0% found this document useful (0 votes)
26 views

Chapter 9

This document provides an overview of computer network management and security. It discusses network management frameworks, the SNMP protocol, data encryption standards, and cryptographic principles including symmetric and public key encryption. It also briefly covers network management functions such as configuration management, fault management, performance management, security management, and accounting management.

Uploaded by

shashankniec
Copyright
© Attribution Non-Commercial (BY-NC)
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
26 views

Chapter 9

This document provides an overview of computer network management and security. It discusses network management frameworks, the SNMP protocol, data encryption standards, and cryptographic principles including symmetric and public key encryption. It also briefly covers network management functions such as configuration management, fault management, performance management, security management, and accounting management.

Uploaded by

shashankniec
Copyright
© Attribution Non-Commercial (BY-NC)
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 14

Computer Network : Lecture Notes Nepal Engineering College Compiled by: Junior Professor: Daya Ram Bud at oki

Nepal Engineering college! C angunarayan C apter":Network #anagement and $ecurity: Introduction to Network management, Internet Network Management framework (SMI & HIB) & SNMP protocol; ata encr!ption, ata "ncr!ption #tandard; Principle# of $r!ptograp%! (S!mmetric &e! & pu'lic ke! "ncr!ption)( Integrit! & Principle# of cr!ptograp%! (S!mmetric &e! & pu'lic ke! "ncr!ption) Integrit! & firewall#(

Introduction to Network Management:


Network management i# defined a# monitoring, te#ting, configuring, and trou'le#%ooting network component# to meet a #et of re)uirement# defined '! an organi*ation( +%e#e re)uirement# include t%e #moot%, efficient operation of t%e network t%at pro,ide# t%e predefined )ualit! of #er,ice for u#er#( +o accompli#% t%i# ta#k, a network management #!#tem u#e# %ardware, #oftware, and %uman#( %unctions of Network #anagement $ystem: -( $onfiguration Management .( /ault Management 0( Performance Management 1( Securit! management 2( 3ccounting management Configuration #anagement 3 large network i# u#uall! made up of %undred# of entitie# t%at are p%!#icall! or logicall! connected to one anot%er( +%e#e entitie# %a,e an initial configuration w%en t%e network i# #et up, 'ut can c%ange wit% time( e#ktop computer# ma! 'e replaced '! ot%er#; application #oftware ma! 'e updated to a newer ,er#ion; and u#er# ma! mo,e from one group to anot%er( +%e configuration management #!#tem mu#t know, at an! time, t%e #tatu# of eac% entit! and it# relation to ot%er entitie# ( $onfiguration management can 'e #u'di,ided into two part# reconfiguration and ocumentation( %ault #anagement: /all# on two categorie#( Reacti&e %ault #anagement 3 reacti,e fault management #!#tem i# re#pon#i'le for detecting, i#olating, correcting, and recording fault#( It %andle# #%ort4term #olution# to fault#( Proacti&e %ault #anagement Proacti,e fault management trie# to pre,ent fault# from occurring( 3lt%oug% t%i# i# not alwa!# po##i'le, #ome t!pe# of failure# can 'e predicted and pre,ented(

Page5-

Performance management: It i# i# clo#el! related to fault management and trie# to monitor and control t%e network to en#ure t%at it i# running a# efficientl! a# po##i'le( $ecurity #anagement Securit! management i# re#pon#i'le for controlling acce## to t%e network 'a#ed on t%e predefined polic!( 'ccounting #anagement 3ccounting management i# t%e control of u#er#6 acce## to network re#ource# t%roug% c%arge#( $%arging doe# not nece##aril! mean ca#% tran#fer; it ma! mean de'iting t%e department# or di,i#ion# for 'udgeting purpo#e#( +oda!, organi*ation# u#e an accounting management #!#tem for t%e following rea#on#5 It pre,ent# u#er# from monopoli*ing limited network re#ource#( It pre,ent# u#er# from u#ing t%e #!#tem inefficientl!( Network manager# can do #%ort4 and long4term planning 'a#ed on t%e demand for network u#e(

SNMP
$imple Network #anagement Protocol ($N#P) i# an 7Internet4#tandard protocol for managing de,ice# on IP network#( e,ice# t%at t!picall! #upport SNMP include router#, #witc%e#, #er,er#, work#tation#, printer#, modem rack#, and more( It i# u#ed mo#tl! in network management #!#tem# to monitor network4attac%ed de,ice# for condition# t%at warrant admini#trati,e attention( The Simple Network Management Protocol (SNMP) is a framework for managing devices in an Internet using the TCPIIP protocol suite. It provides a set of fundamental operations for monitoring and maintaining an Internet. Concept SNMP u#e# t%e concept of manager and agent( +%at i#, a manager, u#uall! a %o#t, control# and monitor# a #et of agent#, u#uall! router# ( SNMP i# an application4le,el protocol in w%ic% a few manager #tation# control a #et of agent#( +%e protocol i# de#igned at t%e application le,el #o t%at it can monitor de,ice# made '! different manufacturer# and in#talled on different p%!#ical network#( #anagers and 'gents 3 management #tation, called a manager, i# a %o#t t%at run# t%e SNMP client program( 3 managed #tation, called an agent, i# a router (or a %o#t) t%at run# t%e SNMP #er,er program( Management i# ac%ie,ed t%roug% #imple interaction 'etween a manager and an agent( +%e agent keep# performance information in a data'a#e( +%e manager %a# acce## to t%e ,alue# in t%e data'a#e( /or e8ample, a router can #tore in appropriate ,aria'le# t%e num'er of packet# recei,ed and forwarded( +%e manager can fetc% and compare t%e ,alue# of t%e#e two ,aria'le# to #ee if t%e router i# conge#ted or not( 'n $N#P*managed network consists of t ree key components: Managed de,ice 3gent 9 #oftware w%ic% run# on managed de,ice# Network management #!#tem (NMS) 9 #oftware w%ic% run# on t%e manager
Page5.

3 managed device i# a network node t%at implement# an SNMP interface t%at allow# unidirectional (read4onl!) or 'idirectional acce## to node4#pecific information( Managed de,ice# e8c%ange node4 #pecific information wit% t%e NMS#( Sometime# called network element#, t%e managed de,ice# can 'e an! t!pe of de,ice, including, 'ut not limited to, router#, acce## #er,er#, #witc%e#, 'ridge#, %u'#, IP telep%one#, IP ,ideo camera#, computer %o#t#, and printer#( 3n agent i# a network4management #oftware module t%at re#ide# on a managed de,ice( 3n agent %a# local knowledge of management information and tran#late# t%at information to or from an SNMP #pecific form( 3 network management system (N#$) e8ecute# application# t%at monitor and control managed de,ice#( NMS# pro,ide t%e 'ulk of t%e proce##ing and memor! re#ource# re)uired for network management( :ne or more NMS# ma! e8i#t on an! managed network( #anagement wit $N#P is based on t ree basic ideas: -( 3 manager c%eck# an agent '! re)ue#ting information t%at reflect# t%e 'e%a,ior of t%e agent( .( 3 manager force# an agent to perform a ta#k '! re#etting ,alue# in t%e agent data'a#e( 0( 3n agent contri'ute# to t%e management proce## '! warning t%e manager of an unu#ual #ituation( SNMP operate# in t%e 3pplication ;a!er of t%e Internet Protocol Suite (;a!er < of t%e :SI model)( +%e SNMP agent recei,e# re)ue#t# on = P port ->-( +%e manager ma! #end re)ue#t# from an! a,aila'le #ource port to port ->- in t%e agent( +%e agent re#pon#e will 'e #ent 'ack to t%e #ource port on t%e manager( +%e manager recei,e# notification# (+rap# and Inform?e)ue#t#) on port ->.( +%e agent ma! generate notification# from an! a,aila'le port( +o do management ta#k#, SNMP u#e# two ot%er protocol#5 -( Structure of Management Information (SMI) .( Management Information Ba#e (MIB)( Role of $N#P SNMP %a# #ome ,er! #pecific role# in network management( It define# t%e format of t%e packet to 'e #ent from a manager to an agent and ,ice ,er#a( It al#o interpret# t%e re#ult and create# #tati#tic# (often wit% t%e %elp of ot%er management #oftware)( +%e packet# e8c%anged contain t%e o'@ect (,aria'le) name# and t%eir #tatu# (,alue#)( SNMP i# re#pon#i'le for reading and c%anging t%e#e ,alue#( Roles of $#+ SMI define# t%e general rule# for naming o'@ect#, defining o'@ect t!pe# (including range and lengt%), and #%owing %ow to encode o'@ect# and ,alue#( SM- doe# not define t%e num'er of o'@ect# an entit! #%ould manage or name t%e o'@ect# to 'e managed or define t%e a##ociation 'etween t%e o'@ect# and t%eir ,alue#( +%e Structure of Management Information, ,er#ion . (SMI,.) i# a component for network management( It# function# are -( +o name o'@ect# .( +o define t%e t!pe of data t%at can 'e #tored in an o'@ect 0( +o #%ow %ow to encode data for tran#mi##ion o,er t%e network
Page50

SMI i# a guideline for SNMP( It emp%a#i*e# t%ree attri'ute# to %andle an o'@ect5 name, data t!pe, and encoding met%od ( Roles of #+B /or eac% entit! to 'e managed, t%i# protocol mu#t define t%e num'er of o'@ect#, name t%em according to t%e rule# defined '! SMI, and a##ociate a t!pe to eac% named o'@ect ( MI creates a collection of named o!"ects# their t$pes# and their relationships to each other in an entit$ to !e managed. "ac% agent %a# it# own MIB., w%ic% i# a collection of all t%e o'@ect# t%at t%e manager can manage( +%e o'@ect# in MIB. are categori*ed under -A different group#5 #!#tem, interface, addre## tran#lation, ip, icmp, tcp, udp, egp, tran#mi##ion, and #nmp( 'nalogy: Be can compare t%e ta#k of network management to t%e ta#k of writing a program( Bot% ta#k# need rule#( In network management t%i# i# %andled '! SMI( Bot% ta#k# need ,aria'le declaration#( In network management t%i# i# %andled '! MIB( Bot% ta#k# %a,e action# performed '! #tatement#( In network management t%i# i# %andled '! SNMP( Network #anagement 'rc itectures Network management #!#tem contain# two primar! element#5 a manager and agent#( +%e Manager i# t%e con#ole t%roug% w%ic% t%e network admini#trator perform# network management function#( 3gent# are t%e entitie# t%at interface to t%e actual de,ice 'eing managed( Bridge#, Hu'#, ?outer# or network #er,er# are e8ample# of managed de,ice# t%at contain managed o'@ect#( +%e#e managed o'@ect# mig%t 'e %ardware, configuration parameter#, performance #tati#tic#, and #o on, t%at directl! relate to t%e current operation of t%e de,ice in )ue#tion( +%e#e o'@ect# are arranged in w%at i# known a# a ,irtual information data'a#e , called a management information 'a#e, al#o called MIB( SNMP allow# manager# and agent# to communicate for t%e purpo#e of acce##ing t%e#e o'@ect#(

Page51

' typical agent usually: Implement# full SNMP protocol( Store# and retrie,e# management data a# defined '! t%e Management Information Ba#e $an a#!nc%ronou#l! #ignal an e,ent to t%e manager $an 'e a pro8! (+%e pro8! agent t%en tran#late# t%e protocol interaction# it recei,e# from t%e management #tation) for #ome non4SNMP managea'le network node( ' typical manager usually: Implemented a# a Network Management Station (t%e NMS) Implement# full SNMP Protocol 3'le to o Cuer! agent# o Det re#pon#e# from agent# o Set ,aria'le# in agent#

Page52

Computer security requirements and Attacks:


$omputer and network #ecurit! addre## four re)uirement#5 -( confidentialit!5 ?e)uire# t%at data onl! 'e acce##i'le '! aut%ori*ed partie#( +%i# t!pe# of acce## include# printing, di#pla!ing and ot%er form# of di#clo#ure of t%e data( .( Integrit!5 ?e)uire# t%at data can 'e modified onl! '! aut%ori*ed u#er#( Modification include# writing, c%anging, c%anging #tatu#, deleting and creating( 0( 3,aila'ilit!5 ?e)uire# t%at data are a,aila'le to aut%ori*ed partie#( 1( 3ut%enticit!5 ?e)uire# t%at %o#t or #er,ice 'e a'le to ,erif! t%e identit! of a u#er( ,ypes of Network 'ttacks +%ere are four primar! cla##e# of attack#( -( Reconnaissance : ?econnai##ance i# t%e unaut%ori*ed di#co,er! and mapping of #!#tem#, #er,ice#, or ,ulnera'ilitie#( It i# al#o known a# information gat%ering and, in mo#t ca#e#, it precede# anot%er t!pe of attack( ?econnai##ance i# #imilar to a t%ief ca#ing a neig%'or%ood for ,ulnera'le %ome# to 'reak into, #uc% a# an unoccupied re#idence, ea#!4to4open door#, or open window#( .( 'ccess : S!#tem acce## i# t%e a'ilit! for an intruder to gain acce## to a de,ice for w%ic% t%e intruder doe# not %a,e an account or a pa##word( "ntering or acce##ing #!#tem# u#uall! in,ol,e# running a %ack, #cript, or tool t%at e8ploit# a known ,ulnera'ilit! of t%e #!#tem or application 'eing attacked( 0( Denial of $er&ice : enial of #er,ice ( oS) i# w%en an attacker di#a'le# or corrupt# network#, #!#tem#, or #er,ice# wit% t%e intent to den! #er,ice# to intended u#er#( oS attack# in,ol,e eit%er cra#%ing t%e #!#tem or #lowing it down to t%e point t%at it i# unu#a'le( But oS can al#o 'e a# #imple a# deleting or corrupting information( In mo#t ca#e#, performing t%e attack in,ol,e# #impl! running a %ack or #cript( /or t%e#e rea#on#, oS attack# are t%e mo#t feared( 1( -orms! .iruses! and ,ro/an 0orses : Maliciou# #oftware can 'e in#erted onto a %o# to damage or corrupt a #!#tem, replicate it#elf, or den! acce## to network#, #!#tem#, or #er,ice#( $ommon name# for t%i# t!pe of #oftware are worm#, ,iru#e#, and +ro@an %or#e#(

Page5>

Data Encryption/Decryption, Cryptography, Integrity & Firewalls:

Cryptography
$r!ptograp%! i# deri,ed from t%e Dreek word#5 kr!ptE#, 7%idden7, and grFp%ein, 7to write7 4 or 7%idden writing7( $r!ptograp%! i# t%e #cience of u#ing mat%ematic# to encr!pt and decr!pt data( $r!ptograp%! ena'le# !ou to #tore #en#iti,e information or tran#mit it acro## in#ecure network# (like t%e Internet) #o t%at it cannot 'e read '! an!one e8cept t%e intended recipient( B%ile cr!ptograp%! i# t%e #cience of #ecuring data, cr!ptanal!#i# i# t%e #cience of anal!*ing and 'reaking #ecure communication( $la##ical cr!ptanal!#i# in,ol,e# an intere#ting com'ination of anal!tical rea#oning, application of mat%ematical tool#, pattern finding, patience, determination, and luck( $r!ptanal!#t# are al#o called attacker#( $r!ptolog! em'race# 'ot% cr!ptograp%! and cr!ptanal!#i#(

Encryption and Decryption

/ig5"ncr!ption and ecr!ption Plain*te1t and Cip er*te1t +%e original me##age, 'efore 'eing tran#formed, i# called plainte8t( 3fter t%e me##age i# tran#formed, it i# called cip%er4te8t( 3n encr!ption algorit%m tran#form# t%e plain te8t into cip%erte8t; a decr!ption algorit%m tran#form# t%e cip%er4te8t 'ack into plain4 te8t( +%e #ender u#e# an encr!ption algorit%m, and t%e recei,er u#e# a decr!ption algorit%m( Cip er Be refer to encr!ption and decr!ption algorit%m# a# cip%er#( +%e term cip%er i# al#o u#ed to refer to different categorie# of algorit%m# in cr!ptograp%!( +%i# i# not to #a! t%at e,er! #ender4recei,er pair need# t%eir ,er! own uni)ue cip%er for a #ecure communication( :n t%e contrar!, one cip%er can #er,e million# of communicating pair#( 2ey 3 ke! i# a num'er (or a #et of num'er#) t%at t%e cip%er, a# an algorit%m, operate# on( +o encr!pt a me##age, we need an encr!ption algorit%m, an encr!ption ke!, and t%e plain4te8t( +%e#e create t%e cip%er4te8t( +o decr!pt a me##age, we need a decr!ption algorit%m, a decr!ption ke!, and t%e cip%er4 te8t( +%e#e re,eal t%e original plain4te8t(
Page5<

'lice! Bob! and E&e In cr!ptograp%!, it i# cu#tomar! to u#e t%ree c%aracter# in an information e8c%ange #cenario; we u#e 3lice, Bo', and ",e( 3lice i# t%e per#on w%o need# to #end #ecure data( Bo' i# t%e recipient of t%e data( ",e i# t%e per#on w%o #ome%ow di#tur'# t%e communication 'etween 3lice and Bo' '! intercepting me##age# to unco,er t%e data or '! #ending %er own di#gui#ed me##age#( +%e#e t%ree name# repre#ent computer# or proce##e# t%at actuall! #end or recei,e data, or intercept or c%ange data(

$r!ptograp%!

S!mmetric &e! Secret &e! /ig5$ategorie# of $r!ptograp%!

3#!mmetric &e! Pu'lic &e!

Symmetric-key
In con,entional cr!ptograp%!, al#o called #ecret4ke! or #!mmetric4ke! encr!ption, one ke! i# u#ed 'ot% for encr!ption and decr!ption( +%e ata "ncr!ption Standard ( "S) i# an e8ample of a con,entional cr!pto#!#tem t%at i# widel! emplo!ed '! t%e /ederal Do,ernment( /igure 'elow #%ow# an illu#tration of t%e con,entional encr!ption proce##( $ ared $ecret 2ey

Page5G

$on,entional encr!ption %a# 'enefit#( It i# ,er! fa#t( It i# e#peciall! u#eful for encr!pting data t%at i# not going an!w%ere( Howe,er, con,entional encr!ption alone a# a mean# for tran#mitting #ecure data can 'e )uite e8pen#i,e #impl! due to t%e difficult! of #ecure ke! di#tri'ution( /or a #ender and recipient to communicate #ecurel! u#ing con,entional encr!ption, t%e! mu#t agree upon a ke! and keep it #ecret 'etween t%em#el,e#( If t%e! are in different p%!#ical location#, t%e! mu#t tru#t a courier, t%e Bat P%one, or #ome ot%er #ecure communication medium to pre,ent t%e di#clo#ure of t%e #ecret ke! during tran#mi##ion( 3n!one w%o o,er%ear# or intercept# t%e ke! in tran#it can later read, modif!, and forge all information encr!pted or aut%enticated wit% t%at ke!(

Asymmetric- ey Cryptography
Pu'lic ke! cr!ptograp%! i# an a#!mmetric #c%eme t%at u#e# a pair of ke!# for encr!ption5 a pu'lic ke!, w%ic% encr!pt# data, and a corre#ponding pri,ate, or #ecret ke! for decr!ption( Hou pu'li#% !our pu'lic ke! to t%e world w%ile keeping !our pri,ate ke! #ecret( 3n!one wit% a cop! of !our pu'lic ke! can t%en encr!pt information t%at onl! !ou can read ( It i# computationall! infea#i'le to deduce t%e pri,ate ke! from t%e pu'lic ke!( 3n!one w%o %a# a pu'lic ke! can encr!pt information 'ut cannot decr!pt it( :nl! t%e per#on w%o %a# t%e corre#ponding pri,ate ke! can decr!pt t%e information(

, e Essential steps in 'symmetric*key cryptograp y are t e following: -( "ac% u#er generate# a pair of ke!# to 'e u#ed for t%e encr!ption and decr!ption of me##age#( .( "ac% u#er place# one of t%e ke!# in a pu'lic regi#ter or ot%er acce##i'le file( +%i# i# t%e pu'lic ke!( +%e companion ke! i# kept pri,ate( "ac% u#er maintain# a collection of pu'lic ke!# o'tained from ot%er#( 0( If Bo' wi#%e# to #end a pri,ate me##age to 3lice, Bo' encr!pt# t%e me##age u#ing 3lice6# pu'lic ke!( 1( B%en 3lice recei,e# t%e me##age, #%e decr!pt# it u#ing %er pri,ate ke!( No ot%er recipient can decr!pt t%e me##age 'ecau#e onl! 3lice know# t%e 3lice6# pri,ate ke!(

Page5I

%ith this approach# all the participants have access to pu!lic ke$s# and private ke$s are generated locall$ !$ each participant and therefore need never !e distri!uted. &s long as a user protects his and her private ke$# incoming communication is secure. &t an$ time# a user change the private ke$ and pu!lish the companion pu!lic ke$ replace the old pu!lic ke$. Comparison ;et u# compare #!mmetric4ke! and a#!mmetric4ke! cr!ptograp%!( "ncr!ption can 'e t%oug%t of a# electronic locking; decr!ption a# electronic unlocking( +%e #ender put# t%e me##age in a 'o8 and lock# t%e 'o8 '! u#ing a ke!; t%e recei,er unlock# t%e 'o8 wit% a ke! and take# out t%e me##age( +%e difference lie# in t%e mec%ani#m of t%e locking and unlocking and t%e t!pe of ke!# u#ed( In #!mmetric4 ke! cr!ptograp%!, t%e #ame ke! lock# and unlock# t%e 'o8( In a#!mmetric4ke! cr!ptograp%!, one ke! lock# t%e 'o8, 'ut anot%er ke! i# needed to unlock it( ,raditional Cip er used in $ymmetric*key Cryptograp y: +wo t!pe#5 -( Su'#titution cip%er .( +ran#po#ition cip%er $ubstitution cip er: 3 #u'#titution cip%er #u'#titute# one #!m'ol wit% anot%er( If t%e #!m'ol# in t%e plain4 te8t are alp%a'etic c%aracter#, we replace one c%aracter wit% anot%er( /or e8ample, we can replace c%aracter 3 wit% , and c%aracter + wit% J( If t%e #!m'ol# are digit# (A to I), we can replace 0 wit% <, and . wit% >( It i# al#o known and $ea#er6# $ip%er w%o in,ented it( /or e8ample, if we encode t%e word KS"$?"+L u#ing $ae#arM# ke! ,alue of 0, we off#et t%e alp%a'et #o t%at t%e 0rd letter down ( ) 'egin# t%e alp%a'et( So #tarting wit% 3B$ "/DHIN&;MN:PC?S+=OBPHJ and #liding e,er!t%ing up '! 0, !ou get "/DHIN&;MN:PC?S+=OBPHJ3B$ w%ere Q3, "QB, /Q$, and #o on( =#ing t%i# #c%eme, t%e plainte8t, KS"$?"+L encr!pt# a# KOH/=HB(L +o allow #omeone el#e to read t%e cip%erte8t, !ou tell t%em t%at t%e ke! i# 0( ,ransposition Cip ers In a tran#po#ition cip%er, t%ere i# no #u'#titution of c%aracter#; in#tead, t%eir location# c%ange( 3 c%aracter in t%e fir#t po#ition of t%e plainte8t ma! appear in t%e tent% po#ition of t%e cip%erte8t( 3 c%aracter in t%e eig%t% po#ition ma! appear in t%e fir#t po#ition( In ot%er word#, a tran#po#ition cip%er reorder# t%e #!m'ol# in a 'lock of #!m'ol#( 2ey In a tran#po#ition cip%er, t%e ke! i# a mapping 'etween t%e po#ition of t%e #!m'ol# in t%e plainte8t and cip%er te8t( /or e8ample, t%e following #%ow# t%e ke! u#ing a 'lock of four c%aracter#5 Plainte8t5 .1-0 $ip%erte8t5 - . 0 1 In encr!ption, we mo,e t%e c%aracter at po#ition . to po#ition -, t%e c%aracter at po#ition 1 to po#ition ., and #o on( In decr!ption, we do t%e re,er#e(
Page5-A

Encryption algorit m: +%e mo#t commonl! u#ed #!mmetric encr!ption are 'lock cip%er#( 3 'lock cip%er proce##e# t%e plain te8t input in fi8ed #i*e 'lock# and produce# a 'lock of cip%er te8t of e)ual #i*e for eac% palinte8t 'lock( +%e two mo#t important #!mmetric algorit%m#, 'ot% of w%ic% are 'lock cip%er#, are ata "ncr!ption Standard ( "S) 3d,anced "ncr!ption Standard (3"S) 'symmetric 2ey Cryptograp y: Some e8ample# of pu'lic4ke! cr!pto#!#tem# are 5 "lgamal (named for it# in,entor, +a%er "lgamal), ?S3 (named for it# in,entor#, ?on ?i,e#t, 3di S%amir, and ;eonard 3dleman), iffie4Hellman (named for it# in,entor#), S3 ,t%e igital Signature 3lgorit%m (in,ented '! a,id &ra,it*)(

Digita! signatures
3 ma@or 'enefit of pu'lic ke! cr!ptograp%! i# t%at it pro,ide# a met%od for emplo!ing digital #ignature#( igital #ignature# ena'le t%e recipient of information to ,erif! t%e aut%enticit! of t%e informationM# origin, and al#o ,erif! t%at t%e information i# intact( +%u#, pu'lic ke! digital #ignature# pro,ide aut%entication and data integrit!( 3 digital #ignature al#o pro,ide# non4repudiation, w%ic% mean# t%at it pre,ent# t%e #ender from claiming t%at %e or #%e did not actuall! #end t%e information( +%e#e feature# are e,er! 'it a# fundamental to cr!ptograp%! a# pri,ac!, if not more( 3 digital #ignature #er,e# t%e #ame purpo#e a# a %andwritten #ignature( Howe,er, a %andwritten #ignature i# ea#! to counterfeit( 3 digital #ignature i# #uperior to a %andwritten #ignature in t%at it i# nearl! impo##i'le to counterfeit, plu# it atte#t# to t%e content# of t%e information a# well a# to t%e identit! of t%e #igner( Some people tend to u#e #ignature# more t%an t%e! u#e encr!ption( /or e8ample, !ou ma! not care if an!one know# t%at !ou @u#t depo#ited R-AAA in !our account, 'ut !ou do want to 'e darn #ure it wa# t%e 'ank teller !ou were dealing wit%( +%e 'a#ic manner in w%ic% digital #ignature# are created i# illu#trated in /igure ( In#tead of encr!pting information u#ing #omeone el#eM# pu'lic ke!, !ou encr!pt it wit% !our pri,ate ke!( If t%e information can 'e decr!pted wit% !our pu'lic ke!, t%en it mu#t %a,e originated wit% !ou(

Page5--

/ig5Simple igital Signature 0'$0 %unction: Ha#% (al#o called a me##age dige#t)54 3 one4wa! %a#% function take# ,aria'le4lengt% input 9 in t%i# ca#e, a me##age of an! lengt%, e,en t%ou#and# or million# of 'it# 9 and produce# a fi8ed4lengt% output; #a!, ->A4'it#( PDP u#e# a cr!ptograp%icall! #trong %a#% function on t%e plainte8t t%e u#er i# #igning( +%i# generate# a fi8ed4lengt% data item known a# a me##age dige#t( 3 %a#% function generate# a fi8ed4lengt% output ,alue 'a#ed on an ar'itrar!4lengt% input file, #a! ->A 'it#( +o ,alidate t%e integrit! of a file, a recipient would calculate t%e %a#% ,alue of t%at file and compare it to t%e %a#% ,alue #ent '! t%e #ender( +%u#, t%e recipient can 'e a##ured t%at t%e #ender %ad t%e file at t%e time %e or #%e created t%e %a#% ,alue( "8ample# of %a#% algorit%m# are M 2, SH34- and ?IP"4M 4->A( Ha#%e# are u#ed in #er,ing aut%entication and integrit! goal# of cr!ptograp%!( 3 cr!ptograp%ic %a#% can 'e de#cri'ed a# f(me##age) Q %a#%( 3 hash function ' i# a tran#formation t%at take# an input m and return# a fi8ed4#i*e #tring, w%ic% i# called t%e %a#% ,alue h (t%at i#, h Q '(m))(

"irewa!!
3n! #!#tem or de,ice t%at allow# #afe network traffic to pa## w%ile re#tricting or den!ing un#afe traffic( /irewall# are u#uall! dedicated mac%ine# running at t%e gatewa! point 'etween !our local network and t%e out#ide world, and are u#ed to control w%o %a# acce## to !our pri,ate corporate network from t%e out#ide9for e8ample, o,er t%e Internet( More generall!, a firewall i# an! #!#tem t%at control# communication 'etween two network#( In toda!M# networking en,ironment in w%ic% corporate network# are connected to t%e Internet9in,iting %acker# to attempt unaut%ori*ed acce## to ,alua'le 'u#ine## information9a corporate firewall i# e##ential(

Page5-.

,ypes of %irewall Network Le&el %irewall: +%e #imple firewall i# #ometime# called a network4le,el firewall 'ecau#e it operate# at t%e lower le,el# of t%e :pen S!#tem# Interconnection (:SI) reference model for networking( Network4le,el firewall# are tran#parent to u#er# and u#e routing tec%nolog! to determine w%ic% packet# are allowed to pa## and w%ic% will 'e denied acce## to t%e pri,ate network( Network4le,el firewall# implemented #olel! on #tand4alone router# are called packet4filtering router# or #creening router#( In it# #imple#t form, a firewall i# e##entiall! a kind of router or computer wit% two network interface card# t%at filter# incoming network packet#( +%i# de,ice i# often called a packet4filtering router( B! comparing t%e #ource addre##e# of t%e#e packet# wit% an acce## li#t #pecif!ing t%e firewallM# #ecurit! polic!, t%e router determine# w%et%er to forward t%e packet# to t%eir intended de#tination# or #top t%em( +%e firewall can #impl! e8amine t%e IP addre## or domain name from w%ic% t%e packet wa# #ent and determine w%et%er to allow or den! t%e traffic( Howe,er, packet4filtering router# cannot 'e u#ed to grant or den! acce## to network# on t%e 'a#i# of a u#erM# credential#(

Packet4filtering router# can al#o 'e configured to 'lock certain kind# of traffic w%ile permitting ot%er#( =#uall! t%i# i# done '! di#a'ling or ena'ling different +$PSIP port# on t%e firewall #!#tem( /or e8ample, port .2 i# u#uall! left open to permit Simple Mail +ran#fer Protocol (SM+P) mail to tra,el 'etween t%e pri,ate corporate network and t%e Internet, w%ile ot%er port# (#uc% a# port .0 for +elnet) mig%t 'e di#a'led to pre,ent Internet u#er# from acce##ing ot%er #er,ice# on corporate network #er,er#( +%e difficult! wit% t%i# approac% i# t%at t%e #i*e of t%e acce## li#t for t%e firewall can 'ecome %uge if a large num'er of domain# or port# are 'locked and a large num'er of e8ception# are configured( Some port# are randoml! a##igned to certain #er,ice# (#uc% a# remote procedure call #er,ice#) on #tartup; it i# more difficult to configure firewall# to control acce## to t%e#e port#(

Circuit*le&el %irewall: 3not%er t!pe of firewall i# a circuit4le,el gatewa!, w%ic% i# u#uall! a component of a pro8! #er,er( $ircuit4le,el gatewa!# e##entiall! operate at a %ig%er le,el of t%e :SI model protocol #tack t%an network4le,el firewall# do( Bit% a circuit4le,el firewall, connection# wit% t%e pri,ate network are %idden from t%e remote u#er( +%e remote u#er connect# wit% t%e firewall, and t%e firewall form# a #eparate connection wit% t%e network re#ource 'eing acce##ed after c%anging t%e IP addre## of t%e
Page5-0

packet# 'eing tran#mitted in eit%er direction t%roug% t%e firewall( +%e re#ult i# a #ort of ,irtual circuit 'etween t%e remote u#er and t%e network re#ource( +%i# i# a #afer configuration t%an a packet4filtering router 'ecau#e t%e e8ternal u#er ne,er #ee# t%e IP addre## of t%e internal network in t%e packet# %e or #%e recei,e#, onl! t%e IP addre## of t%e firewall( 3 popular protocol for circuit4le,el gatewa!# i# t%e S:$&S ,2 protocol(

'pplication Le&el %irewall: 3not%er more ad,anced t!pe of firewall i# t%e application4le,el firewall (or application gatewa!), w%ic% i# al#o u#uall! a component of a pro8! #er,er( 3pplication gatewa!# do not allow an! packet# to pa## directl! 'etween t%e two network# t%e! connect( In#tead, pro8! application# running on t%e firewall computer forward re)ue#t# to #er,ice# on t%e pri,ate network, and t%en forward re#pon#e# to t%e originator# on t%e un#ecured pu'lic network( 3pplication gatewa!# generall! aut%enticate t%e credential# of a u#er 'efore allowing acce## to t%e network, and t%e! u#e auditing and logging mec%ani#m# a# part of t%eir #ecurit! polic!( 3pplication gatewa!# generall! re)uire #ome configuration on t%e part of u#er# to ena'le t%eir client mac%ine# to function properl!, 'ut t%e! are more atomic in t%eir configura'ilit! t%an network4le,el firewall#( /or e8ample, if a /ile +ran#fer Protocol (/+P) pro8! i# configured on an application gatewa!, it can 'e configured to allow #ome /+P command# 'ut den! ot%er#( Hou could al#o configure an SM+P pro8! on an application gatewa! t%at would accept mail from t%e out#ide (wit%out re,ealing internal e4mail addre##e#), and t%en forward t%e mail to t%e internal mail #er,er( Howe,er, 'ecau#e of t%e additional proce##ing o,er%ead, application gatewa!# %a,e greater %ardware re)uirement# and are generall! #lower t%an network4le,el firewall#(

Page5-1

You might also like