NS 2nd QB Answers

The document discusses IP security including applications of IPsec, IPsec architecture, authentication header format, IPsec services, processing models for outbound and inbound packets, purposes of padding and anti-replay in ESP, capabilities of firewalls, and application level gateways.

Uploaded by

kesebas6ex

1. Discuss the applications of IP security.

• IPsec provides the capability to secure communications across a LAN, across private and public
WANs, and across the Internet. Examples of its use include:
• Secure branch office connectivity over the Internet: A company can build a secure virtual private
network over the Internet or over a public WAN. This enables a business to rely heavily on the
Internet and reduce its need for private networks, saving costs and network management overhead.
• Secure remote access over the Internet: An end user whose system is equipped with IP security
protocols can make a local call to an Internet Service Provider (ISP) and gain secure access to a
company network. This reduces the cost of toll charges for traveling employees and telecommuters.
• Establishing extranet and intranet connectivity with partners: IPsec can be used to secure
communication with other organizations, ensuring authentication and confidentiality and providing
a key exchange mechanism.
• Enhancing electronic commerce security: IPsec guarantees that all traffic designated by the
network administrator is both encrypted and authenticated, adding an additional layer of security to
whatever is provided at the application layer.
• The principal feature of IPsec that enables it to support these varied applications is that it can encrypt
and/or authenticate all traffic at the IP level. Thus, all distributed applications (including remote
logon, client/server, e-mail, file transfer, Web access, and so on) can be secured.

2. Explain IP security architecture with security association parameters.

Security Associations:

A key concept that appears in both the authentication and confidentiality mechanisms for IP is
the security association (SA). An association is a one-way logical connection between a sender
and a receiver that affords security services to the traffic carried on it.
The concept of a security policy is applied to each IP packet that transits from a source to a
destination. IPsec policy is determined primarily by the interaction of two databases, the
security association database (SAD) and the security policy database (SPD).

A security association is uniquely identified by three parameters:

• Security Parameters Index (SPI): A bit string assigned to this SA and having local
significance only. The SPI is carried in AH and ESP headers to enable the receiving system
to select the SA under which a received packet will be processed.
• IP Destination Address: This is the address of the destination endpoint of the SA,
which may be an end-user system or a network system such as a firewall or router.
• Security Protocol Identifier: This field from the outer IP header indicates whether the
association is an AH or ESP security association.

3. With a neat diagram, illustrate Authentication header format.

The Authentication Header (AH) Protocol is designed to authenticate the source host and to
ensure the integrity of the payload carried in the IP packet.

The protocol uses:
• A hash function
• A symmetric (secret) key to create a message digest.
The digest is inserted in the authentication header.
The AH is then placed in the appropriate location, based on the mode (transport or tunnel).
The authentication header consists of the following fields:
✓ Next header: The 8-bit next header field defines the type of payload carried by the IP
datagram (such as TCP, UDP). The value of the protocol field in the IP datagram is copied into
this field.
✓ Payload length: The length of the authentication header in 4-byte multiples.
✓ Security parameter index: The 32-bit security parameter index (SPI) field plays the role of
a virtual circuit identifier and is the same for all packets sent during a connection called a
Security Association. It is a 32-bit number fixed for a session.
✓ Sequence Number: A 32-bit sequence number provides ordering information for a sequence of
datagrams. The sequence number prevents playback (replay) of datagrams.
✓ Authentication data: The authentication data field is the result of applying a hash function
to the entire IP datagram.
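Added worked example (not part of the original answer sheet): building, parsing and verifying the AH fields listed above, then selecting the SA by the (SPI, destination address, protocol) triple from Q2. Assumptions: HMAC-SHA1-96 as the integrity algorithm, the Payload Len convention of RFC 4302 (length in 32-bit words minus 2), and a simplified ICV that covers only the AH and payload rather than the immutable outer IP header fields as well; the key, SPI and addresses are constructed sample values.

```python
from typing import Optional
import hmac
import hashlib
import struct

# Fixed part of the Authentication Header (RFC 4302):
# Next Header (1) | Payload Len (1) | Reserved (2) | SPI (4) | Sequence Number (4)
AH_FIXED = struct.Struct("!BBHII")
ICV_LEN = 12          # HMAC-SHA1-96: the MAC is truncated to 96 bits (12 bytes)
AH_PROTOCOL = 51      # IP protocol number that identifies AH in the outer header

def ah_icv(key: bytes, ah_with_zero_icv: bytes, payload: bytes) -> bytes:
    """HMAC-SHA1-96 over the AH (ICV field zeroed) plus the payload.
    Simplification: a real AH ICV also covers the immutable outer IP header fields."""
    mac = hmac.new(key, ah_with_zero_icv + payload, hashlib.sha1).digest()
    return mac[:ICV_LEN]

def build_ah(key: bytes, next_header: int, spi: int, seq: int, payload: bytes) -> bytes:
    """Sender side: construct an AH for the payload (constructed example, not real traffic)."""
    # Payload Len is the AH length in 32-bit words minus 2 (RFC 4302 convention).
    payload_len = (AH_FIXED.size + ICV_LEN) // 4 - 2
    fixed = AH_FIXED.pack(next_header, payload_len, 0, spi, seq)
    return fixed + ah_icv(key, fixed + b"\x00" * ICV_LEN, payload)

def parse_ah(data: bytes) -> dict:
    """Split an AH into its fields; raises on a truncated or inconsistent header."""
    if len(data) < AH_FIXED.size:
        raise ValueError("truncated AH header")
    next_header, payload_len, _reserved, spi, seq = AH_FIXED.unpack_from(data)
    total_len = (payload_len + 2) * 4
    if len(data) < total_len:
        raise ValueError("AH shorter than its Payload Len field claims")
    return {"next_header": next_header, "length": total_len, "spi": spi,
            "seq": seq, "icv": data[AH_FIXED.size:total_len]}

def verify_ah(key: bytes, ah_bytes: bytes, payload: bytes) -> bool:
    """Recompute the ICV with the ICV field zeroed and compare in constant time."""
    f = parse_ah(ah_bytes)
    zeroed = ah_bytes[:AH_FIXED.size] + b"\x00" * len(f["icv"])
    return hmac.compare_digest(ah_icv(key, zeroed, payload), f["icv"])

def select_sa(sad: dict, dst_ip: str, ah_bytes: bytes) -> Optional[dict]:
    """Receiver side: pick the SA by the (SPI, destination IP, protocol) triple
    described in Q2; returns None when no SA matches."""
    spi = parse_ah(ah_bytes)["spi"]
    return sad.get((spi, dst_ip, AH_PROTOCOL))

# Constructed sample SAD: one inbound SA keyed by (SPI, destination address, AH).
SAMPLE_KEY = b"constructed-demo-key-not-a-real-secret"
SAD = {(0x1234, "192.0.2.10", AH_PROTOCOL): {"key": SAMPLE_KEY, "auth": "hmac-sha1-96"}}

def receive(dst_ip: str, ah_bytes: bytes, payload: bytes) -> bool:
    """Inbound processing: look up the SA, then verify the ICV under its key."""
    sa = select_sa(SAD, dst_ip, ah_bytes)
    return sa is not None and verify_ah(sa["key"], ah_bytes, payload)
```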

4. Discuss IP security services.

IPsec Services
IPsec provides security services at the IP layer by enabling a system to select
required security protocols, determine the algorithm(s) to use for the service(s),
and put in place any cryptographic keys required to provide the requested services.
Two protocols are used to provide security: an authentication protocol designated
by the header of the protocol, Authentication Header (AH); and a combined
encryption/authentication protocol designated by the format of the packet for that
protocol, Encapsulating Security Payload (ESP). IPSec services are listed below:
• Access control
• Connectionless integrity
• Data origin authentication
• Rejection of replayed packets (a form of partial sequence integrity)
• Confidentiality (encryption)
• Limited traffic flow confidentiality
5. Draw the flow chart of processing model for outbound and inbound packets.

Fig 3.4 Processing model for outbound packets

Fig 3.5 Processing model for inbound packets


6. Illustrate the purpose of padding and anti-replay service in ESP.

➢ Padding
The Padding field serves several purposes:
• If an encryption algorithm requires the plaintext to be a multiple of some number of
bytes (e.g., the multiple of a single block for a block cipher), the Padding field is used to
expand the plaintext (consisting of the Payload Data, Padding, Pad Length, and Next Header
fields) to the required length.
• The ESP format requires that the Pad Length and Next Header fields be right aligned
within a 32-bit word. Equivalently, the ciphertext must be an integer multiple of 32 bits.
The Padding field is used to assure this alignment.
• Additional padding may be added to provide partial traffic-flow confidentiality by
concealing the actual length of the payload.
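Added worked example (not part of the original answer sheet): computing the ESP Padding field for the three purposes above, building the plaintext that ESP encrypts, and checking the trailer on receipt. Assumptions: the default padding scheme of RFC 4303 (bytes 1, 2, 3, ...), a caller-supplied cipher block size (1 for a stream or counter-mode cipher), and a hypothetical extra_blocks parameter that adds whole alignment units to conceal the true payload length.

```python
from math import lcm   # Python 3.9+

def esp_pad_len(payload_len: int, block_size: int, extra_blocks: int = 0) -> int:
    """Padding needed so that Payload Data + Padding + Pad Length + Next Header is a
    multiple of the cipher block size and of 4 bytes (keeping the two trailer bytes
    right-aligned in a 32-bit word). extra_blocks adds whole alignment units to hide
    the real payload length (partial traffic-flow confidentiality)."""
    align = lcm(block_size, 4)
    pad = (-(payload_len + 2)) % align + extra_blocks * align
    if pad > 255:
        raise ValueError("Pad Length is a single byte, so at most 255 bytes of padding")
    return pad

def esp_plaintext(payload: bytes, next_header: int, block_size: int,
                  extra_blocks: int = 0) -> bytes:
    """Sender side: payload, padding, Pad Length and Next Header, in ESP order.
    Default padding bytes are 1, 2, 3, ... (RFC 4303), so the receiver can check them."""
    pad = esp_pad_len(len(payload), block_size, extra_blocks)
    padding = bytes(range(1, pad + 1))
    return payload + padding + bytes([pad, next_header])

def esp_strip(plaintext: bytes) -> tuple:
    """Receiver side: read the trailer, verify the padding pattern, recover the payload."""
    if len(plaintext) < 2:
        raise ValueError("plaintext too short for the ESP trailer")
    pad, next_header = plaintext[-2], plaintext[-1]
    if pad + 2 > len(plaintext):
        raise ValueError("Pad Length exceeds the decrypted data")
    padding = plaintext[len(plaintext) - 2 - pad:-2]
    if padding != bytes(range(1, pad + 1)):
        raise ValueError("padding bytes do not match the expected 1, 2, 3, ... pattern")
    return plaintext[:len(plaintext) - pad - 2], next_header
```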
➢ Anti-Replay Service
• A replay attack is one in which an attacker obtains a copy of an authenticated packet
and later transmits it to the intended destination. The receipt of duplicate,
authenticated IP packets may disrupt service in some way or may have some other
undesired consequence. The Sequence Number field is designed to thwart such
attacks.
• First, we discuss sequence number generation by the sender, and then we look at how
it is processed by the recipient.
• When a new SA is established, the sender initializes a sequence number counter to 0. Each
time that a packet is sent on this SA, the sender increments the counter and places the value
in the Sequence Number field. Thus, the first value to be used is 1.
• If anti-replay is enabled (the default), the sender must not allow the sequence number to
cycle past 2^32 – 1 back to zero. Otherwise, there would be multiple valid packets with the
same sequence number. If the limit of 2^32 – 1 is reached, the sender should terminate this SA
and negotiate a new SA with a new key.
• Because IP is a connectionless, unreliable service, the protocol does not guarantee that
packets will be delivered in order and does not guarantee that all packets will be delivered.
Therefore, the IPsec authentication document dictates that the receiver should implement a
window of size W, with a default of W = 64.
• The right edge of the window represents the highest sequence number N so far received for a
valid packet. For any packet with a sequence number in the range from N-W+1 to N that has been
correctly received (i.e., properly authenticated), the corresponding slot in the window is
marked (Figure 3.8).
Fig 3.8 Anti-Replay Mechanism
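Added worked example (not part of the original answer sheet): the sender's counter with the no-wrap rule, and the receiver's sliding window of size W with right edge N as described above. Assumptions: the window is held as a bitmap where bit i marks sequence number N - i, the caller supplies the MAC verification result, and W is a constructor parameter (the tests use a small W so the edge cases are visible).

```python
SEQ_MAX = 2**32 - 1   # the counter must not cycle past this value back to zero

class SequenceSender:
    """Sender side: counter starts at 0 and is incremented before each send."""
    def __init__(self) -> None:
        self.counter = 0

    def next_seq(self) -> int:
        if self.counter == SEQ_MAX:
            # Do not wrap: the SA must be terminated and a new one negotiated.
            raise RuntimeError("sequence space exhausted: terminate SA and rekey")
        self.counter += 1
        return self.counter

class AntiReplayWindow:
    """Receiver side: window of size W whose right edge N is the highest sequence
    number seen in a valid packet. Bit i of the bitmap marks sequence number N - i."""
    def __init__(self, w: int = 64) -> None:
        self.w = w
        self.n = 0
        self.bitmap = 0

    def check(self, seq: int) -> str:
        """Classify before MAC verification: 'new' (right of the window),
        'window' (inside and not yet seen) or 'reject' (duplicate or too old)."""
        if seq == 0 or seq > SEQ_MAX:
            return "reject"
        if seq > self.n:
            return "new"
        if seq <= self.n - self.w:
            return "reject"                       # left of the window: too old
        return "reject" if self.bitmap & (1 << (self.n - seq)) else "window"

    def mark(self, seq: int) -> None:
        """Record seq after the packet authenticated; advance the window if needed."""
        if seq > self.n:
            shift = seq - self.n
            if shift >= self.w:
                self.bitmap = 1                   # everything tracked so far fell off the left
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.w) - 1)
            self.n = seq
        else:
            self.bitmap |= 1 << (self.n - seq)

    def accept(self, seq: int, mac_ok: bool) -> bool:
        """Full receiver decision: window position first, then MAC, then mark the slot."""
        if self.check(seq) == "reject" or not mac_ok:
            return False
        self.mark(seq)
        return True
```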

7. Discuss the capabilities that are within the scope of a firewall


The following capabilities are within the scope of a firewall:
1. A firewall defines a single choke point that keeps unauthorized users out of the protected
network, prohibits potentially vulnerable services from entering or leaving the network, and
provides protection from various kinds of IP spoofing and routing attacks. The use of a single
choke point simplifies security management because security capabilities are consolidated on a
single system or set of systems.
2. A firewall provides a location for monitoring security-related events. Audits and alarms can be
implemented on the firewall system.
3. A firewall is a convenient platform for several Internet functions that are not security related.
These include a network address translator, which maps local addresses to Internet addresses,
and a network management function that audits or logs Internet usage.
4. A firewall can serve as the platform for IPsec. Using the tunnel mode capability, the firewall can
be used to implement virtual private networks.

8. Explain application level gateway with a neat diagram


Application-Level Gateway

➢ An application-level gateway, also called an application proxy, acts as a relay of application-level
traffic (Figure 5.1d). The user contacts the gateway using a TCP/IP application, such as Telnet or
FTP, and the gateway asks the user for the name of the remote host to be accessed.

➢ When the user responds and provides a valid user ID and authentication information, the
gateway contacts the application on the remote host and relays TCP segments containing the
application data between the two endpoints. If the gateway does not implement the proxy code
for a specific application, the service is not supported and cannot be forwarded across the firewall.

➢ The gateway can be configured to support only specific features of an application that the
network administrator considers acceptable while denying all other features.

➢ Application-level gateways tend to be more secure than packet filters. Rather than trying to deal
with the numerous possible combinations that are to be allowed and forbidden at the TCP and IP
level, the application-level gateway need only scrutinize a few allowable applications. In addition,
it is easy to log and audit all incoming traffic at the application level.

➢ A prime disadvantage of this type of gateway is the additional processing overhead on each
connection. In effect, there are two spliced connections between the end users, with the gateway
at the splice point, and the gateway must examine and forward all traffic in both directions.

9. Distinguish between host based firewalls and personal firewalls.


Host-Based Firewalls
A host-based firewall is a software module used to secure an individual host. Such modules are
available in many operating systems or can be provided as an add-on package.
Like conventional stand-alone firewalls, host-resident firewalls filter and restrict the flow of packets.
A common location for such firewalls is a server.
There are several advantages to the use of a server-based or workstation-based firewall:
• Filtering rules can be tailored to the host environment. Specific corporate security policies for
servers can be implemented, with different filters for servers used for different applications.
• Protection is provided independent of topology. Thus both internal and external attacks must pass
through the firewall.
• Used in conjunction with stand-alone firewalls, the host-based firewall provides an additional layer
of protection. A new type of server can be added to the network, with its own firewall, without the
necessity of altering the network firewall configuration.
Personal Firewall
• A personal firewall controls the traffic between a personal computer or workstation on one side and
the Internet or enterprise network on the other side. Personal firewall functionality can be used in
the home environment and on corporate intranets.
• Typically, the personal firewall is a software module on the personal computer. In a home
environment with multiple computers connected to the Internet, firewall functionality can also be
housed in a router that connects all of the home computers to a DSL, cable modem, or other Internet
interface.
• Personal firewalls are typically much less complex than either server-based firewalls or stand-alone
firewalls. The primary role of the personal firewall is to deny unauthorized remote access to the
computer. The firewall can also monitor outgoing activity in an attempt to detect and block worms
and other malware.
• An example of a personal firewall is the capability built into the Mac OS X operating system. When
the user enables the personal firewall in Mac OS X, all inbound connections are denied except for
those the user explicitly permits.
10. There is a need for a firewall in every network. Justify.
Information systems in corporations, government agencies, and other organizations have undergone a
steady evolution. The following are notable developments:
✓ Centralized data processing system, with a central mainframe supporting a number of directly
connected terminals.
✓ Local area networks (LANs) interconnecting PCs and terminals to each other and the mainframe.
✓ Premises network, consisting of a number of LANs, interconnecting PCs, servers, and perhaps a
mainframe or two.
✓ Enterprise-wide network, consisting of multiple, geographically distributed premises networks
interconnected by a private wide area network (WAN).
• Internet connectivity is no longer optional for organizations. The information and services
available are essential to the organization.
• Individual users within the organization want and need Internet access, and if this is not
provided via their LAN, they will use dial-up capability from their PC to an Internet service
provider (ISP).
• While the Internet access provides benefits to the organization, it enables the outside world to
reach and interact with local network assets. This creates a threat to the organization.
• The firewall may be a single computer system or a set of two or more systems that cooperate
to perform the firewall function.
• The firewall, then, provides an additional layer of defense, insulating the internal systems from
external networks.
11. What are VPNs? Explain with diagram.
Virtual Private Networks
• In today’s distributed computing environment, the virtual private network (VPN) offers an attractive
solution to network managers. In essence, a VPN consists of a set of computers that interconnect by
means of a relatively unsecure network and that make use of encryption and special protocols to
provide security. At each corporate site, workstations, servers, and databases are linked by one or more
local area networks (LANs).
• The Internet or some other public network can be used to interconnect sites, providing a cost savings
over the use of a private network and offloading the wide area network management task to the public
network provider. That same public network provides an access path for telecommuters and other
mobile employees to log on to corporate systems from remote sites.
• But the manager faces a fundamental requirement: security. Use of a public network exposes
corporate traffic to eavesdropping and provides an entry point for unauthorized users.
• To counter this problem, a VPN is needed. In essence, a VPN uses encryption and authentication in
the lower protocol layers to provide a secure connection through an insecure network, typically the
Internet.
• VPNs are generally cheaper than real private networks using private lines but rely on having the same
encryption and authentication system at both ends. The encryption may be performed by firewall
software or possibly by routers. The most common protocol mechanism used for this purpose is at the
IP level and is known as IPsec.

12. Illustrate stateful inspection firewalls with table

Stateful Inspection Firewalls

➢ A traditional packet filter makes filtering decisions on an individual packet basis
and does not take into consideration any higher layer context.
➢ Most standardized applications that run on top of TCP follow a client/server model.
For example, for the Simple Mail Transfer Protocol (SMTP), e-mail is transmitted from
a client system to a server system. The client system generates new e-mail messages,
typically from user input.
➢ The server system accepts incoming e-mail messages and places them in the appropriate
user mailboxes. SMTP operates by setting up a TCP connection between client and
server, in which the TCP server port number, which identifies the SMTP server
application, is 25.
➢ The TCP port number for the SMTP client is a number between 1024 and 65535 that
is generated by the SMTP client. In general, when an application that uses TCP creates
a session with a remote host, it creates a TCP connection in which the TCP port
number for the remote (server) application is a number less than 1024 and the TCP
port number for the local (client) application is a number between 1024 and 65535.
➢ The numbers less than 1024 are the “well-known” port numbers and are assigned
permanently to particular applications (e.g., 25 for server SMTP). The numbers between
1024 and 65535 are generated dynamically and have temporary significance only for the
lifetime of a TCP connection.
➢ A simple packet filtering firewall must permit inbound network traffic on all
these high-numbered ports for TCP-based traffic to occur. This creates a vulnerability
that can be exploited by unauthorized users.
➢ A stateful inspection packet firewall tightens up the rules for TCP traffic by
creating a directory of outbound TCP connections. There
is an entry for each currently established connection. The packet filter will now allow
incoming traffic to high-numbered ports only for those packets that fit the profile
of one of the entries in this directory.
➢ A stateful packet inspection firewall reviews the same packet information as a
packet filtering firewall, but also records information about TCP connections
(Figure 5.1c).
➢ Some stateful firewalls also keep track of TCP sequence numbers to
prevent attacks that depend on the sequence number, such as session hijacking.
Some even inspect limited amounts of application data for some well-known
protocols like FTP, IM and SIPS commands, in order to identify and track related
connections.
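Added worked example (not part of the original answer sheet): the directory of outbound TCP connections described above, beside the simple packet-filter rule it replaces, run over constructed packets. Assumptions: outbound connections are only permitted to well-known (below 1024) server ports, an entry is created on an outbound SYN and removed on a RST, and the hosts use constructed documentation addresses; a real firewall would also track the FIN handshake and expire idle entries.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str       # TCP flags as letters: "S" SYN, "A" ACK, "F" FIN, "R" RST
    inbound: bool    # True when the packet arrives from the Internet side

def stateless_allow(p: Packet) -> bool:
    """Simple packet filter from the text: inbound traffic to any high-numbered port
    must be permitted, so any packet to port 1024-65535 passes regardless of context."""
    if p.inbound:
        return p.dport >= 1024
    return p.dport < 1024          # outbound only to well-known service ports

class StatefulInspectionFirewall:
    """Keeps the directory of outbound TCP connections (one entry per established
    connection, keyed on the address/port 4-tuple) and admits inbound traffic to a
    high-numbered port only when it matches an entry."""
    def __init__(self) -> None:
        self.connections: set = set()

    def allow(self, p: Packet) -> bool:
        if not p.inbound:
            if p.dport >= 1024:
                return False                       # not a well-known server port
            key = (p.src, p.sport, p.dst, p.dport)
            if "S" in p.flags:
                self.connections.add(key)          # new outbound connection
            elif key not in self.connections:
                return False                       # no connection was ever set up
            if "R" in p.flags:
                self.connections.discard(key)
            return True
        # Inbound: the reply direction of a tracked entry is (dst, dport, src, sport).
        key = (p.dst, p.dport, p.src, p.sport)
        if key not in self.connections:
            return False
        if "R" in p.flags:
            self.connections.discard(key)          # peer reset the connection
        return True
```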
