Presentation is loading. Please wait.

Presentation is loading. Please wait.

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.1. Chapter 10 Network Security.

Published byElmer Heath Modified over 9 years ago

Similar presentations

Presentation on theme: "Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.1. Chapter 10 Network Security."— Presentation transcript:

1

2 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.1. Chapter 10 Network Security

3 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.2 Chapter 10: Outline 10.1 INTRODUCTION 10.2 CONFIDENTIALITY 10.3 OTHER ASPECTS OF SECURITY 10.4 INTERNET SECURITY 10.5 FIREWALLS

4 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.3 Chapter 10: Objective  We introduce network security. We discuss security goals, types of attacks, and services provided by network security.  We introduce the first goal of security, confidentiality. We discuss symmetric-key ciphers and asymmetric-key ciphers.  We discuss other aspects of security: message integrity, message authentication, digital signature, entity authentication, and key management.  We apply what we have learned in the first three sections to the top three layers of the TCP/IP suite.  Finally, we discuss firewalls: packet-filter and proxy.

5 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.4 10-1 INTRODUCTION Information is an asset that has a value like any other asset. As an asset, information needs to be secured from attacks. To be secured, information needs to be hidden from unauthorized access (confidentiality), protected from unauthorized change (integrity), and available to an authorized entity when it is needed (availability).

6 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.5 10.1.1 Security Goals Let us first discuss three security goals:  Confidentiality  Integrity  Availability

7 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.6 10.1.2 Attacks Our three goals of security, confidentiality, integrity, and availability, can be threatened by security attacks. Although the literature uses different approaches to categorizing the attacks, we divide them into three groups related to the security goals. Figure 10.1 shows the taxonomy.

8 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.7 10.1.2 (continued)  Attacks Threatening Confidentiality  Attacks Threatening Integrity  Modification  Masquerading  Replaying  Repudiation  Attacks Threatening Availability  Denial of Service  Snooping  Traffic Analysis

9 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.8 Figure 10.1: Taxonomy of attacks with relation to security goals

10 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.9 10.1.3 Services and Techniques ITU-T defines some security services to achieve security goals and prevent attacks. Each of these services is designed to prevent one or more attacks while maintaining security goals. The actual implementation of security goals needs some techniques. Two techniques are prevalent today:  Cryptography  Steganography

11 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.10 10-2 CONFIDENTIALITY We now look at the first goal of security, confidentiality. Confidentiality can be achieved using ciphers. Ciphers can be divided into two broad categories: symmetric-key and asymmetric-key.

12 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.11 10.2.1 Symmetric-Key Ciphers A symmetric-key cipher uses the same key for both encryption and decryption, and the key can be used for bidirectional communication, which is why it is called symmetric. Figure 10.2 shows the general idea behind a symmetric-key cipher.

13 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.12 10.2.1 (continued)  Traditional Symmetric-Key Ciphers  Substitution Ciphers  Transposition Ciphers  Stream and Block Ciphers  Modern Symmetric-Key Ciphers  Modern Block Ciphers  Data Encryption Standard (DES)  Modern Stream Ciphers

14 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.13 Figure 10.2: General idea of a symmetric-key cipher

15 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.14 Figure 10.3: Symmetric-key encipherment as locking and unlocking with the same key

16 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.15 Figure 10.4: Representation of plaintext and ciphertext characters in modulo 26

17 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.16 Use the additive cipher with key = 15 to encrypt the message “hello”. Example 10.1

18 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.17 Use the additive cipher with key = 15 to decrypt the message “WTAAD”. Example 10.2

19 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.18 Figure 10.5: An example key for a monoalphabetic substitution cipher

20 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.19 We can use the key in Figure 10.5 to encrypt the message Example 10.3

21 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.20 Assume that Alice and Bob agreed to use an autokey cipher with initial key value k 1 = 12. Now Alice wants to send Bob the message “Attack is today”. The three occurrences of “t” are encrypted differently. Example 10.4

22 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.21 Figure 10.6: Transposition cipher

23 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.22 Figure 10.7: A modern block cipher

24 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.23 Figure 10.8: Components of a modern block cipher

25 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.24 Figure 10.9: General structure of DES

26 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.25 Figure 10.10: DES function

27 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.26 Figure 10.11: Key generation

28 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.27 We choose a random plaintext block and a random key, and determine (using a program) what the ciphertext block would be (all in hexadecimal) as shown below. Example 10.5

29 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.28 To check the effectiveness of DES when a single bit is changed in the input, we use two different plaintexts with only a single bit difference (in a program). The two ciphertexts are completely different without even changing the key. Although the two plaintext blocks differ only in the rightmost bit, the ciphertext blocks differ in 29 bits. Example 10.6

30 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.29 Figure 10.12: One-time pad

31 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.30 10.2.2 Asymmetric-Key Ciphers In previous sections we discussed symmetric-key ciphers. In this section, we start the discussion of asymmetric-key ciphers. Symmetric- and asymmetric-key ciphers will exist in parallel and continue to serve the community. We actually believe that they are complements of each other; the advantages of one can compensate for the disadvantages of the other.

32 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.31 10.2.2 (continued)  General Idea  Plaintext/Ciphertext  Encryption/Decryption  Need for Both  RSA Cryptosystem  Procedure  Applications

33 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.32 Figure 10.13: Locking and unlocking in asymmetric-key cryptosystem

34 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.33 Figure 10.14: General idea of asymmetric-key cryptosystem

35 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.34 Figure 10.15: Encryption, decryption, and key generation in RSA

36 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.35 For the sake of demonstration, let Bob choose 7 and 11 as p and q and calculate n = 7 × 11 = 77, φ(n) = (7 − 1)(11 − 1), or 60. If he chooses e to be 13, then d is 37. Note that e × d mod 60 = 1. Now imagine that Alice wants to send the plaintext 5 to Bob. She uses the public exponent 13 to encrypt 5. This system is not safe because p and q are small. Example 10.7

37 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.36 Here is a more realistic example calculated using a computer program in Java. We choose a 512-bit p and q, calculate n and φ(n). We then choose e and calculate d. Finally, we show the results of encryption and decryption. The integer p is a 159-digit number. Example 10.8

38 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.37 Example 10.8 (continued)

39 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.38 Example 10.8 (continued)

40 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.39 Example 10.8 (continued)

41 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.40 10-3 OTHER ASPECTS OF SECURITY The cryptography systems that we have studied so far provide confidentiality. However, in modern communication, we need to take care of other aspects of security, such as integrity, message and entity authentication, non-repudiation, and key management. We briefly discuss these issues in this section.

42 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.41 10.3.1 Message Integrity There are occasions where we may not even need secrecy but instead must have integrity: the message should remain unchanged. For example, Alice may write a will to distribute her estate upon her death. The will does not need to be encrypted. After her death, anyone can examine the will. The integrity of the will, however, needs to be preserved.  Message and Message Digest  Hash Functions

43 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.42 Figure 10.16: Message and digest

44 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.43 10.3.2 Message Authentication A digest can be used to check the integrity of a message—that the message has not been changed. To ensure the integrity of the message and the data origin authentication—that Alice is the originator of the message, not somebody else—we need to include a secret shared by Alice and Bob (that Eve does not possess) in the process; we need to create a message authentication code (MAC).  HMAC

45 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.44 Figure 10.17: Message authentication code

46 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.45 10.3.3 Digital Signature Another way to provide message integrity and message authentication (and some more security services, as we will see shortly) is a digital signature. A MAC uses a secret key to protect the digest; a digital signature uses a pair of private- public keys.

47 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.46 10.3.3 (continued)  Comparison  Inclusion  Verification Method  Relationship  Duplicity  Process  Signing the Digest  Services  Message Authentication  Message Integrity  Non-repudiation

48 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.47 10.3.3 (continued)  RSA Digital Signature Scheme  Digital Signature Standard (DSS)

49 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.48 Figure 10.18: Digital signature process

50 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.49 Figure 10.19: Signing the digest

51 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.50 Figure 10.20: Using a trusted center for non-repudiation

52 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.51 Figure 10.21: The RSA signature on the message digest

53 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.52 10.3.4 Entity Authentication Entity authentication is a technique designed to let one party verify the identity of another party. An entity can be a person, a process, a client, or a server. The entity whose identity needs to be proven is called the claimant; the party that tries to verify the identity of the claimant is called the verifier.

54 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.53 10.3.4 (continued)  Entity versus Message Authentication  Verification Categories  Passwords  Challenge-Response  Using a Symmetric-Key Cipher  Using an Asymmetric-Key Cipher  Using Digital Signatures

55 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.54 Figure 10.22: Unidirectional, symmetric-key authentication

56 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.55 Figure 10.23: Unidirectional, asymmetric-key authentication

57 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.56 Figure 10.24: Digital signature, unidirectional authentication

58 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.57 10.3.5 Key Management We discussed symmetric-key and asymmetric-key cryptography in the previous sections. However, we have not yet discussed how secret keys in symmetric-key cryptography, and public keys in asymmetric-key cryptography, are distributed and maintained. This section touches on these two issues.

59 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.58 10.3.5 (continued)  Symmetric-Key Distribution  Symmetric-Key Agreement  Diffie-Hellman Key Agreement  Public-Key Distribution  Public Announcement  Certification Authority  X.509  Key Distribution Center (KDC)

60 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.59 Figure 10.25: Multiple KDCs

61 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.60 Figure 10.26: Creating a session key using KDC

62 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.61 Figure 10.27: Diffie-Hellman method

63 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.62 Example 10.9 Let us give a trivial example to make the procedure clear. Our example uses small numbers, but note that in a real situation, the numbers are very large. Assume that g = 7 and p = 23. The steps are as follows: 1. Alice chooses x = 3 and calculates R 1 = 7 3 mod 23 = 21. Bob chooses y = 6 and calculates R 2 = 7 6 mod 23 = 4. 2. Alice sends the number 21 to Bob.

64 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.63 Example 10.9 (continued) 3. Bob sends the number 4 to Alice. 4. Alice calculates the symmetric key K = 4 3 mod 23 = 18. Bob calculates the symmetric key K = 21 6 mod 23 = 18. Conclusion: The value of K is the same for both Alice and Bob; g xy mod p = 7 18 mod 23 = 18.

65 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.64 Figure 10.28: Certification authority

66 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.65 10-4 INTERNET SECURITY In this section, we discuss how the principles of cryptography are applied to the Internet. We discuss security in the application layer, transport layer, and network layer. Security at the data-link layer is normally a proprietary issue and is implemented by the designers of LANs and WANs.

67 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.66 10.4.1 Application-Layer Security This section discusses two protocols providing security services for e-mails: Pretty Good Privacy (PGP) and Secure/Multipurpose Internet Mail Extension (S/MIME).

68 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.67 10.4.1 (continued)  E-mail Security  Cryptographic Algorithms  Cryptographic Secrets  Certificates  Pretty Good Privacy (PGP)  Scenarios  Segmentation  Key Rings  PGP Algorithms  PGP Certificates and Trusted Model  PGP Packets  Applications of PGP

69 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.68 10.4.1 (continued)  S/MIME  Cryptographic Message Syntax (CMS)  Key Management  Cryptographic Algorithms  Applications of S/MIME

70 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.69 Figure 10.29: A plaintext message

71 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.70 Figure 10.30: An authenticated message

72 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.71 Figure 10.31: A compressed message

73 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.72 Figure 10.32: A confidential message

74 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.73 Figure 10.33: Key rings in PGP

75 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.74 Figure 10.34: Trust model

76 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.75 Figure 10.35: Signed-data content type

77 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.76 Figure 10.36: Enveloped-data content type

78 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.77 Figure 10.37: Digested-data content type

79 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.78 Figure 10.38: Authenticated-data content type

80 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.79 Example 10.10 The following shows an example of an enveloped-data in which a small message is encrypted using triple DES..

81 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.80 10.4.2 Transport-Layer Security Two protocols are dominant today for providing security at the transport layer: the Secure Sockets Layer (SSL) protocol and the Transport Layer Security (TLS) protocol. The latter is actually an IETF version of the former. We discuss SSL in this section; TLS is very similar. Figure 10.39 shows the position of SSL and TLS in the Internet model.

82 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.81 10.4.2 (continued)  SSL Architecture  Services  Key Exchange Algorithms  Encryption/Decryption Algorithms  Hash Algorithms  Cipher Suite  Compression Algorithms  Cryptographic Parameter Generation  Sessions and Connections

83 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.82 10.4.2 (continued)  Four Protocols  Handshake Protocol  ChangeCipherSpec Protocol  Alert Protocol  Record Protocol

84 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.83 Figure 10.39: Location of SSL and TLS in the Internet model

85 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.84 Figure 10.40: Calculation of master secret from pre-master secret

86 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.85 Figure 10.41: Calculation of key material from master secret

87 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.86 Figure 10.42: Extractions of cryptographic secrets from key material

88 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.87 Figure 10.43: Four SSL protocols

89 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.88 Figure 10.44: Handshake Protocol

90 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.89 Figure 10.45: Processing done by the Record Protocol

91 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.90 10.4.3 Network-Layer Security We need security at the network layer for three reasons. First, not all client/server programs are protected at the application layer. Second, not all client/server programs at the application layer use the services of TCP to be protected by the transport-layer security. Third, many applications, such as routing protocols, directly use the service of IP; they need security services at the IP layer. IP Security is a collection of protocols designed by the Internet Engineering

92 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.91 10.4.3 (continued)  Two Modes  Transport Mode  Tunnel Mode  Comparison  Two Security Protocols  Authentication Header (AH)  Encapsulating Security Payload (ESP)  IPv4 and IPv6  AH versus ESP

93 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.92 10.4.3 (continued)  Services Provided by IPSec  Access Control  Message Integrity  Entity Authentication  Confidentiality  Replay Attack Protection  Security Association  Idea of Security Association  Security Association Database (SAD)  Security Policy  Security Policy Database

94 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.93 10.4.3 (continued)  Internet Key Exchange (IKE)  Virtual Private Network (VPN)

95 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.94 Figure 10.46: IPSec in transport mode

96 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.95 Figure 10.47: Transport mode in action

97 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.96 Figure 10.48: IPSec in tunnel mode

98 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.97 Figure 10.49: Tunnel mode in action

99 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.98 Figure 10.50: Transport mode versus tunnel mode

100 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.99 Figure 10.51: Authentication Header (AH) protocol

101 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.100 Figure 10.52: Encapsulating Security Payload (ESP)

102 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.101 Table 10.1 : IPSec services

103 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.102 Figure 10.53: Simple SA

104 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.103 Figure 10.54: SAD

105 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.104 Figure 10.55: Security Policy Database

106 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.105 Figure 10.56: Outbound processing

107 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.106 Figure 10.57: Inbound processing

108 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.107 Figure 10.58: IKE components

109 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.108 Figure 10.59: Virtual private network

110 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.109 10-5 FIREWALLS All previous security measures cannot prevent Eve from sending a harmful message to a system. To control access to a system we need firewalls. A firewall is a device (usually a router or a computer) installed between the internal network of an organization and the rest of the Internet. It is designed to forward some packets and filter (not forward) others.

111 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.110 Figure 10.60: Firewall

112 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.111 10.5.1 Packet-Filter Firewalls A firewall can be used as a packet filter. It can forward or block packets based on the information in the network-layer and transport-layer headers: source and destination IP addresses, source and destination port addresses, and type of protocol (TCP or UDP). A packet-filter firewall is a router that uses a filtering table to decide which packets must be discarded (not forwarded). Figure 10.61 shows an example of a filtering table for this kind of a firewall.

113 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.112 Figure 10.61: Packet-filter firewall

114 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.113 10.5.2 Proxy Firewalls The packet-filter firewall is based on the information available in the network layer and transport layer headers (IP and TCP/UDP). However, sometimes we need to filter a message based on the information available in the message itself (at the application layer). One solution is to install a proxy computer to filter the messages.

115 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.114 Figure 10.62: Proxy firewall

116 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.115 Chapter 10: Summary  The three goals of security can be threatened by security attacks. Two techniques have been devised to protect information against attacks: cryptography and steganography.  In a symmetric-key cipher the same key is used for encryption and decryption, and the key can be used for bidirectional communication. We can divide traditional symmetric-key ciphers into two broad categories: substitution ciphers and transposition ciphers.  In an asymmetric key cryptography there are two separate keys: one private and one public. Asymmetric-key cryptography means that Bob and Alice cannot use the same set of keys for two-way communication.

117 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.116 Chapter 10: Summary (continued)  Other aspects of security include integrity, message authentication, entity authentication, and key management.  The Pretty Good Privacy (PGP), invented by Phil Zimmermann, provides e-mail with privacy, integrity, and authentication. Another security service designed for electronic mail is Secure/Multipurpose Internet Mail Extension (S/MIME).  A transport-layer security protocol provides end-to-end security services for applications that use the services of a reliable transport-layer protocol such as TCP. Two protocols are dominant today for providing security at the transport layer: Secure Sockets Layer (SSL) and Transport Layer Security (TLS).

118 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.117 Chapter 10: Summary (continued)  IP Security (IPSec) is a collection of protocols designed by the IETF to provide security for a packet at the network level. IPSec operates in transport or tunnel mode. IPSec defines two protocols: Authentication Header (AH) Protocol and Encapsulating Security Payload (ESP) Protocol.  A firewall is a device (usually a router or a computer) installed between the internal network of an organization and the rest of the Internet. It is designed to forward some packets and filter others. A firewall is usually classified as a packet-filter firewall or a proxy firewall.

Download ppt "Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.1. Chapter 10 Network Security."

Similar presentations

Spring 2012: CS419 Computer Security Vinod Ganapathy SSL, etc.

Spring 2012: CS419 Computer Security Vinod Ganapathy SSL, etc.
17.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 17 Security at the Transport Layer: SSL and TLS.

17.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 17 Security at the Transport Layer: SSL and TLS.
Working Connection Computer and Network Security - SSL, IPsec, Firewalls – (Chapter 17, 18, 19, and 23)

Working Connection Computer and Network Security - SSL, IPsec, Firewalls – (Chapter 17, 18, 19, and 23)
Security at the Network Layer: IPSec

Security at the Network Layer: IPSec
McGraw-Hill © ©The McGraw-Hill Companies, Inc., 2004 Chapter 31 Security Protocols in the Internet.

McGraw-Hill © ©The McGraw-Hill Companies, Inc., 2004 Chapter 31 Security Protocols in the Internet.
Network Security Chapter 8. Cryptography Introduction to Cryptography Substitution Ciphers Transposition Ciphers One-Time Pads Two Fundamental Cryptographic.

Network Security Chapter 8. Cryptography Introduction to Cryptography Substitution Ciphers Transposition Ciphers One-Time Pads Two Fundamental Cryptographic.
Principles of Information Security, 2nd edition1 Cryptography.

Principles of Information Security, 2nd edition1 Cryptography.
Security Overview Hofstra University University College for Continuing Education - Advanced Java Programming Lecturer: Engin Yalt May 24, 2006.

Security Overview Hofstra University University College for Continuing Education - Advanced Java Programming Lecturer: Engin Yalt May 24, 2006.
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 30 Internet Security.

TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 30 Internet Security.
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 29 Cryptography and Network.

TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 29 Cryptography and Network.
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
TCP/IP Protocol Suite 1 Chapter 28 Upon completion you will be able to: Security Differentiate between two categories of cryptography schemes Understand.

TCP/IP Protocol Suite 1 Chapter 28 Upon completion you will be able to: Security Differentiate between two categories of cryptography schemes Understand.
Chapter 29 Internet Security

Chapter 29 Internet Security
McGraw-Hill©The McGraw-Hill Companies, Inc., 2004 1 Security PART VII.

McGraw-Hill©The McGraw-Hill Companies, Inc., Security PART VII.
TCP/IP Protocol Suite 1 Chapter 28 Upon completion you will be able to: Security Differentiate between two categories of cryptography schemes Understand.

TCP/IP Protocol Suite 1 Chapter 28 Upon completion you will be able to: Security Differentiate between two categories of cryptography schemes Understand.
Chapter 8 Network Security 4/17/2017 www.noteshit.com.

Chapter 8 Network Security 4/17/2017
Network Security. Contents Security Requirements and Attacks Confidentiality with Conventional Encryption Message Authentication and Hash Functions Public-Key.

Network Security. Contents Security Requirements and Attacks Confidentiality with Conventional Encryption Message Authentication and Hash Functions Public-Key.
Network Security Sorina Persa Group 3250 Group 3250.

Network Security Sorina Persa Group 3250 Group 3250.
The OSI Model and the TCP/IP Protocol Suite

The OSI Model and the TCP/IP Protocol Suite
13.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 13 Digital Signature.

13.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 13 Digital Signature.

Similar presentations

Ads by Google