The Vulnerability of Passwords
policy. Originally, firewalls focused primarily on service control, but they have since evolved to provide all four:

- Service control: Determines the types of Internet services that can be accessed, inbound or outbound. The firewall may filter traffic on the basis of IP address, protocol, or port number; may provide proxy software that receives and interprets each service request before passing it on; or may host the server software itself, such as a Web or mail service.
- Direction control: Determines the direction in which particular service requests may be initiated and allowed to flow through the firewall.
- User control: Controls access to a service according to which user is attempting to access it. This feature is typically applied to users inside the firewall perimeter (local users). It may also be applied to incoming traffic from external users; the latter requires some form of secure authentication technology, such as is provided in IPsec (Chapter 8).
- Behavior control: Controls how particular services are used. For example, the firewall may filter e-mail to eliminate spam, or it may enable external access to only a portion of the information on a local Web server.

Password Protection

The front line of defense against intruders is the password system. Virtually all multiuser systems require that a user provide not only a name or identifier (ID) but also a password. The password serves to authenticate the ID of the individual logging on to the system. In turn, the ID provides security in the following ways:

- The ID determines whether the user is authorized to gain access to a system. In some systems, only those who already have an ID filed on the system are allowed to gain access.
- The ID determines the privileges accorded to the user. A few users may have supervisory or superuser status that enables them to read files and perform functions that are especially protected by the operating system. Some systems have guest or anonymous accounts, and users of these accounts have more limited privileges than others.
- The ID is used in what is referred to as discretionary access control. For example, by listing the IDs of the other users, a user may grant permission to them to read files owned by that user.

THE VULNERABILITY OF PASSWORDS

To understand the nature of the threat to password-based systems, let us consider a scheme that is widely used on UNIX, in which passwords are never stored in the clear. Rather, the following procedure is employed (Figure 9.4a). Each user selects a password of up to eight printable characters in length. This is converted into a 56-bit value (using 7-bit ASCII) that serves as the key input to an encryption routine. The encryption routine, known as crypt(3), is based on DES. The DES algorithm is modified using a 12-bit salt value. Typically, this value is related to the time at which the password is assigned to the user. The modified DES algorithm is exercised with a data input consisting of a 64-bit block of zeros. The output of the algorithm then serves as input for a second encryption. This process is repeated for a total of 25 encryptions. The resulting 64-bit output is then translated into an 11-character sequence. The hashed password is then stored, together with a plaintext copy of the salt, in the password file for the corresponding user ID. This method has been shown to be secure against a variety of cryptanalytic attacks [WAGN00].

The salt serves three purposes:

- It prevents duplicate passwords from being visible in the password file. Even if two users choose the same password, those passwords will be assigned at different times. Hence, the extended passwords of the two users will differ.
- It effectively increases the length of the password without requiring the user to remember two additional characters. Hence, the number of possible passwords is increased by a factor of 4096, increasing the difficulty of guessing a password.
- It prevents the use of a hardware implementation of DES, which would ease the difficulty of a brute-force guessing attack.

When a user attempts to log on to a UNIX system, the user provides an ID and a password. The operating system uses the ID to index into the password file and retrieve the plaintext salt and the encrypted password. The salt and user-supplied password are used as input to the encryption routine. If the result matches the stored value, the password is accepted.

The encryption routine is designed to discourage guessing attacks. Software implementations of DES are slow compared to hardware versions, and the use of 25 iterations multiplies the time required by 25. However, since the original design of this algorithm, two changes have occurred. First, newer implementations of the algorithm itself have resulted in speedups. For example, the Morris worm described in Chapter 10 was able to do online password guessing of a few hundred passwords.
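The structure of the scheme described above (12-bit salt, 25 chained rounds starting from a zero block, salt stored in plaintext beside an 11-character result) can be tried out with the following added example, which is not part of the original text. It is a stand-in, not crypt(3): truncated SHA-256 replaces the salt-modified DES, the salt is drawn at random rather than from the time of assignment, and all function names are hypothetical.

```python
import hashlib
import secrets

SALT_BITS = 12   # 4096 possible salts, as in the text
ROUNDS = 25      # output of each round feeds the next, 25 times
ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _encode(value: int, nchars: int) -> str:
    """Encode an integer as nchars printable characters, 6 bits each."""
    return "".join(ALPHABET[(value >> (6 * i)) & 0x3F] for i in range(nchars))

def hash_password(password: str, salt: int) -> str:
    """Stand-in for crypt(3): truncated SHA-256 replaces the salt-modified DES."""
    key = password[:8].encode("ascii")   # at most eight 7-bit ASCII characters
    block = bytes(8)                     # start from a 64-bit block of zeros
    for _ in range(ROUNDS):
        block = hashlib.sha256(salt.to_bytes(2, "big") + key + block).digest()[:8]
    # Stored field: 2 plaintext salt characters + 11 characters for the 64-bit result.
    return _encode(salt, 2) + _encode(int.from_bytes(block, "big"), 11)

def new_entry(password: str) -> str:
    """Create the password-file field (assumption: random salt, not time-derived)."""
    return hash_password(password, secrets.randbelow(1 << SALT_BITS))

def verify(stored: str, attempt: str) -> bool:
    """Login check: read the plaintext salt back, re-hash the attempt, compare."""
    salt = ALPHABET.index(stored[0]) | (ALPHABET.index(stored[1]) << 6)
    return secrets.compare_digest(hash_password(attempt, salt), stored)

def distinct_hashes(password: str) -> int:
    """Count the different stored hashes one password can have across all salts."""
    return len({hash_password(password, s)[2:] for s in range(1 << SALT_BITS)})

if __name__ == "__main__":
    # Constructed sample: two users pick the same password but get different salts.
    alice, bob = hash_password("sunshine", 0x5A1), hash_password("sunshine", 0x0C3)
    print(alice, bob, alice != bob)          # same password, different file entries
    print(verify(alice, "sunshine"), verify(alice, "sunshin3"))
    print(distinct_hashes("sunshine"))       # a precomputed table must cover each salt
```

Because the salt is stored in plaintext, it does nothing against guessing one known entry; what it removes is the ability to spot duplicate passwords and to reuse one precomputed table across all entries.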
A SET system includes the following participants:

- Cardholder
- Merchant
- Issuer
- Acquirer
- Payment gateway
- Certification authority
The sequence of events required for a transaction is as follows:

1. The customer obtains a credit card account with a bank that supports electronic payment and SET.
2. The customer receives an X.509v3 digital certificate signed by the bank.
3. Merchants have their own certificates.
4. The customer places an order.
5. The merchant sends a copy of its certificate so that the customer can verify that it's a valid store.
6. The order and payment are sent.
7. The merchant requests payment authorization.
8. The merchant confirms the order.
9. The merchant ships the goods or provides the service to the customer.
10. The merchant requests payment.

A payment gateway is an e-commerce application service provider service that authorizes payments for e-businesses, online retailers, bricks and clicks, or traditional brick and mortar. It is the equivalent of a physical point of sale terminal located in most retail outlets. Payment gateways protect credit card details by encrypting sensitive information, such as credit card numbers, to ensure that information is passed securely between the customer and the merchant and also between the merchant and the payment processor.

A certificate authority, or certification authority (CA), is an entity that issues digital certificates. The digital certificate certifies the ownership of a public key by the named subject of the certificate. This allows others (relying parties) to rely upon signatures or assertions made by the private key that corresponds to the public key that is certified. In this model of trust relationships, a CA is a trusted third party that is trusted by both the subject (owner) of the certificate and the party relying upon the certificate. CAs are characteristic of many public key infrastructure (PKI) schemes.

Principal services provided by PGP:

1. Digital signature (DSS/SHA or RSA/SHA)
2. Message encryption (CAST-128, IDEA, 3-DES in conjunction with RSA)
3. Compression (Lempel-Ziv)
4. E-mail compatibility (Radix-64 conversion)
5. Segmentation (to overcome maximum message length of 50,000 bytes for SMTP)
SNMP version 1 (SNMPv1) is the initial implementation of the SNMP protocol. SNMPv1 operates over protocols such as User Datagram Protocol (UDP), Internet Protocol (IP), OSI Connectionless Network Service (CLNS), AppleTalk Datagram-Delivery Protocol (DDP), and Novell Internet Packet Exchange (IPX). SNMPv1 is widely used and is the de facto network-management protocol in the Internet community.

The first RFCs for SNMP, now known as SNMPv1, appeared in 1988:

- RFC 1065: Structure and identification of management information for TCP/IP-based internets
- RFC 1066: Management information base for network management of TCP/IP-based internets
- RFC 1067: A simple network management protocol
These protocols were obsoleted by:

- RFC 1155: Structure and identification of management information for TCP/IP-based internets
- RFC 1156: Management information base for network management of TCP/IP-based internets
- RFC 1157: A simple network management protocol
After a short time, RFC 1156 (MIB-1) was replaced by the more often used:

- RFC 1213: Version 2 of management information base (MIB-2) for network management of TCP/IP-based internets
Version 1 has been criticized for its poor security.[3] Authentication of clients is performed only by a "community string", in effect a type of password, which is transmitted in cleartext.

The '80s design of SNMP V1 was done by a group of collaborators who viewed the officially sponsored OSI/IETF/NSF (National Science Foundation) effort (HEMS/CMIS/CMIP) as both unimplementable on the computing platforms of the time and potentially unworkable. SNMP was approved based on a belief that it was an interim protocol needed for taking steps towards large-scale deployment of the Internet and its commercialization. In that time period, Internet-standard authentication/security was both a dream and discouraged by focused protocol design groups.