Chapter 37
Network Security
(Access Control, Encryption, Firewalls)
Secure Networks
A "secure network" is not an absolute term
An organization needs to define a security policy
A network security policy cannot be separated from the security policy for the attached computers
The costs and benefits of security policies must be assessed
Network Security Policy
Devising a network security policy can be complex because a rational policy requires an organization to assess the value of information. The policy must apply to information stored in computers as well as to information traversing a network.
Aspects of Security
Data integrity
Data availability
Data confidentiality
Privacy
Responsibility and Control
Accountability: how an audit trail is kept
Authorization: who is responsible for each item and how responsibility is delegated to others
Integrity Mechanisms
Techniques to ensure integrity: parity bits, checksums, CRCs
These cannot guarantee data integrity (e.g., against intentional change), because anyone who alters the data can simply recompute the check value
Use a message authentication code (MAC) that cannot be broken or forged
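To make the difference concrete, here is an added example (not part of the slides) that compares a CRC-32 check value with an HMAC-SHA256 message authentication code over the same message. The message and the shared key are constructed for the demo; the code uses only the Python standard library.

```python
import hashlib
import hmac
import zlib

# Constructed sample: a payment instruction as it might cross the network.
MESSAGE = b"TRANSFER 100.00 FROM ACCT 1001 TO ACCT 2002"
# Constructed secret known only to sender and receiver (an assumption of this demo).
SHARED_KEY = b"demo-shared-secret-do-not-reuse"


def crc32_tag(msg: bytes) -> int:
    """CRC-32 check value; anyone can compute it, no secret is involved."""
    return zlib.crc32(msg) & 0xFFFFFFFF


def crc32_verify(msg: bytes, tag: int) -> bool:
    return crc32_tag(msg) == tag


def mac_tag(key: bytes, msg: bytes) -> bytes:
    """HMAC-SHA256 tag; computing it requires the shared key."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def mac_verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    # compare_digest is constant-time, so the comparison leaks no timing information
    return hmac.compare_digest(mac_tag(key, msg), tag)


def altered_in_transit(msg: bytes) -> bytes:
    """Simulated intentional modification of the message while on the wire."""
    return msg.replace(b"ACCT 2002", b"ACCT 9999")


def crc_catches_random_error() -> bool:
    """A CRC does its job against accidental corruption (here a single flipped bit)."""
    tag = crc32_tag(MESSAGE)
    noisy = bytes([MESSAGE[0] ^ 0x01]) + MESSAGE[1:]
    return not crc32_verify(noisy, tag)


def crc_misses_intentional_change() -> bool:
    """Whoever changes the bytes can recompute the CRC, so the receiver's check passes."""
    modified = altered_in_transit(MESSAGE)
    recomputed = crc32_tag(modified)
    return crc32_verify(modified, recomputed)


def mac_catches_intentional_change() -> bool:
    """Without SHARED_KEY the old tag no longer matches, and a plain hash is not a MAC."""
    tag = mac_tag(SHARED_KEY, MESSAGE)
    modified = altered_in_transit(MESSAGE)
    old_tag_accepted = mac_verify(SHARED_KEY, modified, tag)
    plain_hash_accepted = mac_verify(SHARED_KEY, modified, hashlib.sha256(modified).digest())
    return not old_tag_accepted and not plain_hash_accepted


if __name__ == "__main__":
    print("CRC catches random error:", crc_catches_random_error())
    print("CRC misses intentional change:", crc_misses_intentional_change())
    print("MAC catches intentional change:", mac_catches_intentional_change())
```

The CRC still has a role (it detects line noise cheaply), but only the keyed tag lets the receiver distinguish an intact message from one that was rewritten and re-checksummed along the way.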
Access Control and Passwords
Passwords are used to control access
Over a network, passwords are susceptible to snooping
Encryption and Confidentiality
To ensure the confidentiality of a transmitted message, use encryption
Secret key or public key schemes
[Figure: message m → encryption with secret key S → decryption with secret key S → message m]
Public Key Cryptosystem
Each processor has a private key S and a public key P
S is kept secret and cannot be deduced from P
P is made available to all processors
Encryption and decryption with S and P are inverse functions: P(S(m)) = m and S(P(m)) = m
[Figure: message m → encryption with public key P → decryption with private key S → message m]
[Figure: message m → encryption with private key S → decryption with public key P → message m]
Message Digest
A digest function maps an arbitrary-length message m to a fixed-length digest d(m)
One-way function: given d(m), one cannot find m
Collision-free: infeasible to generate m and m' such that d(m) = d(m')
[Figure: message → digest function → fixed-length digest]
Digital Signature
To sign message m, the sender computes the digest d(m)
The sender computes S(d(m)) and sends it along with m
The receiver computes P(S(d(m))) = d(m)
The receiver computes the digest of m and compares it with the result above; if they match, the signature is verified
Digital Signature
[Figure: Sender Alice computes the digest of m, then computes the signature with Alice's private key; Receiver Bob computes the digest of the received m and verifies the signature with Alice's public key]
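The following added example (not from the slides) walks the public key, message digest and digital signature slides through with working code. It uses a toy RSA key pair with small, hand-checkable primes, SHA-256 as the digest function d(), and the P()/S() notation of the slides; the primes, the message and the names Alice and Bob are constructed for the demo and the key size is far too small for real use.

```python
import hashlib
from math import gcd

# Toy RSA parameters constructed for illustration; real keys use primes hundreds
# of digits long. These primes are small enough to follow by hand.
P_PRIME, Q_PRIME = 1009, 1013
N = P_PRIME * Q_PRIME                  # modulus, shared by both keys
PHI = (P_PRIME - 1) * (Q_PRIME - 1)
E = 65537                              # public exponent
assert gcd(E, PHI) == 1
D = pow(E, -1, PHI)                    # private exponent (modular inverse, Python 3.8+)


def public_P(x: int) -> int:
    """P(): the public-key operation, usable by every processor."""
    return pow(x, E, N)


def private_S(x: int) -> int:
    """S(): the private-key operation, usable only by the key holder."""
    return pow(x, D, N)


def inverse_property_holds(m: int) -> bool:
    """P(S(m)) = m and S(P(m)) = m for any message value m in [0, N)."""
    return public_P(private_S(m)) == m and private_S(public_P(m)) == m


def digest(msg: bytes) -> int:
    """d(m): SHA-256 of the message, reduced into the toy modulus so it can be signed."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign(msg: bytes) -> int:
    """Sender: compute d(m) and apply the private key, giving S(d(m))."""
    return private_S(digest(msg))


def verify(msg: bytes, signature: int) -> bool:
    """Receiver: compute P(S(d(m))) = d(m) and compare with a fresh digest of m."""
    return public_P(signature) == digest(msg)


# Constructed sample message from Alice (signer) to Bob (verifier).
SAMPLE = b"Pay Bob 50 units. --Alice"
SIGNATURE = sign(SAMPLE)


def genuine_message_verifies() -> bool:
    return verify(SAMPLE, SIGNATURE)


def altered_message_is_rejected() -> bool:
    """Changing m changes d(m), so the signature no longer matches."""
    return not verify(b"Pay Bob 5000 units. --Alice", SIGNATURE)


def altered_signature_is_rejected() -> bool:
    """P() is a permutation of [0, N), so a different signature yields a different value."""
    return not verify(SAMPLE, (SIGNATURE + 1) % N)
```

Because N is only about 10^6, the reduced digest has roughly 20 bits, so the collision-free property the slides require of d() does not hold in this toy; production signature schemes use a full-size modulus and a padding scheme such as RSA-PSS, and the verifier checks the signer's public key P through a trusted channel.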
Internet Firewall
Protects an organization's computers from Internet problems (named after the firewall between two structures that prevents the spread of fire)
Internet Firewall
All traffic entering the organization passes through the firewall
All traffic leaving the organization passes through the firewall
The firewall implements the security policy and rejects any traffic that doesn't adhere to it
The firewall must itself be immune to security attacks
Packet Filtering
A packet filter is embedded in a router
It specifies which packets can pass through and which should be blocked
Using Packet Filters to Create a Firewall
Three components in a firewall:
A packet filter for incoming packets
A packet filter for outgoing packets
A secure computer system to run application-layer gateways or proxies
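Here is an added example (not from the slides) of the two packet filters in code: a small first-match, default-deny rule engine with one rule list for incoming packets and one for outgoing packets. The site prefix, the web server address and the policy itself are constructed for the demo using documentation address ranges.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    dport: Optional[int]  # destination port, None for protocols without ports


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    src: str              # source prefix in CIDR notation
    dst: str              # destination prefix in CIDR notation
    proto: str            # protocol name, or "any"
    dport: Optional[int]  # destination port, None matches any port

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport))


def filter_packet(rules: List[Rule], p: Packet) -> str:
    """First matching rule decides; a packet matching no rule is dropped (default deny)."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"


# Constructed policy for a site using the documentation prefix 192.0.2.0/24
# with a public web server at 192.0.2.10 (all addresses are assumptions of this demo).
SITE = "192.0.2.0/24"
WEB_SERVER = "192.0.2.10/32"
ANY = "0.0.0.0/0"

# Filter for incoming packets: drop packets arriving from outside that claim an
# internal source address, then admit only web traffic to the web server.
INBOUND = [
    Rule("deny", SITE, ANY, "any", None),
    Rule("allow", ANY, WEB_SERVER, "tcp", 443),
    Rule("allow", ANY, WEB_SERVER, "tcp", 80),
]

# Filter for outgoing packets: internal hosts may use the web and DNS, nothing else.
OUTBOUND = [
    Rule("allow", SITE, ANY, "tcp", 443),
    Rule("allow", SITE, ANY, "tcp", 80),
    Rule("allow", SITE, ANY, "udp", 53),
]


def classify(direction: str, p: Packet) -> str:
    """Apply the incoming filter for direction "in", the outgoing filter otherwise."""
    return filter_packet(INBOUND if direction == "in" else OUTBOUND, p)
```

This filter is stateless: replies to the connections OUTBOUND allows arrive from port 443 or 53 with an ephemeral destination port and would be dropped by INBOUND as written. Real deployments either track connection state or add explicit return-traffic rules, and rule order matters because the first match wins.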
Virtual Private Networks
Two approaches to building a corporate intranet for an organization with multiple sites:
Private network connections (confidential)
Public Internet connections (low cost)
A Virtual Private Network achieves both confidentiality and low cost, and is implemented in software
Virtual Private Network
VPN software in the router at each site gives the appearance of a private network
Virtual Private Network
Obtain an Internet connection for each site
Choose a router at each site to run the VPN software
Configure the VPN software in each router to know about the VPN routers at the other sites
The VPN software acts as a packet filter; the next hop for an outgoing datagram is another VPN router
Each outgoing datagram is encrypted
Tunneling
The goal is to encrypt the entire datagram so that the source and destination addresses are not visible on the Internet
But then how can Internet routers do proper forwarding?
Solution: the VPN software encrypts the entire datagram and places it inside another datagram for transmission
Called IP-in-IP tunneling (encapsulation)
Tunneling
A datagram travels from computer x at site 1 to computer y at site 2
Router R1 at site 1 encrypts it and encapsulates it in a new datagram for transmission to router R2 at site 2
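The following added example (not from the slides) simulates both the VPN router steps listed above and the x-to-y tunneling example: R1 acts as a packet filter that encrypts whole datagrams bound for site 2 and wraps them in an outer datagram addressed to R2, which verifies, decrypts and unwraps them. The addresses, the tunnel key and the simplified datagram header are constructed for the demo, and the encryption is a standard-library stand-in (HMAC-SHA256 keystream with an encrypt-then-MAC tag) for the cipher a real VPN such as IPsec would use.

```python
import hashlib
import hmac
import ipaddress
import os
import struct

# Constructed topology (documentation address ranges; all an assumption of this demo):
# site 1 = 10.1.0.0/16 behind router R1 (public 198.51.100.1),
# site 2 = 10.2.0.0/16 behind router R2 (public 203.0.113.1).
X, Y = "10.1.0.7", "10.2.0.9"
R1_PUBLIC, R2_PUBLIC = "198.51.100.1", "203.0.113.1"
SITE2 = ipaddress.ip_network("10.2.0.0/16")
TUNNEL_KEY = b"r1-r2-shared-tunnel-key"   # constructed key shared by the two VPN routers
PROTO_TCP, PROTO_IPIP = 6, 4              # IANA protocol numbers

# Simplified datagram header: source, destination, protocol, payload length.
HDR = struct.Struct("!4s4sBH")


def build_datagram(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    return HDR.pack(ipaddress.ip_address(src).packed,
                    ipaddress.ip_address(dst).packed, proto, len(payload)) + payload


def parse_datagram(dgram: bytes):
    src, dst, proto, length = HDR.unpack_from(dgram)
    return (str(ipaddress.ip_address(src)), str(ipaddress.ip_address(dst)),
            proto, dgram[HDR.size:HDR.size + length])


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256; a stdlib stand-in for a real cipher."""
    blocks = []
    for counter in range((n + 31) // 32):
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
    return b"".join(blocks)[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def open_sealed(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed; tunnel packet dropped")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def r1_forward(inner: bytes) -> bytes:
    """R1 acting as a packet filter: datagrams for site 2 are encrypted whole and
    wrapped in an outer datagram whose next hop is R2; others are forwarded as-is."""
    _, dst, _, _ = parse_datagram(inner)
    if ipaddress.ip_address(dst) in SITE2:
        return build_datagram(R1_PUBLIC, R2_PUBLIC, PROTO_IPIP, seal(TUNNEL_KEY, inner))
    return inner


def r2_receive(outer: bytes) -> bytes:
    """R2: accept only tunnel packets from R1, verify and decrypt, return the inner datagram."""
    src, dst, proto, payload = parse_datagram(outer)
    if (src, dst, proto) != (R1_PUBLIC, R2_PUBLIC, PROTO_IPIP):
        raise ValueError("not a tunnel packet from R1")
    return open_sealed(TUNNEL_KEY, payload)


def internet_sees(outer: bytes) -> tuple:
    """What a router on the public Internet can read: the outer header only."""
    return parse_datagram(outer)[:3]


def tunnel_round_trip() -> dict:
    inner = build_datagram(X, Y, PROTO_TCP, b"hello y")   # constructed x -> y datagram
    outer = r1_forward(inner)
    recovered = r2_receive(outer)
    return {"outer_header": internet_sees(outer),
            "recovered_header": parse_datagram(recovered)[:3],
            "recovered_matches": recovered == inner}


def tampered_tunnel_packet_is_dropped() -> bool:
    outer = r1_forward(build_datagram(X, Y, PROTO_TCP, b"hello y"))
    i = HDR.size + 16                                # first ciphertext byte
    damaged = outer[:i] + bytes([outer[i] ^ 0x01]) + outer[i + 1:]
    try:
        r2_receive(damaged)
        return False
    except ValueError:
        return True
```

On the public path only the outer header (R1 to R2, protocol 4) is readable; the inner addresses x and y travel inside the ciphertext, which is why the slides pair encapsulation with encryption. The integrity tag matters as much as the encryption: without it, R2 would decrypt and forward a modified datagram into site 2.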
Summary
Security is desirable but must be defined by an organization
Assess the value of information and define a security policy
Aspects to consider include privacy, data integrity, availability, and confidentiality
Summary (continued)
Mechanisms to provide the aspects of security:
Encryption: secret and public key cryptosystems
Firewalls: packet filtering
Virtual private networks: use the Internet to transfer data among an organization's sites, but ensure that the data cannot be read by others