Network Security
INTRODUCTION:
1.1 DEFINITION & OVERVIEW
Security, as the name itself suggests, is very important for any individual, machine or network. Just as locks help in keeping tangible property secure, computers and data need provisions that keep information secure. Moreover, the increased use of networked computers on the Internet, intranets and extranets has had a profound impact on the necessity of network security. When one PC communicates with another it forms a network, and hence there arises a need that whatever secret data is transferred between the two computers should not be exposed to the outside world. This provision of making data secure within the network has led to the concept of network security, i.e. security on the net. Since most of the transactions in the world today take place on the Internet, there is a greater need to prevent unauthorized access to data. Security in an Internet environment is both important and difficult. It is important because information can be used to create new products and services that yield high value,
and it is difficult because it involves understanding trust between the various participating users and computers, and also understanding the technical details of the network hardware and protocols. As the Internet becomes more complex day by day, security administrators face the risk of being attacked by external intruders that may have:
Read access - read or copy confidential information.
Write access - write to the network or perhaps infect
distributed system, security policies as well as security mechanisms must be employed, thereby providing a secure communication link for data transmission between
authentication; likewise in a network there are authentication protocols.
2.3 MESSAGE INTEGRITY - here the sender and receiver want to ensure that, apart from authentication, the content of their communication is not altered, either maliciously or by accident, in transmission.
3.1 PACKET SNIFFING - A packet sniffer is a program running in a network-attached device that passively receives all data link layer frames passing by the device's network interface. In a broadcast environment like an Ethernet LAN the packet sniffer receives all frames being transmitted from all hosts to all hosts on the LAN. These frames can then be passed on to application programs that extract application-level data. For example, in the telnet scenario shown on the next page, the login/password prompt sent from A to B, as well as the password entered at B, are sniffed at host C.
3.2 IP SPOOFING - Any Internet-connected device sends IP datagrams into the network. A user with complete control over that device's software can easily modify the device's protocols to place an arbitrary IP address into the datagram's Source Address field. This is known as IP spoofing.
3.3 DENIAL OF SERVICE - In this the attacker deluges the server with TCP SYN packets, each having a spoofed IP source address. The server, not being able to distinguish between a legitimate SYN and a spoofed SYN, completes the second step of the TCP handshake, allocating data structures and state. The third step of the three-way handshake is never completed by the attacker, leaving n partially opened connections; this ever-increasing load of SYNs brings the server to its knees. Thus an intruder can actively interfere with, control or corrupt network management functions, DNS lookups and updates, and routing computations, which can really create havoc on the net. Below are a few more perpetrators that can have a real impact on the market.
ADVERSARY      GOAL
Hacker         To test out someone's security system
Businessman    To discover a competitor's strategic plan
Accountant     To embezzle money from the company
Terrorist      To steal germ warfare secrets
Stock broker   To deny a promise made to the customer by mail
From the given analysis above it is quite clear that to prevent legitimate messages from being captured, and to maintain the authenticity of the data, network security is greatly needed.
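The half-open connection build-up described under 3.3 can be watched for on the server side. The following is an added example, not code from the report: it replays a constructed packet trace (addresses, ports and timings are all made up here), keeps the table of pending handshakes that a server would allocate, and raises an alert when too many of them are left unfinished against one service.

```python
# Added example (not from the report): tracking half-open TCP connections
# over a constructed packet trace to detect the SYN flood described above.
# Addresses, ports and timings are constructed; only SYN and the client's
# final ACK matter for the count, so SYN+ACK records are ignored.

# (time, source, destination, flags): "S" = SYN, "SA" = SYN+ACK, "A" = ACK
TRACE = [
    (0.0, "10.0.0.5:4001", "10.0.0.1:80", "S"),
    (0.1, "10.0.0.1:80", "10.0.0.5:4001", "SA"),
    (0.2, "10.0.0.5:4001", "10.0.0.1:80", "A"),      # legitimate handshake completes
] + [
    (1.0 + i * 0.01, "198.51.100.%d:%d" % (i % 250 + 1, 30000 + i), "10.0.0.1:80", "S")
    for i in range(300)                               # spoofed SYNs, never acknowledged
]


def half_open_connections(trace, timeout=3.0, now=None):
    """Replay the trace: a SYN opens a pending entry (the state the server
    allocates), the client's ACK closes it. Entries older than `timeout`
    are treated as reaped. Returns the (client, server) pairs still pending."""
    pending = {}
    for t, src, dst, flags in trace:
        if flags == "S":
            pending[(src, dst)] = t
        elif flags == "A":
            pending.pop((src, dst), None)
    if now is None:
        now = trace[-1][0] if trace else 0.0
    return {k for k, t in pending.items() if now - t <= timeout}


def syn_flood_alert(trace, server, threshold=100, timeout=3.0):
    """Alert when half-open connections to one server exceed the threshold;
    also report how many distinct source addresses they come from, since a
    wide spread of sources against a single port is characteristic of spoofing."""
    pending = {c for c, s in half_open_connections(trace, timeout) if s == server}
    sources = {c.rsplit(":", 1)[0] for c in pending}
    return len(pending) > threshold, len(pending), len(sources)
```

Run `syn_flood_alert(TRACE, "10.0.0.1:80")` on the constructed trace: the one honest client never appears in the result because its ACK cleared the entry, while the 300 spoofed SYNs from 250 different addresses stay pending and trip the threshold.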
4. NETWORK SECURITY MECHANISMS:
Before getting into the solutions for network security it is necessary to look at which layer security belongs to. However, there is no single place. Every layer has something to contribute: in the physical layer wiretapping can be prevented by enclosing transmission lines in sealed tubes containing gas at high pressure, so that any attempt to drill the tube causes a fall in pressure that in turn could ring an alarm; similarly, in the data link layer point-to-point lines can be encoded as they leave one machine and decoded at the other; in the network layer firewalls are established. However, the problem of authentication can be resolved only at the application layer, which thereby holds greater importance. Some of the network security mechanisms are:
4.1 CRYPTOGRAPHY:
INTRODUCTION
The art of devising ciphers, i.e. converting plaintext into a coded form and then decoding it again, is called cryptography. Here the messages to be encrypted are known as plaintext and are transformed by a function parameterized by a key. The output of the encryption process is known as ciphertext and is then often transmitted by a messenger. At the receiver it is decrypted with the help of the decryption key and the original message is retrieved.
HISTORY
Historically, four groups of people have used &
the military has had the most important role, as within military organizations the messages to be sent were normally encrypted. Until the advent of computers the main constraints on cryptography had been the ability of the code clerk to perform the necessary transformations and also the difficulty of switching over quickly from one cryptographic method to another. Earlier there were a few traditional methods to prevent intruders from
4.1.1 SUBSTITUTION CIPHERS - In this method each letter or group of letters is replaced by another letter to disguise it. One of the oldest substitution cipher techniques was the Caesar cipher, in which the ciphertext alphabet was shifted by k letters. An improvement on this technique was to let each symbol in the plaintext map onto some other letter, for example:
PLAINTEXT:  a b c d e f g h i j k l m n o p q r s t u v w x y z
CIPHERTEXT: q w e r t y u i o p a s d f g h j k l z x c v b n m
This general system is known as a monoalphabetic substitution, with the key being the 26-letter string corresponding to the full alphabet. At first glance it appears to be a safe system, but by taking advantage of the statistical properties of natural language, such as the frequency of letters and words, this cipher can be broken.
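The table above is enough to implement both ciphers and the attack on them. The following is an added example, not code from the report: it applies the 26-letter key shown above (and a Caesar shift as the special case of such a key), then demonstrates the frequency weakness by pairing the most common ciphertext letters of a constructed sample message with the most common letters of English.

```python
# Added example (not from the report): the monoalphabetic substitution
# cipher from the table above, the Caesar cipher as its shifted special
# case, and the letter-frequency attack the text says breaks it.
import string
from collections import Counter

ALPHABET = string.ascii_lowercase
# The 26-letter key from the table above (ciphertext alphabet in plaintext order).
QWERTY_KEY = "qwertyuiopasdfghjklzxcvbnm"
# Constructed sample message for the frequency attack below.
SAMPLE = ("the enemy regiment entered the eastern valley at seven; "
          "we expect them to reach the ridge before the evening")


def caesar_key(k):
    """Caesar cipher as a monoalphabetic key: the alphabet shifted by k letters."""
    k %= 26
    return ALPHABET[k:] + ALPHABET[:k]


def substitute(text, key, decrypt=False):
    """Apply a 26-letter key letter by letter; non-letters pass through unchanged."""
    if sorted(key) != list(ALPHABET):
        raise ValueError("key must be a permutation of the 26 letters")
    src, dst = (key, ALPHABET) if decrypt else (ALPHABET, key)
    table = str.maketrans(src + src.upper(), dst + dst.upper())
    return text.translate(table)


def letters_by_frequency(text):
    """Letters of the text ordered from most to least frequent."""
    counts = Counter(c for c in text.lower() if c in ALPHABET)
    return [letter for letter, _ in counts.most_common()]


def guess_mapping(ciphertext, english="etaoinshrdlu"):
    """Cryptanalysis step: pair the most frequent ciphertext letters with the
    most frequent English letters. Returns a dict ciphertext -> guessed plaintext."""
    return dict(zip(letters_by_frequency(ciphertext), english))
```

Encrypting SAMPLE with QWERTY_KEY turns every plaintext e into t, and because e dominates the sample, `guess_mapping` recovers that pairing from the ciphertext alone; on a longer text the same statistics fill in the rest of the key, which is exactly why a single fixed substitution is not safe.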
4.1.2 TRANSPOSITION CIPHER - In this method, unlike the substitution cipher, the ciphertext is a reordered form of the plaintext and not a disguised form of it. The following example depicts the transposition method. The cipher is keyed by a word or phrase not containing any repeated letters; here MEGABUCK is the key. The purpose of the key is to number the columns. The plaintext is written horizontally in rows and the ciphertext is read out by columns.
M E G A B U C K
7 4 5 1 2 8 3 6
p l e a s e t r
a n s f e r o n
e m i l l i o n
d o l l a r s a
PLAINTEXT: Please transfer one million dollars (padded with a to fill the last row)
CIPHERTEXT: AFLLSELATOOSLNMOESILRNNAPAEDERIR
To break this transposition cipher the cryptanalyst had to be aware that he was dealing with a transposition cipher; after that he would guess the number of columns and look for a probable phrase or word. Thus, by hunting through the various possibilities, the cryptanalyst often could determine the key length and get the message decrypted.
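The columnar transposition in the table above, as an added example that is not code from the report. Column numbering follows the alphabetical rank of each key letter, as the MEGABUCK row shows, and the decryption refills the grid column by column in that same order before reading it back by rows.

```python
# Added example (not from the report): the columnar transposition cipher
# keyed by MEGABUCK exactly as in the table above, plus its inverse.
KEY = "MEGABUCK"


def column_order(key):
    """Number the columns by the alphabetical rank of each key letter.
    Returns the column indices in the order they are read out."""
    if len(set(key)) != len(key):
        raise ValueError("key must not contain repeated letters")
    return sorted(range(len(key)), key=lambda i: key[i])


def transpose_encrypt(plaintext, key=KEY, pad="a"):
    """Write the plaintext in rows under the key, read it out by columns."""
    text = "".join(c for c in plaintext.lower() if c.isalpha())
    ncols = len(key)
    if len(text) % ncols:
        text += pad * (ncols - len(text) % ncols)   # fill the last row
    rows = [text[i:i + ncols] for i in range(0, len(text), ncols)]
    return "".join(row[c] for c in column_order(key) for row in rows)


def transpose_decrypt(ciphertext, key=KEY):
    """Refill the columns in key order, then read the grid row by row."""
    ncols = len(key)
    if len(ciphertext) % ncols:
        raise ValueError("ciphertext length must be a multiple of the key length")
    nrows = len(ciphertext) // ncols
    grid = [[""] * ncols for _ in range(nrows)]
    pos = 0
    for c in column_order(key):
        for r in range(nrows):
            grid[r][c] = ciphertext[pos]
            pos += 1
    return "".join("".join(row) for row in grid)
```

`transpose_encrypt("Please transfer one million dollars")` reproduces the ciphertext in the table; note that the letter set of the output is the plaintext's own, which is the property the cryptanalyst in the text relies on to recognise a transposition.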
In modern cryptography the object is to make the encryption algorithm so complex and involuted that even if the cryptanalyst acquires vast mounds of enciphered text he will not be able to make sense of it. In modern cryptography transpositions and substitutions are implemented with simple circuits. A P-box (P for permutation) is used to effect a transposition on an 8-bit input. For example, if the 8 input bits are designated from top to bottom as 01234567, then the output of a particular P-box can be any reordering, let us say 3607125, depending upon the transposition made. This is shown in the figure below.
Fig a, Fig b, Fig c
Substitutions are performed by S-boxes. Here, at the first stage, the input selects one of eight lines; the second stage is a P-box; and the third stage encodes the selected line in binary again. The real power of these basic elements only becomes apparent when a whole series of boxes is cascaded to form a product cipher. A single stage is not very powerful, but by including a sufficiently large number of stages the output can be made much more complicated. Below are illustrated a few of the modern algorithms:
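The P-box, S-box and product-cipher ideas above, as an added example that is not code from the report. The wiring table and the substitution table are constructed for this example (they are not the values in the report's figure); the block has no key mixing, so it only shows how transposition and substitution stages combine and invert, and how cascading them spreads a one-bit change.

```python
# Added example (not from the report): an 8-bit P-box, a 4-bit S-box and a
# product cipher built by cascading them. The tables are constructed for this
# example and are not the values in the report's figure.
P_BOX = [3, 6, 0, 7, 1, 2, 4, 5]   # output bit i (from the left) is input bit P_BOX[i]
S_BOX = [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7]   # permutation of 0..15


def invert(table):
    """Inverse of a permutation table, so each box can be undone."""
    inv = [0] * len(table)
    for i, v in enumerate(table):
        inv[v] = i
    return inv


def p_box(byte, perm=P_BOX):
    """Transposition: each output bit is wired to one input bit."""
    bits = [(byte >> (7 - i)) & 1 for i in range(8)]   # bits[0] is the leftmost bit
    out = 0
    for src in perm:
        out = (out << 1) | bits[src]
    return out


def s_layer(byte, sbox=S_BOX):
    """Substitution: each 4-bit half is replaced by its table entry."""
    return (sbox[byte >> 4] << 4) | sbox[byte & 0xF]


def product_encrypt(byte, rounds=4):
    """Cascade substitution and transposition stages into a product cipher."""
    for _ in range(rounds):
        byte = p_box(s_layer(byte))
    return byte


def product_decrypt(byte, rounds=4):
    """Undo the stages in reverse order with the inverse tables."""
    inv_p, inv_s = invert(P_BOX), invert(S_BOX)
    for _ in range(rounds):
        byte = s_layer(p_box(byte, inv_p), inv_s)
    return byte


def avalanche(byte, rounds=4):
    """How many output bits change when the lowest input bit is flipped."""
    diff = product_encrypt(byte, rounds) ^ product_encrypt(byte ^ 1, rounds)
    return bin(diff).count("1")
```

With zero rounds `avalanche` is always 1 (the flipped bit passes straight through); with a few cascaded stages the single-bit change is spread across the output, which is the point the text makes about product ciphers.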
DES ALGORITHM
IDEA (International Data Encryption Algorithm)
IDEA was designed by two members in Switzerland who introduced a secret trap door. The basic structure of the algorithm resembles DES in that 64-bit plaintext input blocks are mangled in a sequence of parameterized iterations to produce 64-bit ciphertext output blocks. The figure below illustrates the working of this algorithm.
IDEA ALGORITHM
As with all block ciphers, IDEA can also be used in cipher feedback mode or with the other DES modes. Moreover, it has been constructed with both hardware & software
sends it to B. B then decrypts the message by applying the secret key Db that is known to him only. One more piece of terminology used here is that each user has two keys, public and private, to use for encryption and decryption.
RSA ALGORITHM
This algorithm is known by the initials of its three discoverers (Rivest, Shamir, and Adleman) and is based on simple number theory. Below is a summary of the algorithm:
Choose two large primes, p and q.
Compute n = p*q and z = (p-1)*(q-1).
Choose a number relatively prime to z and call it d.
Find e such that e*d = 1 (mod z).
With these parameters computed in advance we can readily begin the encryption. To encrypt a message block P compute C = P^e (mod n), and to decrypt compute P = C^d (mod n). The security of this method is based on the difficulty of factoring large numbers: if the cryptanalyst could factor n he could find p and q and then z,
but according to Rivest it would take 2 billion years of computer time to factor a 200-digit number. So even if computers become faster it would take a lot of time, which is not feasible. The only disadvantage of this algorithm is its speed in handling large volumes of data.
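The four key-generation steps and the two exponentiations above, carried out in code as an added example that is not from the report. The primes are constructed and deliberately tiny so every value can be checked by hand; the last function shows the text's security argument from the other side, recovering d from the public key by doing exactly the factoring that becomes infeasible at real sizes. `pow(x, -1, m)` needs Python 3.8 or later.

```python
# Added example (not from the report): the RSA steps the text summarises,
# with constructed small primes so the arithmetic is visible, and a check
# that factoring n is what recovers the private exponent.
from math import gcd


def rsa_keygen(p, q, d):
    """n = p*q, z = (p-1)*(q-1), d relatively prime to z, e = d^-1 (mod z).
    Returns (public key (e, n), private key (d, n))."""
    n, z = p * q, (p - 1) * (q - 1)
    if gcd(d, z) != 1:
        raise ValueError("d must be relatively prime to z")
    e = pow(d, -1, z)          # modular inverse, so e*d = 1 (mod z)
    return (e, n), (d, n)


def rsa_encrypt(P, public):
    """C = P^e (mod n); the block P must be smaller than n."""
    e, n = public
    if not 0 <= P < n:
        raise ValueError("message block must be in [0, n)")
    return pow(P, e, n)


def rsa_decrypt(C, private):
    """P = C^d (mod n)."""
    d, n = private
    return pow(C, d, n)


def trial_factor(n):
    """Factoring n is the work the text says an attacker would have to do;
    trial division only finishes for the toy sizes used here."""
    for f in range(2, int(n ** 0.5) + 1):
        if n % f == 0:
            return f, n // f
    raise ValueError("no factor found")


def recover_private_exponent(public):
    """Given only (e, n): factor n, rebuild z, invert e. Feasible only because n is tiny."""
    e, n = public
    p, q = trial_factor(n)
    z = (p - 1) * (q - 1)
    return pow(e, -1, z)
```

With p = 3, q = 11 and d = 7 the steps give n = 33, z = 20 and e = 3; the block 13 encrypts to 19 and decrypts back to 13. The same code with p = 61, q = 53, d = 2753 gives e = 17 and n = 3233.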
4.2 INTERNET CONNECTION FIREWALL:
Introduction
A firewall is a security system that acts as a protective boundary between a network and the outside world. Internet Connection Firewall (ICF) is firewall software used to set restrictions on what information is communicated between your home or small office network and the Internet. If your network uses Internet Connection Sharing (ICS) to provide Internet access to multiple computers, ICF should be enabled on the shared Internet connection. However,
ICS and ICF can be enabled separately. You should enable ICF on the Internet connection of any computer that is connected directly to the Internet. ICF also protects a single computer connected to the Internet: if you have a single computer connected to the Internet with a cable modem, a DSL modem, or a dial-up modem, ICF protects your Internet connection. You should not enable ICF on VPN connections because it will interfere with the operation of file sharing and other VPN functions.
FIREWALL SCHEME
ICF is considered a "stateful" firewall. A stateful firewall is one that monitors all aspects of the communications that cross its path and inspects the source and destination address of each message that it handles. To prevent unsolicited traffic from the public side of the connection from entering the private side, ICF keeps a table of all communications that have originated from the ICF computer. In the case of a single computer, ICF tracks traffic originated from the computer. When used in conjunction with ICS, ICF tracks all traffic originated from the ICF/ICS computer and all traffic originated from private network computers. All inbound traffic from the Internet is compared against the entries in the table. Inbound Internet traffic is only allowed to reach the computers in your network when there is a matching entry in the table showing that the communication exchange began from within your computer or private network. Communications that originate from a source outside the ICF computer, such as the Internet, are dropped by the firewall unless an entry in the Services tab is made to allow passage. Rather than sending you notifications about activity, ICF silently discards unsolicited traffic, such as port scanning. Such notifications could be sent frequently enough to become a distraction. Instead, ICF can create a security log to view the activity that is tracked by the firewall. Services can be configured to allow unsolicited traffic from the Internet to be forwarded by the ICF computer to the private network. For example, if you are hosting an HTTP Web server service and have enabled the HTTP service on your ICF computer, unsolicited HTTP traffic will be forwarded by the ICF computer to the HTTP Web server. A set of operational information, known as a service definition, is required by ICF to allow the unsolicited Internet traffic to be forwarded to the Web server on your private network.
As filter-based firewalls work on deny or permit rules, they are characterised as firewalls that block traffic or firewalls that permit traffic. Firewall control mechanisms include packet filtering, circuit filtering and application gateways. Packet filtering is the simplest and fastest mechanism: it examines individual packets and blocks or passes them, taking the decision by checking only the individual packet's headers, whereas circuit filtering collects and checks the connection state data associated with the packets and on that basis decides to forward or block. Application gateways apply true user-based access control and behaviour control. The cost of application gateways is higher, as they offer more security. The following figure shows an application gateway.
It mainly consists of a gateway node and two firewalls, one on either side of the gateway. Firewall 1 discards packets not addressed to the gateway, thereby controlling inbound access. Similarly, firewall 2 accepts only packets to the gateway, thereby controlling outbound access.
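The ICF behaviour described in the FIREWALL SCHEME paragraphs (a table of exchanges begun on the private side, service definitions for chosen unsolicited traffic, silent logged drops for the rest) and the packet-filter versus circuit-filter distinction just above, as one added example that is not code from the report or from ICF itself. The addresses, ports, rule set and scan are constructed; the stateless filter is included to show what header-only checking cannot decide.

```python
# Added example (not from the report): a simulation of the stateful check the
# text describes for ICF, beside a stateless packet filter that decides from
# headers alone. Addresses, ports and rules are constructed.
from collections import namedtuple

Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port proto direction")


class StatefulFirewall:
    def __init__(self, services=()):
        # exchanges that began inside: (local_ip, local_port, remote_ip, remote_port, proto)
        self.table = set()
        # service definitions: (proto, port) whose unsolicited inbound traffic is forwarded
        self.services = set(services)
        self.log = []          # security log instead of user notifications

    def handle(self, pkt):
        if pkt.direction == "out":
            self.table.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto))
            return "pass"
        # inbound: is this the reply to an exchange that began inside?
        if (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto) in self.table:
            return "pass"
        if (pkt.proto, pkt.dst_port) in self.services:
            return "forward"   # service definition: hand it to the private-network host
        self.log.append("DROP %s %s:%d -> %s:%d" % (
            pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        return "drop"


def packet_filter(pkt, rules):
    """Stateless filter: the first matching (direction, proto, dst_port, action) rule
    wins, default deny. It cannot tell a reply from an unsolicited packet."""
    for direction, proto, port, action in rules:
        if direction == pkt.direction and proto == pkt.proto and port in (None, pkt.dst_port):
            return action
    return "deny"


def scanning_sources(log, min_ports=5):
    """Detection over the drop log: sources that probed many distinct ports."""
    ports = {}
    for line in log:
        _, _, src, _, dst = line.split()
        ports.setdefault(src.rsplit(":", 1)[0], set()).add(dst.rsplit(":", 1)[1])
    return sorted(s for s, p in ports.items() if len(p) >= min_ports)


def run_scenario():
    """Constructed traffic: one outbound connection and its reply, two unsolicited
    packets, then a short port scan. Returns (decisions, log, scanners)."""
    fw = StatefulFirewall(services=[("tcp", 80)])   # we host a web server inside
    inside, web, stranger = "192.168.0.2", "203.0.113.10", "198.51.100.7"
    decisions = [
        fw.handle(Packet(inside, 50000, web, 443, "tcp", "out")),     # we start it
        fw.handle(Packet(web, 443, inside, 50000, "tcp", "in")),      # its reply: in table
        fw.handle(Packet(stranger, 40000, inside, 445, "tcp", "in")),  # unsolicited: dropped
        fw.handle(Packet(stranger, 40001, inside, 80, "tcp", "in")),   # unsolicited, defined service
    ]
    for port in (21, 22, 23, 25, 135):
        fw.handle(Packet(stranger, 41000 + port, inside, port, "tcp", "in"))
    return decisions, fw.log, scanning_sources(fw.log)
```

The stateless `packet_filter` with a single rule permitting inbound port 80 lets the web request through, but it denies the legitimate reply on port 50000 unless a much broader rule is written; the stateful table passes that reply because the exchange began inside, which is the difference the text draws between packet filtering and circuit filtering.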
PROXY BASED FIREWALLS
The proxy-based firewall may be an application gateway firewall. As the proxy appears as a server to the client and as a client to the server, it responds to the client's request without passing the request to the server, thereby controlling the access rights. The proxy software receives and interprets each service request and, after checking, forwards it to the destination server. If a company wants to make some of its Web server pages accessible to all outside users and to restrict certain pages, a simple filter firewall does not work. The solution is to use an HTTP proxy server. Outsiders can open an HTTP/TCP connection with the proxy, which, after checking the uniform resource locator (URL) contained in the request, may allow a second HTTP/TCP connection to the company's web server or prohibit the connection. This is shown in the fig below.
Proxy Based Firewall
The proxy server acts as an intermediary between the local server and the external client, i.e. the local computer communicates with the external computer through the proxy server and vice versa.
4.2.3 Internet Connection Firewall Considerations
ICF and Home or Small Office communications
You should not enable Internet Connection Firewall (ICF) on any connection that does not directly connect to the Internet. If the firewall is enabled on the network adapter of an ICS client computer, it will interfere with some communications between that computer and all other computers on the network. For a similar reason, the Network Setup Wizard does not allow ICF to be enabled on the ICS host private connection, the connection that connects the ICS host computer with the ICS client computers, because enabling a firewall in this location would completely prohibit network communications. Internet Connection Firewall is not needed if your network already has a firewall or proxy server. If your network has only one shared Internet connection, you should protect it by enabling Internet Connection Firewall. Individual client computers may also have adapters, such as a dial-up or DSL modem, that provide individual connections to the Internet and are vulnerable without firewall protection. ICF can only check the communications that cross the Internet connection on which it is enabled. Because ICF works on a per-connection basis, you need to enable it on all computers with connections to the Internet in order to ensure protection for your entire network. If you have enabled the firewall on the ICS host computer's Internet connection, but a client computer with a direct Internet connection is not using the firewall for protection, your network will be vulnerable through that unprotected connection.
The service definitions that allow services to operate across ICF also work on a per-connection basis. If your network has multiple firewall connections, service definitions must be configured for each firewalled connection you want the service to work through.
The authenticity of many documents is determined by the presence of an authorized handwritten signature. But in computerized networking there is the problem of finding a replacement for handwritten signatures; hence another cryptographic technique comes into the picture, namely the Digital Signature. These are basically designed in such a way that:
The receiver can verify the claimed identity of the sender.
The sender cannot later repudiate the contents of the message.
The receiver cannot possibly have concocted the message.
The first requirement is needed, for example, when a customer's computer orders a bank's computer to buy a ton of gold: the bank's computer needs to be able to make sure that the computer giving the order belongs to that company only. The second requirement is needed to protect the bank against fraud, i.e. a dishonest customer might sue the bank claiming that he never placed any order to buy gold. The third requirement is needed to protect the customer in the event that the price of gold rises and the bank tries to construct a signed message saying that the order was for one bar of gold rather than one ton. Digital signatures fall into two categories:
In this approach to digital signatures there is a central authority that knows everything, say Big Brother (BB). Each user chooses a secret key and carries it by hand to BB's office. For example, when A wants to send a message to B she generates a key and sends it; BB sees the message, decrypts it and sends it on to B. This is shown in the fig below.
The only disadvantage of this technique is replay attacks, in which one is shown the same message again and again.
the message, he transforms it using his private key, decrypts it and gets the original message. This is shown in the fig below.
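The Big Brother scheme above, with the replay weakness it mentions closed on the authority's side, as an added example that is not code from the report. Two assumptions are made here: HMAC-SHA256 under each user's key stands in for the secret-key transformation (it gives the authenticity property the scheme needs without any external library), and BB attaches its own keyed attestation so that B holds evidence he can later show BB. Users, keys, timestamps and the message are constructed.

```python
# Added example (not from the report): a simulation of the Big Brother scheme
# with replay detection added on the authority's side. HMAC-SHA256 stands in
# for the secret-key transformation (an assumption made for this example);
# the keys, users and message are constructed.
import hashlib
import hmac
import json


def tag(key, payload):
    """Keyed tag over a canonical encoding of the payload."""
    data = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class BigBrother:
    def __init__(self, user_keys, window=300):
        self.user_keys = dict(user_keys)     # each user's key, delivered by hand
        self.bb_key = b"constructed-big-brother-key"
        self.window = window                 # seconds a timestamp stays acceptable
        self.seen = set()                    # (sender, timestamp, nonce) already relayed

    def relay(self, envelope, now):
        """Verify the sender's tag, reject stale or replayed messages, then
        re-tag the message for the recipient with BB's own attestation."""
        msg, sender_tag = envelope["msg"], envelope["tag"]
        key = self.user_keys.get(msg["from"])
        if key is None or not hmac.compare_digest(sender_tag, tag(key, msg)):
            return "reject: bad sender tag"
        if msg["to"] not in self.user_keys:
            return "reject: unknown recipient"
        if abs(now - msg["t"]) > self.window:
            return "reject: stale timestamp"
        ident = (msg["from"], msg["t"], msg["nonce"])
        if ident in self.seen:
            return "reject: replay"
        self.seen.add(ident)
        attest = tag(self.bb_key, {"from": msg["from"], "t": msg["t"], "body": msg["body"]})
        forwarded = dict(msg, bb_attest=attest)
        return {"msg": forwarded, "tag": tag(self.user_keys[msg["to"]], forwarded)}


def send(sender, key, to, body, nonce, t):
    """Sender builds the message with a timestamp and a fresh nonce and tags it."""
    msg = {"from": sender, "to": to, "t": t, "nonce": nonce, "body": body}
    return {"msg": msg, "tag": tag(key, msg)}


def receive(envelope, key):
    """Recipient checks BB's tag before trusting the message."""
    return hmac.compare_digest(envelope["tag"], tag(key, envelope["msg"]))


def demo(now=1010):
    """Constructed run: one honest relay, then the same envelope replayed
    twice (once within the window, once long after), then a forged tag."""
    ka, kb = b"constructed-key-of-A", b"constructed-key-of-B"
    bb = BigBrother({"A": ka, "B": kb})
    env = send("A", ka, "B", "buy one ton of gold", nonce="n1", t=1000)
    first = bb.relay(env, now)
    return [receive(first, kb) if isinstance(first, dict) else first,
            bb.relay(env, now + 5),
            bb.relay(env, now + 10_000),
            bb.relay(send("A", b"wrong-key", "B", "buy gold", "n2", 1000), now)]
```

The timestamp alone cannot stop a replay inside the acceptance window, which is why BB also remembers the (sender, timestamp, nonce) triples it has relayed; the window bounds how long that memory must be kept.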
Description
Anonymous Logon (S-1-5-7): A user who has connected to the computer without supplying a user name and password.
Authenticated Users (S-1-5-11): Users whose identities have been authenticated. Authenticated Users does not include Guest even if the Guest account has a password.
Batch (S-1-5-3): Includes all users who have logged on through a batch queue facility such as task scheduler jobs.
Creator Owner (S-1-3-0): A placeholder in an inheritable access control entry (ACE). When the ACE is inherited, the system replaces this SID with the SID for the object's current owner.
Creator Group (S-1-3-1): A placeholder in an inheritable ACE. When the ACE is inherited, the system replaces this SID with the SID for the primary group of the object's current owner.
Dialup (S-1-5-1): Includes all users who are logged on to the system through a dial-up connection.
Everyone (S-1-1-0): On computers running Windows XP Professional, Everyone includes Authenticated Users and Guest. On computers running earlier versions of the operating system, Everyone includes Authenticated Users plus Guest.
Interactive (S-1-5-4): Includes users who have logged on through a Remote Desktop connection.
Local System (S-1-5-18): A service account that is used by the operating system.
Network (S-1-5-2): Includes all users who are logged on through a network connection. Access tokens for interactive users do not contain the Network SID.
Self / Principal Self (S-1-5-10): A placeholder in an ACE on a user, group, or computer object in Active Directory. When you grant permissions to Principal Self, you grant them to the security principal represented by the object. During an access check, the operating system replaces the SID for Principal Self with the SID for the security principal represented by the object.
Service (S-1-5-6): A group that includes all security principals that have logged on as a service. Membership is controlled by the operating system.
Terminal Server Users (S-1-5-13): Includes all users who have logged on to a Terminal Services server that is in Terminal Services version 4.0 application compatibility mode.
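A parser for the SID strings in the table above, as an added example that is not code from the report. It validates the textual "S-R-A-..." form, converts to and from the binary layout Windows stores in access control entries (revision byte, subauthority count, 6-byte big-endian identifier authority, then 32-bit little-endian subauthorities), and names the well-known values listed above; the domain SID used in the test is constructed.

```python
# Added example (not from the report): parsing, validating and encoding SIDs,
# with a lookup of the well-known values from the table above.
import struct

WELL_KNOWN = {
    "S-1-1-0": "Everyone", "S-1-3-0": "Creator Owner", "S-1-3-1": "Creator Group",
    "S-1-5-1": "Dialup", "S-1-5-2": "Network", "S-1-5-3": "Batch", "S-1-5-4": "Interactive",
    "S-1-5-6": "Service", "S-1-5-7": "Anonymous Logon", "S-1-5-10": "Principal Self",
    "S-1-5-11": "Authenticated Users", "S-1-5-13": "Terminal Server Users",
    "S-1-5-18": "Local System",
}


def parse_sid(text):
    """Split "S-R-A-s1-s2-..." into (revision, identifier authority, subauthorities)."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError("not a SID string: %r" % text)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if (revision != 1 or authority >= 1 << 48 or len(subs) > 15
            or any(s >= 1 << 32 for s in subs)):
        raise ValueError("SID fields out of range: %r" % text)
    return revision, authority, subs


def is_valid_sid(text):
    """True when the string parses and every field is within the format's limits."""
    try:
        parse_sid(text)
        return True
    except ValueError:
        return False


def sid_to_bytes(text):
    """Binary layout: revision, subauthority count, 6-byte big-endian authority,
    then each subauthority as a 32-bit little-endian integer."""
    revision, authority, subs = parse_sid(text)
    head = bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
    return head + b"".join(struct.pack("<I", s) for s in subs)


def bytes_to_sid(data):
    """Inverse of sid_to_bytes; the count byte must match the data length."""
    revision, count = data[0], data[1]
    if len(data) != 8 + 4 * count:
        raise ValueError("length does not match subauthority count")
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack("<%dI" % count, data[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def describe(text):
    """Name a well-known SID; anything else is a domain- or machine-specific SID."""
    return WELL_KNOWN.get(text, "domain or local SID")
```

`sid_to_bytes("S-1-5-18")` gives the twelve bytes 01 01 00 00 00 00 00 05 12 00 00 00, which is the Local System SID as it appears inside a binary security descriptor.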
5. APPLICATIONS OF NETWORK SECURITY:
5.1 E-MAIL SECURITY
As e-mail has become an integral part of the networking world, it is more susceptible to security attacks. An unencrypted e-mail can be read by unauthorized parties while it traverses the net, or malicious attachments or viruses can be sent through it, which can activate this malicious content on one's desktop. Also, junk mail may clutter the LAN with unwanted messages. Thus, in order to sort out these problems, different security measures are being taken, like Pretty Good Privacy (PGP) (a public-key method used for protecting messages on the Internet), virtual private networking solutions, virus scanning, e-mail filters etc., that help a mail traverse the net securely.
5.2 PASSWORDS
Many hackers are authorized users with limited access trying to get unlimited access. These hackers have a valid user ID and password and are often looking for weaknesses in the system. In most systems, passwords are stored in an encrypted file. They are generally encrypted using the data encryption algorithm. While it is quite easy to encrypt a password, it is quite difficult to decrypt it; yet due to a serious design flaw a hacker may write a program that satisfies the login program. So with the various encryption algorithms like DES or IDEA such security breaches can be prevented and the system can be saved.
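The one-way password file the text describes, as an added example that is not code from the report and not the DES-based scheme it names: it uses a salted, iterated PBKDF2-SHA256 verifier (an assumption chosen because it is in the Python standard library), compares in constant time, and gives the same answer and the same amount of work for an unknown user as for a wrong password so the login program leaks nothing through its responses. The user account is constructed.

```python
# Added example (not from the report): storing and checking password
# verifiers one-way, salted and slow, with a login check that behaves the
# same for unknown users and wrong passwords. The account is constructed.
import base64
import hashlib
import hmac
import os


def make_verifier(password, iterations=100_000):
    """Salted, iterated, one-way verifier: the plaintext is never stored."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations, base64.b64encode(salt).decode(), base64.b64encode(dk).decode())


def check_password(password, verifier):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_b64, dk_b64 = verifier.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported verifier format")
    salt, expected = base64.b64decode(salt_b64), base64.b64decode(dk_b64)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(dk, expected)


USERS = {"alice": make_verifier("correct horse battery staple")}   # constructed account
DUMMY = make_verifier("dummy")   # used so unknown users cost the same time as real ones


def login(username, password, users=USERS):
    """True only for a known user with the right password; the work done and the
    answer given do not reveal whether the user name exists."""
    verifier = users.get(username, DUMMY)
    ok = check_password(password, verifier)
    return ok and username in users
```

Because each verifier carries its own random salt, two users with the same password get different entries and a precomputed table of encrypted passwords is useless; the iteration count is what makes trying candidates through the login program expensive.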
5.3 MODEM CONNECTIONS
Any time a user connects to the network through a modem, additional risks are introduced into the system. Apart from viruses, the major trouble-causing elements are hackers, who can gain easy access to your network. In the past many companies used dial-back techniques to reduce modem risks. Nowadays hardware encryption techniques as well as firewalls are turning out to be good security options for keeping hackers at bay.
5.4 ACCESS CONTROL
Access control is the set of mechanisms and security policies that restrict access to computer resources. One recent advancement in this field is a product called Your Eyes Only, developed by Symantec Corporation, which offers features like Boot Lock, which protects the boot process, Screen Lock, and Smart Lock folders (based on encryption and decryption) that prevent unauthorized access to one's computer.
6. CONCLUSION:
As the Internet market continues to explode there has been a significant rise in the number of network users. The widespread use of networking has enabled people to get linked globally. But at the same time security on the network is of utmost importance, as it is necessary to protect data from unauthorized access, damage, destruction and deliberate modification. Through different security measures of different scope at different levels of the network, like encryption, keying, firewalls and passwords, user data can be protected during transport. Moreover, with the rapid technological innovations coming up in the field of computing, new security measures are coming onto the market, thereby increasing the proliferation of secure and effective networks all around the globe. Thus, with the advent of new innovations in the field of network security, one can hope for secure and reliable networks.