Introduction to Network Security


Introduction to Network Security FOR Bim - CSCL

What is Network Security
Network security is any activity designed to protect the usability and integrity of a network and its data. It includes both hardware and software technologies. Network security consists of the policies and practices adopted to prevent and monitor unauthorized access, misuse, modification, or denial of a computer network and network-accessible resources. The most basic way of protecting a network resource is to assign it a unique name and a corresponding password; on its own that only authenticates users, so it is combined with the controls described on the following slides.

Network Security Overview

Principal Methods of Protecting a Network
Methods used in cryptography can be applied effectively to network security. Encryption and decryption maintain data confidentiality. Hashing (message digests) supports integrity, but a bare hash can be recomputed by anyone who modifies the data, so integrity against an active attacker requires a keyed message authentication code or a digital signature. Digital signatures provide authentication and non-repudiation. Denial-of-service attacks are not solved by cryptography; they are addressed by other controls such as intrusion prevention systems and hardware firewalls.

Encryption at Network

Network Organization
Firewalls and proxies are the main devices that separate the internal network from external networks.

DMZ
Literal meaning: Demilitarized Zone, an area between nation states in which military operations are not permitted. In computer networks, a DMZ is a physical or logical sub-network that separates an internal local area network (LAN) from other untrusted networks, usually the Internet. The DMZ functions as a small, isolated network positioned between the Internet and the private network. Any service that is provided to users on the Internet should be placed in the DMZ, so that a compromise of an exposed server does not give the attacker a foothold directly on the internal LAN. The most common of these services are web, mail, DNS, FTP, and VoIP.

Architecture of a DMZ
Two common architectures: single firewall and dual firewall.

Single Firewall
A single firewall with at least three network interfaces can be used to create a network architecture containing a DMZ. The external network is formed from the ISP to the firewall on the first network interface, the internal network is formed on the second network interface, and the DMZ is formed on the third network interface. The firewall becomes a single point of failure for the network and must be able to handle all of the traffic going to the DMZ as well as to the internal network; a single misconfiguration or compromise of that one device exposes both zones.

Dual Firewall
A more secure approach is to use two firewalls to create the DMZ. The first firewall (the "front-end" or "perimeter" firewall) is configured to allow traffic from the Internet only to the DMZ, never directly to the internal network. The second firewall (the "back-end" or "internal" firewall) allows only the specific connections that the DMZ servers need into the internal network. This setup is considered more secure because an attacker would have to compromise two devices to reach the internal network. Using firewalls from two different vendors adds further protection, since it is less likely that both devices suffer from the same vulnerability, at the cost of maintaining two rule syntaxes and two patch cycles.

Firewall
A firewall is a host that mediates access to a network, allowing or disallowing certain types of access on the basis of a configured security policy. A basic firewall accepts or rejects packets on the basis of header information, such as source and destination addresses or ports, rather than the contents of the message. Firewalls may also analyze the packets that enter more deeply and base actions on that analysis, leading to traffic shaping (in which percentages of bandwidth are reserved for specific types of traffic), intrusion response, and other controls.

Proxies
A proxy is a different kind of firewall from the one just described: an intermediate agent or server that acts on behalf of an endpoint without allowing a direct connection between the two endpoints. A client connects to the proxy server and requests some service, such as a file, connection, web page, or other resource available from a different server; the proxy evaluates the request against policy and, if permitted, fetches the resource on the client's behalf. Because the proxy terminates the connection itself, it can inspect and filter the traffic at the application layer.

Types of Firewall
A firewall is a device used to enforce security policy within a network or between networks by controlling traffic flows. By method of operation, firewalls can be divided into four types: packet-filtering firewalls, stateful inspection firewalls, application-level gateways, and circuit-level gateways.

Packet-Filtering Firewalls (1)
Packet-filtering firewalls validate packets based on the protocol, source and/or destination IP addresses, source and/or destination port numbers, time range, type of service (ToS), and various other parameters within the IP header. Packet filtering is generally accomplished using access control lists (ACLs) on routers or switches and is normally very fast. As traffic enters or exits an interface, ACLs match it against the selected criteria and either permit or deny individual packets. In most implementations the rules are evaluated in order, the first match wins, and a packet that matches no rule is dropped by an implicit deny at the end of the list, so rule order matters.

Packet-Filtering Firewalls (2)
The primary advantage of packet-filtering firewalls is that the capability is present in just about every device on the network. Routers, switches, wireless access points, Virtual Private Network (VPN) concentrators, and so on may all act as packet-filtering firewalls. Routers from the smallest home-office device to the largest service-provider device inherently have the capability to control the flow of packets through ACLs. The corresponding limitation is that a packet filter judges each packet in isolation: it cannot tell whether an inbound packet is a reply to a connection that a host inside actually opened.
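The first-match ACL evaluation described on the packet-filtering slides, applied to the dual-firewall DMZ from the earlier slides, as an added example written for this page (it is not code from the slides or from any vendor's ACL implementation). The addresses, host names, ports and rule sets are constructed for illustration; real ACL syntax differs per vendor, but the semantics (ordered rules, first match wins, implicit deny at the end) are the ones the slides describe.

```python
"""Added example: router-style ACL evaluation applied to a dual-firewall DMZ.
Addresses, hosts and rules are constructed for illustration only."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str                    # "tcp", "udp" or "icmp"
    src: str                      # source IPv4 address
    dst: str                      # destination IPv4 address
    dport: Optional[int] = None   # destination port (None for icmp)


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"        # source network in CIDR form
    dst: str = "0.0.0.0/0"        # destination network in CIDR form
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "any" or self.proto == p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))


def evaluate(acl: List[Rule], p: Packet) -> str:
    """Router ACL semantics: rules are tried in order, the first match wins,
    and a packet that matches nothing hits the implicit 'deny any' at the end."""
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return "deny"


def trace(acl: List[Rule], p: Packet) -> str:
    """Same decision as evaluate(), but says which rule made it (useful when
    debugging why a packet was dropped)."""
    for i, rule in enumerate(acl):
        if rule.matches(p):
            return f"rule {i}: {rule.action}"
    return "implicit deny"


# Constructed topology: Internet -> front-end FW -> DMZ -> back-end FW -> LAN
DMZ = "203.0.113.0/24"
LAN = "10.0.0.0/8"
WEB = "203.0.113.10"       # public web server in the DMZ
MAIL = "203.0.113.25"      # public mail server in the DMZ
DB = "10.0.5.20"           # database on the internal LAN

# Front-end (perimeter) firewall, inbound from the Internet: only the
# published DMZ services are reachable. The LAN is denied explicitly so the
# intent is visible in the rule base; the implicit deny would catch it anyway.
FRONT_END = [
    Rule("permit", "tcp", dst=WEB, dport=443),
    Rule("permit", "tcp", dst=WEB, dport=80),
    Rule("permit", "tcp", dst=MAIL, dport=25),
    Rule("deny", dst=LAN),
]

# Back-end (internal) firewall, inbound from the DMZ: only the one connection
# the web tier needs, so a compromised mail server still cannot reach the DB.
BACK_END = [
    Rule("permit", "tcp", src=WEB, dst=DB, dport=5432),
    Rule("deny", src=DMZ),
]


if __name__ == "__main__":
    client = "198.51.100.7"   # constructed Internet client
    for pkt in (Packet("tcp", client, WEB, 443),
                Packet("tcp", client, DB, 5432),
                Packet("udp", client, WEB, 443)):
        print("front-end", pkt, "->", trace(FRONT_END, pkt))
    for pkt in (Packet("tcp", WEB, DB, 5432), Packet("tcp", MAIL, DB, 5432)):
        print("back-end ", pkt, "->", trace(BACK_END, pkt))
```

In the single-firewall, three-interface design the same two rule sets would be applied on one device as per-interface ACLs; the decisions are identical, but one device then holds both policies, which is the single point of failure the slide warns about.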

Packet-Filtering Firewalls (3)

Stateful Inspection Firewall
Also known as dynamic packet filtering, stateful inspection is a firewall technology that monitors the state of active connections and uses this information to determine which network packets to allow through the firewall. It has largely replaced the older technology of static packet filtering, in which only the headers of individual packets are checked, so an attacker can craft packets that look like part of a legitimate session (for example, an inbound packet with the ACK flag set) and have them admitted. Stateful inspection monitors communication over time and examines both incoming and outgoing packets. Outgoing packets that request specific types of incoming packets are tracked, and only incoming packets that constitute a proper response are allowed through the firewall. Classic stateful inspection tracks transport-layer state (the TCP handshake and connection tuple, UDP pseudo-sessions); some products add application-layer helpers or deep packet inspection on top, but that is a separate capability rather than part of stateful inspection itself.
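The connection tracking described above, as an added example written for this page (not code from the slides or from any firewall product): a minimal stateful inspection engine for TCP that remembers connections opened from the inside, admits inbound packets only when they are a proper reply to one of them, and drops the forged "ACK-only" packet that a static filter with an "established" rule would let through. The inside network, addresses and packet structure are constructed; FIN-based teardown and timeouts are left out for brevity, so only RST removes state here.

```python
"""Added example: a minimal stateful inspection engine for TCP. Inbound
packets are admitted only if they belong to a connection an inside host
opened. Addresses are constructed; FIN teardown and timeouts are omitted."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, Tuple


@dataclass(frozen=True)
class TcpPacket:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]     # subset of {"SYN", "ACK", "FIN", "RST"}


# Connection key, always oriented from the inside host outward:
# (inside ip, inside port, outside ip, outside port)
Key = Tuple[str, int, str, int]


class StatefulFirewall:
    """Policy: inside hosts may open TCP connections to the outside; the
    outside may only answer them. Everything else is dropped."""

    def __init__(self, inside_net: str) -> None:
        self.inside = ip_network(inside_net)
        self.table: Dict[Key, str] = {}   # key -> "SYN_SENT" | "ESTABLISHED"

    def _is_inside(self, ip: str) -> bool:
        return ip_address(ip) in self.inside

    def handle(self, p: TcpPacket) -> str:
        outbound = self._is_inside(p.src) and not self._is_inside(p.dst)
        inbound = self._is_inside(p.dst) and not self._is_inside(p.src)
        if outbound:
            return self._outbound((p.src, p.sport, p.dst, p.dport), p)
        if inbound:
            return self._inbound((p.dst, p.dport, p.src, p.sport), p)
        return "deny"   # inside-to-inside or outside-to-outside: not routed here

    def _outbound(self, key: Key, p: TcpPacket) -> str:
        if key in self.table:
            if "RST" in p.flags:
                del self.table[key]        # connection aborted, forget it
            return "permit"
        if p.flags == {"SYN"}:
            self.table[key] = "SYN_SENT"   # remember what we asked for
            return "permit"
        return "deny"   # non-SYN packet with no state, e.g. a stray ACK

    def _inbound(self, key: Key, p: TcpPacket) -> str:
        state = self.table.get(key)
        if state is None:
            return "deny"   # unsolicited, whatever flags it carries
        if state == "SYN_SENT":
            if p.flags == {"SYN", "ACK"}:
                self.table[key] = "ESTABLISHED"
                return "permit"
            if "RST" in p.flags:
                del self.table[key]        # peer refused the connection
                return "permit"
            return "deny"   # anything else is not a valid reply to our SYN
        if "RST" in p.flags:
            del self.table[key]
        return "permit"


if __name__ == "__main__":
    fw = StatefulFirewall("10.0.0.0/8")
    syn = TcpPacket("10.0.0.5", 40000, "93.184.216.34", 443, frozenset({"SYN"}))
    synack = TcpPacket("93.184.216.34", 443, "10.0.0.5", 40000, frozenset({"SYN", "ACK"}))
    forged = TcpPacket("198.51.100.9", 443, "10.0.0.5", 40001, frozenset({"ACK"}))
    for pkt in (syn, synack, forged):
        print(sorted(pkt.flags), fw.handle(pkt))
```

The state table is the whole difference from the ACL on the previous slides: the forged ACK is denied not because of anything in its header but because no inside host ever sent a SYN to that peer. A production engine also validates sequence numbers within the window, ages entries out, and tracks UDP and ICMP pseudo-sessions.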

Application-Level Firewall
An application-level gateway, also called an application proxy, acts as a relay of application-level traffic. The user contacts the gateway using a TCP/IP application, such as Telnet or FTP, and the gateway asks the user for the name of the remote host to be accessed. When the user responds and provides a valid user ID and authentication information, the gateway contacts the application on the remote host and relays the traffic between the two endpoints. Because it understands the application protocol, the gateway can enforce policy on individual commands and content, but a separate proxy must be written for each protocol it supports.

Application Level Firewall

Circuit-Level Firewall
Circuit-level gateways work at the session layer of the OSI model. They monitor the TCP handshake between hosts to determine whether a requested session is legitimate, and once the session is established they relay its data without inspecting the application content. Information passed to a remote computer through a circuit-level gateway appears to have originated from the gateway.

Different Firewall in OSI layer

IPSec (1)
Internet Protocol Security (IPsec) is a protocol suite for secure Internet Protocol (IP) communications that authenticates and encrypts each IP packet of a communication session. It includes protocols for establishing mutual authentication between agents at the beginning of the session and for negotiating the cryptographic keys to be used during the session (IKE). It can protect data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host).

IPSec (2)
IPsec uses cryptographic security services to protect communications over IP networks. It supports network-level peer authentication, data origin authentication, data integrity, data confidentiality, and replay protection. IPsec has two modes. Transport mode places only the payload of the IP packet (the upper-layer segment) inside an IPsec envelope and sends it with the original IP header; that header therefore travels in the clear and, with ESP, is not integrity protected. Tunnel mode encapsulates the entire original IP packet, header included, inside an IPsec envelope and forwards it in a new outer IP packet, so the original source and destination addresses are hidden from observers on the path. Transport mode is used when both endpoints themselves support IPsec. Tunnel mode is used when one or both endpoints do not support IPsec but security gateways acting on their behalf do, which is the usual site-to-site VPN case.
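The data integrity and replay protection services listed above, as an added example written for this page (not code from any IPsec implementation): a toy ESP-like receiver that verifies a truncated HMAC integrity check value (ICV) over the SPI, sequence number and payload, and then runs the sliding anti-replay window that RFC 4303 describes, advancing the window only after the ICV verifies so that forged sequence numbers cannot move it. It also illustrates the point from the earlier cryptography slide that integrity needs a keyed check, not a bare hash. The packet layout (SPI, sequence number, payload, 16-byte ICV), the shared key and the payloads are constructed and simplified: there is no encryption, padding, or next-header field.

```python
"""Added example: truncated-HMAC integrity check plus sliding anti-replay
window, in the style of ESP. Key, SPI and payloads are constructed; the
packet format is simplified (no encryption, padding or next-header field)."""
import hashlib
import hmac
import struct

ICV_LEN = 16   # HMAC-SHA-256 truncated to 128 bits, as HMAC-SHA-256-128 does


def build_esp(key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """Sender side: SPI (4 bytes) | sequence number (4 bytes) | payload | ICV."""
    header = struct.pack("!II", spi, seq)
    icv = hmac.new(key, header + payload, hashlib.sha256).digest()[:ICV_LEN]
    return header + payload + icv


class AntiReplayWindow:
    """Sliding window over sequence numbers: `top` is the highest accepted
    number and bit i of `bitmap` records whether top - i has been seen."""

    def __init__(self, size: int = 64) -> None:
        self.size = size
        self.top = 0
        self.bitmap = 0

    def is_fresh(self, seq: int) -> bool:
        """Preliminary check, done before the (expensive) ICV verification."""
        if seq == 0:                      # ESP sequence numbers start at 1
            return False
        if seq > self.top:
            return True                   # right of the window: new
        offset = self.top - seq
        if offset >= self.size:
            return False                  # left of the window: too old, drop
        return not (self.bitmap >> offset) & 1   # inside: replay if bit set

    def mark(self, seq: int) -> None:
        """Record an authenticated packet; called only after the ICV verified."""
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)


class EspReceiver:
    def __init__(self, key: bytes, spi: int, window: int = 64) -> None:
        self.key = key
        self.spi = spi
        self.window = AntiReplayWindow(window)

    def receive(self, pkt: bytes) -> str:
        if len(pkt) < 8 + ICV_LEN:
            return "malformed"
        spi, seq = struct.unpack("!II", pkt[:8])
        if spi != self.spi:
            return "unknown SPI"
        if not self.window.is_fresh(seq):
            return "replay"               # cheap rejection before any crypto
        body, icv = pkt[:-ICV_LEN], pkt[-ICV_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            return "bad ICV"              # window untouched: forgeries can't move it
        self.window.mark(seq)
        return "accepted"


if __name__ == "__main__":
    key = b"constructed-shared-key"
    rx = EspReceiver(key, spi=0x1000)
    p1 = build_esp(key, 0x1000, 1, b"hello")
    print(rx.receive(p1), rx.receive(p1))                  # accepted, then replay
    bad = bytearray(build_esp(key, 0x1000, 2, b"x"))
    bad[8] ^= 1                                            # flip a payload bit
    print(rx.receive(bytes(bad)))                          # bad ICV
```

The order of the checks is the security-relevant part: the window is consulted before the MAC so replays cost no crypto, but it is updated only after the MAC verifies, otherwise an attacker who can spoof a packet with a very high sequence number could push the window forward and cause legitimate in-flight packets to be dropped.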

Virtual Private Network
A VPN extends a private network across a public network such as the Internet. It enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network. A VPN is constructed by using a public network, usually the Internet, to connect to a private network, such as a company's internal network. It uses encryption and other security mechanisms (for example IPsec in tunnel mode between two gateways) to ensure that only authorized users can access the network and that the data cannot be read or modified in transit.

Trusted system Left for you…