

Network security



With worldwide connections, someone can get into your system in the middle of the night when your building is locked up. The Internet allows the electronic equivalent of an intruder who looks for open windows and doors. Now, a person can check for hundreds of vulnerabilities in just a few hours. A "network" has been defined as "any set of interlinking lines resembling a net, a network of roads, an interconnected system, a network of alliances." This definition suits our purpose well: a computer network is simply a system of interconnected computers. Network security means protecting our computers from any outside attack. With the increasing threat from viruses, various methods have been designed to protect computers from them. This paper discusses the three main technologies in use. A firewall is a hardware/software configuration that sits at the network perimeter, controlling access into and out of your network. Encryption is the coding of data through an algorithm or transform table into apparently unintelligible garbage. Cryptology, meaning hidden writing, is widely used nowadays.


In many real-world applications, sensitive information must be kept in log files on an untrusted machine. In the event that an attacker captures this machine, we should protect the log files so that the attacker gains little or no information from them, and we should limit his ability to corrupt the files.

Security Threats
• Information disclosure/Information leakage

• Integrity violation

• Masquerading

• Denial of service

• Illegitimate use

Security Requirements
• Protection from disclosure to unauthorized persons.

• Maintaining data consistency.

• Assurance of identity of person or originator of data.

• Originator of communications can’t deny it later.

• Legitimate users have access when they need it.

Access control
• Unauthorized users are kept out.

These are often combined
• User authentication used for access control purposes.

• Non-repudiation combined with authentication.


Techniques discussed
Different techniques are in use, of which the two that have come into use recently are cryptology and encryption.

Besides these techniques, firewalls are increasingly used to protect systems from any outside attack.

The dictionary (in my case the Oxford English) defines cryptography as hidden writing. Cryptography is used whenever someone wants to send a secret message to someone else in a situation where anyone might be able to get hold of the message and read it. Generals often used it to send orders to their armies. The most famous encryption machine invented was the Enigma, used in the Second World War to send military messages.

One of the best examples of early cryptography is the Caesar cipher, named after Julius Caesar because he is thought to have used it even if he didn’t actually invent it. It works like this. A piece of paper is taken and the alphabet is written along its top edge. Another piece of paper is taken and the same thing is done. This gives two lines of letters like this:

ABCDEFGHIJKLMNOPQRSTUVWXYZ
ABCDEFGHIJKLMNOPQRSTUVWXYZ

A message like this is taken: SEND MONEY TONIGHT. One of the pieces of paper is moved along to the right by one or more letters so that the two lines no longer line up. That looks like this:

ABCDEFGHIJKLMNOPQRSTUVWXYZ
YZABCDEFGHIJKLMNOPQRSTUVWX


Now every time you see a letter of your message in the top line, write down instead the letter on the bottom line. SEND MONEY TONIGHT becomes QCLB KMLCW RMLGEFR.

A cryptographic transformation (encryption) has been performed on the message. To do it, an algorithm is used (for each letter in your message, move a number of locations on in the alphabet and write that one down instead) together with a key, in this case the value 2 because we moved A two places forwards on the bottom line. The person receiving the message should know the key and the algorithm. As long as they know it’s the Caesar cipher and the key is 2, they can put their lower line two places to the right and, by taking each letter of the message and writing down the letter immediately above it, re-create the original message.

The symmetric cipher

Until we started using computers, these ciphers, with very much better algorithms and much more complex keys, were the order of the day. However, the basic approach to this way of creating secret messages has not really changed. So now you understand the basic method used in any symmetric cipher. Taking our example above, the operation is as follows:

• take your message (plaintext)
• take an algorithm (Caesar)
• take a key (a number between 1 and 25)
• transform the message according to the algorithm using the key

Now you have an encrypted message (ciphertext). The recipient then:

• takes the encrypted message (ciphertext)
• takes the algorithm (Caesar)
• takes the same key (the same number as chosen above)
• transforms the encrypted message according to the algorithm using the key

Now they have the original message back (plaintext). This is called a symmetric cipher because you use the same algorithm and the same key to carry out both encryption and decryption.
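The sliding-strip procedure above can be written out as follows. This is an added example, not code from the original paper; the function names are hypothetical, and the last function goes one step beyond the text to show that a key space of 25 values can be listed in full.

```python
import string

ALPHABET = string.ascii_uppercase  # the top strip of paper


def shifted_strip(key):
    """Bottom strip after sliding it `key` places to the right."""
    key %= 26
    return ALPHABET[-key:] + ALPHABET[:-key] if key else ALPHABET


def encrypt(plaintext, key):
    """Replace each top-strip letter with the letter below it."""
    table = str.maketrans(ALPHABET, shifted_strip(key))
    return plaintext.upper().translate(table)  # spaces pass through


def decrypt(ciphertext, key):
    """Replace each bottom-strip letter with the letter above it."""
    table = str.maketrans(shifted_strip(key), ALPHABET)
    return ciphertext.upper().translate(table)


def all_candidates(ciphertext):
    """Every possible decryption: the key is a number between 1 and 25."""
    return {key: decrypt(ciphertext, key) for key in range(1, 26)}


if __name__ == "__main__":
    ct = encrypt("SEND MONEY TONIGHT", 2)
    print(shifted_strip(2))
    print(ct)
    print(decrypt(ct, 2))
    # Same algorithm, same key on both sides; anyone without the key
    # only has to read through 25 short lines to find the message.
    for key, guess in all_candidates(ct).items():
        print(key, guess)
```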

Encryption means:
1. To put into code or cipher.
2. Computer Science. To scramble access codes to (computerized information) so as to prevent unauthorized access.

Encryption is used to provide confidentiality, and can provide authentication and integrity protection. Different methods used in encrypting data are:
• Letter substitution
• Using a keyword
• One time pad

Letter Substitution

The simplest method used for hiding text from people is 'letter substitution codes'. Here the English alphabet is taken and one letter is substituted for another. In computing, a commonly used letter substitution code is rot13. This takes each letter in the alphabet and substitutes it for the one 13 places forward or backward along the alphabet. Since the alphabet has 26 letters, this arithmetic is modulo 26 and so rot13 is its own inverse.

rot13('aliens') = 'nyvraf'
rot13('nyvraf') = 'aliens'

This is often used on Usenet to hide text. No letter substitution code is adequate for hiding text from people, since they are all easy to crack. At first glance the 26! ≈ 4 × 10^26 possible arrangements seem too many to consider checking each one individually, but we don't have to. It is commonly known that 'E' is the most common letter in English, and we can use patterns like this to 'crack the code'.

Using a keyword

A more complex approach would be to choose a word and somehow combine each letter of this word with successive letters of the message. A trivial example of this that is used in the computing world is to convert the message and the word (or key) into a binary representation and then use XOR (exclusive OR) to combine the two streams of bits. To allow for the fact that the key is (presumably) shorter than the message, we repeat it over and over again to provide enough bits to encode the message. However, there are still at least two ways we can attempt to crack this sort of message.

1. If the message is many times longer than the key, then we can use the same method as for the simple letter substitution code, since if we know that the key has length n then the letters in the message at positions n, 2n, 3n… will all get encrypted with the same letter from the codeword. Since each letter in the coded message is the result of a 1-1 function between the corresponding letter in the plaintext (unencrypted) form of the message and the corresponding letter from the codeword, it is easy to see that this is no better than a letter substitution code.

2. We can use knowledge of what the message is likely to contain to obtain the key. We can then use the key to decrypt the rest of the message. For example, if we were decoding something we suspected to be a letter, it would be reasonable to assume that it contained 'Dear, ' somewhere near the beginning. Since the encoding function for each letter was 1-1, it has an inverse, and we can use this to calculate the key given part of the original message.

One time pad

In the above two methods, the cracking of the message relied on the key being substantially shorter than the message. This leads to a method of encryption called the one time pad. This method of encryption has been proved to be impossible to crack and it is very simple: generate a key longer than the message and combine the two using a 1-1 function. It doesn't matter how simple our function is, since knowing its inverse doesn't help. It's slightly more complex than the previous method. In order to ensure that it is impossible to crack the message, we must guarantee that the key is entirely unpredictable at every stage (i.e. entirely random) and that the encoded message is also statistically indistinguishable from random 'noise'. For large messages it is quite difficult to find anything with enough entropy to create an entirely random key. This isn't the biggest problem with the one time pad. The big problem is that we need to have a secure data channel over which we can send the key. We have to transfer as much data, if not more, over this secure channel (i.e. the key itself) as we do over the insecure channel through which we are sending the message.
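The keyword weakness and the one time pad contrast can be seen side by side in the following added example, which is not code from the original paper. The message, the keyword and all function names are constructed for illustration, and the expected text 'Dear, ' is assumed to sit at the very start of the message.

```python
import secrets
from itertools import cycle

# Constructed sample values, not from the original page.
MESSAGE = b"Dear, Alice. Send money tonight."
KEYWORD = b"KEY"
CRIB = b"Dear, "  # text expected at the start of a letter


def xor_bytes(data, key):
    """XOR each data byte with the key, repeating the key as needed."""
    return bytes(d ^ k for d, k in zip(data, cycle(key)))


def keystream_from_crib(ciphertext, crib):
    """XOR is its own inverse: ciphertext XOR known plaintext = key bytes."""
    return bytes(c ^ p for c, p in zip(ciphertext, crib))


def shortest_period(stream):
    """Smallest n for which the recovered key bytes repeat every n bytes."""
    for n in range(1, len(stream)):
        if all(b == stream[i % n] for i, b in enumerate(stream)):
            return n
    return len(stream)


def recover_with_crib(ciphertext, crib):
    """Derive the repeating key from the crib, then decrypt everything.

    Works only when the crib is at least as long as the key.
    """
    stream = keystream_from_crib(ciphertext, crib)
    key = stream[:shortest_period(stream)]
    return key, xor_bytes(ciphertext, key)


def one_time_pad(message):
    """Random key as long as the message, to be used once."""
    pad = secrets.token_bytes(len(message))
    return pad, xor_bytes(message, pad)


if __name__ == "__main__":
    ct = xor_bytes(MESSAGE, KEYWORD)
    print(recover_with_crib(ct, CRIB))      # keyword and whole message
    pad, otp_ct = one_time_pad(MESSAGE)
    leaked = keystream_from_crib(otp_ct, CRIB)
    print(leaked == pad[:len(CRIB)])        # only the bytes under the crib
```

With the one time pad, the six recovered key bytes are unrelated to the rest of the pad, so the remainder of the message stays hidden.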

Almost by definition, a "firewall" provides a filter that incoming or outgoing packets must pass through. The simplest firewall could just be an Ethernet bridge that you keep powered off, to be made available only when the connection is needed. These filtering firewall products can take many forms. They may be a replacement TCP/IP stack that you load on an existing system, or a software module that exclusively communicates with an existing stack. At the other extreme, the product may be a completely independent operating system written explicitly with Internet security as the objective. There are also application-specific firewall products that only offer protection for certain types of Internet connectivity, such as SMTP or HTTP. There are also hardware-based products that typically fall into the router realm, allowing you to set filters for incoming and outgoing connections. Prices range from free (bundled with the stack or app) to tens of thousands of dollars.

All of these products can rightly be called "firewalls" because essentially they trap inbound or outbound packets, analyze them, and then either send them on their way or toss them out. Any one of these products may or may not suit your needs. Once you've got a handle on the issues, however, you should be able to do your own product elimination, simply by comparing functional specifications.


At the least, almost all firewall products offer IP address filtering. These filters work by examining the header of the IP packet and making pass/fail decisions based on the source and destination IP addresses. For example, consider a simple two-segment network with a firewall separating the segments. One segment has a UNIX host, and the other has a PC client.

When the PC client tries to Telnet to the UNIX host, the Telnet client on the PC generates a TCP packet and hands it to the local stack for delivery. In turn, the stack places the TCP packet inside an IP packet, and then sends it to the UNIX host via the route defined in the PC client's TCP/IP stack. In our case, the PC client is sending the IP packet to the firewall for delivery to the UNIX host. Suppose that we have told the firewall that it is not to accept any packets destined for the UNIX host. Then the firewall would reject the IP packet, perhaps bothering to tell the client or perhaps not. Since no IP traffic for that destination would get forwarded, only users on the same segment would be able to access the UNIX host.


Now suppose instead that the firewall has been configured so that it simply will not accept any packets from that PC in particular. Then other systems could connect to the UNIX host, but that specific PC could not.

This type of filtering is the most basic of all. By setting accept or reject filters per IP address, these types of products can provide very basic protection mechanisms for a simple LAN. If the systems are not allowed to communicate because of source or destination IP address filters, then the packets are simply rejected.

Additional Security Measures

The two methods available are:
1. Bi-directional filters
2. ACK bit set

Bi-directional filters

One potential solution to this problem is to build bi-directional filters into your firewall. You may want to define the filters so that you only allow packets that are from well-known services into your network, and reject any packets that are not from specific applications.

ACK bit set

If you can't trust the source IP addresses, and you can't even trust the source port numbers, then it doesn't seem like you can do much in the way of protecting your network from intruders. However, there is one foolproof mechanism that you can use reliably, although only with TCP. TCP is a "reliable" protocol that supports error correction and other robust capabilities. To achieve this reliability, every TCP connection begins with a handshaking sequence that establishes specific parameters of the connection. Also, every packet that gets sent must be responded to with an acknowledgment before another packet is sent. Rather than generating special-purpose ACK packets for every TCP packet, a special bit in the TCP header is used for just this purpose. Therefore, whenever a response packet is generated, the ACK bit gets set, and a marker is noted to indicate which packet the ACK is for. The very first packet in a negotiation is not acknowledging anything, and so it does not have the ACK bit set. However, every subsequent TCP packet in an exchange must have the ACK bit set for the connection to be maintained.
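The IP address filters from the Telnet scenario and the ACK bit check can be combined in one pass/reject decision, as in the following added example. It is not code from the original paper or from any firewall product; the addresses are constructed from documentation ranges and the function names are hypothetical.

```python
import socket
import struct

ACK = 0x10  # ACK flag bit in the TCP flags byte
SYN = 0x02  # SYN flag bit, set on the first packet of a connection
TCP = 6     # IP protocol number for TCP


def build_packet(src, dst, sport, dport, flags):
    """Constructed sample: 20-byte IPv4 header + 20-byte TCP header."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, TCP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags,
                      8192, 0, 0)
    return ip + tcp


def parse(packet):
    """Pull out the header fields a packet filter bases its decision on."""
    ihl = (packet[0] & 0x0F) * 4  # IP header length in bytes
    proto = packet[9]
    src = socket.inet_ntoa(packet[12:16])
    dst = socket.inet_ntoa(packet[16:20])
    flags = packet[ihl + 13] if proto == TCP else 0
    return src, dst, proto, flags


def decide(packet, inbound, blocked_src=(), blocked_dst=()):
    """Return 'pass' or 'reject' for one packet crossing the firewall."""
    src, dst, proto, flags = parse(packet)
    if src in blocked_src or dst in blocked_dst:
        return "reject"  # IP address filter on source or destination
    if inbound and proto == TCP and not flags & ACK:
        return "reject"  # no ACK bit: an attempt to open a new connection
    return "pass"


# Constructed addresses (documentation ranges), not from the original page.
PC, UNIX_HOST, OTHER = "192.0.2.10", "198.51.100.5", "192.0.2.20"

if __name__ == "__main__":
    telnet_syn = build_packet(PC, UNIX_HOST, 40000, 23, SYN)
    print(decide(telnet_syn, inbound=False, blocked_dst={UNIX_HOST}))
    print(decide(telnet_syn, inbound=False, blocked_src={PC}))
    print(decide(telnet_syn, inbound=True))
    reply = build_packet(UNIX_HOST, PC, 23, 40000, SYN | ACK)
    print(decide(reply, inbound=True))
```

The ACK rule here is stateless: it inspects the bit and nothing else, so it stops inbound connection openings but does not confirm that a packet with ACK set belongs to a conversation the firewall has actually seen.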

Types of Firewalls
There are three basic types of firewalls, and we'll consider each of them.

Application Gateways

The first firewalls were application gateways, which are sometimes known as proxy gateways. These are made up of bastion hosts that run special software to act as a proxy server. This software runs at the Application Layer.

Packet Filtering

Packet filtering is a technique whereby routers have ACLs (Access Control Lists) turned on. By default, a router will pass all traffic sent to it, and will do so without any sort of restrictions. Employing ACLs is a method for enforcing your security policy with regard to what sorts of access you allow the outside world to have to your internal network, and vice versa.

Hybrid Systems

Hybrid systems use both, i.e. the security of the application layer gateways with the flexibility and speed of packet filtering. In some of these systems, new connections must be authenticated and approved at the application layer. Once this has been done, the remainder of the connection is passed down to the session layer, where packet filters watch the connection to ensure that only packets that are part of an ongoing (already authenticated and approved) conversation are being passed.

Security has become a deep-rooted concern. Today, viruses are being developed that spread specifically through the Internet via mail. Another critical security issue is whether the person you are sending a message to is really there. For all you know, someone else might be posing as the recipient of your message and could extract confidential information. The security systems used do not directly prevent fraud, but detect it. An unaltered log should make it difficult for the attacker to cover his tracks, so that the victim can recognize that his machine has been under attack and can take the necessary action to retrieve the information. The key to building a secure network is to define what security means to your organization. Once that has been defined, everything that goes on with the network can be evaluated with respect to that policy. Projects and systems can then be broken down into their components, and it becomes much simpler to decide whether what is proposed will conflict with your security policies and practices.



