
Computer Network: Lecture Notes, Nepal Engineering College. Compiled by: Junior Professor Daya Ram Budhathoki

Nepal Engineering College, Changunarayan. Chapter: Network Management and Security: introduction to network management; Internet network management framework (SMI & MIB) & SNMP protocol; data encryption, Data Encryption Standard; principles of cryptography (symmetric key & public key encryption); integrity & firewalls.

Introduction to Network Management:


Network management is defined as monitoring, testing, configuring, and troubleshooting network components to meet a set of requirements defined by an organization. These requirements include the smooth, efficient operation of the network that provides the predefined quality of service for users. To accomplish this task, a network management system uses hardware, software, and humans.

Functions of Network Management System:
1. Configuration Management
2. Fault Management
3. Performance Management
4. Security Management
5. Accounting Management

Configuration Management
A large network is usually made up of hundreds of entities that are physically or logically connected to one another. These entities have an initial configuration when the network is set up, but can change with time. Desktop computers may be replaced by others; application software may be updated to a newer version; and users may move from one group to another. The configuration management system must know, at any time, the status of each entity and its relation to other entities. Configuration management can be subdivided into two parts: reconfiguration and documentation.

Fault Management:
Fault management falls into two categories.

Reactive Fault Management
A reactive fault management system is responsible for detecting, isolating, correcting, and recording faults. It handles short-term solutions to faults.

Proactive Fault Management
Proactive fault management tries to prevent faults from occurring. Although this is not always possible, some types of failures can be predicted and prevented.

Page: 1

Performance Management
Performance management is closely related to fault management and tries to monitor and control the network to ensure that it is running as efficiently as possible.

Security Management
Security management is responsible for controlling access to the network based on the predefined policy.

Accounting Management
Accounting management is the control of users' access to network resources through charges. Charging does not necessarily mean cash transfer; it may mean debiting the departments or divisions for budgeting purposes. Today, organizations use an accounting management system for the following reasons:
It prevents users from monopolizing limited network resources.
It prevents users from using the system inefficiently.
Network managers can do short- and long-term planning based on the demand for network use.

SNMP
Simple Network Management Protocol (SNMP) is an "Internet-standard protocol for managing devices on IP networks". Devices that typically support SNMP include routers, switches, servers, workstations, printers, modem racks, and more. It is used mostly in network management systems to monitor network-attached devices for conditions that warrant administrative attention. SNMP is a framework for managing devices in an internet using the TCP/IP protocol suite. It provides a set of fundamental operations for monitoring and maintaining an internet.

Concept
SNMP uses the concept of manager and agent. That is, a manager, usually a host, controls and monitors a set of agents, usually routers. SNMP is an application-level protocol in which a few manager stations control a set of agents. The protocol is designed at the application level so that it can monitor devices made by different manufacturers and installed on different physical networks.

Managers and Agents
A management station, called a manager, is a host that runs the SNMP client program. A managed station, called an agent, is a router (or a host) that runs the SNMP server program. Management is achieved through simple interaction between a manager and an agent. The agent keeps performance information in a database. The manager has access to the values in the database. For example, a router can store in appropriate variables the number of packets received and forwarded. The manager can fetch and compare the values of these two variables to see whether the router is congested.

An SNMP-managed network consists of three key components:
Managed device
Agent: software which runs on managed devices
Network management system (NMS): software which runs on the manager

A managed device is a network node that implements an SNMP interface that allows unidirectional (read-only) or bidirectional access to node-specific information. Managed devices exchange node-specific information with the NMSs. Sometimes called network elements, the managed devices can be any type of device, including, but not limited to, routers, access servers, switches, bridges, hubs, IP telephones, IP video cameras, computer hosts, and printers.

An agent is a network-management software module that resides on a managed device. An agent has local knowledge of management information and translates that information to or from an SNMP-specific form.

A network management system (NMS) executes applications that monitor and control managed devices. NMSs provide the bulk of the processing and memory resources required for network management. One or more NMSs may exist on any managed network.

Management with SNMP is based on three basic ideas:
1. A manager checks an agent by requesting information that reflects the behavior of the agent.
2. A manager forces an agent to perform a task by resetting values in the agent database.
3. An agent contributes to the management process by warning the manager of an unusual situation.

SNMP operates in the Application Layer of the Internet Protocol Suite (Layer 7 of the OSI model). The SNMP agent receives requests on UDP port 161. The manager may send requests from any available source port to port 161 on the agent. The agent's response is sent back to the source port on the manager. The manager receives notifications (Traps and InformRequests) on port 162. The agent may generate notifications from any available port.

To do management tasks, SNMP uses two other protocols:
1. Structure of Management Information (SMI)
2. Management Information Base (MIB)

Role of SNMP
SNMP has some very specific roles in network management. It defines the format of the packet to be sent from a manager to an agent and vice versa. It also interprets the result and creates statistics (often with the help of other management software). The packets exchanged contain the object (variable) names and their status (values). SNMP is responsible for reading and changing these values.

Roles of SMI
SMI defines the general rules for naming objects, defining object types (including range and length), and showing how to encode objects and values. SMI does not define the number of objects an entity should manage, name the objects to be managed, or define the association between the objects and their values. The Structure of Management Information, version 2 (SMIv2), is a component for network management. Its functions are:
1. To name objects
2. To define the type of data that can be stored in an object
3. To show how to encode data for transmission over the network

SMI is a guideline for SNMP. It emphasizes three attributes to handle an object: name, data type, and encoding method.

Roles of MIB
For each entity to be managed, this protocol must define the number of objects, name them according to the rules defined by SMI, and associate a type with each named object. MIB creates a collection of named objects, their types, and their relationships to each other in an entity to be managed. Each agent has its own MIB2, which is a collection of all the objects that the manager can manage. The objects in MIB2 are categorized under 10 different groups: system, interface, address translation, ip, icmp, tcp, udp, egp, transmission, and snmp.

Analogy: We can compare the task of network management to the task of writing a program. Both tasks need rules; in network management this is handled by SMI. Both tasks need variable declarations; in network management this is handled by MIB. Both tasks have actions performed by statements; in network management this is handled by SNMP.

Network Management Architectures
A network management system contains two primary elements: a manager and agents. The manager is the console through which the network administrator performs network management functions. Agents are the entities that interface to the actual device being managed. Bridges, hubs, routers or network servers are examples of managed devices that contain managed objects. These managed objects might be hardware, configuration parameters, performance statistics, and so on, that directly relate to the current operation of the device in question. These objects are arranged in what is known as a virtual information database, called a management information base (MIB). SNMP allows managers and agents to communicate for the purpose of accessing these objects.
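The following is an added worked example (not part of these notes) of what SMI's third function, "how to encode data for transmission", produces in practice. It builds, by hand, the bytes of an SNMPv2c GetRequest for the MIB-2 object sysDescr.0 (OID 1.3.6.1.2.1.1.1.0): every object is an OID-named, typed value, and each type is serialized as tag, length, value (BER). The community name "public" and request-id 1 are constructed sample values; nothing is sent on the network. Note for the defender: in SNMPv1/v2c the community string is the only credential and it travels in the clear inside this packet, which is why read-write communities should never cross untrusted networks.

```python
"""Minimal BER encoder for an SNMPv2c GetRequest (added example, not from the notes)."""

TAG_INTEGER = 0x02       # ASN.1 universal INTEGER
TAG_OCTET_STRING = 0x04  # OCTET STRING (used for the community name)
TAG_NULL = 0x05          # NULL: the value slot of a GetRequest varbind is empty
TAG_OID = 0x06           # OBJECT IDENTIFIER
TAG_SEQUENCE = 0x30      # SEQUENCE (constructed)
TAG_GET_REQUEST = 0xA0   # context-specific constructed tag 0 = GetRequest-PDU


def ber_length(n: int) -> bytes:
    """BER length octets: one byte below 128, else 0x80|count followed by count bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    """Wrap a value as tag, length, value."""
    return bytes([tag]) + ber_length(len(value)) + value


def encode_integer(v: int) -> bytes:
    """Minimal two's-complement INTEGER; a leading 0x00 is added when the high bit is set."""
    if v < 0:
        raise ValueError("this example encodes non-negative integers only")
    return tlv(TAG_INTEGER, v.to_bytes(v.bit_length() // 8 + 1, "big"))


def encode_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: the first two arcs fold into 40*a+b; later arcs are base-128
    with a continuation bit on every byte except the last (2011 becomes 0x8f 0x5b)."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid OID: " + dotted)
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(TAG_OID, bytes(out))


def build_get_request(community: str, oids, request_id: int = 1) -> bytes:
    """SNMPv2c message: SEQUENCE { version INTEGER 1, community OCTET STRING,
    GetRequest-PDU { request-id, error-status 0, error-index 0, varbind list } }."""
    varbinds = b"".join(
        tlv(TAG_SEQUENCE, encode_oid(oid) + tlv(TAG_NULL, b"")) for oid in oids)
    pdu = (encode_integer(request_id) + encode_integer(0) + encode_integer(0)
           + tlv(TAG_SEQUENCE, varbinds))
    # The community string is the only "credential" in v1/v2c and is sent in the clear.
    # This is the datagram a manager would send to UDP port 161 on the agent.
    return tlv(TAG_SEQUENCE,
               encode_integer(1)                              # version 1 = SNMPv2c
               + tlv(TAG_OCTET_STRING, community.encode())
               + tlv(TAG_GET_REQUEST, pdu))


if __name__ == "__main__":
    # sysDescr.0 from the MIB-2 system group; "public" is a constructed sample community.
    packet = build_get_request("public", ["1.3.6.1.2.1.1.1.0"])
    print(len(packet), "bytes:", packet.hex())
```

The 40-byte result begins with 0x30 0x26 (the outer SEQUENCE), then 0x02 0x01 0x01 (version), the community as an OCTET STRING, and the 0xA0 GetRequest PDU; reading the hex dump against the comments shows exactly which SMI rule produced each byte.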


A typical agent usually:
Implements the full SNMP protocol.
Stores and retrieves management data as defined by the Management Information Base.
Can asynchronously signal an event to the manager.
Can be a proxy (the proxy agent then translates the protocol interactions it receives from the management station) for some non-SNMP-manageable network node.

A typical manager usually:
Is implemented as a Network Management Station (the NMS).
Implements the full SNMP protocol.
Is able to:
o Query agents
o Get responses from agents
o Set variables in agents


Computer security requirements and Attacks:


Computer and network security address four requirements:
1. Confidentiality: Requires that data only be accessible by authorized parties. This type of access includes printing, displaying and other forms of disclosure of the data.
2. Integrity: Requires that data can be modified only by authorized users. Modification includes writing, changing, changing status, deleting and creating.
3. Availability: Requires that data are available to authorized parties.
4. Authenticity: Requires that a host or service be able to verify the identity of a user.

Types of Network Attacks
There are four primary classes of attacks.
1. Reconnaissance: Reconnaissance is the unauthorized discovery and mapping of systems, services, or vulnerabilities. It is also known as information gathering and, in most cases, it precedes another type of attack. Reconnaissance is similar to a thief casing a neighborhood for vulnerable homes to break into, such as an unoccupied residence, easy-to-open doors, or open windows.
2. Access: System access is the ability for an intruder to gain access to a device for which the intruder does not have an account or a password. Entering or accessing systems usually involves running a hack, script, or tool that exploits a known vulnerability of the system or application being attacked.
3. Denial of Service: Denial of service (DoS) is when an attacker disables or corrupts networks, systems, or services with the intent to deny services to intended users. DoS attacks involve either crashing the system or slowing it down to the point that it is unusable. But DoS can also be as simple as deleting or corrupting information. In most cases, performing the attack involves simply running a hack or script. For these reasons, DoS attacks are the most feared.
4. Worms, Viruses, and Trojan Horses: Malicious software can be inserted onto a host to damage or corrupt a system, replicate itself, or deny access to networks, systems, or services. Common names for this type of software are worms, viruses, and Trojan horses.


Data Encryption/Decryption, Cryptography, Integrity & Firewalls:

Cryptography
Cryptography is derived from the Greek words kryptós, "hidden", and gráphein, "to write", or "hidden writing". Cryptography is the science of using mathematics to encrypt and decrypt data. Cryptography enables you to store sensitive information or transmit it across insecure networks (like the Internet) so that it cannot be read by anyone except the intended recipient. While cryptography is the science of securing data, cryptanalysis is the science of analyzing and breaking secure communication. Classical cryptanalysis involves an interesting combination of analytical reasoning, application of mathematical tools, pattern finding, patience, determination, and luck. Cryptanalysts are also called attackers. Cryptology embraces both cryptography and cryptanalysis.

Encryption and Decryption

/ig5"ncr!ption and ecr!ption Plain*te1t and Cip er*te1t +%e original me##age, 'efore 'eing tran#formed, i# called plainte8t( 3fter t%e me##age i# tran#formed, it i# called cip%er4te8t( 3n encr!ption algorit%m tran#form# t%e plain te8t into cip%erte8t; a decr!ption algorit%m tran#form# t%e cip%er4te8t 'ack into plain4 te8t( +%e #ender u#e# an encr!ption algorit%m, and t%e recei,er u#e# a decr!ption algorit%m( Cip er Be refer to encr!ption and decr!ption algorit%m# a# cip%er#( +%e term cip%er i# al#o u#ed to refer to different categorie# of algorit%m# in cr!ptograp%!( +%i# i# not to #a! t%at e,er! #ender4recei,er pair need# t%eir ,er! own uni)ue cip%er for a #ecure communication( :n t%e contrar!, one cip%er can #er,e million# of communicating pair#( 2ey 3 ke! i# a num'er (or a #et of num'er#) t%at t%e cip%er, a# an algorit%m, operate# on( +o encr!pt a me##age, we need an encr!ption algorit%m, an encr!ption ke!, and t%e plain4te8t( +%e#e create t%e cip%er4te8t( +o decr!pt a me##age, we need a decr!ption algorit%m, a decr!ption ke!, and t%e cip%er4 te8t( +%e#e re,eal t%e original plain4te8t(

Alice, Bob, and Eve
In cryptography, it is customary to use three characters in an information exchange scenario; we use Alice, Bob, and Eve. Alice is the person who needs to send secure data. Bob is the recipient of the data. Eve is the person who somehow disturbs the communication between Alice and Bob by intercepting messages to uncover the data or by sending her own disguised messages. These three names represent computers or processes that actually send or receive data, or intercept or change data.

Fig: Categories of Cryptography: symmetric key (secret key) and asymmetric key (public key)

Symmetric-key
In conventional cryptography, also called secret-key or symmetric-key encryption, one key is used both for encryption and decryption. The Data Encryption Standard (DES) is an example of a conventional cryptosystem that is widely employed by the Federal Government. The figure below shows an illustration of the conventional encryption process.

Fig: Conventional encryption with a shared secret key


Conventional encryption has benefits. It is very fast. It is especially useful for encrypting data that is not going anywhere. However, conventional encryption alone as a means for transmitting secure data can be quite expensive simply due to the difficulty of secure key distribution. For a sender and recipient to communicate securely using conventional encryption, they must agree upon a key and keep it secret between themselves. If they are in different physical locations, they must trust a courier, the Bat Phone, or some other secure communication medium to prevent the disclosure of the secret key during transmission. Anyone who overhears or intercepts the key in transit can later read, modify, and forge all information encrypted or authenticated with that key.

Asymmetric-key Cryptography
Public key cryptography is an asymmetric scheme that uses a pair of keys for encryption: a public key, which encrypts data, and a corresponding private, or secret, key for decryption. You publish your public key to the world while keeping your private key secret. Anyone with a copy of your public key can then encrypt information that only you can read. It is computationally infeasible to deduce the private key from the public key. Anyone who has a public key can encrypt information but cannot decrypt it. Only the person who has the corresponding private key can decrypt the information.

The essential steps in asymmetric-key cryptography are the following:
1. Each user generates a pair of keys to be used for the encryption and decryption of messages.
2. Each user places one of the keys in a public register or other accessible file. This is the public key. The companion key is kept private. Each user maintains a collection of public keys obtained from others.
3. If Bob wishes to send a private message to Alice, Bob encrypts the message using Alice's public key.
4. When Alice receives the message, she decrypts it using her private key. No other recipient can decrypt the message because only Alice knows Alice's private key.


With this approach, all the participants have access to public keys, and private keys are generated locally by each participant and therefore need never be distributed. As long as a user protects his or her private key, incoming communication is secure. At any time, a user can change the private key and publish the companion public key to replace the old public key.

Comparison
Let us compare symmetric-key and asymmetric-key cryptography. Encryption can be thought of as electronic locking; decryption as electronic unlocking. The sender puts the message in a box and locks the box by using a key; the receiver unlocks the box with a key and takes out the message. The difference lies in the mechanism of the locking and unlocking and the type of keys used. In symmetric-key cryptography, the same key locks and unlocks the box. In asymmetric-key cryptography, one key locks the box, but another key is needed to unlock it.

Traditional Ciphers used in Symmetric-key Cryptography:
Two types:
1. Substitution cipher
2. Transposition cipher

Substitution cipher:
A substitution cipher substitutes one symbol with another. If the symbols in the plaintext are alphabetic characters, we replace one character with another. For example, we can replace character A with D, and character T with Z. If the symbols are digits (0 to 9), we can replace 3 with 7, and 2 with 6. This shift substitution is also known as the Caesar cipher, after Caesar, who invented it. For example, if we encode the word "SECRET" using Caesar's key value of 3, we offset the alphabet so that the 3rd letter down (D) begins the alphabet. So starting with ABCDEFGHIJKLMNOPQRSTUVWXYZ and sliding everything up by 3, you get DEFGHIJKLMNOPQRSTUVWXYZABC, where D=A, E=B, F=C, and so on. Using this scheme, the plaintext "SECRET" encrypts as "VHFUHW". To allow someone else to read the ciphertext, you tell them that the key is 3.

Transposition Ciphers
In a transposition cipher, there is no substitution of characters; instead, their locations change. A character in the first position of the plaintext may appear in the tenth position of the ciphertext. A character in the eighth position may appear in the first position. In other words, a transposition cipher reorders the symbols in a block of symbols.

Key
In a transposition cipher, the key is a mapping between the positions of the symbols in the plaintext and in the ciphertext. For example, the following shows the key using a block of four characters:
Plaintext position:  2 4 1 3
Ciphertext position: 1 2 3 4
In encryption, we move the character at position 2 to position 1, the character at position 4 to position 2, and so on. In decryption, we do the reverse.
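Both traditional ciphers above, implemented as an added example (this code is not part of the notes): the shift substitution with Caesar's key 3 that turns "SECRET" into "VHFUHW", and the four-character transposition with the key 2 4 1 3 given above. The transposition functions go slightly beyond the notes by padding the last block (with a constructed filler "X") so that messages of any length can be processed. A small letter histogram is included to show why classical cryptanalysis, mentioned earlier, works against these ciphers: a transposition changes positions but not letter frequencies, and a shift cipher has only 25 useful keys.

```python
"""Caesar (shift) cipher and block transposition cipher (added example, not from the notes)."""
import string
from collections import Counter

ALPHABET = string.ascii_uppercase


def caesar_encrypt(plaintext: str, key: int) -> str:
    """Shift each letter forward by key positions; non-letters pass through unchanged."""
    out = []
    for ch in plaintext.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)
    return "".join(out)


def caesar_decrypt(ciphertext: str, key: int) -> str:
    """Decryption is a shift in the opposite direction."""
    return caesar_encrypt(ciphertext, -key)


def transposition_encrypt(plaintext: str, key, pad: str = "X") -> str:
    """key[i] is the 1-based plaintext position that lands in ciphertext position i+1.
    With key [2, 4, 1, 3] the block ABCD becomes BDAC, as in the notes.
    The last block is padded with a constructed filler so every block is full."""
    n = len(key)
    if sorted(key) != list(range(1, n + 1)):
        raise ValueError("key must be a permutation of 1..n")
    if len(plaintext) % n:
        plaintext += pad * (n - len(plaintext) % n)
    out = []
    for start in range(0, len(plaintext), n):
        block = plaintext[start:start + n]
        out.append("".join(block[p - 1] for p in key))
    return "".join(out)


def transposition_decrypt(ciphertext: str, key) -> str:
    """Invert the mapping: ciphertext position i+1 came from plaintext position key[i]."""
    n = len(key)
    out = []
    for start in range(0, len(ciphertext), n):
        block = ciphertext[start:start + n]
        plain = [""] * n
        for i, p in enumerate(key):
            plain[p - 1] = block[i]
        out.append("".join(plain))
    return "".join(out)


def letter_histogram(text: str) -> Counter:
    """Letter frequencies: unchanged by any transposition, which is what
    frequency analysis exploits; a shift cipher merely rotates the histogram."""
    return Counter(ch for ch in text.upper() if ch.isalpha())


if __name__ == "__main__":
    print(caesar_encrypt("SECRET", 3))                        # VHFUHW
    key = [2, 4, 1, 3]
    ct = transposition_encrypt("MEETMEATNOON", key)
    print(ct, transposition_decrypt(ct, key))
    print(letter_histogram("MEETMEATNOON") == letter_histogram(ct))   # True
```

The usage in the main block reproduces the notes' worked example and then round-trips a longer constructed message through the transposition cipher.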

Encryption algorithm:
The most commonly used symmetric encryption algorithms are block ciphers. A block cipher processes the plaintext input in fixed-size blocks and produces a block of ciphertext of equal size for each plaintext block. The two most important symmetric algorithms, both of which are block ciphers, are:
Data Encryption Standard (DES)
Advanced Encryption Standard (AES)

Asymmetric Key Cryptography:
Some examples of public-key cryptosystems are: Elgamal (named for its inventor, Taher Elgamal), RSA (named for its inventors, Ron Rivest, Adi Shamir, and Leonard Adleman), Diffie-Hellman (named for its inventors), and DSA, the Digital Signature Algorithm (invented by David Kravitz).

Digital signatures
A major benefit of public key cryptography is that it provides a method for employing digital signatures. Digital signatures enable the recipient of information to verify the authenticity of the information's origin, and also verify that the information is intact. Thus, public key digital signatures provide authentication and data integrity. A digital signature also provides non-repudiation, which means that it prevents the sender from claiming that he or she did not actually send the information. These features are every bit as fundamental to cryptography as privacy, if not more. A digital signature serves the same purpose as a handwritten signature. However, a handwritten signature is easy to counterfeit. A digital signature is superior to a handwritten signature in that it is nearly impossible to counterfeit, plus it attests to the contents of the information as well as to the identity of the signer. Some people tend to use signatures more than they use encryption. For example, you may not care if anyone knows that you just deposited $1000 in your account, but you do want to be darn sure it was the bank teller you were dealing with. The basic manner in which digital signatures are created is illustrated in the figure. Instead of encrypting information using someone else's public key, you encrypt it with your private key. If the information can be decrypted with your public key, then it must have originated with you.


Fig: Simple Digital Signature

HASH Function:
Hash (also called a message digest): A one-way hash function takes variable-length input (in this case, a message of any length, even thousands or millions of bits) and produces a fixed-length output; say, 160 bits. PGP uses a cryptographically strong hash function on the plaintext the user is signing. This generates a fixed-length data item known as a message digest. A hash function generates a fixed-length output value based on an arbitrary-length input file, say 160 bits. To validate the integrity of a file, a recipient would calculate the hash value of that file and compare it to the hash value sent by the sender. Thus, the recipient can be assured that the sender had the file at the time he or she created the hash value. Examples of hash algorithms are MD5, SHA-1 and RIPEMD-160. Hashes are used in serving the authentication and integrity goals of cryptography. A cryptographic hash can be described as f(message) = hash. A hash function H is a transformation that takes an input m and returns a fixed-size string, which is called the hash value h (that is, h = H(m)).
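The integrity check described above, as an added example that is not part of the notes: the recipient recomputes h = H(m) over what was received and compares it with the digest the sender supplied. The sample message and its tampered copy are constructed for the example. It also shows the caveat a practitioner needs: a bare digest only detects accidental corruption, because anyone able to rewrite the message can recompute a matching digest, so for protection against deliberate modification the digest must be keyed (HMAC, shown here) or signed with the sender's private key as in the digital signature section. MD5 and SHA-1 are included because the notes name them, but they are no longer considered collision-resistant and SHA-256 is used as the default.

```python
"""Message digests for integrity checking (added example, not from the notes)."""
import hashlib
import hmac

# Constructed sample message and a tampered copy of it (not from the notes).
ORIGINAL = b"Transfer 100 units to account 42\n"
TAMPERED = b"Transfer 900 units to account 42\n"


def message_digest(data: bytes, algorithm: str = "sha256") -> str:
    """h = H(m): a fixed-length hex digest of an arbitrary-length input."""
    return hashlib.new(algorithm, data).hexdigest()


def digest_length_bits(algorithm: str) -> int:
    """Output size of the hash; 160 bits for SHA-1, as the notes say."""
    return hashlib.new(algorithm).digest_size * 8


def digest_stream(chunks, algorithm: str = "sha256") -> str:
    """The same digest computed incrementally, the way a large file is hashed."""
    h = hashlib.new(algorithm)
    for chunk in chunks:
        h.update(chunk)
    return h.hexdigest()


def verify_integrity(received: bytes, sent_digest: str, algorithm: str = "sha256") -> bool:
    """Recipient recomputes H(received) and compares it with the digest the sender sent.
    compare_digest runs in constant time so the comparison itself leaks nothing."""
    return hmac.compare_digest(message_digest(received, algorithm), sent_digest)


def keyed_digest(key: bytes, data: bytes, algorithm: str = "sha256") -> str:
    """HMAC: a digest that needs the shared key to recompute, so someone who can
    rewrite the message cannot also produce a matching tag."""
    return hmac.new(key, data, algorithm).hexdigest()


def verify_keyed(key: bytes, received: bytes, sent_tag: str, algorithm: str = "sha256") -> bool:
    return hmac.compare_digest(keyed_digest(key, received, algorithm), sent_tag)


if __name__ == "__main__":
    sent = message_digest(ORIGINAL)
    print("SHA-256 is", digest_length_bits("sha256"), "bits:", sent)
    print("original verifies:", verify_integrity(ORIGINAL, sent))      # True
    print("tampered verifies:", verify_integrity(TAMPERED, sent))      # False
    # An attacker who can change the message can also recompute an unkeyed digest:
    print("tampered + recomputed digest:", verify_integrity(TAMPERED, message_digest(TAMPERED)))  # True
    # A keyed digest (HMAC) closes that gap for parties sharing a secret key:
    key = b"constructed-shared-key"
    tag = keyed_digest(key, ORIGINAL)
    print("HMAC over tampered copy verifies:", verify_keyed(key, TAMPERED, tag))  # False
```

Run as a script, the output walks through the three cases in turn: the honest message verifies, the tampered message fails, and the tampered message with a recomputed unkeyed digest verifies again, which is exactly the gap the HMAC (or a signature) closes.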

"irewa!!
A firewall is any system or device that allows safe network traffic to pass while restricting or denying unsafe traffic. Firewalls are usually dedicated machines running at the gateway point between your local network and the outside world, and are used to control who has access to your private corporate network from the outside, for example over the Internet. More generally, a firewall is any system that controls communication between two networks. In today's networking environment, in which corporate networks are connected to the Internet (inviting hackers to attempt unauthorized access to valuable business information), a corporate firewall is essential.


Types of Firewall

Network Level Firewall:
The simplest firewall is sometimes called a network-level firewall because it operates at the lower levels of the Open Systems Interconnection (OSI) reference model for networking. Network-level firewalls are transparent to users and use routing technology to determine which packets are allowed to pass and which will be denied access to the private network. Network-level firewalls implemented solely on stand-alone routers are called packet-filtering routers or screening routers. In its simplest form, a firewall is essentially a kind of router or computer with two network interface cards that filters incoming network packets. This device is often called a packet-filtering router. By comparing the source addresses of these packets with an access list specifying the firewall's security policy, the router determines whether to forward the packets to their intended destinations or stop them. The firewall can simply examine the IP address or domain name from which the packet was sent and determine whether to allow or deny the traffic. However, packet-filtering routers cannot be used to grant or deny access to networks on the basis of a user's credentials.

Packet-filtering routers can also be configured to block certain kinds of traffic while permitting others. Usually this is done by disabling or enabling different TCP/IP ports on the firewall system. For example, port 25 is usually left open to permit Simple Mail Transfer Protocol (SMTP) mail to travel between the private corporate network and the Internet, while other ports (such as port 23 for Telnet) might be disabled to prevent Internet users from accessing other services on corporate network servers. The difficulty with this approach is that the size of the access list for the firewall can become huge if a large number of domains or ports are blocked and a large number of exceptions are configured. Some ports are randomly assigned to certain services (such as remote procedure call services) on startup; it is more difficult to configure firewalls to control access to these ports.
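A packet-filtering access list of the kind described above, as an added example (not part of the notes): each rule matches on source and destination address (CIDR), protocol and destination port, the first matching rule wins, and a packet that matches nothing falls through to an implicit deny, as on a screening router. The access list, the addresses (10.0.0.0/8 as the private network, 203.0.113.0/24 documentation space for the Internet side, 10.0.0.25 as an assumed mail server) and the sample packets are all constructed for the example. Note two things the notes only hint at: rule order decides the outcome (the anti-spoofing deny must precede the SMTP permit), and a stateless filter like this cannot tell a reply from an unsolicited packet, nor judge who the user is, which is what the circuit- and application-level designs below add.

```python
"""Stateless packet filter driven by an ordered access list (added example, not from the notes)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str    # source IP
    dst: str    # destination IP
    proto: str  # "tcp" or "udp"
    dport: int  # destination port


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: str = "0.0.0.0/0"       # CIDR; the default matches any source
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any port

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


# Constructed access list for the inbound (Internet -> private network) interface.
# Order matters: the first matching rule wins, so the anti-spoofing deny comes first,
# and SMTP is opened only towards the mail server rather than every internal host.
INBOUND_ACL: List[Rule] = [
    Rule("deny", src="10.0.0.0/8"),                             # internal addresses never arrive from outside
    Rule("permit", dst="10.0.0.25/32", proto="tcp", dport=25),  # SMTP to the assumed mail server only
    Rule("deny", proto="tcp", dport=23),                        # Telnet stays closed
]


def filter_packet(pkt: Packet, acl: List[Rule] = INBOUND_ACL) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching rule); an unmatched packet hits the implicit deny."""
    for i, rule in enumerate(acl):
        if rule.matches(pkt):
            return rule.action, i
    return "deny", None


def audit(packets: List[Packet], acl: List[Rule] = INBOUND_ACL) -> List[str]:
    """One log line per packet so the decisions can be reviewed."""
    lines = []
    for pkt in packets:
        action, idx = filter_packet(pkt, acl)
        why = f"rule {idx}" if idx is not None else "implicit deny"
        lines.append(f"{action:6} {pkt.proto}/{pkt.dport:<5} {pkt.src} -> {pkt.dst} ({why})")
    return lines


SAMPLE_PACKETS = [  # constructed traffic
    Packet("203.0.113.5", "10.0.0.25", "tcp", 25),   # mail to the mail server: permit
    Packet("203.0.113.5", "10.0.0.25", "tcp", 23),   # Telnet: explicit deny
    Packet("10.0.0.7", "10.0.0.25", "tcp", 25),      # spoofed internal source: deny first
    Packet("203.0.113.5", "10.0.0.40", "tcp", 25),   # SMTP to a non-mail host: implicit deny
]

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_PACKETS)))
```

Swapping the first two rules would let the spoofed packet through on the SMTP permit, which is the kind of ordering mistake that makes large access lists (the difficulty the notes mention) hard to maintain safely.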

Circuit-level Firewall:
Another type of firewall is a circuit-level gateway, which is usually a component of a proxy server. Circuit-level gateways essentially operate at a higher level of the OSI model protocol stack than network-level firewalls do. With a circuit-level firewall, connections with the private network are hidden from the remote user. The remote user connects with the firewall, and the firewall forms a separate connection with the network resource being accessed after changing the IP address of the packets being transmitted in either direction through the firewall. The result is a sort of virtual circuit between the remote user and the network resource. This is a safer configuration than a packet-filtering router because the external user never sees the IP address of the internal network in the packets he or she receives, only the IP address of the firewall. A popular protocol for circuit-level gateways is the SOCKS v5 protocol.

Application Level Firewall:
Another, more advanced type of firewall is the application-level firewall (or application gateway), which is also usually a component of a proxy server. Application gateways do not allow any packets to pass directly between the two networks they connect. Instead, proxy applications running on the firewall computer forward requests to services on the private network, and then forward responses to the originators on the unsecured public network. Application gateways generally authenticate the credentials of a user before allowing access to the network, and they use auditing and logging mechanisms as part of their security policy. Application gateways generally require some configuration on the part of users to enable their client machines to function properly, but they are more granular in their configurability than network-level firewalls. For example, if a File Transfer Protocol (FTP) proxy is configured on an application gateway, it can be configured to allow some FTP commands but deny others. You could also configure an SMTP proxy on an application gateway that would accept mail from the outside (without revealing internal e-mail addresses), and then forward the mail to the internal mail server. However, because of the additional processing overhead, application gateways have greater hardware requirements and are generally slower than network-level firewalls.

