Thursday, September 17, 2020
Tuesday, September 15, 2020
Introduction to IPv6
Limitations of IPv4
- Due to address class allocation practices, public IPv4 addresses are becoming scarce. This forces the deployment of network address translators (NAT) to share one public IPv4 address among several private addresses, but NAT adds complexity and becomes a barrier for applications.
- IPv4 works with a flat routing infrastructure in which individual address prefixes are assigned and each prefix becomes a new route in the routing table.
- IPv4 must be configured either manually or through DHCP.
- It does not have built-in security and relies upon IPsec for security.
- Due to lack of infrastructure, communication with IPv4 mobile nodes is inefficient.
IPv6 as a replacement for IPv4
- IPv6 addresses are 128 bits long, creating a huge address space.
- It uses a hierarchical routing infrastructure, which results in relatively few entries in the routing table.
- A host can automatically configure its own IPv6 address.
- Support for the IPsec protocol headers is required, although IPv6 packets are not required to be protected with the Authentication Header (AH) or Encapsulating Security Payload (ESP).
- It is capable of supporting mobility more efficiently.
- The IP header contains many fields used by routers to forward the packet from network to network to its final destination.
- The payload is the information to be delivered to the receiver by the sender.
- The basic packet structure is:
| Header | Payload |
Header Structure
The header structures of IPv4 and IPv6 are shown in the given figure:

Header Structure Comparison
- The IPv6 header is simpler than the IPv4 header.
- The IPv6 header is larger than the IPv4 header.
- The source and destination addresses are 32 bits each in the IPv4 header and 128 bits each in the IPv6 header.
- The IPv4 header is of variable size with a minimum length of 20 bytes. The IPv6 header is of fixed size, 40 bytes in length.
Dual Stack Router:
- A router can be installed with both IPv4 and IPv6 addresses configured on its interfaces, each pointing to the network of the relevant IP scheme.
- It is capable of communicating with both types of network.
- It provides a medium for hosts to access a server without changing their respective IP versions.
- IPv6 is not supported on all IPv4 devices.

Tunneling:
- Tunneling provides a solution where user data can pass through a network that does not support its IP version.
- Two remote IPv4 networks can communicate via a tunnel where the transit network is IPv6.
- Two remote IPv6 networks can communicate via a tunnel where the transit network is IPv4.

NAT Protocol Translation:
- It is an important method of transition to IPv6 by means of a Network Address Translation – Protocol Translation (NAT-PT) enabled device.
- With the help of a NAT-PT device, actual translation can take place between IPv4 and IPv6 packets and vice versa.
- When an IPv4 host sends a request packet to an IPv6 server, the NAT-PT device strips the IPv4 header, adds an IPv6 header and passes the packet on through the Internet.
- When a response from the IPv6 server comes back for the IPv4 host, the router does the reverse.

Comparisons:
- Dual stack allows IPv4 and IPv6 to coexist in the same devices and networks.
- Tunneling allows transport of IPv6 traffic over the existing IPv4 infrastructure.
- Translation allows IPv6-only nodes to communicate with IPv4-only nodes.
Transport Layer
- The transport layer is layer 4 of the OSI model and is responsible for the peer-to-peer connection between two processes on remote hosts.
Functions of Transport Layer
- The functions of the transport layer are:
a) It breaks the data obtained from the application layer into smaller segments.
b) It ensures that data is received in the same sequence in which it was sent.
c) It provides end-to-end delivery of data between hosts.
Services provided by Transport Layer
- The services provided to the upper layers are:
a) Addressing (handles addressing of the processes on the node)
b) Connection management (establishes and releases connections)
c) Flow control and buffering
d) Multiplexing
- UDP uses a minimal amount of communication mechanism.
- The receiver does not generate an acknowledgement of packets received.
Requirements of UDP
- UDP is deployed where acknowledgement packets would share a significant amount of bandwidth along with the actual data.
- Even if some packets are lost, the loss can be ignored easily.
- Eg: video streaming
Features of UDP
- It is used if acknowledgement of data has no significance.
- Data flows in one direction.
- It is suitable for query based communication.
- It is connectionless.
- It does not provide a congestion control mechanism.
- It does not guarantee in-order data delivery.
- It is stateless.

UDP Header
- Source port identifies the port of the sending application process.
- Destination port identifies the port of the receiving application process.
- Length specifies the entire length of the UDP packet including the header.
- Checksum stores the checksum value generated by the sender before sending.
Features of TCP
- TCP is a reliable protocol: the receiver always sends a positive or negative acknowledgement about a data packet to the sender, so the sender knows whether the packet reached its destination or needs to be resent.
- It ensures that data reaches the intended destination in the proper order.
- It requires a connection between the two remote ends to be established before sending actual data.
- It provides error checking and recovery mechanisms.
- It provides flow control and quality of service.
- It operates in client-server, point-to-point mode.
- It provides a full duplex service (each end can perform the roles of both receiver and sender).
TCP Header
- The length of the TCP header is a minimum of 20 bytes and a maximum of 60 bytes.
- Source port identifies the port of the sending application process.
- Destination port identifies the port of the receiving application process.
- Sequence number is the sequence number of the data bytes in the segment.
- Acknowledgement number contains the next sequence number of the data byte expected, when the ACK flag is set.
- Data offset gives the size of the TCP header and hence the offset of the data in the current packet.
- Reserved is for future use and all bits are set to zero by default.
- Flags:
a) Nonce Sum (NS) = Explicit congestion notification signaling process.
b) Congestion Window Reduced (CWR) = It is set when a host receives a packet with the ECE bit set, to acknowledge that ECE was received.
c) ECE = If the SYN bit is 0, the IP packet has the CE bit set. If the SYN bit is 1, the device is ECN capable.
d) URG = The urgent pointer field has significant data and should be processed if URG is set.
e) ACK = The acknowledgement field has significance if set.
f) PSH = When set, it is a request to the receiving node to push the data to the application without buffering.
g) RST = It is used to refuse an incoming connection, reject a segment or restart a connection.
h) SYN = It is used to set up a connection between hosts.
i) FIN = It is used to release a connection.
- Window size is used for flow control and indicates the amount of buffer in bytes the receiver has allocated for a segment.
- Checksum contains the checksum of the header, data and pseudo header.
- Urgent pointer points to the urgent data byte if the URG flag is set.
- Options provide additional options.

Addressing in TCP
- TCP communication between two remote hosts is done by means of port numbers known as Transport Service Access Points.
- Port numbers range from 0 to 65535.
0 – 1023 = System port
1024 – 49151 = User port
49152 – 65535 = Private port
TCP Connection Management
- A 3-way handshake is used for TCP connection management.
- The client initiates the connection and sends a segment with a sequence number.
- The server acknowledges it with its own sequence number and an ACK of the client's segment.
- The client, after receiving the ACK of its segment, sends an ACK of the server's response.
- To close, either the server or the client sends a TCP segment with the FIN flag set to 1.
- The receiving end responds by acknowledging the FIN.
- The TCP communication is closed and the connection is released.
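As an added example (not from the original notes), the following Python builds and parses the UDP and TCP headers described above: it verifies the checksum over the IPv4 pseudo header, decodes the flag bits, checks the 20 to 60 byte data offset range, and assembles the three segments of the 3-way handshake. All addresses, ports and sequence numbers are constructed sample values.

```python
import struct
from dataclasses import dataclass

# Flag bits in the 16-bit word that also carries the data offset (its upper 4 bits).
TCP_FLAGS = {"NS": 1 << 8, "CWR": 1 << 7, "ECE": 1 << 6, "URG": 1 << 5,
             "ACK": 1 << 4, "PSH": 1 << 3, "RST": 1 << 2, "SYN": 1 << 1, "FIN": 1 << 0}


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's complement sum over 16-bit words, padded to an even length."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src_ip: str, dst_ip: str, proto: int, length: int) -> bytes:
    """IPv4 pseudo header covered by the TCP (proto 6) and UDP (proto 17) checksum."""
    ip = lambda a: bytes(int(o) for o in a.split("."))
    return ip(src_ip) + ip(dst_ip) + struct.pack("!BBH", 0, proto, length)


@dataclass
class TCPHeader:
    src_port: int
    dst_port: int
    seq: int
    ack: int
    header_len: int          # data offset in bytes (20..60)
    flags: list
    window: int
    checksum: int
    urgent_ptr: int
    options: bytes
    checksum_ok: bool


def parse_tcp(segment: bytes, src_ip: str, dst_ip: str) -> TCPHeader:
    src, dst, seq, ack, off_flags, win, csum, urg = struct.unpack("!HHIIHHHH", segment[:20])
    header_len = (off_flags >> 12) * 4          # data offset is counted in 32-bit words
    if not 20 <= header_len <= 60 or header_len > len(segment):
        raise ValueError("invalid TCP data offset")
    flags = [name for name, bit in TCP_FLAGS.items() if off_flags & bit]
    # The checksum covers pseudo header + header + data; an intact segment sums to zero.
    ok = internet_checksum(pseudo_header(src_ip, dst_ip, 6, len(segment)) + segment) == 0
    return TCPHeader(src, dst, seq, ack, header_len, flags, win, csum, urg,
                     segment[20:header_len], ok)


def build_tcp(src_ip, dst_ip, src_port, dst_port, seq, ack, flags, window=65535,
              options=b"", payload=b"") -> bytes:
    """Construct a TCP segment with a correct checksum (sample input, not captured traffic)."""
    options += b"\x00" * (-len(options) % 4)    # options are padded to a 32-bit boundary
    off_flags = ((20 + len(options)) // 4) << 12 | sum(TCP_FLAGS[f] for f in flags)
    hdr = struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack, off_flags, window, 0, 0) + options
    csum = internet_checksum(pseudo_header(src_ip, dst_ip, 6, len(hdr) + len(payload)) + hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


def parse_udp(datagram: bytes, src_ip: str, dst_ip: str) -> dict:
    src, dst, length, csum = struct.unpack("!HHHH", datagram[:8])
    ok = internet_checksum(pseudo_header(src_ip, dst_ip, 17, len(datagram)) + datagram) == 0
    return {"src_port": src, "dst_port": dst, "length": length, "checksum": csum, "checksum_ok": ok}


def build_udp(src_ip, dst_ip, src_port, dst_port, payload=b"") -> bytes:
    length = 8 + len(payload)                   # UDP length covers header and data
    hdr = struct.pack("!HHHH", src_port, dst_port, length, 0)
    # A computed checksum of 0 is sent as 0xFFFF, since 0 means "no checksum" in UDP.
    csum = internet_checksum(pseudo_header(src_ip, dst_ip, 17, length) + hdr + payload) or 0xFFFF
    return hdr[:6] + struct.pack("!H", csum) + payload


def three_way_handshake(client_ip, server_ip, client_port, server_port, x, y):
    """SYN, SYN+ACK and ACK segments; x and y are the client's and server's initial sequence numbers."""
    syn = build_tcp(client_ip, server_ip, client_port, server_port, x, 0, ["SYN"])
    syn_ack = build_tcp(server_ip, client_ip, server_port, client_port, y, x + 1, ["SYN", "ACK"])
    ack = build_tcp(client_ip, server_ip, client_port, server_port, x + 1, y + 1, ["ACK"])
    return syn, syn_ack, ack
```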

Q) For client server application over TCP, server program must be executed before the client program. Why?
- For TCP applications, as soon as the client is executed, it attempts to initiate a TCP connection with the server. If the TCP server is not running, the connection cannot be established.
- A port is an endpoint of communication.
- A port is associated with the IP address of the host and the protocol used.
- A port is identified by a 16-bit number known as the port number.
Eg: 1.2.3.4:80
IP of host = 1.2.3.4
Port no = 80
Protocol used = TCP
- A socket is one endpoint in a communication flow between two programs running over a network.
- It is created and used with a set of programming requests.
- It is also used for communication between processes within the same computer.
Q) Why is a port number used?
- A port number provides a way to identify the specific process to which a message is to be forwarded when it arrives at a server.
- Congestion is the reduction in quality of service that occurs when a network node is carrying more data than it can handle.
Token Bucket Algorithm:
- It is an algorithm used in packet switched networks for congestion control.
- A bucket is of fixed capacity.
- A token is added to the bucket every 1/r seconds.
- The bucket can hold at most b tokens.
- If a token arrives when the bucket is full, it is discarded.
- When a packet of n bytes arrives, n tokens are removed from the bucket and the packet is sent to the network.
- If fewer than n tokens are available, no tokens are removed from the bucket and the packet is considered non-conformant.
Leaky Bucket Algorithm:
- It is used to determine whether some sequence of events conforms to defined limits.
- A fixed capacity bucket, associated with each user, leaks at a fixed rate.
- If the bucket is empty, it stops leaking.
- For a packet to conform, it must be possible to add a specific amount of water to the bucket.
- If the amount of water would cause the bucket to exceed its capacity, the packet does not conform and the water in the bucket is left unchanged.
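Added example, not part of the original notes: both bucket algorithms above written as traffic policers in Python and run over a constructed burst of packet arrivals with r = 100 bytes per second and b = 500.

```python
class TokenBucket:
    """Tokens arrive at rate r per second up to capacity b; a packet of n bytes needs n tokens."""

    def __init__(self, rate: float, capacity: int):
        self.rate, self.capacity = rate, capacity
        self.tokens = float(capacity)   # constructed assumption: the bucket starts full
        self.last = 0.0

    def conforms(self, n: int, now: float) -> bool:
        # Add the tokens accumulated since the last check; tokens beyond b are discarded.
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= n:
            self.tokens -= n
            return True
        return False                    # fewer than n tokens: non-conformant, nothing removed


class LeakyBucket:
    """Water leaks out at a fixed rate; a packet conforms if its n units of water still fit."""

    def __init__(self, leak_rate: float, capacity: int):
        self.leak_rate, self.capacity = leak_rate, capacity
        self.water = 0.0
        self.last = 0.0

    def conforms(self, n: int, now: float) -> bool:
        # Drain what leaked since the last check; an empty bucket stops leaking (never negative).
        self.water = max(0.0, self.water - (now - self.last) * self.leak_rate)
        self.last = now
        if self.water + n <= self.capacity:
            self.water += n
            return True
        return False                    # would overflow: non-conformant, water left unchanged


def police(bucket, arrivals):
    """arrivals: list of (time_in_seconds, packet_bytes); returns one conformance flag per packet."""
    return [bucket.conforms(size, t) for t, size in arrivals]


# Constructed burst: 300 + 300 bytes at t=0, 300 at t=1, then 100 and 50 at t=1.5.
BURST = [(0.0, 300), (0.0, 300), (1.0, 300), (1.5, 100), (1.5, 50)]
```

In this metering form the two are mirror images of each other: the water level in the leaky bucket always equals the capacity minus the tokens left in the token bucket, so both mark the same packets as non-conformant.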
Network Layer
- The network layer is layer 3 of the OSI model, which manages options pertaining to host and network addressing, managing subnetworks and inter-networking.
- It is responsible for routing packets from source to destination within or outside a subnet.
Functions
- Addressing devices and networks.
- Populating routing tables.
- Queuing incoming and outgoing data.
- Inter-networking between two different subnets.
- Delivering packets to destination.
Inter-networking
- Routing between two networks of the same kind or of different kinds is called inter-networking.
- Tunneling is a mechanism by which two or more networks of the same kind communicate with each other by passing through intermediate networking complexities.
- When data enters one end of the tunnel, it is tagged.
- The tagged data is routed inside the transit network.
- When data exits the tunnel, the tag is removed and the data is delivered to the other part of the network.
Networking Devices
Repeater
- A repeater is an electronic device that receives a signal and retransmits it.
- It helps to regenerate or replicate weak or distorted signals.
- It operates at the physical layer.
- It only repeats the signal without understanding the packets.
- It does not have a physical address on the network.
Hub
- A hub is a network component that acts as a common connection point for nodes in a network.
- It contains multiple ports.
- When a packet arrives at one port, it is copied to all other ports so that all segments of the LAN can see all packets.
Switch
- When a packet arrives at one port, it is copied only to the port that leads to the destination node.
Bridge
- A network bridge is a network component that creates a single aggregate network from multiple networks.
- It operates at the physical and data link layers.
- It operates using the physical addresses of machines.
- The bridge builds a table of machine addresses and the segment each belongs to.
Router
- A router is a network device that forwards data packets between networks.
- A router is connected to two or more data lines from different networks.
- When a data packet comes in on one of the lines, the router reads the address information in the packet to determine its ultimate destination.
- The information in the routing table helps direct the packet to the next network.
Gateway
- A gateway is an inter-networking system capable of joining together two networks that use different base protocols.
Internet Addressing
- A network address is a logical address assigned by software, which can be changed through appropriate configuration.
- A network address always points to a host/node/server.
- It is configured on the network interface card.
- It is mapped by the system to the MAC address of the machine.
- Eg: IP addresses
- An IP address provides a mechanism to differentiate between hosts and networks.
- As IP addresses are assigned in a hierarchical manner, a host always resides under a specific network.
- Hosts in different subnets need a mechanism to locate each other, which is done by DNS.
- DNS is a server which provides the layer 3 address of a remote host mapped from its domain name.
- When a host acquires the layer 3 address of a remote host, it forwards packets to its gateway.
Classful Addressing
- The IP address is 32 bits in size.
- There are five classes:
Class   First Octet
A       0-127
B       128-191
C       192-223
D       224-239
E       240-255
- Classes D and E are not generally used.
- The class for a new network is assigned based on the size of the network.
- Subnetting is the process of breaking a network of a class into smaller networks (subnets).
- It is necessary because a large single network of a class without subnets is not efficient.
- It splits the host field into subnet and host parts, creating a three-part address.
- The network field, which is determined by classful addressing, remains unchanged.
- A subnet mask is assigned to distinguish between the subnet and host fields.
Class   Subnet Mask
A       255.0.0.0 or /8
B       255.255.0.0 or /16
C       255.255.255.0 or /24
- In a subnet mask, 1 represents a network bit and 0 represents a host bit.
Q) Allocate 30, 24, 25 and 12 IP addresses to four department with minimum wastage. Specify range of IP address, broadcast address, network address and subnet mask for each department from address pool 202.77.19.0/24.
The starting IP address is 202.77.19.0/24.
The network is of class C.
The subnet mask is 255.255.255.0 (i.e. /24). Since there are four departments, the network design requires 4 subnets.
Using Variable Length Subnet Mask (VLSM):
For Department A:
To support 30 hosts, it will require 32 IP addresses such that:
2^y = 32 => y = 5
So, we need 5 bits for the host field. Hence it requires a /27 mask.
For Department B:
To support 24 hosts, it will require at least 26 IP addresses such that:
2^y = 32 => y = 5
So, we need 5 bits for the host field. Hence it requires a /27 mask.
For Department C:
To support 25 hosts, it will require at least 27 IP addresses such that:
2^y = 32 => y = 5
So, we need 5 bits for the host field. Hence it requires a /27 mask.
For Department D:
To support 12 hosts, it will require at least 14 IP addresses such that:
2^y = 16 => y = 4
So, we need 4 bits for the host field. Hence it requires a /28 mask.

Dept  IP Address    Network Address  Range of IP for hosts        Broadcast Address  Subnet Mask
A     202.77.19.0   202.77.19.0      202.77.19.1-202.77.19.30     202.77.19.31       255.255.255.224
B     202.77.19.32  202.77.19.32     202.77.19.33-202.77.19.62    202.77.19.63       255.255.255.224
C     202.77.19.64  202.77.19.64     202.77.19.65-202.77.19.94    202.77.19.95       255.255.255.224
D     202.77.19.96  202.77.19.96     202.77.19.97-202.77.19.111   202.77.19.112      255.255.255.240
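Added example (not from the original notes): a Python routine that performs the same VLSM allocation with the standard library ipaddress module, together with the class lookup from the first-octet table above. The department names and host counts are the ones in the question; allocation goes largest block first so every subnet stays aligned to its block size.

```python
import ipaddress
import math


def ipv4_class(addr: str):
    """Class letter and default mask length from the first octet, per the tables above."""
    first = int(addr.split(".")[0])
    if first < 128:
        return "A", 8
    if first < 192:
        return "B", 16
    if first < 224:
        return "C", 24
    return ("D", None) if first < 240 else ("E", None)


def prefix_for_hosts(hosts: int) -> int:
    """Smallest block with 2^y >= hosts + 2 (network and broadcast addresses included)."""
    y = math.ceil(math.log2(hosts + 2))
    return 32 - y


def vlsm_allocate(pool: str, demands: dict) -> list:
    """Carve `pool` into one subnet per department.

    demands maps department -> hosts needed.  Blocks are assigned biggest first
    (sorted is stable, so equal-sized blocks keep the order they were given in)."""
    net = ipaddress.IPv4Network(pool)
    order = sorted(demands.items(), key=lambda kv: prefix_for_hosts(kv[1]))
    cursor, limit = int(net.network_address), int(net.broadcast_address)
    plan = []
    for dept, hosts in order:
        prefix = prefix_for_hosts(hosts)
        size = 1 << (32 - prefix)
        if cursor + size - 1 > limit:
            raise ValueError(f"pool {pool} exhausted before department {dept}")
        subnet = ipaddress.IPv4Network((cursor, prefix))
        usable = list(subnet.hosts())           # excludes network and broadcast addresses
        plan.append({
            "dept": dept,
            "network": str(subnet),
            "first_host": str(usable[0]),
            "last_host": str(usable[-1]),
            "broadcast": str(subnet.broadcast_address),
            "mask": str(subnet.netmask),
            "wasted": len(usable) - hosts,      # usable addresses left over in the block
        })
        cursor += size
    return plan
```

Computed this way, department D's /28 block spans 202.77.19.96 to 202.77.19.111, so its usable hosts are .97 to .110 and its broadcast address is .111.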
Routing
- Whenever a device has multiple paths to reach a destination, it always selects one path. This process is called routing.
- It is done by a router.
- A router is configured with some default route.
- The default route is used to forward a packet if no route is found for the specific destination.
- If multiple paths exist to reach the same destination, the decision is based on: hop count, bandwidth, metric, prefix length and delay.
Static and Dynamic Routing
- Static routing is when a router is statically configured to send traffic to particular destinations in predetermined directions.
- It provides a default route.
- Dynamic routing is when a routing protocol is used to figure out the best possible route for the traffic.
- It can provide the best route.
Routing Table
- A routing table is a set of rules, in table format, used to determine where data packets traveling over an IP network will be directed.
- It contains all the information necessary to forward a packet along the best path toward its destination.
- A basic routing table includes the following information:
a) Destination IP address
b) Next hop IP address
c) Outgoing network interface used
d) Cost metric of each available route
e) Routes
- A routing table can be maintained manually or dynamically.
- Dynamic routing tables allow devices to respond to device failures and network congestion.
Routing Information Protocol (RIP)
- RIP is a protocol that defines a way for routers, which connect networks using IP, to share information about how to route traffic among networks.
- Each router maintains a routing table which consists of a list of all destinations it knows how to reach and the distance to each destination.
- It uses a distance vector algorithm to decide the route of a packet to its destination.
- If it receives an update on a route with a shorter path, it updates its routing table with the length and next hop address of the shorter path.
- If the new route has a longer path, it waits through a hold-down period and only updates the table if the new route is stable.
- It follows a process of convergence. Each router sends its entire routing table to its closest neighbors every 30 seconds until all RIP hosts within the network have the same knowledge of routing paths.
- It can detect a router crash: if a router stops sending updates for six successive cycles, it is dropped from the routes.
- It uses a modified hop count to determine network distance.
Open Shortest Path First (OSPF)
- It is a protocol for routers connecting networks using IP, used to find the best path for packets as they pass through a set of connected networks.
- A router which detects a change to its routing table immediately multicasts the information to all other OSPF hosts.
- It only sends the part that has changed. This helps to minimize convergence time.
- It accounts for router hops as well as other network information like cost metrics to determine the best path.
- It has RIP support built in for compatibility with older networks using RIP.
Border Gateway Protocol (BGP)
- It is a protocol that manages how packets are routed across the Internet through the exchange of routing and reachability information between edge routers.
- It makes routing decisions based on paths, rules or network policies configured by a network administrator.
- Each BGP router maintains a standard routing table used to direct packets in transit.
- The table is used in conjunction with a separate routing table called the routing information base (RIB).
- It is based on TCP/IP and uses a client-server topology.
Unicast Routing
- Unicast routing is the process of routing unicast data (data sent with specified destination) over the Internet.
- The destination is already known.
- The router just has to look up the routing table and forward packet to next hop towards destination.
- Eg: Distance vector routing protocol and link state routing protocol.

Multicast Routing
- Multicast routing is a type of broadcast routing in which the data is sent only to the nodes that want to receive the packets.
- It uses spanning tree protocol to avoid looping.
- It also uses reverse path forwarding technique.
- Eg: Multicast OSPF, Core based tree, etc.

Shortest Path Algorithm
- The shortest path can be calculated only for weighted graphs.
- The edge connecting two vertices is assigned a non-negative real number called the weight of the edge.
- The algorithm is:
a) Initialize the array smallestWeight so that
smallestWeight[u] = weights[vertex, u]
b) Set smallestWeight[vertex] = 0.
c) Find the vertex v closest to vertex for which the shortest path has not yet been determined.
d) Mark v as the next vertex for which the smallest weight has been found.
e) For each vertex w in G such that the shortest path from vertex to w has not been determined and the edge (v, w) exists, if smallestWeight[v] + weight of edge (v, w) < smallestWeight[w], update the weight of w to the weight of v + the weight of edge (v, w).
Example:

              B
             / \
            1   2
           /     \
Source(A) ---- 5 ---- (D)Destination
           \     /
            2   1
             \ /
              C

Edge  Cost  Path
----------------------
B     1     A-B
C     2     A-C
D     5     A-D
(Choose path A-B)

Edge  Cost  Path
----------------------
B     1     A-B
C     2     A-C
D     3     A-B-D
(A-B-D < A-D, so the A-B-D path is selected.)
Flooding Algorithm
- It is a static routing algorithm.
- Every incoming packet is sent on all outgoing lines except the line on which it has arrived.
- It generates a large number of duplicate packets on the network.
Distance Vector Routing
- Each node constructs a one-dimensional array containing the distances to all other nodes and distributes that vector to its immediate neighbors.
- The starting assumption is that each node knows the cost of the links to its directly connected neighbors only.
- A link that is down is assigned an infinite cost.
- Every node sends a message to its direct neighbors containing its own list of distances.
- If any recipient finds that the sender has a path shorter than the one it knows, it updates to the new path length.
- It should also record which node told it about the path it uses.
- Each node maintains a forwarding table.
All path costs are 1.

        A --------- B
       /|\         /
      / | \       /
     /  |  \     /
    E   F   C --'
        |   |
        |   |
        G---D

Info stored at node   Distance to reach node
                      A   B   C   D   E   F   G
---------------------------------------------------
A                     0   1   1   ?   1   1   ?
B                     1   0   1   ?   ?   ?   ?
C                     1   1   0   1   ?   ?   ?
D                     ?   ?   1   0   ?   ?   1
E                     1   ?   ?   ?   0   ?   ?
F                     1   ?   ?   ?   ?   0   1
G                     ?   ?   ?   1   ?   1   0

Now, on update:
Info stored at node   Distance to reach node
                      A   B   C   D   E   F   G
---------------------------------------------------
A                     0   1   1   2   1   1   2
B                     1   0   1   2   2   2   3
C                     1   1   0   1   2   2   2
D                     2   2   1   0   3   2   1
E                     1   2   2   3   0   2   3
F                     1   2   2   2   2   0   1
G                     2   3   2   1   3   1   0

Forwarding table for node B:
Destination  Cost  Next Hop
---------------------------
A            1     A
C            1     C
D            2     C
E            2     A
F            2     A
G            3     A
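Added example (not part of the original notes): the distance vector exchange in Python over the 7-node topology above, repeated until no node's vector changes, producing the converged distances and node B's forwarding table. Nodes are processed in alphabetical order, and a strict "shorter than" test keeps the first route learned, so B keeps A as the next hop for G even though the path through C costs the same.

```python
INF = float("inf")

# The 7-node topology above, every link of cost 1 (constructed from the figure).
LINKS = {
    "A": {"B": 1, "C": 1, "E": 1, "F": 1},
    "B": {"A": 1, "C": 1},
    "C": {"A": 1, "B": 1, "D": 1},
    "D": {"C": 1, "G": 1},
    "E": {"A": 1},
    "F": {"A": 1, "G": 1},
    "G": {"D": 1, "F": 1},
}


def distance_vector(links: dict):
    """Run distance vector exchanges until no node's vector changes.

    Returns (dist, next_hop, rounds): dist[u][v] is u's known cost to v and
    next_hop[u][v] the neighbour u learned that cost from.  A link that is not
    present (for example one that is down) is treated as infinite cost."""
    nodes = sorted(links)
    # Starting assumption: a node knows only the cost to its directly connected neighbours.
    dist = {u: {v: 0 if u == v else links[u].get(v, INF) for v in nodes} for u in nodes}
    hop = {u: {v: (u if u == v else v if v in links[u] else None) for v in nodes} for u in nodes}
    rounds, changed = 0, True
    while changed:
        rounds, changed = rounds + 1, False
        for u in nodes:
            # u receives each neighbour's vector and checks for a shorter path through it.
            for nb, cost in links[u].items():
                for dest in nodes:
                    if cost + dist[nb][dest] < dist[u][dest]:   # strict: ties keep the first route
                        dist[u][dest] = cost + dist[nb][dest]
                        hop[u][dest] = nb                        # remember who told us
                        changed = True
    return dist, hop, rounds


def forwarding_table(dist: dict, hop: dict, node: str) -> list:
    """Rows of (destination, cost, next hop), as in the table for node B above."""
    return [(d, dist[node][d], hop[node][d]) for d in sorted(dist[node]) if d != node]
```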
Link State Routing
- Each router knows about its direct neighbors.
- Each router constructs a link state packet (LSP), which consists of:
a) ID of the node that created the LSP.
b) A list of direct neighbors and the cost of the link to each one.
c) Sequence number
d) A time to live (TTL) for the packet.
- Link state flooding is done.
- Each router stores the most recently generated LSP from each other router.
- The shortest path route to each destination is computed.
Q) Compare distance vector routing and link state routing.
- Distance vector routing sends the entire routing table to the directly connected neighbors.
- It has slow convergence.
- It is susceptible to routing loops.
- The updates are sometimes sent using broadcast.
- It does not know the network topology.
- It is simple to configure.
- Eg: RIP
- Link state routing only sends the link state information to the directly connected neighbors.
- It has fast convergence.
- It is less susceptible to routing loops.
- The updates are always sent using multicast.
- It knows the entire network topology.
- It is difficult to configure.
- Eg: OSPF
Address Resolution Protocol (ARP)
- ARP is a protocol used by IPv4 to map IP addresses to the hardware addresses used by a data link protocol.
- It operates below the network layer.
- It is a part of the interface between the network layer and the data link layer.
- An ARP cache table is used to maintain each MAC address and its corresponding IP address.
- When an incoming packet destined for a host on a LAN arrives at a gateway, the gateway asks the ARP program to find the MAC address that matches the IP address.
- The ARP program looks in the ARP cache and, if it finds the address, provides it to the gateway. If it is not found in the cache, the ARP program broadcasts a request packet in a special format to all hosts on the LAN. The machine that owns the IP address returns a reply.
- The gateway then converts the incoming packet to the right format and length and sends it to the machine.
Reverse ARP (RARP)
- It is a protocol used by a physical machine in a LAN to request to learn its IP address from the ARP cache.
- When a new machine is set up, its RARP client requests the RARP server on the router to send its IP address.
Internet Control Message Protocol (ICMP)
- It is an error reporting protocol used by network devices to generate error messages to the source IP address when an error prevents packet delivery.
- All IP network devices are capable of sending, receiving and processing ICMP messages.
- ICMP messages are transmitted as datagrams consisting of an IP header encapsulating the ICMP data.
Internet Protocol (IP)
- IP is a protocol by which data is sent from one computer to another on the Internet.
- Each computer on the Internet has at least one IP address that uniquely identifies it from all other computers.
- IP is responsible for the delivery of data packets without any consideration of their order.
- The order of packets is managed by TCP.
- IP is a connectionless protocol.
Q) What is routed and routing protocol?
- A routed protocol is a protocol by which data can be routed.
- It should have an addressing scheme and subnetting.
- It is used by all the hosts of inter-network.
- Eg: IP, AppleTalk, IPX
- A routing protocol is a protocol that makes the router able to build and maintain routing tables.
- It is used by routers only.
- Eg: Distance vector and link state protocols.
Network Security
Vulnerabilities and Attacks
Physical Layer:
- The vulnerability in wired and wireless networks is unauthorized access to the network through an insecure hub/switch port.
- The vulnerability may be exploited to launch attacks like:
a) Sniffing packet data to steal valuable information.
b) Denial of service to legitimate users.
c) Spoofing the MAC of legitimate hosts to launch a man-in-the-middle attack.
Network Layer
- The vulnerabilities of TCP/IP are:
a) The plain text data packets exchanged between server and client over HTTP can be easily read.
b) HTTP has weak authentication for session initialization, which may lead to session hijacking.
c) The 3-way handshake for connection establishment is another vulnerability, which is exploited by SYN flooding.
d) IP protocol header modification may lead to an IP spoofing attack.
Network Security
- It aims to make the entire network secure.
- It protects the usability, reliability, integrity and safety of the network and data.
- The primary goals of network security are:
a) Confidentiality
b) Integrity
c) Availability
Principles of Cryptography
- Cryptography is the method of storing and transmitting data in a format that can be read and processed by the intended users only.
- It includes methods to hide information in storage or in transit.
- It is often associated with encryption and decryption.
- Encryption is the process of scrambling plain text into cipher text.
- Decryption is the process of regaining the plain text from the cipher text.
Symmetric vs Asymmetric Key Encryption
- Symmetric key encryption uses a single private key.
- Encryption and decryption both use the same key.
- It does not ensure confidentiality.
- It is generally used for bulk data encryption.
- It is more efficient.
- The algorithms used are AES, DES and Blowfish.
- Asymmetric key encryption uses a pair of keys: a private key and a public key.
- Encryption is done with the public key and only the holder of the private key can decrypt it.
- It ensures confidentiality.
- It is generally used to secure key exchanges.
- It is less efficient.
- The algorithm used is RSA.
- RSA is an algorithm used for public key encryption.
- It is believed to be secure if its keys have a length of at least 1024 bits.
Key Generation Algorithm
1. Choose two very large random prime integers p and q.
2. Compute n and φ(n) such that:
n = p * q
φ(n) = (p-1) * (q-1)
3. Choose an integer e, 1 < e < φ(n), such that:
gcd(e, φ(n)) = 1
4. Compute d, 1 < d < φ(n), such that:
e * d ≡ 1 (mod φ(n))
We get, public key = (n, e)
private key = (n, d)
p, q and φ(n)are kept private.
e is the public exponent.
d is the private exponent.
Encryption and Decryption:
- Cipher (C) = M^e mod n
- Message (M) = C^d mod n
Example:
Key Generation:
1. p = 11 and q = 3
2. n = p * q = 33
φ(n) = (p-1) * (q-1) = 20
3. Choose e = 3 such that 1 < e < φ(n) and gcd(e, φ(n)) = 1
4. 3 * d ≡ 1 (mod 20)
d = 7
Public key = (33, 3)
Private key = (33, 7)
Let message M = 7.
Encryption:
C = M^e mod n = 7^3 mod 33 = 13
Decryption:
M = C^d mod n = 13^7 mod 33 = 7
- A digital signature is a mathematical technique used to validate the authenticity and integrity of a message, software or digital document.
- It is intended to solve the problem of tampering and impersonation in digital communication.
- It is based on public key cryptography.
- Using RSA, public and private keys are generated.
- The signing software is used to create a one-way hash of the electronic data to be signed.
- The private key is used to encrypt the hash.
- The encrypted hash, along with the hashing algorithm, is the digital signature.
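Added example, not from the original notes: the RSA key generation, encryption and decryption steps above together with the hash-then-sign procedure just described, in Python, using the toy values p = 11, q = 3 and e = 3 from the worked example. The SHA-256 digest is reduced modulo n only so that it fits the tiny modulus; real signature schemes pad the hash to the modulus size instead of reducing it.

```python
import hashlib
from math import gcd


def generate_keys(p: int, q: int, e: int):
    """Key generation steps 1 to 4 above for the given primes p, q and public exponent e."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if not 1 < e < phi or gcd(e, phi) != 1:
        raise ValueError("need 1 < e < phi(n) with gcd(e, phi(n)) = 1")
    d = pow(e, -1, phi)          # modular inverse, so e * d ≡ 1 (mod phi(n)); Python 3.8+
    return (n, e), (n, d)        # (public key, private key)


def encrypt(m: int, public) -> int:
    n, e = public
    if not 0 <= m < n:
        raise ValueError("message must be smaller than n")
    return pow(m, e, n)          # C = M^e mod n


def decrypt(c: int, private) -> int:
    n, d = private
    return pow(c, d, n)          # M = C^d mod n


def digest(message: bytes, n: int) -> int:
    """One-way hash of the data to be signed, reduced so it is smaller than the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign_digest(h: int, private) -> int:
    """The hash 'encrypted' with the private key is the signature."""
    n, d = private
    return pow(h, d, n)


def verify_digest(h: int, signature: int, public) -> bool:
    """Recover the hash with the public key and compare it with the hash of the received data."""
    n, e = public
    return pow(signature, e, n) == h


def sign(message: bytes, private) -> int:
    return sign_digest(digest(message, private[0]), private)


def verify(message: bytes, signature: int, public) -> bool:
    return verify_digest(digest(message, public[0]), signature, public)
```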
Pretty Good Privacy (PGP)
- It is a program used to encrypt and decrypt email over the Internet as well as to authenticate messages with digital signatures.
- Each user has an encryption key and a private key.
- A message is encrypted and sent to someone using their encryption key.
- It uses a faster encryption algorithm to encrypt the message.
- The receiver's private key is used to decrypt the short key, which is the key used to decrypt the message.
- SSL is a standard security technology for establishing an encrypted link between a server and a client.
- It allows sensitive information like credit card numbers, social security numbers, etc. to be transmitted securely.
- Generally, the data between a browser and a web server is sent in plain text, which is vulnerable if an intruder intercepts the data.
- It provides encryption for both the link and the data being transmitted.
- SSL secured websites begin with https.
- SSL certificates have a public and a private key, which work together to establish an encrypted connection.
- When a browser attempts to access an SSL secured website, the browser and the web server establish an SSL connection using the SSL handshake.
- The public key, private key and session key are used to set up the SSL connection.
- After the secure connection is made, the session key is used to encrypt all transmitted data.
Internet Protocol Security ( IPSec )
- IPSec is a framework for a set of protocols for security at the network or packet processing layer of network communication.
- It is useful for implementing VPNs and for remote user access through dial up connections to private networks.
- The advantage is that security arrangements can be handled without requiring changes to individual user computers.
- It provides two security services:
a) Authentication Header (AH) = allows authentication of the data sender.
b) Encapsulating Security Payload (ESP) = allows sender authentication as well as data encryption.
Virtual Private Network (VPN)
- It is a technology that creates a safe and encrypted connection over a less secure network.
- It allows remote users to securely access applications and other resources.
- Data travels through a secure tunnel.
- VPN users must use an authentication method to gain VPN access.
- It ensures an appropriate level of security for the connected system.
- The speed of the user's Internet connection affects VPN performance.
- It is a security protocol specified by the IEEE WiFi standard, which provides a wireless LAN with a level of security and privacy comparable to what is expected on a wired LAN.
- Data encryption protects the vulnerable wireless link between clients and access points.
- After this measure, password protection, end-to-end encryption and VPNs can be put in place to ensure privacy.
- It is vulnerable to wireless equivalent privacy attacks.
- A firewall is a network security system that analyzes and controls incoming and outgoing network traffic based on predetermined security rules.
- It analyzes the network and allows network traffic in and out only if it is trusted.
Types of Firewall
1) Packet Filtering Firewall
- It protects users from external network threats.
- Packet filtering is the process of passing or blocking packets based on source and destination address, port or protocol at a network interface.
- The header of the packet is analyzed and, based on predefined rules, the packet is allowed to pass or prevented from passing.
Methods
1) The filter accepts only those packets that it is certain are safe, dropping all others.
2) The filter drops only those packets that it is certain are unsafe, accepting all others.
3) When the filter encounters a packet for which no rule is provided, it queries the user about what should be done.
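Added example (not from the original notes): a minimal packet filter in Python that matches header fields against a constructed rule set and implements the three methods above as the policy for packets no rule covers. The addresses are documentation ranges used purely as sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """The header fields the filter looks at."""
    src: str
    dst: str
    proto: str           # "tcp", "udp" or "icmp"
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    action: str          # "accept" or "drop"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None      # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and self.dport in (None, p.dport))


def filter_packet(rules, packet: Packet, policy: str, ask=None) -> str:
    """The first matching rule decides.  `policy` handles packets no rule covers:
    'drop'   = method 1 (accept only what is known to be safe),
    'accept' = method 2 (drop only what is known to be unsafe),
    'ask'    = method 3 (call ask(packet) and use the answer it returns)."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action
    if policy == "ask":
        return ask(packet)
    return policy


# Constructed rule set for a small perimeter: a public web server, SSH only from the
# internal 10.0.0.0/8 range, and an explicit block on telnet.
RULES = [
    Rule("accept", dst="203.0.113.10/32", proto="tcp", dport=443),
    Rule("accept", src="10.0.0.0/8", proto="tcp", dport=22),
    Rule("drop", proto="tcp", dport=23),
]

# Constructed sample packets.
WEB = Packet("198.51.100.7", "203.0.113.10", "tcp", 443)
SSH_OUTSIDE = Packet("198.51.100.7", "203.0.113.10", "tcp", 22)
SSH_INTERNAL = Packet("10.20.30.40", "203.0.113.10", "tcp", 22)
TELNET = Packet("10.20.30.40", "203.0.113.10", "tcp", 23)
DNS = Packet("198.51.100.7", "203.0.113.10", "udp", 53)
```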
2) Application Gateway
- The gateway operates at the application layer.
- Application gateways for specific applications can be installed.
- It filters incoming node traffic according to certain rules, which means that only transmitted network application data is filtered.
- Eg: A mail gateway can be set up to examine each message going in or coming out. For each message, the gateway decides whether to transmit or discard the message.
