Lecture 7

Uploaded by Bariso Abrahim

Chapter seven

Security
Fundamentals of secure networks;
Cryptography
• Computer data often travels from one computer to another, leaving the safety of
its protected physical surroundings.
• Once the data is out of your hands, people with bad intentions could modify or forge your
data, either for amusement or for their own benefit.
• Network Security - measures to protect data during their transmission
• Cryptography can reformat and transform our data, making it safer on its trip
between computers.
• The technology is based on the essentials of secret codes, augmented by modern
mathematics that protects our data in powerful ways.
• Cryptography is a method of protecting information and communication through
the use of codes so that only those for whom the information is intended can read
and process it.
Basic terminology in cryptographic system

• plaintext (P) - original message
• ciphertext (C) - coded message
• cipher - algorithm for transforming plaintext to ciphertext
• key - info used in cipher known only to sender/receiver
• encipher (encrypt) - converting plaintext to ciphertext
• decipher (decrypt) - recovering plaintext from ciphertext
• cryptography - study of encryption principles/methods
• cryptanalysis (codebreaking) - study of principles/ methods of deciphering
ciphertext without knowing key
• cryptology - field of both cryptography and cryptanalysis
Types of cryptographic techniques
• Symmetric key encryption
• Asymmetric key encryption
Symmetric encryption systems
• The two basic kinds of encryption are symmetric (also called "secret key") and
asymmetric (also called "public key").
• The symmetric systems provide a two-way channel to their users: A and B share a
secret key, and they can both encrypt information to send to the other as well as
decrypt information from the other.
• The symmetry of this situation is a major advantage of this type of encryption, but
it also leads to a problem: key distribution. How do A and B obtain their shared
secret key? And only A and B can use that key for their encrypted
communications.
• If A wants to share encrypted communication with another user C, A and C need a
different shared key. Key generation and key distribution is the major difficulty in
using symmetric encryption.
Cont.…
• In general, n users who want to communicate in pairs need n * (n - 1)/2 keys.
• In other words, the number of keys needed increases at a rate
proportional to the square of the number of users! So a property of
symmetric encryption systems is that they require a means of key
distribution.
Asymmetric encryption systems
• Public key systems excel at key management.
• Asymmetric encryption transforms plaintext into ciphertext using one of two
keys and an encryption algorithm.
• Using the paired key and a decryption algorithm, the plaintext is recovered from
the ciphertext.
• Public key cryptography solves the symmetric key encryption problem of having to
exchange a secret key.
• It uses two mathematically related digital keys: a public key (widely
disseminated) and a private key (kept secret by its owner).
• Once one key is used to encrypt a message, the same key cannot be used to
decrypt that message.
• For example, the sender uses the recipient's public key to encrypt a message;
the recipient uses his/her private key to decrypt it.
Cont.…
• By the nature of the public key approach, we can send a public key in
an e-mail message or post it in a public directory.
• Only the corresponding private key, which presumably is kept private,
can decrypt what has been encrypted with the public key.
• But for both kinds of encryption, a key must be kept well secured.
• Once the private key is known by an outsider, all messages written
previously or in the future can be decrypted (and hence read or
modified) by the outsider.
• So, for all encryption algorithms, key management is a major issue.
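The key pairing described above, worked through in an added example (not the lecture's own code): textbook RSA with small constructed primes shows that what the public key encrypts, only the paired private key recovers, while a toy symmetric cipher uses one shared key in both directions. The primes, exponent and message values are constructed for illustration and are far too small for real use.

```python
"""Textbook RSA with tiny constructed primes beside a toy symmetric cipher.
Added example, not from the lecture; illustrative sizes, not a secure scheme."""

from math import gcd


def make_keypair(p: int, q: int, e: int = 17):
    """Derive (public, private) keys from two primes; p, q and e are constructed."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime with phi(n)")
    d = pow(e, -1, phi)            # modular inverse, so e * d == 1 (mod phi)
    return (e, n), (d, n)          # public key, private key


def apply_key(key, block: int) -> int:
    """Encrypt or decrypt one numeric block: block^exponent mod n."""
    exponent, n = key
    if not 0 <= block < n:
        raise ValueError("block must be smaller than the modulus")
    return pow(block, exponent, n)


def symmetric_xor(shared_key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: the same shared key both encrypts and decrypts."""
    return bytes(b ^ shared_key[i % len(shared_key)] for i, b in enumerate(data))


def demo():
    public, private = make_keypair(61, 53)      # n = 3233, phi = 3120, d = 2753
    message = 65                                # one small numeric block
    cipher = apply_key(public, message)         # sender uses recipient's public key
    recovered = apply_key(private, cipher)      # only the paired private key undoes it
    wrong = apply_key(public, cipher)           # reusing the public key does not
    # Symmetric case: A and B must both hold the same secret key.
    shared = symmetric_xor(b"k", symmetric_xor(b"k", b"hi"))
    return cipher, recovered, wrong, shared


if __name__ == "__main__":
    print(demo())
```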
Firewalls
• Firewalls are network devices that enforce an organization’s security policy
• A firewall is a network security device that monitors incoming and outgoing
network traffic and decides whether to allow or block specific traffic based on a
defined set of security rules.
• A network administrator configures the firewall based on the policy of the
organization. The policy may take user productivity and bandwidth usage into
account as well as the security concerns of an organization.
• A firewall is a combination of hardware and software that isolates an
organization’s internal network from the Internet at large, allowing some packets
to pass and blocking others.
• A firewall allows a network administrator to control access between the outside
world and resources within the administered network by managing the traffic flow
to and from these resources.
Cont.…
• The firewall itself is immune to penetration. The firewall itself is a device
connected to the network.
• If not designed or installed properly, it can be compromised, in which case it
provides only a false sense of security (which is worse than no firewall at all!).
Cont.…
• Software firewalls
• Software firewalls are installed separately on individual devices.
• All devices within an intranet may not be compatible with a single software
firewall, and several different firewalls may be required.
• Hardware firewalls
• Hardware firewalls are physical devices, each with its own computing resources. They act as
gateways between internal networks and the internet, keeping data packets and
traffic requests from untrusted sources outside the private network.

Cont.…
• Firewalls can be classified in three categories:
• Packet filters,
• Stateful filters, and
• Application gateways.
1. Packet filter:
• All traffic leaving and entering the internal network passes through the organization's
gateway router, and it is at this router where packet filtering occurs.
• A packet filter examines each datagram in isolation, determining whether the datagram should be
allowed to pass or should be dropped based on administrator-specified rules.
• Filtering decisions are typically based on:
• Source or destination IP address
• Protocol type in IP datagram field: TCP, UDP, ICMP, OSPF, and so on
• Source and destination port number

Cont.…
2. Stateful filtering
• They work by creating a state table with source IP, destination IP,
source port and destination port once a connection is established.
• Based on this information, they create their own rules dynamically to allow expected
incoming network traffic instead of relying on a hardcoded set of rules.
• They conveniently drop data packets that do not belong to a verified
active connection.
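The packet filter and the stateful filter just described, side by side in an added example (not the lecture's own code): the stateless filter judges each datagram alone against rules on addresses, protocol and ports, so to let web replies in it must admit any TCP traffic from port 80; the stateful filter records the 4-tuple of each verified outbound connection and drops inbound datagrams that belong to none. The internal prefix 10.0.0., the rule set and the sample datagrams are constructed.

```python
"""Stateless packet filter beside a stateful filter with a connection state table.
Added example, not the lecture's code; addresses, rules and datagrams are constructed."""

from dataclasses import dataclass

INTERNAL = "10.0.0."     # constructed internal network prefix


@dataclass(frozen=True)
class Datagram:
    src_ip: str
    dst_ip: str
    proto: str           # "TCP", "UDP", "ICMP", ...
    src_port: int
    dst_port: int


# Constructed rules: src prefix, dst prefix, proto, src port, dst port, action
# ("" and None are wildcards). Rule 2 is the price of statelessness: any
# datagram claiming source port 80 gets in, reply or not.
RULES = [
    (INTERNAL, "", "TCP", None, 80, "allow"),     # inside -> any web server
    ("", INTERNAL, "TCP", 80, None, "allow"),     # any "web reply" -> inside
    ("", "", "*", None, None, "drop"),            # default deny
]


def packet_filter(dg: Datagram) -> str:
    """Stateless decision: each datagram alone against the rule list, first match wins."""
    for src, dst, proto, sport, dport, action in RULES:
        if (dg.src_ip.startswith(src) and dg.dst_ip.startswith(dst)
                and proto in ("*", dg.proto)
                and sport in (None, dg.src_port) and dport in (None, dg.dst_port)):
            return action
    return "drop"


class StatefulFilter:
    """Keeps a table of verified connections; inbound traffic must belong to one."""

    def __init__(self):
        self.table = set()       # (src_ip, dst_ip, src_port, dst_port) of connections

    def decide(self, dg: Datagram) -> str:
        if dg.dst_ip.startswith(INTERNAL):      # inbound: only expected replies pass
            reply_of = (dg.dst_ip, dg.src_ip, dg.dst_port, dg.src_port)
            return "allow" if reply_of in self.table else "drop"
        verdict = packet_filter(dg)             # outbound: still subject to static policy
        if verdict == "allow":                  # dynamic rule created for the reply
            self.table.add((dg.src_ip, dg.dst_ip, dg.src_port, dg.dst_port))
        return verdict


def demo():
    request = Datagram("10.0.0.5", "198.51.100.20", "TCP", 40000, 80)
    reply = Datagram("198.51.100.20", "10.0.0.5", "TCP", 80, 40000)
    unsolicited = Datagram("203.0.113.9", "10.0.0.7", "TCP", 80, 445)  # no matching connection
    fw = StatefulFilter()
    return ([packet_filter(p) for p in (request, reply, unsolicited)],
            [fw.decide(p) for p in (request, reply, unsolicited)])
```

Running demo() returns the stateless verdicts first, which admit the unsolicited datagram, and the stateful verdicts second, which drop it.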
Cont.…
3. Application gateway
• Application-level gateways, also known as proxy firewalls, are implemented at
the application layer via a proxy device.
• Instead of an outsider accessing your internal network directly, the connection is
established through the proxy firewall.
• The external client sends a request to the proxy firewall. After verifying the
authenticity of the request, the proxy firewall forwards it to one of the internal
devices or servers on the client’s behalf.
• Application gateways perform deep packet inspection to analyze the context and content of data packets
against a set of user-defined rules. Based on the outcome, they either permit or
discard a packet.
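The application-level decision described above, as an added example (not the lecture's code): where a packet filter sees only addresses and ports, the proxy reads the whole application request (here a constructed HTTP request) and checks its method, target host and content against user-defined rules before forwarding on the client's behalf. The allowed methods, the internal host name and the sample requests are constructed.

```python
"""Application gateway check over a raw HTTP/1.1 request.
Added example, not the lecture's code; rules and hostnames are constructed."""

ALLOWED_METHODS = {"GET", "HEAD"}
ALLOWED_HOSTS = {"intranet.example.internal"}   # constructed internal server name
MAX_BODY = 4096


def parse_http_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.1 request into method, target, version, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii", errors="replace").split("\r\n")
    method, target, version = lines[0].split(" ", 2)   # ValueError if malformed
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def gateway_decision(raw: bytes) -> str:
    """Return 'forward' or 'discard' after inspecting the request content."""
    try:
        req = parse_http_request(raw)
    except ValueError:
        return "discard"                 # malformed request: never relay it
    if req["method"] not in ALLOWED_METHODS:
        return "discard"                 # only read-only methods reach inside
    if req["headers"].get("host") not in ALLOWED_HOSTS:
        return "discard"                 # proxy only speaks for known internal servers
    if ".." in req["target"] or len(req["body"]) > MAX_BODY:
        return "discard"                 # directory-escape sequence or oversized body
    return "forward"
```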