Network Security

July 2020
By : Aziz Ur Rehman

What is Security?
• Protection of a network from different types of security threats is known as network security.
• Network security measures are needed to protect data during transmission and to guarantee that the data transmissions are authentic.

Why Network Security is Important?
• Computer systems store large amounts of information, some of which is highly sensitive and valuable to its users.
• The various resources and information of a computer system should be protected against destruction and unauthorized access.
• Security requirements are different for different users and different environments.
• Important and secret data is transmitted over networks.

Security in Wired Networks
• Security in a wired network is much easier than in a wireless network.
• In a wired network there is a physical medium between the two connected devices, and it is difficult for hackers to get access to a wired network.

Topics in Wired Security
• Cryptography
  • Public Key Cryptography: RSA
  • Secret Key Cryptography: DES, 3DES, AES
• Firewall

Cryptography Is a science of secrete writing Different type of algorithms or keys are used

to encrypt data at sender end On receiver end it is again decrypt with the related key or algorithm

Types of Cryptography
Secret Key Cryptography (Symmetric Key)
• In secret key cryptography the sender encrypts the data (the result is called cipher text) before sending it over the network.
• It is decrypted at the receiver's end with the key that is shared between sender and receiver.

Types of Secret Key Cryptography
Traditional Ciphers
• Traditional ciphers are character oriented and have two categories: substitution ciphers and transposition ciphers.
Substitution Ciphers
• In a substitution cipher we replace one character with another; for example we can replace A with F and 1 with 6.
• The relationship between plain text and cipher text may be one-to-one (monoalphabetic) or one-to-many (polyalphabetic).
• The shift cipher is also a type of substitution cipher, in which a shift-up (encryption) and shift-down (decryption) procedure is used.
Transposition Ciphers
• In a transposition cipher no substitution is performed; instead the characters in a block of symbols are reordered.
• First the characters are divided into blocks, then a key is defined, and then the characters are rearranged according to the key.
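The three traditional ciphers named above, implemented as an added example (this code is not from the slides): a shift cipher (monoalphabetic, one-to-one), a Vigenère-style cipher (polyalphabetic, one-to-many, since the shift depends on the key position) and a columnar transposition that only reorders the characters of each block according to a key. The sample texts and keys are constructed for the example.

```python
import string

ALPHABET = string.ascii_uppercase


def shift_cipher(text, shift, decrypt=False):
    """Monoalphabetic substitution: every letter moves `shift` places up the
    alphabet; decryption moves it the same number of places back down."""
    k = -shift if decrypt else shift
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + k) % 26])
        else:
            out.append(ch)          # spaces and punctuation pass through
    return "".join(out)


def vigenere(text, key, decrypt=False):
    """Polyalphabetic substitution: the shift changes with the position in the
    key, so one plaintext letter can become several different cipher letters."""
    out, i = [], 0
    for ch in text.upper():
        if ch in ALPHABET:
            k = ALPHABET.index(key[i % len(key)].upper())
            k = -k if decrypt else k
            out.append(ALPHABET[(ALPHABET.index(ch) + k) % 26])
            i += 1
        else:
            out.append(ch)
    return "".join(out)


def _column_order(key):
    # Read the columns in alphabetical order of the key letters (ties by position)
    return sorted(range(len(key)), key=lambda i: (key[i], i))


def transposition_encrypt(text, key):
    """Columnar transposition: split the text into blocks of len(key)
    characters and, inside each block, read the characters out in the order
    the key dictates. Nothing is substituted, only reordered."""
    n = len(key)
    text = text + "X" * ((-len(text)) % n)        # pad the last block
    order = _column_order(key)
    blocks = [text[i:i + n] for i in range(0, len(text), n)]
    return "".join(block[col] for block in blocks for col in order)


def transposition_decrypt(cipher, key):
    n = len(key)
    order = _column_order(key)
    out = []
    for start in range(0, len(cipher), n):
        block, plain = cipher[start:start + n], [""] * n
        for pos, col in enumerate(order):
            plain[col] = block[pos]
        out.append("".join(plain))
    return "".join(out)


if __name__ == "__main__":
    msg = "ATTACK AT DAWN"                          # constructed sample text
    print(shift_cipher(msg, 3), vigenere(msg, "LEMON"))
    print(transposition_encrypt("ATTACKATDAWN", "ZEBRA"))
```

Note that the transposition output still contains exactly the same letters as the plaintext (only their order changes), so letter frequencies are preserved; the shift cipher changes the letters but keeps a one-to-one mapping, which is why the polyalphabetic variant was introduced.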

Simple Modern Ciphers
• These are bit-oriented ciphers. The following are some of the ciphers used in modern ciphers.
XOR Cipher
• Uses the Exclusive-Or operation.
• The plain text is XORed with the key, and both should be of the same length.

Cont… Rotation Cipher

Uses the idea of rotating bits in left or right direction  It can be Keyed or Keyless  In keyed we define the number of rotations  In keyless the number of rotations are fixed  If there are N notations then we always perform N-1 rotations, decryption is also same like encryption but in opposite direction (if encrypt with Right then decrypt with Left) 

S-Box (Substitution Box) P-Box (Permutation Box)

Modern Round Ciphers (DES)
• A round cipher uses multiple rounds (blocks), and each round has a different round key (block key).
Types of Modern Round Ciphers
Data Encryption Standard (DES)
• DES takes a fixed-length (64-bit) string of plain text and transforms it into cipher text by applying a series of complicated operations, using a 64-bit key.
• The key ostensibly consists of 64 bits; however, only 56 of these are actually used by the algorithm. The other 8 bits are used for checking parity.
• There are 16 identical rounds or stages, plus IP (Initial Permutation) and FP (Final Permutation).
• The 64-bit plain text is divided into two 32-bit blocks, and the blocks are processed alternately.

DES (Cont…)
• The F-function scrambles one block with part of the key. The output of the F-function is then combined (XORed) with the other block, and the two blocks are swapped before the next round. After the final round the blocks are not swapped.
Operations of the F-Function (Feistel)
• Expansion: receives one 32-bit block and expands it to 48 bits using the expansion permutation.
• Key Mixing: XORs the 48-bit block with a 48-bit round key; each round uses a different key.
• Substitution: the 48 bits are divided into 8 blocks of 6 bits, and each S-box converts its 6 input bits into 4 output bits, bringing the total back to 32 bits.
• Permutation: rearranges the 32 bits into another arrangement of 32 bits.

[Figure: complete DES diagram]

DES (Cont…)
[Figure: Feistel function]

DES (Cont…)
Key Scheduling
• 56 bits of the key are selected from the initial 64 by Permuted Choice 1 (PC-1); the remaining eight bits are either discarded or used as a parity check.
• The 56 bits are then divided into two 28-bit blocks, and each block is treated separately.
• In successive rounds, both blocks are rotated left by one or two bits (specified for each round), and then a 48-bit subkey is selected by Permuted Choice 2 (PC-2), taking 24 bits from the left block and 24 from the right.

3DES (Triple Data Encryption Standard)
• Designed to overcome the problems of simple DES.
• It uses a key three times as long for encryption and decryption.
• In 3DES we can choose to use 1 key, 2 keys or 3 keys, i.e. three keying options exist.
• 1 key is just like DES, which is why it is not recommended.
• With 2 keys, Key1 = Key3 and the key size is 112 bits.
• With 3 keys, all keys are different from each other and the key size is 168 bits.
• There are 48 rounds for encryption and 48 for decryption.
• For example, if the encryption block uses an Encryption-Decryption-Encryption combination, the decryption block at the receiver's end uses a Decryption-Encryption-Decryption combination to recover the actual data.
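To make the DES structure described in the last few slides (F-function with expansion, key mixing, S-box and P-box; XOR into the other half and swap; no swap after the final round; subkeys from rotated key halves) and the 3DES Encrypt-Decrypt-Encrypt construction concrete, here is an added example that is not DES itself and not code from the slides: a 16-bit toy Feistel cipher. The expansion, S-box, permutation and key-selection tables are constructed for this example and are not the DES tables; only the structure mirrors DES. The round counts and the sample key and message are likewise assumptions.

```python
# Toy Feistel cipher with 8-bit halves. Tables are CONSTRUCTED for this
# example (not DES tables); the structure is what mirrors DES.
ROUNDS = 8
EXPANSION = [7, 0, 1, 2, 3, 4, 3, 4, 5, 6, 7, 0]   # 8 -> 12 bits, edge bits reused like DES E
PERMUTATION = [1, 5, 2, 0, 3, 7, 4, 6]            # P-box: reorder the 8 F-function output bits
PC2 = [0, 2, 3, 5, 6, 7, 8, 9, 11, 12, 14, 15]     # pick 12 of the 16 rotated key bits
TOY_SBOX = [((5 * x) ^ (x >> 2)) & 0xF for x in range(64)]   # S-box: 6 bits in, 4 bits out


def select_bits(value, width, table):
    """Build a new integer from the bits of `value` (MSB = position 0) listed in `table`."""
    out = 0
    for pos in table:
        out = (out << 1) | ((value >> (width - 1 - pos)) & 1)
    return out


def f_function(right, subkey):
    """Feistel F: expansion, key mixing, S-box substitution, permutation."""
    expanded = select_bits(right, 8, EXPANSION)                       # 8 -> 12 bits
    mixed = expanded ^ subkey                                          # XOR with 12-bit round key
    substituted = (TOY_SBOX[mixed >> 6] << 4) | TOY_SBOX[mixed & 0x3F]  # 2 x (6 -> 4 bits)
    return select_bits(substituted, 8, PERMUTATION)                    # 8 -> 8 bits


def key_schedule(key16):
    """Split the key into two 8-bit halves, rotate each left by one bit per
    round, then select a 12-bit subkey (the PC-2 step of the slides)."""
    left, right = key16 >> 8, key16 & 0xFF
    subkeys = []
    for _ in range(ROUNDS):
        left = ((left << 1) | (left >> 7)) & 0xFF
        right = ((right << 1) | (right >> 7)) & 0xFF
        subkeys.append(select_bits((left << 8) | right, 16, PC2))
    return subkeys


def feistel(block16, subkeys):
    """Run the rounds; returning (right, left) undoes the swap after the final round."""
    left, right = block16 >> 8, block16 & 0xFF
    for k in subkeys:
        left, right = right, left ^ f_function(right, k)   # XOR F into one half, then swap
    return (right << 8) | left


def encrypt(block16, key16):
    return feistel(block16, key_schedule(key16))


def decrypt(block16, key16):
    # Same network, same tables: only the round keys are applied in reverse order
    return feistel(block16, key_schedule(key16)[::-1])


def ede_encrypt(block16, k1, k2, k3):
    """Triple application in Encrypt-Decrypt-Encrypt order, as 3DES does."""
    return encrypt(decrypt(encrypt(block16, k1), k2), k3)


def ede_decrypt(block16, k1, k2, k3):
    """Receiver side: Decrypt-Encrypt-Decrypt with the keys in reverse order."""
    return decrypt(encrypt(decrypt(block16, k3), k2), k1)


if __name__ == "__main__":
    key, msg = 0x2B7E, 0x1234                     # constructed sample values
    ct = encrypt(msg, key)
    print(f"{msg:04x} -> {ct:04x} -> {decrypt(ct, key):04x}")
    print(f"EDE with three keys: {ede_encrypt(msg, 0x1111, 0x2222, 0x3333):04x}")
```

Because the F-function is never inverted, it does not need to be invertible; decryption works purely because the same subkeys are applied in reverse order. Setting all three EDE keys equal collapses the construction to a single encryption, which is why the one-key option offers no more than plain DES.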

Advanced Encryption Standard (AES)
• AES was developed to overcome the problems present in the existing systems, e.g. the short security key length of DES and 3DES.
• It uses three different key sizes:
  • 128-bit keys use 10 rounds
  • 192-bit keys use 12 rounds
  • 256-bit keys use 14 rounds

AES (Cont…)
• Fixed-length data block of 128 bits, called the State.
• It is based on the design principle of a Substitution-Permutation Network.
• AES encryption and decryption consist of several steps:
• Convert to State Array: convert the 16-byte data block to a 4x4-byte state array.
• SubBytes: each byte in the state array is replaced with another byte from a 16x16 lookup table (the S-box), which contains a permutation of all 256 byte values.
• ShiftRows: the first row is left unchanged and the last three rows are shifted cyclically. Each byte of the second row is shifted one position to the left, and the third and fourth rows are shifted by two and three positions respectively.
• MixColumns: the four bytes of each column of the state are combined using an invertible linear transformation. This function takes four bytes as input and outputs four bytes.
• AddRoundKey: the subkey is combined with the state. For each round, a subkey is derived from the main key using Rijndael's key schedule; each subkey is the same size as the state. The subkey is added by combining each byte of the state with the corresponding byte of the subkey using bitwise XOR.

Convert to State Array
Input block (byte index): 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
State array (filled column by column):
  S0,0 = 0   S0,1 = 4   S0,2 = 8    S0,3 = 12
  S1,0 = 1   S1,1 = 5   S1,2 = 9    S1,3 = 13
  S2,0 = 2   S2,1 = 6   S2,2 = 10   S2,3 = 14
  S3,0 = 3   S3,1 = 7   S3,2 = 11   S3,3 = 15

AddRoundKey
XOR each byte of the round key with its corresponding byte in the state array:
  State S               ⊕   Round key R           =   New state S'
  S0,0 S0,1 S0,2 S0,3       R0,0 R0,1 R0,2 R0,3       S'0,0 S'0,1 S'0,2 S'0,3
  S1,0 S1,1 S1,2 S1,3       R1,0 R1,1 R1,2 R1,3       S'1,0 S'1,1 S'1,2 S'1,3
  S2,0 S2,1 S2,2 S2,3       R2,0 R2,1 R2,2 R2,3       S'2,0 S'2,1 S'2,2 S'2,3
  S3,0 S3,1 S3,2 S3,3       R3,0 R3,1 R3,2 R3,3       S'3,0 S'3,1 S'3,2 S'3,3
  S'r,c = Sr,c ⊕ Rr,c (for example S'1,1 = S1,1 ⊕ R1,1)

SubBytes
Replace each byte in the state array with its corresponding value from the S-Box.
Example state (hex):
  00 44 88 CC
  11 55 99 DD
  22 66 AA EE
  33 77 BB FF

ShiftRows
The last three rows are cyclically shifted to the left:
  Before                After
  S0,0 S0,1 S0,2 S0,3   S0,0 S0,1 S0,2 S0,3
  S1,0 S1,1 S1,2 S1,3   S1,1 S1,2 S1,3 S1,0
  S2,0 S2,1 S2,2 S2,3   S2,2 S2,3 S2,0 S2,1
  S3,0 S3,1 S3,2 S3,3   S3,3 S3,0 S3,1 S3,2

MixColumns
Apply the MixColumns transformation to each column c of the state (S0,c S1,c S2,c S3,c → S'0,c S'1,c S'2,c S'3,c):
  S'0,c = ({02} • S0,c) ⊕ ({03} • S1,c) ⊕ S2,c ⊕ S3,c
  S'1,c = S0,c ⊕ ({02} • S1,c) ⊕ ({03} • S2,c) ⊕ S3,c
  S'2,c = S0,c ⊕ S1,c ⊕ ({02} • S2,c) ⊕ ({03} • S3,c)
  S'3,c = ({03} • S0,c) ⊕ S1,c ⊕ S2,c ⊕ ({02} • S3,c)
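The following is an added example (not code from the slides) that implements the AES-128 steps described above end to end: the column-major state array, SubBytes, ShiftRows, MixColumns (with {02} and {03} as multiplication in the AES finite field GF(2^8)) and AddRoundKey with Rijndael's key schedule. Rather than pasting the 256-entry S-box, it generates it from its definition (multiplicative inverse followed by the fixed affine map). The sample key and plaintext in the main block are the FIPS-197 Appendix C.1 test vector.

```python
def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def make_sbox():
    """S-box: multiplicative inverse in GF(2^8), then the fixed affine transformation."""
    sbox = []
    for b in range(256):
        inv = 0
        if b:
            inv = 1
            for _ in range(254):          # b^254 == b^-1 in GF(2^8)
                inv = gf_mul(inv, b)
        s = inv
        for i in range(1, 5):             # s = inv ^ rotl(inv,1) ^ ... ^ rotl(inv,4)
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox


SBOX = make_sbox()


def to_state(block):
    """16 bytes -> 4x4 state, filled column by column: state[r][c] = block[r + 4c]."""
    return [[block[r + 4 * c] for c in range(4)] for r in range(4)]


def from_state(state):
    return bytes(state[r][c] for c in range(4) for r in range(4))


def sub_bytes(state):
    return [[SBOX[b] for b in row] for row in state]


def shift_rows(state):
    """Row r is rotated left by r positions; row 0 is unchanged."""
    return [row[r:] + row[:r] for r, row in enumerate(state)]


def mix_column(col):
    """The four equations from the MixColumns slide applied to one column."""
    s0, s1, s2, s3 = col
    return [gf_mul(2, s0) ^ gf_mul(3, s1) ^ s2 ^ s3,
            s0 ^ gf_mul(2, s1) ^ gf_mul(3, s2) ^ s3,
            s0 ^ s1 ^ gf_mul(2, s2) ^ gf_mul(3, s3),
            gf_mul(3, s0) ^ s1 ^ s2 ^ gf_mul(2, s3)]


def mix_columns(state):
    cols = [mix_column([state[r][c] for r in range(4)]) for c in range(4)]
    return [[cols[c][r] for c in range(4)] for r in range(4)]


def add_round_key(state, round_key):
    return [[state[r][c] ^ round_key[r][c] for c in range(4)] for r in range(4)]


def expand_key(key):
    """AES-128 key schedule: 44 words, returned as 11 round keys in state layout."""
    rcon = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    for i in range(4, 44):
        temp = list(w[i - 1])
        if i % 4 == 0:
            temp = temp[1:] + temp[:1]               # RotWord
            temp = [SBOX[b] for b in temp]            # SubWord
            temp[0] ^= rcon[i // 4 - 1]               # round constant
        w.append([w[i - 4][j] ^ temp[j] for j in range(4)])
    # word 4*rnd + c is column c of round key rnd
    return [[[w[4 * rnd + c][r] for c in range(4)] for r in range(4)] for rnd in range(11)]


def aes128_encrypt_block(key, block):
    round_keys = expand_key(key)
    state = add_round_key(to_state(block), round_keys[0])
    for rnd in range(1, 10):
        state = add_round_key(mix_columns(shift_rows(sub_bytes(state))), round_keys[rnd])
    # Final (10th) round has no MixColumns
    state = add_round_key(shift_rows(sub_bytes(state)), round_keys[10])
    return from_state(state)


if __name__ == "__main__":
    key = bytes(range(16))                                  # FIPS-197 C.1 key
    pt = bytes.fromhex("00112233445566778899aabbccddeeff")  # FIPS-197 C.1 plaintext
    print(aes128_encrypt_block(key, pt).hex())              # expected 69c4e0d86a7b0430d8cdb78070b4c55a
```

This is a teaching implementation: the table lookups and the byte-at-a-time field arithmetic are not constant-time, so production code should use a vetted library or hardware AES rather than this block.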

Public Key Cryptography (Asymmetric Key)
• In public key cryptography, two keys are used for encryption and decryption.
• If the sender encrypts the message with its private key, then the receiver must decrypt the message with the sender's public key, and vice versa.

RSA (Rivest Shamir Adleman)
• The letters RSA are the initials of the surnames of its inventors, Ron Rivest, Adi Shamir and Leonard Adleman.
• The RSA algorithm operates in three steps: key generation, encryption and decryption.
Key Generation
• Generate two large random (and distinct) primes p and q, each roughly the same size.
• Compute n = pq.
• Compute φ = (p − 1)(q − 1).
• Select a random integer e, 1 < e < φ, with gcd(e, φ) = 1.

RSA (Cont…)
• Compute the unique integer d, 1 < d < φ, such that ed ≡ 1 (mod φ).
• "A"'s public key is (n, e); "A"'s private key is d.
• The integer e in RSA key generation is called the encryption exponent, d is called the decryption exponent, and n is called the modulus.
Encryption
• "B" should obtain "A"'s authentic public key (n, e).
• Compute c = m^e mod n.
• Send the ciphertext c to "A".

RSA (Cont…)
Decryption
• To recover the plaintext m from c, "A" uses the private key d and computes m = c^d mod n.
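The three RSA steps above, together with the "encrypt with the private key, verify with the public key" direction mentioned under public key cryptography, as an added example (not code from the slides). It uses the small primes p = 61, q = 53 and e = 17 as constructed sample values so that every intermediate number can be checked by hand; real keys use large random primes. Python's `pow(e, -1, phi)` computes the modular inverse (Python 3.8 or later).

```python
from math import gcd


def valid_public_exponent(e, phi):
    """The slide's condition 1 < e < phi, plus the coprimality that makes d exist."""
    return 1 < e < phi and gcd(e, phi) == 1


def rsa_keygen(p, q, e):
    """Key generation: n = pq, phi = (p-1)(q-1), d = e^-1 mod phi.
    p and q are passed in here (small constructed primes in the demo)."""
    if p == q:
        raise ValueError("p and q must be distinct primes")
    n = p * q
    phi = (p - 1) * (q - 1)
    if not valid_public_exponent(e, phi):
        raise ValueError("e must satisfy 1 < e < phi and gcd(e, phi) == 1")
    d = pow(e, -1, phi)          # the unique d with e*d = 1 (mod phi)
    return (n, e), d             # public key (n, e), private key d


def rsa_encrypt(public_key, m):
    """B encrypts with A's public key: c = m^e mod n."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer smaller than the modulus")
    return pow(m, e, n)


def rsa_decrypt(public_key, d, c):
    """A recovers the message with the private key: m = c^d mod n."""
    n, _ = public_key
    return pow(c, d, n)


def rsa_sign(public_key, d, m):
    """The reverse direction from the slides: A transforms m with the private key."""
    n, _ = public_key
    return pow(m, d, n)


def rsa_verify(public_key, m, sig):
    """Anyone holding A's public key can undo the private-key operation and compare."""
    n, e = public_key
    return pow(sig, e, n) == m


if __name__ == "__main__":
    public, private = rsa_keygen(61, 53, 17)     # constructed textbook-sized primes
    c = rsa_encrypt(public, 65)
    print(public, private, c, rsa_decrypt(public, private, c))
    s = rsa_sign(public, private, 65)
    print(rsa_verify(public, 65, s), rsa_verify(public, 66, s))
```

These are the raw "textbook" operations the slides describe. Deployed RSA wraps the message in a padding scheme (OAEP for encryption, PSS for signatures) and hashes the data before signing; the bare exponentiation above is deterministic and malleable and must not be used on real messages.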

Firewall Is a set of programs resides on a hardware

device or on a software tool that is placed between two networks All the data and traffic will pass through it For better security purpose it should be packets properlyUnauthorized configured Aren’t allowed in Intern Intern et et

Safe Packets are allowed through

Firewall

User

Packets containing confidential Data aren’t allowed out

Firewall (Cont…)
[Figure: Firewall in a Simple Network. The Internet on one side and the clients on the other, with the firewall in front of the Web server, FTP/TFTP server, Telnet server, NNTP server, Terminal server, Citrix server and DNS server.]

Types of Firewall
Packet Filtering Firewall
• It checks the source and destination addresses of the incoming data packet; based on the gathered information it either blocks the packet or passes it on to its destination network.
• The firewall can deny access to specific applications or services based on access control lists (ACLs), port numbers or service numbers.
• The packet filtering firewall uses the source and destination addresses of the incoming packet, the communication protocol and the port number.
• A packet filtering router sits between the private trusted network and the untrusted network.

Types of Firewall (Cont…)
Application Level Firewall
• Commonly implemented as a proxy server.
• The firewall transfers a copy of each authorized data packet from one network to the other.
• This controls which services the workstations are allowed to use.
• Helps to protect the network from outsiders who may try to get information about the network.
Stateful Inspection Firewall
• Data packets are captured by an inspection engine operating at the faster network layer.

Types of Firewall (Cont…)
• These packets are then queued and analyzed at higher OSI layers.
• It maintains records of all connections passing through the firewall; because of this it can determine whether a packet is the start of a new connection, part of an existing connection, or an invalid packet.
• This type of firewall is commonly faster than an application level firewall.
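An added example (not code from the slides) that models the difference between the packet filtering and stateful inspection firewalls just described: a stateless `packet_filter` that evaluates an ACL on source and destination address, protocol and destination port, and a `StatefulFirewall` that keeps a connection table, so that a reply to an allowed outbound connection is classified as established even though no ACL entry permits it on its own, while a stray ACK with no known connection is classified as invalid. The ACL rules, addresses (documentation ranges) and sample packets are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False   # TCP flags, only meaningful for proto == "tcp"
    ack: bool = False


# Access control list, evaluated top to bottom, first match wins.
# Fields: action, source network, destination network, protocol, destination port
# (None = any). CONSTRUCTED for this example.
ACL = [
    ("allow", "0.0.0.0/0",   "10.0.0.10/32", "tcp", 80),    # anyone may reach the web server
    ("allow", "10.0.0.0/24", "0.0.0.0/0",    None,  None),  # the trusted LAN may go anywhere
    ("deny",  "0.0.0.0/0",   "0.0.0.0/0",    None,  None),  # default deny
]


def packet_filter(pkt):
    """Packet filtering: decide on addresses, protocol and port alone, no memory."""
    for action, src_net, dst_net, proto, dport in ACL:
        if (ip_address(pkt.src) in ip_network(src_net)
                and ip_address(pkt.dst) in ip_network(dst_net)
                and proto in (None, pkt.proto)
                and dport in (None, pkt.dport)):
            return action
    return "deny"


class StatefulFirewall:
    """Stateful inspection: remember accepted connections so that replies to
    them pass, and so that packets belonging to no connection are rejected."""

    def __init__(self):
        self.connections = set()   # 5-tuples of accepted connections

    def inspect(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if key in self.connections or reverse in self.connections:
            return "established"               # part of an existing connection
        if pkt.proto == "tcp" and not (pkt.syn and not pkt.ack):
            return "invalid"                   # TCP traffic that is not a connection start
        if packet_filter(pkt) == "allow":      # a new connection still needs ACL approval
            self.connections.add(key)
            return "new"
        return "denied"


# Constructed sample traffic: LAN host, web server and two Internet hosts
SAMPLE_PACKETS = [
    Packet("10.0.0.5", "198.51.100.20", "tcp", 51000, 443, syn=True),             # LAN -> Internet
    Packet("198.51.100.20", "10.0.0.5", "tcp", 443, 51000, syn=True, ack=True),   # the reply
    Packet("203.0.113.7", "10.0.0.10", "tcp", 40000, 80, syn=True),               # Internet -> web server
    Packet("203.0.113.7", "10.0.0.5", "tcp", 40001, 22, syn=True),                # Internet -> LAN host
    Packet("203.0.113.7", "10.0.0.5", "tcp", 40002, 22, ack=True),                # ACK with no connection
]


def run_sample():
    fw = StatefulFirewall()
    return [fw.inspect(p) for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, run_sample()):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} filter={packet_filter(pkt):5} stateful={verdict}")
```

The second packet is the point of the exercise: a stateless filter would have to allow all inbound traffic from port 443 to let the reply through, whereas the stateful table admits exactly the reply to a connection that was already approved. A real stateful engine also expires idle entries and tracks the TCP handshake state; this model keeps only the connection key.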

Security in Wireless Networks
• Security in a wireless network is more difficult than in a wired one, because wireless communication takes place through the air, which makes it easy for hackers to gain access to a wireless network.
• Once someone gains access to the wireless network, they will also gain access to the main wired network.
• Many procedures and techniques exist to make the network secure, but only some of them are discussed here.

Topics in Wireless Security
• WEP (Wired Equivalent Privacy)
• WPA (Wi-Fi Protected Access)
• SSID
• MAC Address Filtering

WEP (Wired Equivalent Privacy)
• WEP is a protocol in 802.11, introduced in 1999, to protect the link data transmitted in a WLAN.
• WEP depends on a key shared by the communicating parties (access point and client) to protect the transmitted data.
• It is a static encryption algorithm with 64-bit, 128-bit or 256-bit keys.
• The WEP key consists of a shared key and an IV (Initialization Vector); the IV is 24 bits.

WEP (Cont…)
• The shared key can be 40, 104 or 232 bits, depending on the version in use.
• The encrypted packet is generated by a bitwise XOR of the original packet with the RC4 key stream.
• The IV is chosen by the sender and can be changed periodically, so that not every packet is encrypted with the same cipher stream.
• The IV is sent with each packet, along with an additional 4-byte integrity check value (ICV).

WEP (Cont…)
• The ICV is computed over the original packet and appended to its end.
Steps for Encryption and Decryption
WEP Encryption Process
• Compute the Integrity Check Value using CRC32 over the message and concatenate it to the message.
• Choose a random IV and concatenate the shared key to this IV.
• Use the IV and secret key to generate the key stream with the WEP Pseudo Random Number Generator (PRNG).

WEP (Cont…)
WEP Decryption Process
• Use the transmitted IV and the secret key to generate the key sequence (RC4).
• XOR the RC4 key sequence with the cipher text to obtain the plain text and ICV.
• Check whether the ICV is correct.


WPA (Wi-Fi Protected Access)
• WPA is a protocol proposed by the Wi-Fi Alliance as a replacement for WEP; it will be part of the future 802.11i specification.
• When 802.11i is finally released, the security protocol specification will be called WPA2, which will be slightly different from the WPA currently in use.
• In WPA a new key scheduling algorithm called TKIP is used. It is basically a wrapper around the algorithms currently used in WEP.

WPA (Cont…)
• The WPA2 specification will replace TKIP with a new CCMP protocol that uses the much stronger AES cipher.
• In WEP an ICV was used to protect the integrity of the payload (data) in the wireless frame. This did not prove the integrity of the frame header, so it could not protect against the frame itself being modified.
• WPA includes another integrity field called the Message Integrity Check (MIC).

WPA (Cont…)
• The MIC is similar to the ICV, but instead of the CRC32 checksum algorithm it uses an algorithm called Michael.
• While the ICV is 4 bytes in size, the MIC is 8 bytes, placed just before the ICV in the encrypted payload.
• It also includes a frame counter to help protect against replay attacks.
• WPA uses RC4 to produce a stream of pseudo-random bits that is XORed with the data packet to encrypt the frame.
• It also increases the size of the IV from the current 24 bits to a much larger 48 bits, which reduces the occurrence of duplicate IVs.

WPA (Cont…)
• To solve the problem of a common shared secret key, the keys need to be different for each user. This is obtained from TKIP (each frame and each user has a different, unique key).

MAC Address Filtering
• Some 802.11 devices have the ability to restrict access to only those devices that have a specific identification value, such as a MAC address.
• Some access point devices also contain a table of MAC addresses, which can be modified from time to time; this table enables a device administrator to specify the exact remote devices that are authorized to use the wireless service.
• Client computers are identified by the unique MAC address of their IEEE 802.11 network card.

MAC Address Filtering (Cont…)
• Each access point must have a list of authorized client MAC addresses in its access control list.
• Client MAC addresses must be entered manually into each access point, and the MAC address list must be kept up to date.
• For these reasons this method is better suited for use in a smaller network.

SSID (Service Set ID) Solution
• Wireless equipment manufacturers use a default SSID to identify the network to wireless clients.
• Access points often broadcast the SSID in order to provide clients with a list of accessible networks.
• To protect against unauthorized access to a network, these settings should be changed from their defaults.
• The default SSID should be changed to one that does not reveal any information to hackers.
• SSID broadcast should also be disabled; with these SSID settings we can make the network secure.
