Chapter 3

Uploaded by

Garima Maharjan
Copyright: © All Rights Reserved
CHAPTER 3

INTRODUCTION TO NETWORK SECURITY
Compiled By: Mr. Navin Manandhar

Lecturer for Information Management


For Computer Security and Cyber Law
■ A network is the basic structure for data communication.
■ It acts as a backbone for data communication.
■ It is essential to give security to networks and all applications used.

Impairment/obstacles on a network

■ Attenuation: loss of signals
■ Distortion: alteration of the original message
■ Noise: unwanted signal in a communication

Model for network security

There are four basic tasks in designing a particular security service:

■ Design an algorithm for performing the security-related transformation. The algorithm should be such that an opponent cannot defeat its purpose.
■ Generate the secret information to be used with the algorithm.
■ Develop methods for the distribution and sharing of the secret information.
■ Specify a protocol to be used by the two principals that makes use of the security

DMZ (Demilitarized Zone)
Also called a "screened subnet" or "perimeter network"

A DMZ is an optional and more secure approach to a firewall and effectively acts as a proxy server as well.

It prevents outside users from getting direct access to a server that has company data.

It is created with the help of IP addresses and firewalls.

Two important characteristics of the DMZ are:
■ It has a different network ID from the internal network
■ It is separated from both the Internet and the internal network by a firewall

Firewalls

■ Acts as a network security post.
■ Prevents valuable information from being leaked unnoticed.
■ Records user activities.
■ Prevents modification of other parties' data.

Packet filtering

■ Works at the network layer (OSI model), or the IP layer (TCP/IP).
■ Each packet is compared to a set of criteria before it is forwarded.
■ It does not check the payload.
■ Depending on the packet and the criteria, the firewall can drop the packet, forward it, or send a message to the originator.
■ Rules in the ACL (Access Control List) can match on source and destination IP address, source and destination port number, and the protocol used.
■ The advantages of packet filtering firewalls are their low cost and low impact on network performance.
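
The rule matching described above, as an added example that is not part of the original slides: a first-match ACL evaluated on header fields only. The addresses come from documentation ranges, the rule set is hypothetical, and the implicit deny at the end of the list is a choice made for this example.

```python
import ipaddress
from collections import namedtuple

# Header fields a packet filter can see; the payload is never inspected.
Packet = namedtuple("Packet", "src dst sport dport proto")
# A rule field set to None means "any".
Rule = namedtuple("Rule", "action src dst dport proto")

# Constructed ACL protecting a hypothetical web server at 192.0.2.10.
ACL = [
    Rule("deny",   "203.0.113.0/24", None,            None, None),   # blocked source network
    Rule("permit", None,             "192.0.2.10/32", 443,  "tcp"),  # HTTPS to the server
    Rule("permit", None,             "192.0.2.10/32", 80,   "tcp"),  # HTTP to the server
]

def _in_net(addr, net):
    """True when the rule field is 'any' or the address lies in the network."""
    return net is None or ipaddress.ip_address(addr) in ipaddress.ip_network(net)

def matches(rule, pkt):
    """Compare one packet header against one rule."""
    return (_in_net(pkt.src, rule.src) and _in_net(pkt.dst, rule.dst)
            and rule.dport in (None, pkt.dport)
            and rule.proto in (None, pkt.proto))

def filter_packet(pkt, acl=ACL):
    """Return the action of the first matching rule; deny when none matches."""
    for rule in acl:
        if matches(rule, pkt):
            return rule.action
    return "deny"  # implicit deny at the end of the list (example's choice)
```

Rule order decides the outcome: with the same three rules reversed, the blocked network would reach port 443 because the permit rule would match first.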

Application level gateways

■ It can filter packets at the application layer of the OSI model.
■ Incoming or outgoing packets cannot access services for which there is no proxy.
■ Since they examine packets at the application layer, they can filter application-specific commands such as HTTP POST and GET.
■ Application level gateways can also be used to log user activity and logins.
■ They offer a high level of security, but have a significant impact on network performance.
■ Works as a proxy server and filters connections for specific services.
■ It filters connections based on the services and protocols, acting as proxies.

Circuit level gateways

■ It operates at the session layer.
■ Monitors TCP handshakes (by determining sessions) instead of data packets.
■ A circuit level firewall allows or prevents data streams and does not filter the individual packets.
■ It ensures that the external sessions which your network encounters are legitimate ones.

Stateful Firewall

■ A stateless firewall treats each packet as an isolated unit, whereas a stateful firewall maintains context about active sessions and uses "state information" to speed up packet processing.
■ It combines three types of firewalls (packet filtering, circuit level and application gateway).
■ It checks whether sessions and packets are legitimate and can evaluate the contents of packets at the application layer (i.e. tracking logs, activities etc.).
■ Example: Cisco PIX

Stateful Firewall

[Figure: client 156.16.56.32, server 5.6.7.32, update server 202.36.57.132]
■ Flow 1: Source 156.16.56.32:667, Destination 5.6.7.32:443
■ Flow 2: Source 5.6.7.32:334, Destination 202.36.57.132:876
■ A stateful firewall is intelligent enough to identify the request and response connection.
■ Stateful means lower admin overhead.
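
Session tracking for the client-to-server flow on the slide (156.16.56.32:667 to 5.6.7.32:443), as an added example that is not part of the original slides. It assumes the client is the protected host; the class name, the flag notation and the unsolicited packet from 198.51.100.9 are constructed for the example, and session timeouts are left out.

```python
from collections import namedtuple

# flags is a string of TCP flag letters: S=SYN, A=ACK, P=PSH, R=RST
Packet = namedtuple("Packet", "src sport dst dport flags")

class StatefulFirewall:
    """Admits inbound packets only as replies to sessions opened from inside."""
    def __init__(self, inside_hosts):
        self.inside = set(inside_hosts)
        self.sessions = {}  # (in_ip, in_port, out_ip, out_port) -> state

    def handle(self, pkt):
        outbound = pkt.src in self.inside
        # Both directions of one connection map to the same table key.
        key = ((pkt.src, pkt.sport, pkt.dst, pkt.dport) if outbound
               else (pkt.dst, pkt.dport, pkt.src, pkt.sport))
        if outbound and pkt.flags == "S":
            self.sessions[key] = "SYN_SENT"      # the request opens a session
            return "forward"
        state = self.sessions.get(key)
        if state is None:
            return "drop"                        # no session: unsolicited
        if not outbound and state == "SYN_SENT":
            if pkt.flags == "SA":
                self.sessions[key] = "ESTABLISHED"
            elif "R" not in pkt.flags:
                return "drop"                    # only SYN+ACK or RST may answer a SYN
        if "R" in pkt.flags:
            del self.sessions[key]               # a reset tears the session down
        return "forward"

def demo():
    fw = StatefulFirewall({"156.16.56.32"})
    c, s = ("156.16.56.32", 667), ("5.6.7.32", 443)
    trace = [
        Packet(*s, *c, "SA"),                    # reply with no request before it
        Packet(*c, *s, "S"),                     # request from the client
        Packet(*s, *c, "SA"),                    # matching response
        Packet(*c, *s, "A"),
        Packet(*s, *c, "PA"),                    # data on the established session
        Packet("198.51.100.9", 443, *c, "PA"),   # constructed unsolicited packet
        Packet(*s, *c, "R"),                     # server resets the connection
        Packet(*s, *c, "PA"),                    # late data after the reset
    ]
    return [fw.handle(p) for p in trace]
```

No rule for the return direction is written anywhere: the response is admitted because the table holds the request, which is where the lower administrative overhead comes from.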


What is IPSEC?
■ IPSEC, short for IP Security, is a suite of protocols, standards, and algorithms to secure traffic over an untrusted network, such as the Internet.
■ It is a security mechanism applied on the web.
■ It uses cryptographic security services to protect communications over Internet Protocol (IP) networks.
■ It can integrate with routers and firewalls.
■ IPSEC is supported on both Cisco IOS devices and PIX Firewalls.

IPSEC provides four core services:

• Confidentiality – prevents the theft of data, using encryption.

• Integrity – ensures that data is not tampered with or altered, using a hashing algorithm.

• Authentication – confirms the identity of the host sending data, using pre-shared keys or a Certificate Authority (CA).

• Anti-replay – prevents duplication of encrypted packets, by assigning a unique sequencing number.
Transport Mode

■ IPSec in transport mode does not protect the IP header, so it does not protect the whole IP packet; it only protects the information coming from the transport layer.
■ In this mode, the IPSec header and trailer are added to the information coming from the transport layer. The IP header is added later.

Tunnel Mode

■ IPSec protects the entire IP packet.
■ The entire IP packet is encrypted and becomes the data component of a new (and larger) IP packet.
■ Frequently used in an IPsec site-to-site VPN.
■ It takes an IP packet, including the header, applies IPSec security methods to the entire packet, and then adds a new IP header.

Transport vs Tunnel mode IPSec

Applications of IPSec

■ It provides secure remote access over the network.
■ It establishes connectivity between internet and extranet.
■ It secures branch connectivity across the organization.
■ It also enhances e-commerce security.

VPN
■ A service that creates a safe, encrypted online connection.
■ Internet users may use a VPN to give themselves more privacy and anonymity online
or circumvent geographic-based blocking and censorship.
■ VPNs essentially extend a private network across a public network, which should
allow a user to securely send and receive data across the internet.
■ Used for virtual privacy by both normal internet users and organizations.
■ Organizations use VPNs to make sure outside users that access their data center
are authorized and using encrypted channels.

VPN Protocols
■ IP Security (IPsec)
■ Secure Sockets Layer (SSL) and Transport Layer Security (TLS)
■ Point-to-Point Tunneling Protocol (PPTP)
■ Layer 2 Tunneling Protocol (L2TP)
■ OpenVPN

VPNs are used for:

■ Security purposes
■ To remove country barriers
