
6/3/2021

Network Security

Outline
• Virtual private networks
• Firewall
• Intrusion detection system

Friends and enemies: Alice, Bob, Trudy
• Well-known in the network security world
• Bob and Alice want to communicate “securely”
• Trudy (intruder) may intercept, delete, add messages
[Figure: Alice (secure sender) and Bob (secure receiver) exchange data and control messages over a channel; Trudy sits on the channel]

Network security objectives
• Confidentiality: only sender, intended receiver should “understand” message contents
  – sender encrypts message
  – receiver decrypts message
• Authentication: sender, receiver want to confirm identity of each other
• Message integrity: sender, receiver want to ensure message is not altered (in transit, or afterwards) without detection
• Access and availability: services must be accessible and available to users

Firewalls
Firewall: isolates the organization’s internal net from the larger Internet, allowing some packets to pass and blocking others.
[Figure: administered network | firewall | public Internet]

Firewall Example: Application gateways
• Also known as application proxy or application-level proxy
• An application gateway is a type of firewall that provides application-level control over network traffic.
• It is an application program that runs on a firewall system between two networks.
• It filters traffic against application-specific rules, so that application data in transit can be allowed or denied. It can only do this for protocols it has a proxy for; everything else still has to be handled by the packet filter.

Firewall Example: Application gateways
• Application gateways can be used to deny untrusted users on the Internet access to the resources of private networks.
• Example network applications include File Transfer Protocol (FTP), Telnet, Real Time Streaming Protocol (RTSP) and BitTorrent.
• Application gateways examine incoming packets at the application level and then use proxies to create secure sessions with remote users.

Firewall Example: Application gateways
[Figure: host-to-gateway telnet session, application gateway, gateway-to-remote-host telnet session; router and filter at the border]
• Filters packets on application data as well as on IP/TCP/UDP fields.
• Example: allow select internal users to telnet outside.
1. Require all telnet users to telnet through the gateway.
2. For authorized users, the gateway sets up a telnet connection to the destination host and relays data between the 2 connections.
3. The router filter blocks all telnet connections not originating from the gateway (without this rule an internal host could simply bypass the gateway).

Firewall Example: Application gateways
• When a client program establishes a connection to a destination service, it connects to an application gateway, or proxy.
• The client then negotiates with the proxy server in order to communicate with the destination service.
• In effect, the proxy establishes the connection with the destination behind the firewall and acts on behalf of the client, hiding and protecting individual computers on the network behind the firewall.
• Two connections are created:
  – one between the client and the proxy server
  – and another one between the proxy server and the destination.

Firewall Example: Application gateways
• Once connected, the proxy makes all packet-forwarding decisions.
• Since all communication is conducted through the proxy server, computers behind the firewall are protected.
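The telnet gateway of the previous slides, written out as a small Python program. This is an added example, not code from the slides: the gateway address, the allow-list of users and the "user name on the first line" handshake are assumptions made for the demo, and the three parties are wired together with socket pairs in one process so that it runs without a network. It shows the two connections (host-to-gateway and gateway-to-remote-host), the relay between them, and the router-filter rule that blocks telnet not coming from the gateway.

```python
import socket
import threading

GATEWAY_IP = "10.0.0.1"               # assumed address of the gateway on the internal net
AUTHORIZED_USERS = {"alice", "bob"}   # assumed allow-list of internal telnet users
TELNET_PORT = 23


def router_filter(src_ip: str, dst_port: int) -> bool:
    """Step 3 as a border-router packet-filter rule: traffic to tcp/23 is permitted
    only when it originates from the gateway; other ports fall through (allowed here)."""
    if dst_port == TELNET_PORT:
        return src_ip == GATEWAY_IP
    return True


def read_line(sock):
    """Read one line a byte at a time so nothing beyond it is buffered away from recv()."""
    line = b""
    while not line.endswith(b"\n"):
        ch = sock.recv(1)
        if not ch:
            break
        line += ch
    return line


def relay(src, dst):
    """One direction of the relay: copy until src reaches EOF, then pass the EOF on."""
    while True:
        data = src.recv(4096)
        if not data:
            break
        dst.sendall(data)
    try:
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass


def handle_client(client, connect_to_dest):
    """Gateway side of one session (steps 1 and 2): the first line names the user
    (assumed handshake); an authorized user gets a second connection to the
    destination host and the gateway relays both directions; others are refused."""
    user = read_line(client).strip().decode(errors="replace")
    if user not in AUTHORIZED_USERS:
        while client.recv(4096):       # drain what the client sent, then refuse
            pass
        client.sendall(b"DENIED\n")
        client.close()
        return
    dest = connect_to_dest()           # gateway-to-remote-host connection
    client.sendall(b"OK\n")
    back = threading.Thread(target=relay, args=(dest, client), daemon=True)
    back.start()
    relay(client, dest)                # host-to-gateway direction
    back.join()
    dest.close()
    client.close()


def fake_remote_host(conn):
    """Stand-in for the outside telnet host: echoes what it received, upper-cased."""
    data = b""
    while True:
        chunk = conn.recv(4096)
        if not chunk:
            break
        data += chunk
    conn.sendall(data.upper())
    conn.close()


def demo(user: str) -> bytes:
    """Wire client, gateway and remote host together with socket pairs and return
    everything the client gets back."""
    client_end, gw_client_end = socket.socketpair()

    def connect_to_dest():
        gw_dest_end, dest_end = socket.socketpair()
        threading.Thread(target=fake_remote_host, args=(dest_end,), daemon=True).start()
        return gw_dest_end

    threading.Thread(target=handle_client, args=(gw_client_end, connect_to_dest),
                     daemon=True).start()
    client_end.settimeout(5)
    client_end.sendall(user.encode() + b"\nhello from inside\n")
    client_end.shutdown(socket.SHUT_WR)
    received = b""
    while True:
        chunk = client_end.recv(4096)
        if not chunk:
            break
        received += chunk
    client_end.close()
    return received


if __name__ == "__main__":
    print(demo("alice"))      # relayed through the gateway and echoed back
    print(demo("mallory"))    # refused by the gateway
    print(router_filter("10.0.0.7", 23), router_filter(GATEWAY_IP, 23))
```

Note that `router_filter` is what makes the gateway mandatory: the proxy alone cannot stop an internal host from opening its own tcp/23 connection to the outside, so the packet filter and the application gateway have to be deployed together.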

Intrusion detection systems
• An intrusion detection system (IDS) inspects all inbound and outbound network activity and identifies suspicious patterns that may indicate a network or system attack from someone attempting to break into or compromise a system.
• Packet filtering:
  – Operates on TCP/IP headers only
  – No correlation check among sessions
• IDS: intrusion detection system
  – Deep packet inspection: look at packet contents (e.g., check character strings in packet against a database of known virus and attack strings)
  – Can correlate across packets and sessions (e.g., many connection attempts from one source)

Intrusion detection systems
• Multiple IDSs: different types of checking at different locations
[Figure: Internet – firewall – application gateway – internal network; IDS sensors placed at several points; demilitarized zone with web server, DNS server, FTP server]
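The three kinds of checking from the slide, side by side over one constructed capture. This is an added example, not code from the slides; the filter rules, the signature strings, the DMZ web server address and the packets themselves are constructed for the demo (checksums are left at zero). It shows a header-only packet filter letting through an HTTP request that deep packet inspection flags, and a cross-session check (distinct ports probed per source) that a packet filter by itself cannot do.

```python
import socket
import struct
from collections import defaultdict
from dataclasses import dataclass

TCP = 6
SYN, ACK = 0x02, 0x10


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    flags: int
    payload: bytes


def build_ipv4_tcp(src, dst, sport, dport, payload=b"", flags=ACK):
    """Constructed test packet: 20-byte IPv4 header + 20-byte TCP header + payload.
    Checksums are left as 0; this is input for the inspector, not for a real stack."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, TCP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return ip + tcp + payload


def parse(raw: bytes) -> Packet:
    """Decode the IPv4 and TCP headers; everything after the TCP header is payload."""
    ihl = (raw[0] & 0x0F) * 4
    src, dst = socket.inet_ntoa(raw[12:16]), socket.inet_ntoa(raw[16:20])
    sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    data_off = (raw[ihl + 12] >> 4) * 4
    return Packet(src, dst, raw[9], sport, dport, raw[ihl + 13], raw[ihl + data_off:])


# Header-only rules of a stateless packet filter for traffic from the Internet
# to the DMZ web server (constructed for the example; first match wins, default deny).
WEB_SERVER = "192.0.2.10"
FILTER_RULES = [
    (TCP, WEB_SERVER, 80, "allow"),
    (TCP, WEB_SERVER, 443, "allow"),
]

# Signature database of an IDS doing deep packet inspection (constructed).
SIGNATURES = {
    b"/etc/passwd": "path traversal attempt",
    b"<script>": "script injection probe",
}


def packet_filter(p: Packet) -> str:
    """Looks at IP/TCP header fields only, never at the payload."""
    for proto, dst, dport, action in FILTER_RULES:
        if p.proto == proto and p.dst == dst and p.dport == dport:
            return action
    return "deny"


def dpi_alerts(p: Packet) -> list:
    """Deep packet inspection: match known attack strings against the payload."""
    return [name for sig, name in SIGNATURES.items() if sig in p.payload]


def scan_sources(packets, threshold=5) -> set:
    """Correlation across sessions: a source sending bare SYNs to at least
    `threshold` distinct ports on one host is reported as a scanner."""
    ports = defaultdict(set)
    for p in packets:
        if p.proto == TCP and p.flags & SYN and not p.flags & ACK:
            ports[(p.src, p.dst)].add(p.dport)
    return {src for (src, _), ps in ports.items() if len(ps) >= threshold}


def analyze(raw_packets) -> dict:
    """Run all three checks over a capture and return the verdicts."""
    packets = [parse(r) for r in raw_packets]
    return {
        "filter": [packet_filter(p) for p in packets],
        "dpi": [dpi_alerts(p) for p in packets],
        "scanners": scan_sources(packets),
    }


# Constructed capture: an allowed-looking HTTP request carrying an attack string,
# a telnet attempt, and a port sweep from a third host.
SAMPLE = [
    build_ipv4_tcp("203.0.113.7", WEB_SERVER, 40001, 80,
                   b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n\r\n"),
    build_ipv4_tcp("203.0.113.7", WEB_SERVER, 40002, 23, b"", SYN),
] + [build_ipv4_tcp("198.51.100.5", WEB_SERVER, 50000 + i, port, b"", SYN)
     for i, port in enumerate((21, 22, 23, 25, 80, 443))]

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

The first packet is the point of the slide: the filter allows it because tcp/80 to the web server is permitted, and only the content check sees the attack string. The sweep shows the other gap: each SYN is judged on its own by the filter, so only a check that remembers earlier sessions can report the source.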

Virtual Private Networks (VPN)
• A VPN is a private data network that makes use of the public telecommunication infrastructure, such as the Internet, by adding security procedures over the unsecure communication channels.
• The security procedures that involve encryption are achieved through the use of a tunneling protocol. Tunneling by itself only encapsulates; the tunneling protocol must also provide encryption and integrity protection (as IPsec does) for the channel to be secure.

Virtual Private Networks (VPN)
• There are two types of VPNs:
  – Remote access, which lets single users connect to the protected company network
  – Site-to-site, which supports connections between two protected company networks.
• In either mode, VPN technology gives a company the facilities of expensive private leased lines at much lower cost by using shared public infrastructure like the Internet.

Virtual Private Networks (VPN)
• The two components of a VPN are:
  – Two terminators:
    • Perform encryption, decryption and authentication services.
    • They also encapsulate the information.
    • Are either software or hardware.
  – A tunnel:
    • The tunnel is a secure communication link between the end-points across networks such as the Internet.
    • This tunnel is virtually created by the end-points.

Virtual Private Networks (VPN)
• VPN technology must do the following activities:
  – IP encapsulation:
    • This involves enclosing TCP/IP data packets within another packet whose IP address is that of a firewall or a server that acts as the VPN end-point.
    • Because the host’s own IP header travels inside the outer packet, the host is hidden from observers on the Internet.
  – Encryption is done on the data part of the packet; the outer header stays in cleartext so that the Internet can route it, and an integrity check (MAC) should cover the encrypted data so that tampering is detected.

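IP encapsulation and encryption of the data part, as performed by the two terminators of a site-to-site VPN. This is an added example, not code from the slides: the gateway addresses, the tunnel protocol number, the fixed keys and the inner packet are constructed for the demo, and the cipher (HMAC-SHA256 in counter mode, encrypt-then-MAC) is a stand-in for the real one a VPN would use, such as AES-GCM in IPsec ESP; it is here to show the structure, not to be deployed. The whole inner packet, private addresses included, becomes the encrypted data part of an outer packet addressed gateway to gateway.

```python
import hashlib
import hmac
import os
import socket
import struct

GW_A = "198.51.100.1"   # assumed public address of site A's VPN terminator
GW_B = "203.0.113.1"    # assumed public address of site B's VPN terminator
TUNNEL_PROTO = 99       # assumed IP protocol number for the demo tunnel
NONCE_LEN, TAG_LEN = 16, 32


def ipv4_header(src, dst, proto, payload_len):
    """20-byte IPv4 header with no options; checksum left 0 (a real stack fills it)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def keystream(key, nonce, length):
    """Demo-only stream cipher: HMAC-SHA256 in counter mode. Stands in for the
    real cipher of the tunneling protocol; do not deploy."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack("!I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encapsulate(inner, enc_key, mac_key, nonce=None):
    """Terminator at site A: encrypt the whole inner packet (addresses and data),
    authenticate it, and wrap it in an outer packet addressed gateway to gateway."""
    nonce = nonce if nonce is not None else os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(inner, keystream(enc_key, nonce, len(inner))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()   # encrypt-then-MAC
    body = nonce + ct + tag
    return ipv4_header(GW_A, GW_B, TUNNEL_PROTO, len(body)) + body


def outer_addresses(raw):
    """What an observer on the Internet can read: only the outer header."""
    return socket.inet_ntoa(raw[12:16]), socket.inet_ntoa(raw[16:20])


def decapsulate(raw, enc_key, mac_key):
    """Terminator at site B: check the tunnel header, verify the tag, decrypt, and
    return the inner packet; None if the packet is not ours or was tampered with."""
    ihl = (raw[0] & 0x0F) * 4
    if raw[9] != TUNNEL_PROTO or outer_addresses(raw) != (GW_A, GW_B):
        return None
    body = raw[ihl:]
    nonce, ct, tag = body[:NONCE_LEN], body[NONCE_LEN:-TAG_LEN], body[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None   # integrity check failed: drop before decrypting
    return bytes(a ^ b for a, b in zip(ct, keystream(enc_key, nonce, len(ct))))


def flip_bit(raw, index):
    """Simulate an attacker on the Internet modifying one byte in transit."""
    return raw[:index] + bytes([raw[index] ^ 0x01]) + raw[index + 1:]


# Constructed inner packet: host 10.1.0.5 at site A sends UDP data to 10.2.0.9 at site B.
INNER_SRC, INNER_DST = "10.1.0.5", "10.2.0.9"
INNER = ipv4_header(INNER_SRC, INNER_DST, 17, 12) + b"hello site B"
ENC_KEY, MAC_KEY = b"k" * 32, b"m" * 32   # fixed demo keys so the run is reproducible


def inner_hidden(raw):
    """True if neither private address appears anywhere in the outer packet."""
    return all(socket.inet_aton(a) not in raw for a in (INNER_SRC, INNER_DST))


if __name__ == "__main__":
    outer = encapsulate(INNER, ENC_KEY, MAC_KEY)
    print(outer_addresses(outer), inner_hidden(outer))
    print(decapsulate(outer, ENC_KEY, MAC_KEY) == INNER)
    print(decapsulate(flip_bit(outer, 40), ENC_KEY, MAC_KEY))   # tampered: dropped
```

The outer header is the only thing the Internet sees, which is why the terminators' public addresses are the ones in it; the tag check is what turns "encrypted" into "secure", since a modified ciphertext would otherwise decrypt to garbage and be delivered to the inner host.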