio
  - Radio stations:
    - only on the Internet
    - both on the Internet and on air
- Internet TV (IPTV)
- UDP and RTP
- TCP

3. Interactive Audio/Video:
- People use the Internet to interactively communicate with one another.
- Internet telephony and teleconferencing.
- Voice over IP (VoIP)
- RTP

D. Real-time interactive protocols

1. Real-time Transport Protocol (RTP)
- It is the protocol designed to handle real-time traffic on the Internet.
- It allows only one type of message, one that carries data from the source to the destination.
- It does not have a delivery mechanism (multicasting, port numbers, and so on); it must be used with UDP.
- RTP stands between UDP and the multimedia application.
- The literature and standards treat RTP as the transport protocol (not a transport-layer protocol) that can be thought of as located in the application layer.
- It uses an even-numbered UDP port.

2. Real-time Transport Control Protocol (RTCP)
- RTP allows only one type of message, one that carries data from the source to the destination.
- To really control the session, we need more communication between the participants in a session.
- Control communication in this case is assigned to a separate protocol called RTCP.
- It provides flow control, quality-of-data control, and feedback to the sources.
- It uses an odd-numbered UDP port.

Chapter 30: Cryptography
- Cryptography is used to achieve network security.
- The chapter opens the door for studying network security.
- Goal: prevent data from being read by a third party.

1. Cryptography: "secret writing" (from Greek origins)
- It refers to the science and art of transforming messages to make them secure and immune to attacks.

Figure 30.1 Cryptography components: the sender's key electronically locks the plaintext and the receiver's key electronically unlocks it.

2. Cipher:
- Encryption and decryption algorithms are known as ciphers.
- The term is also used to refer to different categories of algorithms in cryptography.
- This is not to say that every sender-receiver pair needs their very own unique cipher for secure communication.
- On the contrary, one cipher can serve millions of communicating pairs.

3. Key:
- It is a number (or a set of numbers) that the cipher, as an algorithm, operates on.

4. Alice, Bob, and Eve:
- Alice is the person who needs to send secure data.
- Bob is the recipient of the data.
- Eve is the person who somehow disturbs the communication between Alice and Bob by intercepting messages.
- These three names represent computers or processes that actually send or receive data, or intercept or change data.

Figure 30.2 Categories of cryptography

1. Symmetric-Key Cryptography
- In symmetric-key cryptography, the same key is used by both parties.
- It started thousands of years ago when people needed to exchange secrets (for example, in a war).
- Today's ciphers are much more complex.
  1.a Traditional algorithms: character-oriented.
  1.b Modern algorithms: bit-oriented.

Figure 30.3 Symmetric-key cryptography

Figure 30.7 Traditional ciphers

Figure 30.8 Transposition cipher

1.a Traditional Ciphers:
- Obsolete.
- Modern ciphers evolved from them.
- Substitution: replace one symbol with another, e.g., A with D, T, or Z; 3 with 7; or 2 with 6.
  - Monoalphabetic: A (plaintext) is always replaced with D (ciphertext), regardless of the position.
  - Polyalphabetic: A is replaced with N in one position and with D in another.
- Transposition: reorders the symbols in a block of symbols, e.g., with the key
  2 4 1 3 (plaintext positions)
  1 2 3 4 (ciphertext positions)
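The three traditional ciphers just listed, implemented with their inverses as an added example (not code from the slides): a shift-3 monoalphabetic substitution (A to D), a polyalphabetic substitution whose key "ND" makes A become N in one position and D in the next, and the transposition with the slide's key 2 4 1 3. The messages and the padding letter Z are constructed; the histogram helper shows why the monoalphabetic cipher is obsolete, since letter frequencies pass straight through it.

```python
# Added example, not from the slides: monoalphabetic substitution,
# polyalphabetic substitution and block transposition, each with decryption.
# Plaintext is restricted to A-Z so the arithmetic stays visible.
import string

ALPHA = string.ascii_uppercase


def shift_char(ch, k):
    return ALPHA[(ALPHA.index(ch) + k) % 26]


def mono_encrypt(plain, k=3):
    """Monoalphabetic: A -> D wherever A occurs (a fixed shift of 3)."""
    return "".join(shift_char(c, k) for c in plain)


def mono_decrypt(cipher, k=3):
    return "".join(shift_char(c, -k) for c in cipher)


def poly_encrypt(plain, key="ND"):
    """Polyalphabetic: the shift depends on the position. Key letter N is a
    shift of 13 and D a shift of 3, so A -> N, then A -> D, as on the slide."""
    shifts = [ALPHA.index(c) for c in key]
    return "".join(shift_char(c, shifts[i % len(shifts)])
                   for i, c in enumerate(plain))


def poly_decrypt(cipher, key="ND"):
    shifts = [ALPHA.index(c) for c in key]
    return "".join(shift_char(c, -shifts[i % len(shifts)])
                   for i, c in enumerate(cipher))


def transpose_encrypt(plain, key=(2, 4, 1, 3), pad="Z"):
    """Transposition with the slide's key: ciphertext position 1 takes
    plaintext symbol 2, position 2 takes symbol 4, position 3 takes symbol 1
    and position 4 takes symbol 3, block by block. Short last blocks are
    padded (constructed choice: with Z)."""
    n = len(key)
    plain += pad * (-len(plain) % n)
    out = []
    for b in range(0, len(plain), n):
        block = plain[b:b + n]
        out.append("".join(block[p - 1] for p in key))
    return "".join(out)


def transpose_decrypt(cipher, key=(2, 4, 1, 3)):
    n = len(key)
    out = []
    for b in range(0, len(cipher), n):
        block = cipher[b:b + n]
        plain = [""] * n
        for i, p in enumerate(key):
            plain[p - 1] = block[i]        # put each symbol back where it came from
        out.append("".join(plain))
    return "".join(out)


def letter_histogram(text):
    """Letter counts, most frequent first. A monoalphabetic ciphertext keeps
    the plaintext's frequency profile, which is what makes it breakable."""
    counts = {}
    for c in text:
        counts[c] = counts.get(c, 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])))


if __name__ == "__main__":
    msg = "ATTACKATDAWN"                  # constructed message
    print(mono_encrypt(msg), poly_encrypt(msg), transpose_encrypt(msg))
    print(letter_histogram(mono_encrypt(msg)))
```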
1.b Modern Ciphers:
- Bit-oriented.
- Numbers, graphics, audio, and video data are all digital data (plaintext).

2. Asymmetric-Key Cryptography
- Asymmetric-key (public-key) cryptography uses two keys: one private and one public.
- Two algorithms: RSA and Diffie-Hellman.

2.A RSA Algorithm
- The most common public-key algorithm is RSA, named for its inventors Rivest, Shamir, and Adleman (RSA).
- It uses two numbers, e and d, as the public and private keys.

General Algorithm
1. Generate two large random prime numbers, p and q.
2. Compute n = p q and ϕ = (p - 1) (q - 1).
3. Choose an integer e such that 1 < e < ϕ and gcd(e, ϕ) = 1.
4. Compute the secret exponent d, 1 < d < ϕ, such that e d = 1 (mod ϕ).
5. The public key is (e, n) and the private key is (d, n). Keep p, q, and ϕ secret.

Example:
1. p = 7 and q = 11.
2. Compute n = 77 and ϕ = (p - 1) (q - 1) = 60.
3. Choose an integer e such that 1 < e < ϕ and gcd(e, ϕ) = 1: e = 13.
4. Compute the secret exponent d, 1 < d < ϕ, such that e d (mod ϕ) = 1: d = 37.
Plaintext P = 5
Encryption: C = P^e mod n, with public key (e, n) = (13, 77)
Decryption: P = C^d mod n, with private key (d, n) = (37, 77)

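The general algorithm and the slide's example carried out in code, as an added example that is not part of the slides: step 4 is done with the extended Euclidean algorithm (which the slides do not name), the gcd and range conditions of steps 3 and 4 are checked rather than assumed, and the slide's numbers p = 7, q = 11, e = 13, P = 5 are run through it.

```python
# Added example, not from the slides: RSA key generation, encryption and
# decryption following the five steps above, checked on the slide's numbers.
from math import gcd


def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def modinv(a, m):
    """Multiplicative inverse of a modulo m, i.e. step 4: d with e*d = 1 (mod phi)."""
    g, x, _ = egcd(a, m)
    if g != 1:
        raise ValueError("no inverse: gcd(%d, %d) != 1" % (a, m))
    return x % m


def rsa_keygen(p, q, e):
    """Steps 2 to 5 for given primes p, q and chosen exponent e.
    Returns (public key (e, n), private key (d, n))."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if not (1 < e < phi and gcd(e, phi) == 1):     # step 3 condition, enforced
        raise ValueError("e must satisfy 1 < e < phi and gcd(e, phi) = 1")
    d = modinv(e, phi)
    assert (e * d) % phi == 1 and 1 < d < phi        # step 4 condition
    return (e, n), (d, n)


def rsa_encrypt(plain, public_key):
    """C = P^e mod n. The plaintext must be a number smaller than n."""
    e, n = public_key
    if not 0 <= plain < n:
        raise ValueError("plaintext must be an integer in [0, n)")
    return pow(plain, e, n)


def rsa_decrypt(cipher, private_key):
    """P = C^d mod n."""
    d, n = private_key
    return pow(cipher, d, n)


def slide_example():
    """The slide's numbers: returns (d, ciphertext of 5, recovered plaintext)."""
    public, private = rsa_keygen(7, 11, 13)
    c = rsa_encrypt(5, public)
    return private[0], c, rsa_decrypt(c, private)


if __name__ == "__main__":
    print(slide_example())      # d = 37 as on the slide
    # n = 77 is a teaching toy that factors by hand; the security argument on
    # the next slide (difficulty of factoring) only holds for n of real size.
```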
Advantages:
- Key advantage: security rests on the difficulty of factoring large integers.
- It is easier to solve the fundamental problems of cryptography.
- Very fast, very simple encryption and verification.
- Easier to understand.

Disadvantages:
- Very slow key generation.
- Slow decryption, which is slightly tricky to implement securely.

Applications:
- Used for all of encryption, authentication, and digital signing.
- It is very slow if the message is long.

2.B Diffie-Hellman (DH)
- RSA is a public-key cryptosystem that is often used to encrypt and decrypt symmetric keys.
- Diffie-Hellman, on the other hand, was originally designed for key exchange.
- In a Diffie-Hellman cryptosystem, two parties create a symmetric session key to exchange data without having to remember or store the key for future use.

CHAPTER 31 Network Security
- We are living in the information age.
- Information is an asset that has a value like any other asset.
- As an asset, information needs to be secured from attacks:
  - hidden from unauthorized access (confidentiality)
  - protected from unauthorized change (integrity)
  - available to an authorized entity when it is needed (availability)
- Network security is a set of rules and configurations designed to protect the integrity, confidentiality and accessibility of computer networks and data using both software and hardware technologies.

Attacks
- The goals of security (confidentiality, integrity, and availability) can be threatened by security attacks.
- Although the literature uses different approaches to categorizing the attacks, we can divide them into three groups related to the security goals.

10 most common cyber attack types
1. Denial-of-service (DoS) and distributed DoS (DDoS): exhaust the system's resources, e.g., TCP SYN flood.
   Solution: place the server behind a firewall configured to stop SYN packets.
2. Man-in-the-middle (MitM): session hijacking, IP spoofing, replay.
   Solution: encryption and digital certificates.
3. Phishing: sending e-mails that appear to come from trusted sources.
   Critical thinking: do not accept that an e-mail
   Move your mouse over the link, but do not click it.
   Analyze the e-mail headers ("Reply-To" and "Return-Path").

4. Drive-by
   - Common method of spreading malware.
   - Attackers look for insecure websites and plant a malicious script into HTTP.
   Solution: keep your browser and OS up to date.
5. Password
   - Common and effective attack approach.
   - Sniffing the connection.
   - Brute force: password guessing by trying many different passwords at random.
   Solution: account lockout policy.

6. SQL injection
   - Common for database-driven websites.
   Solution: stick to stored procedures (don't use dynamic SQL).
7. Cross-site scripting (XSS)
   - It uses third-party web resources.
   Solution: developers can sanitize data input by users in an HTTP request before sending the response.
8. Eavesdropping
   - It occurs through the interception of network traffic.
   - The attacker can obtain passwords, credit card numbers, etc.
   - Passive: listening to the messages on the network.
   - Active: tampering.
   Solution: data encryption.

9. Birthday
   - These are made against hash algorithms that are used to verify the integrity of a message.
   - The name refers to the probability of finding two random messages that generate the same message digest (MD).
10. Malware
   - Malicious software can be described as unwanted software that is installed in your system without your consent.
   - Macro viruses, file infectors, polymorphic viruses, stealth viruses, Trojans, logic bombs, worms, droppers, ransomware, adware, spyware.

Conclusions:
- Keep your system and AV database up to date.
- Configure your firewall.
- Keep your passwords strong.
- Make regular backups.
- Continuously audit your IT systems.
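Item 6 above (SQL injection and the advice to avoid dynamic SQL) as an added example that is not from the slides: the same user lookup written once by pasting the input into the SQL text and once as a parameterised query, run against an in-memory SQLite table of constructed rows so the difference in behaviour can be observed directly.

```python
# Added example, not from the slides: dynamic SQL beside its parameterised
# replacement. The table, rows and inputs are constructed for the demo.
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "hash-a", "admin"),        # constructed rows
        ("bob", "hash-b", "user"),
    ])
    return conn


def find_user_dynamic(conn, name):
    """Vulnerable: the caller's string becomes part of the SQL statement, so
    quote characters in it change the query's structure."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_parameterised(conn, name):
    """Hardened: the value travels separately from the statement text and is
    only ever compared as data, whatever characters it contains."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Runs both lookups on an ordinary name and on a quote-bearing one.
    The dynamic version returns every row for the second input; the
    parameterised one returns nothing, because no user has that name."""
    conn = make_db()
    ordinary = "bob"
    quoted = "x' OR '1'='1"               # textbook probe string, for the comparison
    return {
        "dynamic_ordinary": find_user_dynamic(conn, ordinary),
        "dynamic_quoted": find_user_dynamic(conn, quoted),
        "param_ordinary": find_user_parameterised(conn, ordinary),
        "param_quoted": find_user_parameterised(conn, quoted),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

Detection note: the dynamic form is the thing to grep for in code review (string concatenation or f-strings feeding execute()); the stored-procedure advice on the slide is one way to force the parameterised path.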


Attacks Threatening Confidentiality:

Snooping:
- It refers to unauthorized access to or interception of data.
- How to prevent it? The data can be made nonintelligible to the interceptor by using encipherment techniques.

Traffic Analysis:
- Obtaining some other type of information by monitoring online traffic.
- For example, finding the electronic address (such as the e-mail address) of the sender or the receiver.

Attacks Threatening Integrity:

Modification:
- After intercepting or accessing information, the attacker modifies the information to make it beneficial to the attacker (e.g., bank information).

Masquerading:
- It happens when the attacker impersonates somebody else.
- For example: an attacker might steal the bank card and PIN of a bank customer.

Replaying (also known as playback):
- It is a form of network attack in which a valid data transmission is maliciously repeated or delayed.
- In replaying, the attacker obtains a copy of a message sent by a user.
- This kind of attack has the ability to crash applications which are designed poorly.
- Timestamping is a way of preventing a replay attack.
- Clock synchronization should be achieved using a secure protocol.

Repudiation:
- This type of attack is different from the others because it is performed by one of the two parties in the communication: the sender or the receiver.
- It happens when an application or system does not adopt controls to properly track and log users' actions, thus permitting malicious manipulation or forging of the identification of new actions.

Attacks Threatening Availability:

Denial of Service:
- Denial of service (DoS) is a very common attack. It may slow down or totally interrupt the service of a system.
- The attacker can use several strategies to achieve this.
- The attacker may send so many bogus requests to a server that the server crashes because of the heavy load.
- The attacker may also intercept requests from the clients, causing the clients to send requests many times and overload the system.

Services and Techniques:
- ITU-T defines some security services to achieve security goals and prevent attacks.
- Each of these services is designed to prevent one or more attacks while maintaining security goals.
- The actual implementation of security goals needs some techniques.
- Two techniques: one is very general (cryptography) and one is specific (steganography).

Cryptography, "secret writing": it means concealing the contents of a message by enciphering.
Steganography, "covered writing": it means concealing the message itself by covering it with something else.

SECURITY SERVICES
- A. Message
- B. Entity Authentication

A. Message:
a. Confidentiality or Privacy:
- Sender and receiver expect privacy.
- To all others the message must be garbage.
- Achieved with symmetric- and asymmetric-key cryptography.

b. Integrity:
- Data must arrive at the receiver exactly as they were sent.
- There must be no change during the transmission, neither accidental nor malicious.
- Data can be modified by unauthorized users.
- Achieved with a message and its fingerprint (message digest).

c. Authentication:
- It goes beyond message integrity.
- The receiver needs to be sure of the sender's identity.

d. Nonrepudiation:
- A sender must not be able to deny sending a message that he or she, in fact, did send.

- Message authentication code (MAC): it uses a secret key.
- Digital signature (electronic signature): it uses a pair of private and public keys.
  - It is another way to provide message integrity, authentication, and nonrepudiation.
  - It is a legal concept that is widely used in information security and refers to a service which provides proof of the origin of data and of the integrity of the data.
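An added example (not from the slides) tying the MAC service above to the Replaying slide earlier: the sender tags each message with an HMAC over the message, a timestamp and a nonce, and the receiver checks the tag, the timestamp window and whether the nonce was already seen. The key, the 30-second window and the messages are constructed; HMAC-SHA256 is the MAC chosen here, the slides name none.

```python
# Added example, not from the slides: MAC-protected messages with replay
# checks. Key, window and messages are constructed for the demonstration.
import hashlib
import hmac
import secrets

KEY = b"constructed-shared-secret-key"     # known only to sender and receiver
WINDOW = 30                                # seconds of delay/skew tolerated


def tag(key, fields):
    """HMAC-SHA256 over (message, timestamp, nonce), framed so the fields
    cannot be shifted into one another."""
    framed = "\x1f".join(fields).encode()
    return hmac.new(key, framed, hashlib.sha256).hexdigest()


def send(key, message, now):
    """Sender side: returns the packet (message, timestamp, nonce, mac)."""
    nonce = secrets.token_hex(8)
    fields = (message, str(now), nonce)
    return fields + (tag(key, fields),)


class Receiver:
    def __init__(self, key):
        self.key = key
        self.seen = set()                  # nonces already accepted

    def accept(self, packet, now):
        """Returns (accepted, reason). The MAC is checked first so that a
        forged packet can never touch the replay state."""
        message, ts, nonce, mac = packet
        expected = tag(self.key, (message, ts, nonce))
        if not hmac.compare_digest(expected, mac):   # modification or forgery
            return False, "bad mac"
        if abs(now - int(ts)) > WINDOW:              # delayed copy
            return False, "stale timestamp"
        if nonce in self.seen:                       # repeated copy
            return False, "replay"
        self.seen.add(nonce)
        return True, "ok"


def scenario():
    """Fresh, replayed, delayed and tampered copies of one message.
    Returns the receiver's reason for each."""
    rx = Receiver(KEY)
    t0 = 1_700_000_000                     # constructed send time
    pkt = send(KEY, "transfer 100 to bob", t0)
    results = [rx.accept(pkt, t0 + 1)]                         # fresh: ok
    results.append(rx.accept(pkt, t0 + 2))                     # same packet again
    late = send(KEY, "transfer 100 to bob", t0)
    results.append(rx.accept(late, t0 + 120))                  # held back 2 minutes
    tampered = ("transfer 900 to bob",) + pkt[1:]
    results.append(rx.accept(tampered, t0 + 3))                # amount changed
    return [r[1] for r in results]


if __name__ == "__main__":
    print(scenario())
    # Both parties hold KEY, so either could have produced any tag: a MAC
    # gives integrity and authentication but not nonrepudiation. That is
    # why the slide pairs nonrepudiation with the digital signature.
```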

B. Entity Authentication
- The entity or user is verified prior to access to the system resources.
- An entity can be a person, a process, a client, or a server.
- Fixed password and OTP.
- Message authentication (or data-origin authentication) might not happen in real time; entity authentication does.
- Message authentication simply authenticates one message; the process needs to be repeated for each new message.
- Entity authentication authenticates the applicant for the entire duration of a session.

Verification Categories

Something Known:
- This is a secret known only by the claimant that can be checked by the verifier.
- Examples: a password, a PIN, a secret key, and a private key.

Something Possessed:
- This is something that can prove the claimant's identity.
- Examples: a passport, a driver's license, an identification card, a credit card, and a smart card.

Something Inherent:
- This is an inherent characteristic of the claimant.
- Examples: conventional signatures, fingerprints, voice, facial characteristics, retinal pattern, and handwriting.

CHAPTER 32 Internet Security
- Internet security is normally applied at three layers in the Internet: the network layer, the transport layer, and the application layer.
- We also discuss firewalls, a technology that provides system security for an enterprise.

NETWORK-LAYER SECURITY
- At the network layer, security is applied between two hosts, two routers, or a host and a router.
- The purpose of network-layer security is to protect those applications that use the service of the network layer directly, such as routing protocols.
- The only network-layer security we discuss here is called IPSec.
- IP Security (IPSec) is a collection of protocols designed by the IETF to provide security for a packet at the network level.
- IPSec helps to create authenticated and confidential packets for the IP layer.

Two Modes

Transport Mode:
- In transport mode, IPSec protects what is delivered from the transport layer to the network layer.
- It does not protect the IP header.
- It is normally used when we need host-to-host (end-to-end) protection of data.

Tunnel Mode:
- In tunnel mode, IPSec protects the entire IP packet. It takes an IP packet, including the header, applies IPSec security methods to the entire packet, and then adds a new IP header.

Two Security Protocols
- IPSec defines two protocols: the Authentication Header (AH) protocol and the Encapsulating Security Payload (ESP) protocol.
- IPSec supports both IPv4 and IPv6.

Authentication Header (AH) Protocol:
- It is designed to authenticate the source host and to ensure the integrity of the payload carried in the IP packet.
- It does not provide privacy.

Encapsulating Security Payload (ESP) Protocol:
- Used to provide authentication and/or encryption for packets at the IP level.
- It provides source authentication, integrity, and privacy.
- It adds a header and a trailer.
- ESP's authentication data are added at the end of the packet, which makes its calculation easier.

FIREWALLS
- All the previous security measures cannot prevent Eve from sending a harmful message to a system.
- Firewalls are needed to control access to a system.
- A firewall is a device (usually a router or a computer) installed between the internal network of an organization and the rest of the Internet.
- It is designed to forward some packets and filter (not forward) others.

- A firewall can be used to deny access to a specific host or a specific service in the organization.
- A firewall is usually classified as:
  - a packet-filter firewall
  - a proxy-based firewall.

Packet-Filter Firewall
- It can forward or block packets based on the information in the network-layer and transport-layer headers:
  - source and destination IP addresses
  - source and destination port addresses
  - type of protocol (TCP or UDP)
- It is a router that uses a filtering table to decide which packets must be discarded (not forwarded).

Example filtering table rules:
1. Incoming packets from network 131.34.0.0 are blocked (security precaution). Note that the * (asterisk) means "any."
2. Incoming packets destined for any internal TELNET server (port 23) are blocked.
3. Incoming packets destined for internal host 194.78.20.8 are blocked. The organization wants this host for internal use only.
4. Outgoing packets destined for an HTTP server (port 80) are blocked. The organization does not want employees to browse the Internet.
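The four rules above encoded as a packet-filter firewall, as an added example that is not from the slides: each rule is matched against the header fields the slide lists (direction, source network, destination host, destination port, protocol) and the first match blocks the packet, otherwise it is forwarded. Assumptions: 131.34.0.0 is treated as a /16 (the slide gives no mask), the rules carry no protocol restriction since the slide names none, and the sample packets are constructed.

```python
# Added example, not from the slides: the filtering table as code, with a
# first-match block decision and default forward. Sample traffic constructed.
from ipaddress import ip_address, ip_network

ANY = "*"    # the slide's asterisk: field not restricted

# (direction, source network, destination host, destination port, protocol)
RULES = [
    ("in",  "131.34.0.0/16", ANY,           ANY, ANY),   # 1: that network, assumed /16
    ("in",  ANY,             ANY,           23,  ANY),   # 2: no inbound TELNET
    ("in",  ANY,             "194.78.20.8", ANY, ANY),   # 3: internal-only host
    ("out", ANY,             ANY,           80,  ANY),   # 4: no outbound HTTP
]


def matches(rule, pkt):
    direction, src_net, dst_host, dst_port, proto = rule
    if direction != pkt["dir"]:
        return False
    if src_net != ANY and ip_address(pkt["src"]) not in ip_network(src_net):
        return False
    if dst_host != ANY and ip_address(pkt["dst"]) != ip_address(dst_host):
        return False
    if dst_port != ANY and pkt["dport"] != dst_port:
        return False
    if proto != ANY and pkt["proto"] != proto:
        return False
    return True


def decide(pkt, rules=RULES):
    """('block', rule number) for the first matching rule, else ('forward', None)."""
    for number, rule in enumerate(rules, start=1):
        if matches(rule, pkt):
            return "block", number
    return "forward", None


def packet(direction, src, dst, dport, proto="tcp"):
    return {"dir": direction, "src": src, "dst": dst, "dport": dport, "proto": proto}


SAMPLE = [                                                   # constructed traffic
    packet("in",  "131.34.7.9",   "194.78.21.1",  443),      # rule 1
    packet("in",  "203.0.113.5",  "194.78.21.1",  23),       # rule 2
    packet("in",  "203.0.113.5",  "194.78.20.8",  443),      # rule 3
    packet("out", "194.78.21.1",  "198.51.100.2", 80),       # rule 4
    packet("out", "194.78.21.1",  "198.51.100.2", 443),      # forwarded
    packet("in",  "203.0.113.5",  "194.78.21.1",  25),       # forwarded
]


def run_table(packets=SAMPLE, rules=RULES):
    return [decide(p, rules) for p in packets]


if __name__ == "__main__":
    for p, verdict in zip(SAMPLE, run_table()):
        print(p["dir"], p["src"], "->", p["dst"], p["dport"], verdict)
```

The table only ever sees headers: a harmful request on an allowed port passes, which is the gap the proxy (application) firewall on the next slide exists to close.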
Proxy Firewall (Computer)
- The packet-filter firewall is based on the information available in the network-layer and transport-layer headers (IP and TCP/UDP).
- However, sometimes we need to filter a message based on the information available in the message itself (at the application layer).
- It may also be called an application firewall or gateway firewall.

