Cns Iat 2 Answers

Uploaded by Ani Anbu
Message Authentication Requirements

Attacks in the context of communication across a network can be identified as follows:
1. Disclosure : Release of message contents to any person or process not possessing the appropriate cryptographic key.
2. Traffic analysis : Discovery of the pattern of traffic between parties.
3. Masquerade : Insertion of messages into the network from a fraudulent source.
4. Sequence modification : Any modification to a sequence of messages between parties, including insertion, deletion and reordering.
5. Content modification : Changes to the contents of a message, including insertion, deletion, transposition and modification.
6. Timing modification : Delay or replay of messages.
7. Source repudiation : Denial of transmission of a message by the source.
8. Destination repudiation : Denial of receipt of a message by the destination.

• Message authentication is a procedure to verify that received messages come from the alleged source and have not been altered. A digital signature is an authentication technique that also includes measures to counter repudiation by the source.

Authentication Functions

• Message authentication operates at two levels. At the lower level there must be some function that produces an authenticator, a value used to authenticate a message. This lower-level function is then used as a primitive in a higher-level authentication protocol that enables a receiver to verify the authenticity of a message. Following are the types of functions that may be used to produce an authenticator:

Authentication Applications : Kerberos

• Kerberos is an authentication protocol. It provides a way to authenticate clients to services, and services to clients, through a trusted third party.
• Kerberos makes the assumption that the connection between a client and a service is insecure. Passwords are encrypted to prevent others from reading them. Clients only have to authenticate once during a predefined lifetime.
• Kerberos was designed and developed at MIT by Project Athena. Currently Kerberos is up to version 5, version 4 being the first version to be released outside of MIT.
• Kerberos has been adopted by several private companies as well as added to several operating systems.
• Its creation was inspired by the client-server model replacing the time-sharing model. Kerberos is a network authentication protocol designed to allow users, clients and servers to authenticate themselves to each other.
• This mutual authentication is done using secret-key cryptography, with parties proving their identity to each other across an insecure network connection.
• Communication between the client and the server can be secure after the client and server have used Kerberos to prove their identity.
• From this point on, subsequent communication between the two can be encrypted to assure privacy and data integrity.

Requirements of Kerberos

• Kerberos client/server authentication requirements are:
1. Security : Kerberos is strong enough to stop potential eavesdroppers from finding it to be a weak link.
2. Reliability : Kerberos is highly reliable, employing a distributed server architecture where one server is able to back up another. This means that Kerberos systems are fail-safe, meaning graceful degradation if a failure happens.
3. Transparency : The user is not aware that authentication is taking place beyond providing a password.
4. Scalability : Kerberos systems accept and support new clients and servers.
• To meet these requirements, the Kerberos designers proposed a trusted third-party authentication service to arbitrate between the client and server in their mutual authentication.

Kerberos Terminology

• Kerberos has its own terminology to define various aspects of the service:
1. Authentication Server (AS) : A server that issues tickets for a desired service, which are in turn given to users for access to the service.
2. Client : An entity on the network that can receive a ticket from Kerberos.
3. Credentials : A temporary set of electronic credentials that verify the identity of a client for a particular service. It is also called a ticket.
4. Credential cache or ticket file : A file which contains the keys for encrypting communications between a user and various network services.
5. Crypt hash : A one-way hash used to authenticate users.
6. Key : Data used when encrypting or decrypting other data.
7. Key Distribution Center (KDC) : A service that issues Kerberos tickets and which usually runs on the same host as the Ticket Granting Server (TGS).
8. Realm : A network that uses Kerberos, composed of one or more servers called KDCs and a potentially large number of clients.
9. Ticket Granting Server (TGS) : A server that issues tickets for a desired service, which are in turn given to users for access to the service. The TGS usually runs on the same host as the KDC.
10. Ticket Granting Ticket (TGT) : A special ticket that allows the client to obtain additional tickets without applying for them from the KDC.

Kerberos Version 4

• Kerberos version 4 uses DES for providing the authentication service. Some aspects of version 4 are: A) Simple Authentication Dialogue, B) More Secure Authentication Dialogue, C) Version 4 Authentication Dialogue.

Simple Authentication Dialogue

• For a secure transaction, the server should confirm the client and its request. In an unprotected network this creates a burden on the server, therefore an authentication server (AS) is used. The authentication server (AS) maintains the passwords of all users in a centralized database. Also, the authentication server shares a unique secret key with each server.
• Notation:
Client is represented as C
Authentication server is represented as AS
Server is represented as V
Identifier of user on C is represented as ID_C
Identifier of V is represented as ID_V
Password of user on C is P_C
Network address of C is represented as AD_C
Secret encryption key shared by AS and V is K_V
• Then consider a hypothetical dialogue:
Step | Sender → Receiver | Contents of message
1 | C → AS | ID_C || P_C || ID_V
2 | AS → C | Ticket
3 | C → V | ID_C || Ticket
where Ticket = E(K_V, [ID_C || AD_C || ID_V])

Explanation
1. Client C logs on to the workstation requesting access to server V : The workstation requests the user's password and sends a message to AS including the user ID, server ID and user password. The AS checks this message against its database and verifies it.
2. AS issues a ticket : On verifying these checks, AS issues a ticket containing the user ID, server ID and network address.
3. Client C applies to server V : With this ticket, client C asks server V for access. Server V decrypts the ticket and verifies the authenticity of the data, then grants the requested service.
• In the above hypothetical dialogue, the symbol || represents concatenation.
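An added Python model of the three-step simple dialogue above (example code, not from the textbook). DES is replaced by a constructed toy cipher with an integrity tag, and all user names, addresses and keys are constructed; the point is that only V, holding K_V, can open the ticket and that it checks ID_C, ID_V and AD_C before granting service.

```python
import hashlib
import hmac
import json
from typing import Optional


# Toy symmetric cipher standing in for DES in the dialogue (illustration only, not a
# real cipher): XOR with a SHA-256 keystream plus an HMAC tag, so that decryption
# with the wrong key is detected instead of silently yielding garbage.
def _keystream(key: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, fields: dict) -> bytes:
    """E(K, M): encrypt the JSON-encoded fields M under K and append a tag."""
    plain = json.dumps(fields, sort_keys=True).encode()
    body = bytes(a ^ b for a, b in zip(plain, _keystream(key, len(plain))))
    return body + hmac.new(key, body, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes) -> Optional[dict]:
    """D(K, C): return the fields, or None if the tag does not verify under K."""
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        return None
    plain = bytes(a ^ b for a, b in zip(body, _keystream(key, len(body))))
    return json.loads(plain)


class AuthenticationServer:
    """AS: holds every user's password P_C and a secret key K_V shared with each server V."""

    def __init__(self) -> None:
        self.passwords: dict = {}
        self.server_keys: dict = {}

    def register_user(self, id_c: str, p_c: str) -> None:
        self.passwords[id_c] = p_c

    def register_server(self, id_v: str, k_v: bytes) -> None:
        self.server_keys[id_v] = k_v

    def request_ticket(self, id_c: str, p_c: str, id_v: str, ad_c: str) -> Optional[bytes]:
        """Step 1, C -> AS: ID_C || P_C || ID_V.   Step 2, AS -> C: Ticket."""
        if self.passwords.get(id_c) != p_c or id_v not in self.server_keys:
            return None
        # Ticket = E(K_V, [ID_C || AD_C || ID_V]); the client cannot read or alter it
        return encrypt(self.server_keys[id_v], {"ID_C": id_c, "AD_C": ad_c, "ID_V": id_v})


class Server:
    """V: shares K_V with the AS and accepts a ticket only if its contents match."""

    def __init__(self, id_v: str, k_v: bytes) -> None:
        self.id_v, self.k_v = id_v, k_v

    def grant_service(self, id_c: str, ticket: bytes, observed_address: str) -> bool:
        """Step 3, C -> V: ID_C || Ticket.  V decrypts and checks ID_C, ID_V and AD_C."""
        fields = decrypt(self.k_v, ticket)
        if fields is None:
            return False                      # not encrypted under K_V, or tampered
        return (fields["ID_C"] == id_c and fields["ID_V"] == self.id_v
                and fields["AD_C"] == observed_address)


def run_dialogue(id_c: str, p_c: str, id_v: str, ad_c: str,
                 claimed_id: Optional[str] = None,
                 from_address: Optional[str] = None) -> bool:
    """Run the whole dialogue; the last two parameters let a ticket be presented
    under another name or from another address, as a stolen ticket would be."""
    aserver = AuthenticationServer()
    aserver.register_user("alice", "correct horse")            # constructed sample user
    k_v = b"K_V shared by AS and the mail server"              # constructed sample key
    aserver.register_server("mail", k_v)
    v = Server("mail", k_v)
    ticket = aserver.request_ticket(id_c, p_c, id_v, ad_c)
    if ticket is None:
        return False
    return v.grant_service(claimed_id or id_c, ticket, from_address or ad_c)
```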
Secure Authentication Dialogue

• The Kerberos version 4 protocol ensures a secure authentication dialogue involving three exchanges:
i) Authentication Service exchange - to obtain a ticket-granting ticket.
ii) Ticket-granting Service exchange - to obtain a service-granting ticket.
iii) Client/server authentication exchange - to obtain service.
• Each of the above sessions has two steps, as shown in the table below:
Session | Step | Sender → Receiver
i | 1 | C → AS
i | 2 | AS → C
ii | 3 | C → TGS (ticket-granting server)
ii | 4 | TGS → C
iii | 5 | C → V
iii | 6 | V → C
• Fig. 4.10.1 shows how the steps are executed in Kerberos version 4.
[Fig. 4.10.1 Overview of Kerberos]

Kerberos Realms

• The constituents of a full-service Kerberos environment are:
a) A Kerberos server
b) Clients
c) A number of application servers
• Requirements of the Kerberos server:
a) Kerberos server should have the user ID.
b) Hashed password for all users.
c) All users should be registered with the Kerberos server.
d) Kerberos server should share a secret key with each server.
e) All servers should be registered with the Kerberos server.
• A Kerberos realm is the environment where
- all nodes share the same secured database,
- changing and accessing the Kerberos database requires the Kerberos master password,
- a read-only copy of the Kerberos database resides in a computer system.
• Networks have different realms under different administrative organizations. The users of one realm may access the servers in another realm provided the users are authenticated. The interoperating Kerberos shares a secret key with the server in the other realm.

Kerberos Version 5

• Version 4 of Kerberos has some environmental shortcomings and technical deficiencies.
Environmental shortcomings of version 4:
1. Encryption system dependence
2. Internet protocol dependence
3. Message byte ordering
4. Ticket lifetime
5. Authentication forwarding
6. Inter-realm authentication
Technical deficiencies of version 4:
1. Double encryption
2. PCBC (Propagating Cipher Block Chaining) encryption
3. Session keys
4. Password attacks

Version 5 Authentication Dialogue

• The Kerberos version 5 message exchange involves three sessions; these are:
1. Authentication Service Exchange
2. Ticket-Granting Service Exchange
3. Client/Server Authentication Exchange
• Each session has two steps. Table 4.10.1 summarizes the sessions, steps and their functions:
Session | Steps | Function
Authentication Service Exchange | C → AS, AS → C | To obtain a ticket-granting ticket
Ticket-Granting Service Exchange | C → TGS, TGS → C | To obtain a service-granting ticket
Client/Server Authentication Exchange | C → V, V → C | To obtain service
• The flags field of the ticket is expanded in version 5 of Kerberos. The various flags that may be included in a ticket are:
i) INITIAL ii) PRE-AUTHENT iii) HW-AUTHENT iv) RENEWABLE v) MAY-POSTDATE vi) POSTDATED vii) INVALID viii) PROXIABLE ix) PROXY x) FORWARDABLE xi) FORWARDED

Comparison between Kerberos Versions 4 and 5

Parameter | Kerberos Version 4 | Kerberos Version 5
Encryption algorithm used | DES only | DES and other encryption algorithms
Ticket lifetime | Units of 5 minutes, maximum 1280 minutes | Explicit start and end times
Message byte ordering | Tagged by the sender | ASN.1 standard notation
Password attack | Vulnerable | Pre-authentication supported
Double encryption | Supported | Not supported
Session key | One session key per ticket | Sub-session key may be negotiated and used only once
Inter-realm authentication | Limited | Transitive trust allowed

Strengths of Kerberos
1. Passwords are never sent across the network unencrypted. This prevents unscrupulous people from being able to read the most important data sent over the network.
2. Clients and application services mutually authenticate. Mutual authentication allows both ends to know that they truly know whom they are communicating with.
3. Tickets have a limited lifetime; if they are stolen, unauthorized use is limited to the time frame in which the ticket is valid.
4. Authentication through the AS only has to happen once. This makes the security of Kerberos more convenient.
5. Shared secret keys between clients and services are more efficient than public keys.
6. Many implementations of Kerberos have a large support base and have been put through serious testing.
7. Authenticators, created by clients, can only be used once. This feature prevents the use of stolen authenticators.

Weaknesses of Kerberos
1. Kerberos only provides authentication for clients and services.
2. Kerberos 4 uses DES, which has been shown to be vulnerable to brute-force attacks with little computing power.
3. The principal-key database on the KDC has to be hardened, or else bad things can happen.
4. Like any security tool, it is also vulnerable to users making poor password choices.
5. Kerberos doesn't work well in a time-sharing environment.
6. Kerberos requires a continuously available Kerberos server. If the Kerberos server goes down, the Kerberos network is unusable.
7. Kerberos does not protect against modifications to system software like Trojan horses.

Difference between Kerberos and SSL

X.509 Authentication Services

• X.509 is part of the X.500 recommendations for directory service, i.e. a set of servers which maintains a database of information about users and other attributes.
• X.509 defines services, e.g. the certificate structure and authentication protocols. X.509 also defines alternative authentication protocols based on the use of public-key certificates. The X.509 certificate format is employed in S/MIME, IP Security, SET and SSL/TLS.
• The X.509 standard uses the RSA algorithm and a hash function for the digital signature.
• Fig. 4.11.1 shows the generation of a public key certificate.
[Fig. 4.11.1 Public key certificate: an unsigned certificate (user ID, user's public key) is hashed; the hash code is encrypted with the CA's private key to form the signature, giving the signed certificate]

X.509 Format of Certificate

• The current version of the standard is version 3, called X.509v3. The general format of the digital certificate X.509v3 is shown in Fig.
4.11.2.
[Fig. 4.11.2 X.509 digital certificate format version 3: Version, Certificate Serial Number, Signature Algorithm Identifier, Issuer Name, Period of Validity, Subject Name, Subject's Public Key Info, Issuer Unique Identifier, Subject Unique Identifier, Extensions, Signature]
1. Version : Identifies successive versions of the certificate format; the default is version 1.
2. Certificate Serial Number : It contains a unique integer number, which is generated by the Certification Authority (CA).
3. Signature Algorithm Identifier : Identifies the algorithm used by the CA to sign the certificate.
4. Issuer Name : Identifies the distinguished name of the CA that created and signed this certificate.
5. Period of Validity : Consists of two date-time values (not before and not after) within which the certificate is valid.
6. Subject Name : It specifies the name of the user to whom this certificate is issued.
7.
Subject's Public Key Information : It contains the public key of the subject and the algorithms related to that key.
8. Issuer Unique Identifier : It is an optional field which helps to identify a CA uniquely if two or more CAs have used the same Issuer Name.
9. Subject Unique Identifier : It is an optional field which helps to identify a subject uniquely if two or more subjects have used the same Subject Name.
10. Extensions : One or more fields used in version 3. These extensions convey additional information about the subject and issuer keys.
11. Signature : It contains the hash code of the other fields, encrypted with the CA's private key. It includes the signature algorithm identifier.

Standard notation for defining a certificate:
CA<<A>> = CA {V, SN, AI, CA, T_A, A, A_p}
where CA<<A>> indicates the certificate of user A issued by certification authority CA, and CA {I} indicates the signing of I by CA.

Obtaining a User's Certificate

• The characteristics of user certificates are:
1. Any user who can access the public key of the CA can verify the user's public key.
2. Only the Certification Authority (CA) can modify the certificate.
• All user certificates are placed in a directory for access by other users. The public key provided by the CA is absolutely secure (with integrity and authenticity).
• If user A has obtained a certificate from CA X1 and user B has obtained a certificate from CA X2, and A doesn't know the public key of X2, then B's certificate (issued by X2) is useless to A. User A can read B's certificate but A cannot verify the signature.
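An added Python model of the certificate fields, the signature, the validity period, the cross-CA problem described above and the revocation list covered in the next section (example code, not from the textbook). Textbook RSA with tiny constructed primes stands in for the CA's key, and the hash code is reduced modulo the key size; CA names, subjects and dates are constructed.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime


def _toy_rsa_keypair(p: int, q: int, e: int = 17):
    """Textbook RSA with tiny primes (illustration only; real CAs use 2048-bit keys).
    Returns the public key (e, n) and the private exponent d."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), pow(e, -1, phi)


@dataclass
class Certificate:
    """The X.509v3 fields listed on the page (unique identifiers and extensions omitted)."""
    version: int
    serial: int
    signature_algorithm: str
    issuer: str
    not_before: datetime
    not_after: datetime
    subject: str
    subject_public_key: tuple
    signature: int = 0

    def hash_of_fields(self, n: int) -> int:
        """Hash code over every field except the signature, reduced mod n for the toy key."""
        data = "|".join(str(x) for x in (
            self.version, self.serial, self.signature_algorithm, self.issuer,
            self.not_before.isoformat(), self.not_after.isoformat(),
            self.subject, self.subject_public_key)).encode()
        return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


class CertificationAuthority:
    def __init__(self, name: str, p: int, q: int) -> None:
        self.name = name
        self.public_key, self._d = _toy_rsa_keypair(p, q)
        self._next_serial = 1
        self._revoked: set = set()

    def issue(self, subject: str, subject_public_key: tuple,
              not_before: datetime, not_after: datetime) -> Certificate:
        cert = Certificate(3, self._next_serial, "sha256-toyRSA", self.name,
                           not_before, not_after, subject, subject_public_key)
        self._next_serial += 1
        # Signature = hash code of the fields "encrypted" with the CA's private key
        n = self.public_key[1]
        cert.signature = pow(cert.hash_of_fields(n), self._d, n)
        return cert

    def revoke(self, serial: int) -> None:
        self._revoked.add(serial)

    def crl(self) -> dict:
        """Certificate Revocation List: issuer name plus the revoked serial numbers."""
        return {"issuer": self.name, "revoked": set(self._revoked)}


def verify(cert: Certificate, trusted_ca_keys: dict, crls: dict, now: datetime) -> str:
    """Return 'ok' or the reason the certificate is not acceptable to this verifier."""
    ca_key = trusted_ca_keys.get(cert.issuer)
    if ca_key is None:
        return "unknown issuer"        # A can read B's certificate but cannot check X2's signature
    e, n = ca_key
    if pow(cert.signature, e, n) != cert.hash_of_fields(n):
        return "bad signature"         # some field was altered after the CA signed it
    if not cert.not_before <= now <= cert.not_after:
        return "outside validity period"
    if cert.serial in crls.get(cert.issuer, set()):
        return "revoked"
    return "ok"
```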
This problem can be resolved by securely exchanging the public keys of the two CAs.

Revocation of Certificates

• A certificate should be revoked before expiry because of the following reasons:
1. The user's private key is compromised.
2. The user is no longer certified by the CA.
3. The CA's certificate is compromised.
• Each CA maintains a list of all revoked but not yet expired certificates. The Certificate Revocation List (CRL) is posted in the directory, signed by the issuer, and includes the issuer's name, the date of creation, the date of the next CRL and, for each revoked certificate, the unique serial number that identifies the certificate. Fig. 4.11.3 shows a certificate revocation list.
[Fig. 4.11.3 Certificate revocation list]

Authentication Procedures

• X.509 supports three types of authentication using public key signatures. The types of authentication are:
1. One-way authentication
2. Two-way authentication
3. Three-way authentication
1. One-way authentication : It involves a single transfer of information from one user to the other, as shown in Fig. 4.11.4.
[Fig. 4.11.4 One-way authentication]
2. Two-way authentication : Two-way authentication allows both parties to communicate and verify the identity of the user.
[Fig. 4.11.5 Two-way authentication]
3. Three-way authentication :
[Fig. 4.11.6 Three-way authentication]

before passing it on.
2. Direction control : Direction control determines the direction in which particular service requests may be initiated and allowed to flow through the firewall.
3. User control : User control gives access to a service according to which user is attempting to access it. This feature is usually applied to local users inside the firewall perimeter.
4. Behavior control : Behavior control allows controlling how a particular service is used. For example, the firewall may filter e-mails to eliminate spam.
Types of Firewall

• Commonly used firewalls for protection from security threats are:
1. Packet filtering router
2. Application level gateways
3. Circuit level gateways

Packet Filtering Router

• Packet filtering firewalls work at the network level of the OSI model, or the IP layer of TCP/IP. They are usually part of a router. A router is a device that receives packets from one network and forwards them to another network.
• In a packet filtering firewall each packet is compared to a set of criteria before it is forwarded. Depending on the packet and the criteria, the firewall can drop the packet, forward it, or send a message to the originator. Rules can include source and destination IP address, source and destination port number and protocol used.
• The advantage of packet filtering firewalls is their low cost and low impact on network performance.
Most routers support packet filtering. Even if other firewalls are used, implementing packet filtering at the router level affords an initial degree of security at a low network layer.
• This type of firewall only works at the network layer, however, and does not support sophisticated rule-based models.
• Network Address Translation (NAT) routers offer the advantages of packet filtering firewalls but can also hide the IP addresses of computers behind the firewall, and offer a level of circuit-based filtering.
• The packet filtering router applies rules to each incoming and outgoing IP packet and accordingly forwards or discards it. Fig. 5.14.2 shows a packet filtering router.
[Fig. 5.14.2 Packet filtering router]
• Filtering rules are based on information contained in the network packet, such as:
i. Source IP address
ii. Destination IP address
iii. Source and destination transport-level address
iv. IP protocol field
v. Interface
• Attackers can try to break the security of the packet filter using the following techniques:
i. IP address spoofing
ii. Source routing attacks
iii. Tiny fragment attacks
• Packet filtering provides a useful level of security at low cost. The type of router used in packet filtering is a screening router.

Screening router

• Each packet has two parts: the data that is part of the document and a header. If the packet is an envelope, then the data is the letter inside the envelope and the header is the address information on the outside.
• Here "packet filter" refers to the technology or the process that is taking place and "screening router" refers to the thing that is doing it. A screening router can be a commercial router or a host-based router with some kind of packet filtering capability. Typical screening routers have the ability to block traffic between networks or specific hosts at the IP port level. Some firewalls consist of nothing more than a screening router between a
private network and the Internet.
• Screening routers operate by comparing the header information with a table of rules set by the network administrator to determine whether or not to send the packet on to its destination. If there is a rule that does not allow the packet to be sent on, the router simply discards it.

Working of packet filters

• Packet filters work by dropping packets based on their source and destination addresses or ports. Configuring a packet filter is a three-step process:
1) First, of course, one must know what should and what should not be permitted.
2) The allowable types of packets must be specified, in terms of logical expressions on packet fields.
3) Finally the expressions should be rewritten in whatever syntax your vendor supports.
• In general, for each packet, the router applies the rules sequentially, starting with the first one, until the packet fails or until it runs out of rules.
• For example, a router has 3 rules in its table:
Rule 1 : Don't allow packets from a particular host, called TROUBLEHOST.
Rule 2 : Let in connections to our mail gateway (using SMTP), located at port 25 on our host.
Rule 3 : Block everything else.
• When a packet arrives at the screening router, the process works like this:
1. The packet filter extracts the information it needs from the packet header. In this example, it uses the local and external host identification and the local and external port numbers.
2. The packet filter compares that information with the rules in the table.
3. If the packet is from TROUBLEHOST, no matter what its destination, discard it.
4. If the packet makes it past the first rule (it is not from TROUBLEHOST), check to see if it is intended for port 25 on our SMTP mail host. If so, send it on; otherwise, discard it.
5. If neither of the first two rules applies, the packet is rejected by rule three.
• Every packet has a set of headers containing certain information. The information is:
a) IP source address
b) IP destination address
c) Protocol (whether the packet is a TCP, UDP or ICMP packet)
d) TCP or UDP source port
e) TCP or UDP destination port
f) TCP ACK flag

1. Inspection module
• If the header information listed above doesn't give you enough elements for setting up rules, you can use a packet filter that has an inspection module.
An inspection module looks at more of the header information; some can even look at the application data itself.
• For example, by inspecting the application data, the module can deny packets that contain certain application commands, such as the FTP put command or the SNMP set command.

2. State evaluation
• The header of a TCP packet contains an indicator called the ACK flag. When the ACK flag is set, it means that the incoming packet is a response to an earlier outgoing packet.
• If the flag is not set, the packet is not a response to an earlier outgoing packet, and therefore is suspect.
• It is common to set a screening rule to allow incoming packets that have the ACK flag set and reject those that don't.
• UDP doesn't use an ACK flag or any other similar indicator, so there's no way for the screening router to know whether an incoming packet was sent in response to an outgoing packet. The only safe thing to do in that situation is to reject the packet. That's where state evaluation comes in: a screening router that has the state evaluation capability "remembers" the original outgoing packet for a certain length of time (set by the system administrator) and lets the reply through.
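An added Python model of the screening router described above (example code, not from the textbook): the three-rule table (TROUBLEHOST, SMTP to the mail gateway, block everything else) applied in order, an ACK-flag rule, an inspection-module rule for the FTP put command (STOR on the wire), and a state table that remembers outgoing UDP packets for a limited time. Host addresses and the rule table are constructed.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Packet:
    """The header fields the text lists, plus the application data for inspection."""
    src_ip: str
    dst_ip: str
    protocol: str                     # "TCP", "UDP" or "ICMP"
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    ack: bool = False                 # TCP ACK flag
    payload: bytes = b""


@dataclass
class Rule:
    """One row of the rule table; a field left as None matches anything."""
    action: str                       # "permit" or "deny"
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    protocol: Optional[str] = None
    dst_port: Optional[int] = None
    ack: Optional[bool] = None
    deny_commands: Tuple[bytes, ...] = ()   # inspection module: application commands to refuse

    def matches(self, p: Packet) -> bool:
        for attr in ("src_ip", "dst_ip", "protocol", "dst_port", "ack"):
            want = getattr(self, attr)
            if want is not None and getattr(p, attr) != want:
                return False
        if self.deny_commands and not any(cmd in p.payload for cmd in self.deny_commands):
            return False
        return True


class ScreeningRouter:
    def __init__(self, rules, remember_seconds: float = 30.0) -> None:
        self.rules = rules
        self.remember_seconds = remember_seconds
        self._outgoing: dict = {}     # (src_ip, src_port, dst_ip, dst_port) -> time sent

    def note_outgoing(self, p: Packet, now: float) -> None:
        """State evaluation: remember an outgoing packet for a limited time."""
        self._outgoing[(p.src_ip, p.src_port, p.dst_ip, p.dst_port)] = now

    def _is_reply(self, p: Packet, now: float) -> bool:
        sent = self._outgoing.get((p.dst_ip, p.dst_port, p.src_ip, p.src_port))
        return sent is not None and now - sent <= self.remember_seconds

    def screen(self, p: Packet, now: float = 0.0) -> Tuple[str, str]:
        """Apply the rules in order to an incoming packet; returns (action, reason)."""
        # UDP has no ACK flag, so a reply is recognised only through the state table
        if p.protocol == "UDP" and self._is_reply(p, now):
            return "permit", "reply to remembered outgoing UDP packet"
        for i, rule in enumerate(self.rules, 1):
            if rule.matches(p):
                return rule.action, f"rule {i}"
        return "deny", "no rule matched"   # assumption: running out of rules means discard


TROUBLEHOST = "203.0.113.7"           # constructed addresses from documentation ranges
MAILHOST = "192.0.2.25"
RULES = [
    Rule("deny", src_ip=TROUBLEHOST),                                    # Rule 1
    Rule("deny", protocol="TCP", dst_port=21, deny_commands=(b"STOR",)),  # inspection: FTP put
    Rule("permit", protocol="TCP", dst_ip=MAILHOST, dst_port=25),        # Rule 2: SMTP to our gateway
    Rule("permit", protocol="TCP", ack=True),                            # replies to our own connections
    Rule("deny"),                                                        # Rule 3: block everything else
]
ROUTER = ScreeningRouter(RULES)
```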
Advantages of packet filters
1. Low impact on network performance.
2. Packet filters are normally transparent to users.
3. Relatively inexpensive.

Disadvantages of packet filtering firewalls
1. They are vulnerable to attacks aimed at protocols higher than the network layer protocol.
2. They cannot hide the network topology.
3. Packet filtering firewalls cannot support all Internet applications.
4. These firewalls have very limited auditing capabilities.
5. User-level authentication is sometimes not supported by packet filtering firewalls.

Application Level Gateways

• Application level gateways, also called proxies, are similar to circuit level gateways except that they are application specific. They can filter packets at the application layer of the OSI model.
• Incoming or outgoing packets cannot access services for which there is no proxy.
• In plain terms, an application level gateway that is configured to be a web proxy will not allow any FTP, gopher, Telnet or other traffic through.
• Because they examine packets at the application layer, they can filter application-specific commands such as HTTP post and get, etc. This cannot be accomplished with either packet filtering firewalls or circuit level gateways, neither of which knows anything about the application level information.
• Application level gateways can also be used to log user activity and logins. They offer a high level of security, but have a significant impact on network performance. This is because of context switches that slow down network access dramatically. They are not transparent to end users and require manual configuration of each client computer.
• Fig. 5.14.3 shows an application level gateway.
[Fig. 5.14.3 Application gateway]

Advantages
1. An application gateway provides a higher level of security than packet filters.
2. Easy to configure.
3. They can hide the private network topology.
4. Support user-level authentication.
5 Capability to examine the al trafic in deta Disadvantages 1. High impact on network pecformance 2. Slower in operation because of procensing overheads, 3. Not transparent to users. rut Level Gateways + Circuit level gateways work at the session layer of the OSI model, or the TCP layer of TCP/IP. They monitor TCP handshaking between packets to determine whether a requested session is leytimate Information pase to remote compute through a circuit level gateway appears to have originated from the gateway. This {is useful for hiding information about protected networks + Circuit level gateways are relativ inexpensive and have the advantage of hiding {information about the private network they protect. On the other hand, they do not filter individual packets. ‘+ The circuit level gateway does not permit end-to-end TCP connection but two TCP connections are set-up. A typical use of circuit level gateway is in situations when system administrator trusts the internal users. TECHNICAL PUBLICATIONS® «An op tit frknowiege Cryptography and Nemork Securty 5:75 Secu Practice ana Syst Scuty IP Application gateway IP he Sa ga =| 2 |= a weer Inside host See Fig. 6.184 crt gatonay Comparison between Packet Fier an# ies Packet filter A. Works at network layer of OSt and UP layer Works at application layer of OSI, TCP layer 8:20.98. 4 BF Wl 34%8 < €S8792-Cryptography&Ne.. GB Q ? Viruses: ‘+A computer virus is a program that inserts itself into one oF more files and then performs some action, Phases of viruses Dian its cycle, viras goes through these phases 1. Dormant phase 2. Propagation phase 8. Tiggering phase 4. Execution phase ‘Dormant phase : The virus will eventually Be activated by some event, such as a date, the presence of another program or file, othe capacity of the disk excoeding some Kimi ‘+ Propagation phase + The virus places an identical copy of itself into other programs or into certain system arcas on the disk, Each infected. 
program will nove untain a clone ofthe views, which will self enter a propagation phase. 1+ Triggering phase : The virus is activated to perform the finetion for which it was intended. ‘+ Execution phase : The function i performed. The function may be harmless, such 5.2 mesiage on the seen, ar damaging, such asthe destruction of programs and data files Types of Viruses. arsitic rus: A parasitic virus attaches itself to executable files and replicates, when the infected program is executed, by finding other executable files to infect 2, Memory-resident virus + Lodges in main memory as part of a resident system program. From that point on, the virus infects every program that executes 8. Boot sector virus: Infsts a master boot record or boot record ane! spreads when 3 system is booted from the disk containing the virus. 4. Stealth view antivis software form of virus expicily designed to hide itself from detection by {Polymorphic virus + A virus tht mutates with every infection, making detection by the signature of the virus impossible, 6 Metamorphic virus
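The screening router rules from the state evaluation passage above (allow inbound TCP only when the ACK flag is set; remember outgoing UDP packets for an administrator-set time, and reject all inbound UDP when no such memory exists), as an added example that is not part of the textbook. Packet fields, addresses, the 30-second timeout and the class names are constructed for illustration.

```python
# Added example (not from the textbook): a toy screening router that applies the
# ACK-flag rule to inbound TCP and "state evaluation" to inbound UDP.
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

FlowKey = Tuple[str, int, str, int]  # (remote ip, remote port, inside ip, inside port)


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False   # TCP ACK flag; meaningless for UDP


class ScreeningRouter:
    def __init__(self, stateful: bool = True, udp_timeout: float = 30.0) -> None:
        self.stateful = stateful
        self.udp_timeout = udp_timeout   # the "certain length of time" set by the admin
        self._udp_state: Dict[FlowKey, float] = {}   # remembered outgoing UDP flow -> expiry

    def outbound(self, pkt: Packet, now: Optional[float] = None) -> str:
        """Outgoing packets are allowed; a stateful router remembers UDP flows."""
        now = time.time() if now is None else now
        if self.stateful and pkt.proto == "udp":
            self._udp_state[(pkt.dst, pkt.dport, pkt.src, pkt.sport)] = now + self.udp_timeout
        return "allow"

    def inbound(self, pkt: Packet, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        if pkt.proto == "tcp":
            # Screening rule: only packets claiming to belong to an existing
            # conversation (ACK set) come in; a packet without ACK is suspect.
            return "allow" if pkt.ack else "reject"
        if pkt.proto == "udp":
            if not self.stateful:
                return "reject"   # no ACK equivalent and no memory: the only safe choice
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            expiry = self._udp_state.get(key)
            if expiry is not None and now <= expiry:
                return "allow"    # reply to a remembered outgoing packet
            self._udp_state.pop(key, None)   # forget stale or missing entries
            return "reject"
        return "reject"            # anything else is dropped by default
```

Note that the ACK rule judges a single header bit, which is exactly why the passage pairs it with remembered state: the UDP table is consulted per flow and expires on its own.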
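The application level gateway passage above says a gateway configured as a web proxy lets only HTTP through and can filter commands such as post and get, which a packet filter that sees only port numbers cannot do. The following is an added example that is not part of the textbook; the request lines, client names and the allowed-method policy are constructed.

```python
# Added example (not from the textbook): a toy application level gateway acting as a
# web proxy, beside a packet filter decision that only looks at the destination port.
import re
from typing import Iterable, List, Tuple

# HTTP request line: METHOD SP request-target SP HTTP/major.minor
HTTP_REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/\d\.\d$")


def packet_filter_allows(dport: int, permitted_ports: Iterable[int] = (80, 443)) -> bool:
    """A packet filter decides on header fields only; it cannot see the command inside."""
    return dport in set(permitted_ports)


class WebProxyGateway:
    """Application level gateway that proxies HTTP only and filters its commands."""

    def __init__(self, allowed_methods: Iterable[str]) -> None:
        self.allowed_methods = {m.upper() for m in allowed_methods}
        self.log: List[Tuple[str, str, str]] = []   # (client, decision, reason): user activity log

    def _record(self, client: str, allowed: bool, reason: str) -> bool:
        self.log.append((client, "allow" if allowed else "deny", reason))
        return allowed

    def decide(self, client: str, first_line: str) -> bool:
        """Inspect the first application-layer line the client sends through the proxy."""
        match = HTTP_REQUEST_LINE.match(first_line.strip())
        if match is None:
            # e.g. an FTP "STOR" (put) or Telnet negotiation: this gateway has no proxy
            # for that service, so the traffic cannot get through at all.
            return self._record(client, False, "not HTTP: no proxy for this traffic")
        method, target = match.group(1), match.group(2)
        if method not in self.allowed_methods:
            return self._record(client, False, f"{method} not permitted by policy")
        return self._record(client, True, f"{method} {target}")
```

Both a GET and a POST to port 80 pass packet_filter_allows, while the gateway denies the POST and also turns away a non-HTTP command on the same connection.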
