Uploaded by akash_92

10. Implementing Network Security

A password is a secret word or string of characters that is used for authentication, to prove
identity or gain access to a resource (example: an access code is a type of password). The
password should be kept secret from those not allowed access.

The use of passwords is known to be ancient. Sentries would challenge those wishing to
enter an area or approaching it to supply a password or watchword. Sentries would only
allow a person or group to pass if they knew the password. In modern times, user names
and passwords are commonly used by people during a login process that controls access to
protected computer operating systems, mobile phones, cable TV decoders, automated teller
machines (ATMs), etc. A typical computer user may require passwords for many purposes:
logging in to computer accounts, retrieving e-mail from servers, accessing programs,
databases, networks, web sites, and even reading the morning newspaper online.

Despite the name, there is no need for passwords to be actual words; indeed passwords
which are not actual words may be harder to guess, a desirable property. Some passwords
are formed from multiple words and may more accurately be called a passphrase. The term
passcode is sometimes used when the secret information is purely numeric, such as the
personal identification number (PIN) commonly used for ATM access. Passwords are
generally short enough to be easily memorized and typed.

For authenticating the identity of one computing device to another more convincingly,
passwords have significant disadvantages (they may be stolen, spoofed, forgotten, etc.)
compared with authentication systems relying on cryptographic protocols, which are
more difficult to circumvent.

The easier a password is for its owner to remember, the easier it generally is for an
attacker to guess. Passwords which are difficult to remember reduce the security of a
system because (a) users might need to write down or electronically store the password,
(b) users will need frequent password resets and (c) users are more likely to re-use the
same password. Similarly, the more stringent the requirements for password strength, e.g.
"have a mix of uppercase and lowercase letters and digits" or "change it monthly," the
more users will subvert the system.

In "The Memorability and Security of Passwords", Jeff Yan et al. examine the effect of advice
given to users about a good choice of password. They found that passwords based on
thinking of a phrase and taking the first letter of each word are just as memorable as
naively selected passwords, and just as hard to crack as randomly generated passwords.
Combining two unrelated words is another good method. Having a personally designed
"algorithm" for generating obscure passwords is another good method.

However, asking users to remember a password consisting of a "mix of uppercase and
lowercase characters" is similar to asking them to remember a sequence of bits: hard to
remember, and only a little bit harder to crack (e.g. only 128 times harder to crack for 7-
letter passwords, less if the user simply capitalises the first letter). Asking users to use
"both letters and digits" will often lead to easy-to-guess substitutions such as 'E' --> '3' and
'I' --> '1', substitutions which are well known to attackers. Similarly, typing the password
one keyboard row higher is a common trick known to attackers.
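As an added illustration of the numbers above (this code is not part of the original chapter): a few Python helpers that build a mnemonic password from a phrase, count how many bits of work letter case really adds when the attacker knows the "capitalise the first letter" habit, and reproduce the 128x figure for 7-letter passwords. The sample phrase and the cost model (one bit per letter whose case is genuinely unpredictable, one bit in total for a first-letter-only capital) are my assumptions.

```python
import math

# Constructed sample phrase for the mnemonic method attributed to Yan et al. above.
SAMPLE_PHRASE = "my dog ate three socks on a Tuesday"


def mnemonic_password(phrase: str) -> str:
    """Take the first letter of each word; keeps the user's own capitalisation."""
    return "".join(word[0] for word in phrase.split())


def case_bits(password: str) -> int:
    """Bits of extra work letter case adds for an attacker who knows common habits.

    Assumed cost model: all lowercase adds nothing; capitalising only the first
    letter adds one bit (the attacker tries both forms); genuinely mixed case
    adds one bit per letter, since each letter could be either case.
    """
    letters = [c for c in password if c.isalpha()]
    if not letters or all(c.islower() for c in letters):
        return 0
    if letters[0].isupper() and all(c.islower() for c in letters[1:]):
        return 1
    return len(letters)


def policy_comparison(length: int = 7) -> dict:
    """Compare the keyspace of lowercase-only versus mixed-case passwords."""
    lower = 26 ** length          # a-z at every position
    mixed = 52 ** length          # a-z or A-Z at every position
    return {
        "lowercase_space": lower,
        "mixed_case_space": mixed,
        # 52**n / 26**n == 2**n, i.e. 128 for the 7-letter case in the text
        "mixed_vs_lower_factor": mixed // lower,
        "mixed_extra_bits": round(math.log2(mixed) - math.log2(lower)),
        # what the policy actually buys when the user just capitalises letter one
        "first_capital_extra_bits": case_bits("A" + "a" * (length - 1)),
    }


if __name__ == "__main__":
    print(mnemonic_password(SAMPLE_PHRASE))
    print(policy_comparison(7))
```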

A firewall is a part of a computer system or network that is designed to block unauthorized
access while permitting authorized communications. It is a device or set of devices that is
configured to permit or deny network transmissions based upon a set of rules and other
criteria.

Firewalls can be implemented in either hardware or software, or a combination of both.

Firewalls are frequently used to prevent unauthorized Internet users from accessing
private networks connected to the Internet, especially intranets. All messages entering or
leaving the intranet pass through the firewall, which inspects each message and blocks
those that do not meet the specified security criteria.

There are several types of firewall techniques:

1. Packet filter: Packet filtering inspects each packet passing through the network and
accepts or rejects it based on user-defined rules. Although difficult to configure, it is
fairly effective and mostly transparent to its users. It is susceptible to IP spoofing.
2. Application gateway: Applies security mechanisms to specific applications, such as
FTP and Telnet servers. This is very effective, but can impose a performance
degradation.
3. Circuit-level gateway: Applies security mechanisms when a TCP or UDP connection
is established. Once the connection has been made, packets can flow between the
hosts without further checking.
4. Proxy server: Intercepts all messages entering and leaving the network. The proxy
server effectively hides the true network addresses.

Types

There are several classifications of firewalls depending on where the
communication is taking place, where the communication is intercepted and the
state that is being traced.

Network layer and packet filters

Network layer firewalls, also called packet filters, operate at a relatively low level of
the TCP/IP protocol stack, not allowing packets to pass through the firewall unless
they match the established rule set. The firewall administrator may define the rules,
or default rules may apply. The term "packet filter" originated in the context of BSD
operating systems.

Network layer firewalls generally fall into two sub-categories, stateful and stateless.
Stateful firewalls maintain context about active sessions, and use that "state
information" to speed packet processing. Any existing network connection can be
described by several properties, including source and destination IP address, UDP
or TCP ports, and the current stage of the connection's lifetime (session initiation,
handshaking, data transfer, or connection completion). If a packet does not match
an existing connection, it will be evaluated according to the ruleset for new
connections. If a packet matches an existing connection based on comparison with
the firewall's state table, it will be allowed to pass without further processing.

Stateless firewalls require less memory, and can be faster for simple filters that
take less time to evaluate than a session lookup would. They may also be necessary
for filtering stateless network protocols that have no concept of a session. However,
they cannot make more complex decisions based on what stage communications
between hosts have reached.

Modern firewalls can filter traffic based on many packet attributes: source IP
address, source port, destination IP address or port, and destination service such as
WWW or FTP. They can also filter based on protocol, TTL value, the netblock of the
originating host, and many other attributes.

Commonly used packet filters on various versions of Unix are ipf (various), ipfw
(FreeBSD/Mac OS X), pf (OpenBSD, and all other BSDs), and iptables/ipchains (Linux).
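The stateful versus stateless behaviour described above, as an added example that is not part of this chapter: a minimal packet filter in Python with a rule set for new connections and a state table keyed by the connection 5-tuple. The protected network 192.168.1.0/24, the web server address, the rules and every packet are constructed sample values; the filter is a teaching model, not any of the tools named above.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("192.168.1.0/24")   # constructed protected network
WEB_SERVER = "192.168.1.10"               # constructed host reachable from outside


@dataclass(frozen=True)
class Packet:
    """The connection properties the text lists, plus the TCP flags we need."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


def rule_for_new(pkt: Packet) -> bool:
    """Constructed ruleset, applied only to packets matching no existing connection."""
    src_in = ip_address(pkt.src) in INTERNAL
    dst_in = ip_address(pkt.dst) in INTERNAL
    if src_in and not dst_in:                 # anything initiated from inside
        return True
    # from outside, only the web server on port 80 may be reached
    return (not src_in) and pkt.dst == WEB_SERVER and pkt.dport == 80


def stateless_decision(pkt: Packet) -> str:
    """A stateless filter evaluates every packet against the ruleset alone."""
    return "ACCEPT" if rule_for_new(pkt) else "DROP"


class StatefulFilter:
    def __init__(self) -> None:
        self.state = set()   # state table of tracked 5-tuples

    def decide(self, pkt: Packet) -> str:
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.state or rev in self.state:   # belongs to a tracked session
            return "ACCEPT"
        if not rule_for_new(pkt):
            return "DROP"
        # only a genuine session start may create state; a stray TCP ACK is dropped
        if pkt.proto == "tcp" and not (pkt.syn and not pkt.ack):
            return "DROP"
        self.state.add(fwd)
        return "ACCEPT"
```

Run the same reply packet through both: the stateful filter accepts the SYN/ACK returning to an internal client because the outbound SYN created state, while the stateless filter drops it because no rule covers inbound traffic to that port.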

Application-layer

Application-layer firewalls work on the application level of the TCP/IP stack (i.e., all
browser traffic, or all telnet or ftp traffic), and may intercept all packets traveling to
or from an application. They block other packets (usually dropping them without
acknowledgment to the sender). In principle, application firewalls can prevent all
unwanted outside traffic from reaching protected machines.

By inspecting all packets for improper content, firewalls can restrict or prevent
outright the spread of networked computer worms and trojans. The additional
inspection criteria can add extra latency to the forwarding of packets to their
destination.

Proxies

A proxy device (running either on dedicated hardware or as software on a general-
purpose machine) may act as a firewall by responding to input packets (connection
requests, for example) in the manner of an application, whilst blocking other
packets.

Proxies make tampering with an internal system from the external network more
difficult and misuse of one internal system would not necessarily cause a security
breach exploitable from outside the firewall (as long as the application proxy
remains intact and properly configured). Conversely, intruders may hijack a
publicly-reachable system and use it as a proxy for their own purposes; the proxy
then masquerades as that system to other internal machines. While use of internal
address spaces enhances security, crackers may still employ methods such as IP
spoofing to attempt to pass packets to a target network.

Network address translation

Firewalls often have network address translation (NAT) functionality, and the hosts
protected behind a firewall commonly have addresses in the "private address
range", as defined in RFC 1918. Firewalls often have such functionality to hide the
true address of protected hosts. Originally, the NAT function was developed to
address the limited number of IPv4 routable addresses that could be used or
assigned to companies or individuals as well as reduce both the amount and
therefore cost of obtaining enough public addresses for every computer in an
organization. Hiding the addresses of protected devices has become an increasingly
important defense against network reconnaissance.
