UNIT-3 - Kanpur Institute Of Technology, Kanpur

elbowshelmetΔίκτυα και Επικοινωνίες

30 Οκτ 2013 (πριν από 4 χρόνια και 8 μήνες)

127 εμφανίσεις



is a word from Greek ‘
, means “hidden or secret"; and

means “writing", or "study". Cryptography is the practice and study of hiding information.

is probably the most
important aspect of communications security and is becoming
increasingly important

as a basic building block for computer security.

The first known use of the modern cipher was by Julius Caesar, who did not trust his messengers
and for

this reason, he crea
ted a system in which each character in this message was replaced by
a character three

position ahead of it in Roman alphabet.

Basically cryptography is the science and art of creating secret codes, it include techniques such

microdots, merging words wi
th images and other way to hide information in storage and

Modern cryptography follows a strongly scientific approach, and it concern itself with the
following four

objectives i.e., confidentiality, integrity, non
repudiation and authentication.


ensure data is read only by authorized parties,

Data integrity

ensure data wasn't altered between sender and recipient,


ensure data originated from a particular party.


prevents either sender or

receiver from denying a transmitted message.

when a message is sent, the receiver can prove that the alleged sender in fact sent the message.

Similarly, when a message is received, the sender can prove that the alleged receiver in fact

received the

Cryptographic systems are characterized along three independent dimensions:

The type of operations used for transforming plaintext to cipher text.
All encryption

algorithms are based on two general principles: substitution, in which each elemen
t in the

plaintext (bit, letter, group of bits or letters) is mapped into another element, and transposition, in

which elements in the plaintext are rearranged. The fundamental requirement is that no

information be lost (that is, that all operations are re
versible). Most systems, referred to as

product systems, involve multiple stages of substitutions and transpositions.

The number of keys used.
If both sender and receiver use the same key, the system is
referred to

as symmetric, single
key, secret
or conventional encryption. If the sender and
receiver use

different keys, the system is referred to as asymmetric, two
key, or public

The way in which the plaintext is processed.
block cipher
processes the input one block

elements at a time, producing an output block for each input block. A
stream cipher

input elements continuously, producing output one element at a time, as it goes along.


Cryptography referred only
to the encryption and decryption of messages using secret keys. It

three distinct mechanisms:

1. Symmetric key Encipherment

2. Asymmetric key Encipherment


Symmetric cryptography uses a single private key to both enc
rypt and decrypt data. Any party
that has the

key can use it to encrypt and decrypt data. They are also referred to as block ciphers.

A symmetric encryption scheme has five ingredients (Figure 2.1):

• Plaintext: This is the original intelligible message or

data that is fed into the algorithm as input.

• Encryption algorithm: The encryption algorithm performs various substitutions and

transformations on the plaintext.

• Secret key: The secret key is also input to the encryption algorithm. The key is a value

independent of the plaintext and of the algorithm. The algorithm will produce a different output

depending on the specific key being used at the time. The exact substitutions and transformations

performed by the algorithm depend on the key.

• Cipher text:
This is the scrambled message produced as output. It depends on the plaintext and

the secret key. For a given message, two different keys will produce two different cipher texts.

The cipher text is an apparently random stream of data and, as it stands, is

• Decryption algorithm: This is essentially the encryption algorithm run in reverse. It takes the

cipher text and the secret key and produces the original plaintext.


Advantages of Symmetric cryptography

algorithms are typically fast and are suitable for
processing large

streams of data.

The disadvantage of symmetric cryptography is that it presumes two parties have agreed on a
key and

been able to exchange that key in a secure manner prior to communicati
on. This is a
significant challenge.


key cryptography is also called asymmetric. It uses a secret key that must be kept from


users and a public key that can be made public to anyone. Both the public key and

private key are mathematically linked; data encrypted with the public key can be decrypted
only by the

private key, and data signed with the private key can only be veri
fied with the public

The public key can be published to anyone. Both keys are unique to the communication session.

key cryptographic algorithms use a fixed buffer size. Private
key cryptographic
algorithms use a

variable length buffer. Public
ey algorithms cannot be used to chain data
together into streams like

key algorithms can. With private
key algorithms only a small
block size can be processed,

typically 8 or 16 bytes.


Hash algorithms are one
way mathematical alg
orithms that take an arbitrary length input and
produce a

fixed length output string. A hash value is a unique and extremely compact numerical
representation of a

piece of data.

Hashing algorithm store or transmit the arbitrary length data without using an
y secret key or
public key, it

using the message digest technique for securing the message by any cryptanalyst.
MD5 (message digest

technique) produces 128 bits for instance. It is computationally
improbable to find two distinct inputs that

hash to the sam
e value (or ``collide''). Hash functions
have some very useful applications. They allow a

party to prove they know something without revealing what it is, and hence are seeing
widespread use in

password schemes. They can also be used in digital signatures
and integrity protection.

There are two requirements for secure use of cryptographic system:

1. We need a strong encryption algorithm. At a minimum, we would like the algorithm to be

that an opponent who knows the algorithm and has access to one or
more cipher texts
would be

unable to decipher the cipher text or figure out the key. This requirement is usually
stated in a

stronger form: The opponent should be unable to decrypt cipher text or discover the
key even if

he or she is in possession of a num
ber of cipher texts together with the plaintext that

each cipher text.

2. Sender and receiver must have obtained copies of the secret key in a secure fashion and must

keep the key secure. If someone can discover the key and knows the algorithm, al

communication using this key is readable.


There are two general approaches to attacking a conventional encryption scheme:


Cryptanalytic attacks rely on the nature of the algorithm plus perhaps some knowledge of the

characteristics of the plaintext or even some sample plaintext
cipher text pairs. In other
words it is

explained as, “cryptography is the science and art of creating secret codes, while c
Cryptanalysis is the

science and art of breaking these secret cod

This type of attack exploits the characteristics of the algorithm to attempt to deduce a specific
plaintext or

to deduce the key being used.


The attacker tries every possible key on a piece of cipher text until an intelligible t
ranslation into

is obtained. On average, half of all possible keys must be tried to achieve success.

The various types of cryptanalytic attacks, based on the amount of information known to the

Type of


Known to Cryptanalyst

Cipher text


• Encryption algorithm

• Cipher text



• Encryption algorithm

• Cipher text

• One or more plaintext
cipher text pairs formed with the secret key



• Encryption algorithm

• Cipher text

• Plaintext message chosen

by cryptanalyst, together with its corresponding

cipher text generated with the secret key


cipher text

• Encryption algorithm

• Cipher text

• Purported cipher text chosen by cryptanalyst, together with its

corresponding decrypted plaintext generate
d with the secret key

Chosen text • Encryption algorithm

• Cipher text

• Plaintext message chosen by cryptanalyst, together with its corresponding

cipher text generated with the secret key

• Purported cipher text chosen by cryptanalyst, together with its

corresponding decrypted plaintext generated with the secret key


virtual private network
) is a computer network that is constructed by using public
networks or

wires such as Internet to provide remote offices or individual u
sers to get secure
access to their

organization's network. (Or)

“A VPN is a way of creating a secure connection to and from a network or computer”. (Or)

“A virtual private network (VPN) is a network that uses a public telecommunication
infrastructure, such

as the Internet, to provide remote offices or individual users with secure
access to their organization's


This network uses encryption and other security mechanisms to ensure that only authorized users
are able

to participate in the communicatio
ns and that the data cannot be intercepted. It aims to
avoid an expensive

system of privately owned or leased lines that can be used by only one organization. The goal of
a VPN is

to provide the organization with the same capabilities, but at a much lower

The use of a public network, usually the Internet, to connect securely to a private network, is the
basis of

a VPN. Companies and organizations will use a VPN to communicate confidentiality
over a public

network; the VPN can be used to send voice, vi
deo or data. It is an excellent option
for remote workers

and organizations with global offices and partners to share data in private

VPNs have been used for years, but they have become more robust only in recent years. They are

affordable and

also much faster.

Virtual Private Networks (VPNs) provide secure and advanced connections through a non

by providing data privacy. Private data is secure in a public environment. Remote access
VPNs provides a

common environment where many d
ifferent sources such as intermediaries,
clients and off
site employees

can access information via web browsers or email. Many
companies supply their own VPN connections

via the Internet. Through their ISPs, remote users
running VPN client software are ass
ured private access

in a publicly shared environment. By
using analog, ISDN, DSL, cable technology, dial and mobile IP;

VPNs are implemented over extensive shared infrastructures. Email, database and office
applications use

these secure remote VPN connecti

A few of the main components needed to create VPN connections are listed below:

• VPN services need to be enabled on the server.

• VPN client software has to be installed on the VPN client. A VPN client utilizes the Internet,

tunneling and TCP/IP prot
ocols to establish a connection to the network

• The server and client have to be on the same network.

• A Public Key Infrastructure (PKI)

• The server and client have to use the same:

o " Tunneling protocols

o " Authentication methods

o “Encryption method

• Centralized accounting



There are many different types of VPNs available. Let’s take look at most common types.

up VPN):

This is the most common and widely used VPN protocol. They enable a
uthorized remote users to

to the VPN network using their existing Internet connection and then log on to the VPN
using password

authentication. They don’t need extra hardware and the features are often
available as inexpensive add

software. PPTP stands for
Point Tunneling Protocol
The disadvantage of PPTP is that it does

not provide encryption and it relies on the PPP (Point
Point Protocol) to implement security measures.

There is little to no cost to setup this type of

VPN, and you can often use your existing
equipment and

software. It is sometimes referred to as "dial
up VPN" because when the client
software connects it looks

like its dialing up. See the diagram below:

Figure: PPTP VPN
up VPN)

2. Site
Site VPN

site is much the same thing as PPTP except there is no “dedicated” line in use. It allows

sites of the same organization, each with its own real network, to connect together to
form a VPN. Unlike

PPTP, the routing, encryption and
decryption is done by the routers on both
ends, which could be

based or software

site VPNs can work with hardware or software
based firewall devices. On the software
side, you

can use something like Clark connects. On the hardware s
ide, you can have many
different devices to

choose from. Personally, I use the Juniper SSG firewalls. The technology
commonly used with this type

of setup is IPsec or GRE.

Figure: Site
Site VPN

3. L2TP VPN:

L2TP or Layer to Tunneling Protocol is simil
ar to PPTP, since it also doesn’t provide encryption
and it

relies on PPP protocol to do this. The difference between PPTP and L2TP is that the latter
provides not

only data confidentiality but also data integrity. L2TP was developed by Microsoft

4. IPsec:

Tried and trusted protocol which sets up a tunnel from the remote site into your central site. As
the name

suggests, it’s designed for IP traffic. IPsec requires expensive, time consuming client
installations and this

can be considered an
important disadvantage. The two IPsec protocols are:

• Authentication Header (AH); provides data authentication, data integrity and replay protection


• Encapsulating Security Payload (ESP); provides data authentication, data confidentiality and

ntegrity, and replay protection.

5. SSL:

SSL or Secure Socket Layer is a VPN accessible via https over web browser. SSL creates a
secure session

from your PC browser to the application server you’re accessing. The major advantage of SSL is
that it

need any software installed because it uses the web browser as the client application.


MPLS (Multi
Protocol Label Switching) was originally designed to improve the store
forward speed

of routers. MPLS was created as a team effort on the p
art of Ipsilon, Cisco, IBM,
and Toshiba. These

companies worked together as part of the IETF (Internet Engineering Task
Force) and MPLS was born.

Figure: MPLS VPN

MPLS are no good for remote access for individual users, but for site
site connectivity,
hey’re the

most flexible and scalable option. These systems are essentially ISP
tuned VPNs,
where two or more sites

are connected to form a VPN using the same ISP. An MPLS network
isn’t as easy to set up or add to as

the others, and hence bound to be more
expensive. MPLS does
perform better than a site
site VPN

because there is less overhead and the routing between
sites is optimized by static routes from your ISP.

Larger ISPs can even bring your data center (if you have one) into your MPLS network. A re

network should provide ping times between sites in under 10 ms. Traditional site
VPNs can range

anywhere from 30 ms (at best) to over 100 ms.

Hybrid VPN:

A few companies have managed to combine features of SSL and IPSec & also other typ
es of
VPN types.

Hybrid VPN servers are able to accept connections from multiple types of VPN clients. They
offer higher

flexibility at both clients and server levels and bound to be expensive.


VPN connections that use PPTP, L2TP and IPsec have the following properties:

• Encapsulation

• Authentication

• Data encryption


With VPN technology, private data is encapsulated with a header that contains routing
information that

allows the

data to traverse the transit network. For examples of encapsulation,
see VPN Tunneling



Authentication for VPN connections takes three different forms:

level authentication by using PPP authentication:

To establish the
VPN connection, the VPN server authenticates the VPN client that is attempting

the connection by using a Point
Point Protocol (PPP) user
level authentication method and

verifies that the VPN client has the appropriate authorization. If mutual authentica
tion is used,

VPN client also authenticates the VPN server, which provides protection against computers

are masquerading as VPN servers.

level authentication by using Internet Key Exchange (IKE):

To establish an Internet Protocol secur
ity (IPsec) security association, the VPN client and the

VPN server use the IKE protocol to exchange either computer certificates or a preshared key. In

either case, the VPN client and server authenticate each other at the computer level. Computer

ate authentication is highly recommended because it is a much stronger authentication

method. Computer
level authentication is only performed for L2TP/IPsec connections.

Data origin authentication and data integrity:

To verify that the data sent on the

VPN connection originated at the other end of the connection

and was not modified in transit, the data contains a cryptographic checksum based on an

encryption key known only to the sender and the receiver. Data origin authentication and data

integrity ar
e only available for L2TP/IPsec connections.


To ensure confidentiality of the data as it traverses the shared or public transit network, the data

encrypted by the sender and decrypted by the receiver. The encryption and decryption
sses depend

on both the sender and the receiver using a common encryption key.

Intercepted packets sent along the VPN connection in the transit network are unintelligible to
anyone who

does not have the common encryption key. The length of the encryption
key is an
important security

parameter. You can use computational techniques to determine the encryption
key. However, such

techniques require more computing power and computational time as the
encryption keys get larger.

Therefore, it is important to use
the largest possible key size to ensure data confidentiality.


• A well designed VPN can greatly benefit a company. It provides many benefits such as:

• A VPN can extend geographic connectivity.

• A VPN can improve the network as well as or
ganizational security.

• A VPN can reduce operational cost as compared to traditional WAN.

• A VPN can improve the overall productivity of the organization.

• A VPN can simplify the n/w topology and provide telecommuter support.

Remote access VPNs offer a
number of advantages, including:

• Third parties oversee the dial up to the network.

• New users can be added with hardly any additional costs and with no extra expense to the


• Wan circuit and modem costs are eliminated.

• Remote access VP
Ns call to local ISP numbers. VPNs can be established from anywhere via


• Cable modems enable fast connectivity and are relatively cost efficient.

• Information is easily and speedily accessible to off
site users in public places via Internet

availability and connectivity.


A tunnel is a means of forwarding data across a network from one node to another, as if the two

were directly connected. Tunneling is used to describe a method of using a
n internetwork
infrastructure to

transfer a payload. Tunneling is also known as the encapsulation and
transmission of VPN data, or

packets. IPSec tunnel mode enables IP payloads to be encrypted
and encapsulated in an IP header so that

it can be sent over t
he corporate IP internetwork or Internet.

The tunnel is the logical path or connection that encapsulated packets travel through the transit

internetwork. The tunneling protocol encrypts the original frame so that its content cannot be

The enca
psulation of VPN data traffic is known as tunneling. The Transport Control

Protocol (TCP/IP) protocol provides the underlying transport mechanism for VPN connectivity.

The two different types of tunneling are:

: With

voluntary tunneling, the client starts the process of

initiating a connection with the VPN server. One of the requirements of voluntary tunneling is an

existing connection between the server and client. This is the connection that the VPN client

to create a tunneled connection with the VPN server.

: With Compulsory tunneling, a connection is created

o Two VPN servers

o Two VPN access devices

VPN routers

In this case, the client dials
in to the remote access server,

by using whichever of the following


o Through the local LAN.

o Through an Internet connection.

The remote access server produces a tunnel, or VPN server to tunnel the data, thereby

the client to use a VPN tunnel to connect to the remot
e resources.

VPN tunnels can be created at the following layers of the Open Systems Interconnection (OSI)


• Data
Link Layer

layer 2: VPN protocols that operate this layer are Point
Point Tunneling

Protocol (PPTP) and Layer 2 Tunneling

Protocol (L2TP).

• Network Layer

layer 3: IPSec can operate as a VPN protocol at the Network layer of the OSI

reference model.

Tunneling Protocols Overview

The tunneling protocols are responsible for the following functions:

• Tunnel maintenance: This
involves both the creation and management of the tunnel.

• VPN data transfer: This relates to the actual sending of encapsulated VPN data through the


The tunneling protocols provided by Windows Server 2003 are:

• Point
Point Tunneling Protocol (

• Layer 2 Tunneling Protocol (L2TP)

Point Tunneling Protocol (PPTP):

Point Tunneling Protocol (PPTP), an extension of Point
Point Protocol (PPP),

PPP frames into IP datagram’s to transmit data over an IP
internetwork. Windows Server 2003

PPTP version 2. To create and manage the tunnel, PPTP utilizes a TCP connection. A modified
version of

Generic Route Encapsulation (GRE) deals with data transfer by encapsulating PPP
frames for tunneled

data. The
encapsulated tunnel data can be encrypted and/or compressed.
However, PPTP encryption can

only be utilized when the authentication protocol is EAP
TLS or
CHAP. This is due to PPTP using

MPPE to encrypt VPN data in a PPTP VPN, and MPPE
needing EAP
TLS or

CHAP generated

encryption keys. With the Windows Server 2003
implementation of PPTP, both 40
bit encryption and

bit encryption is supported.

The authentication methods supported by PPTP are the same authentication mechanisms
supported by




• MS


Layer 2 Tunneling Protocol (L2TP)

Layer 2 Tunneling Protocol (L2TP) is a combination of the benefits and features of PPTP and

Layer 2 Forwarding (L2F) protocol. L2TP encapsulates PPP frames, and sends encapsulated data


frame relay, ATM and X.25 networks. With L2TP, the PPP and layer two end
can exist on

different devices. L2TP can also operate as a tunneling protocol over the Internet.
L2TP uses UDP

packets and a number of L2TP messages for tunnel maintenance
. UDP is used to send L2TP

PPP frames as tunneled data.

While L2TP can provide encryption and compression for encapsulated PPP frames, you have to

Microsoft's implementation of L2TP with the IPSec security protocol. When L2TP is used
IPSec, the

highest level of security is assured. This includes data confidentiality and
integrity, data authentication, as

well as replay protection. IPSec protects the packets of data and
therefore provides security on insecure

networks such as the Intern
et. This is due to IPSec
securing the actual packets of data, and not the

connection used to convey the data. IPSec utilizes
encryption, digital sign
atures and hashing algorithms to
secure data.


A digital signature is an electronic ana
logue of a written signature; the digital signature can be

used to provide assurance that the claimed signatory signed the information. In addition, a digital

signature may be used to detect whether or not the information was modified after it was signed

i.e., direct integrity of signed data). These assurances may be obtained whether the data was

received in a transmission or retrieved from storage. A properly implemented digital signature

algorithm that meets the requirements of this standard can provide
these services. For example

RSA, DSA, Rabin signature algorithm, Undeniable signatures
etc based signature schemes


digital signature
digital signature scheme
is a mathematical scheme for demonstrating the


of a digital message or document. A valid digital signature gives a recipient reason

to believe that the message was created by a known sender, and that it was not altered in transit.

Digital signatures are commonly used for software distribution, financi
al transactions, and in

other cases where it is important to detect forgery or tampering.

Digital signatures employ a type of asymmetric cryptography. For messages sent through a

channel, a properly implemented digital signature gives the receive
r reason to believe

message was sent by the claimed sender. Digital signatures are equivalent to traditional

handwritten signatures in many respects; properly implemented digital signatures are more

difficult to forge than the handwritten type. Digital

signature schemes in the sense used here are

cryptographically based, and must be implemented properly to be effective. Digital signatures

can also provide non
repudiation, meaning that the signer cannot successfully claim they did not

sign a message, whi
le also claiming their private key remains secret; further, some

schemes offer a time stamp for the digital signature, so that even if the private
key is

exposed, the signature is valid nonetheless. Digitally signed messages may be anything

able as a bit string: examples include electronic mail, contracts, or a message sent via

some other cryptographic protocol.

A digital signature scheme typically consists of three algorithms:

• A
key generation algorithm
that selects a
private key

uniformly at random from a set of

possible private keys. The algorithm outputs the private key and a corresponding


• A
that, given a message and a private key, produces a signature.

• A
signature verifying
given a message, public key and a signature, either

accepts or rejects the message's claim to authenticity.

Figure: Digital signature generation and verification

Two main properties are required. First, a signature generated from a fixed message and fixe

private key should verify the authenticity of that message by using the corresponding public key.

Secondly, it should be computationally infeasible to generate a valid signature for a party who

does not possess the private key.


As organizations move away from paper documents with ink signatures or authenticity stamps,

digital signatures can provide added assurances of the evidence to provenance, identity, and

status of an electronic document as well as acknowledging informed con
sent and approval by a

signatory. The United States Government Printing Office (GPO) publishes electronic versions of

the budget, public and private laws, and congressional bills with digital signatures. Universities

including Penn State, University of Chi
cago, and Stanford are publishing electronic student

transcripts with digital signatures.

Below are some common reasons for applying a digital signature to communications:


Although messages may often include information about the entity send
ing a message, that

information may not be accurate. Digital signatures can be used to authenticate the source of

messages. When ownership of a digital signature secret key is bound to a specific user, a valid

signature shows that the message was sent by t
hat user. The importance of high confidence in

sender authenticity is especially obvious in a financial context. For example, suppose a bank's

branch office sends instructions to the central office requesting a change in the balance of an

account. If the c
entral office is not convinced that such a message is truly sent from an

authorized source, acting on such a request could be a grave mistake.


In many scenarios, the sender and receiver of a message may have a need for confidence that the


has not been altered during transmission. Although encryption hides the contents of a

message, it may be possible to
an encrypted message without understanding it. (Some

encryption algorithms, known as nonmalleable ones, prevent this, but others do

not.) However, if

a message is digitally signed, any change in the message after signature will invalidate the

signature. Furthermore, there is no efficient way to modify a message and its signature to

produce a new message with a valid signature, because

this is still considered to be

computationally infeasible by most cryptographic hash functions.


repudiation, or more specifically
repudiation of origin
, is an important aspect of digital

signatures. By this property an entity that
has signed some information cannot at a later time

deny having signed it. Similarly, access to the public key only does not enable a fraudulent party

to fake a valid signature.


The Internet has made large amount of information ava
ilable to the average computer user at
home, in

business and education. For many people, having access to this information is no longer
just an

advantage, it is essential. By connecting a private network to the Internet can expose
critical or

data to malicious attack from anywhere in the world. The intruders could gain
access to your

sites private information or interfere with your use of your own systems. Users
who connect their

computers to the Internet must be aware of these dangers, their i
and how to protect their data

and their critical systems.

Therefore, security of network is the main criteria here and firewalls provide this security. The

firewalls keep the flames of Internet hell out of your network or, to keep the
members of
your LAN pure

by denying them access the all the evil Internet temptations.

Figure: Firewall

A firewall is a hardware device or a software program running on the secure host computer that

between the two entities and controls access between

them. Here the two entities are nothing
but a private

network and the public network like Internet.

A firewall is a secure and trusted machine that sits between a private network and a public

network. The firewall machine is configured with a set of rules

that determine which network

traffic will be allowed to pass and which will be blocked or refused. In some large organizations,

you may even find a firewall located inside their corporate network to segregate sensitive areas

of the organization from other

employees. Many cases of computer crime occur from within an

organization, not just from outside. Firewalls can be implemented in both hardware and software,
or a

combination of both. Firewalls are frequently used to prevent unauthorized Internet users
om accessing

private networks connected to the Internet, especially intranets. All messages
entering or leaving the

intranet pass through the firewall, which examines each message and
blocks those that do not meet the

specified security criteria.


can be constructed in quite a variety of ways. The most sophisticated arrangement

involves a number of separate machines and is known as a
perimeter network
. Two machines act

as "filters" called chokes to allow only certain types of network traffic to pas
s, and between these

chokes reside network servers such as a mail gateway or a World Wide Web proxy server. This

configuration can be very safe and easily allows quite a great range of control over who can

connect both from the inside to the outside, and f
rom the outside to the inside. This sort of

configuration might be used by large organizations.

Typically though, firewalls are single machines that serve all of these functions. These are a little

less secure, because if there is some weakness in the fire
wall machine itself that allows people to

gain access to it, the whole network security has been breached. Nevertheless, these types of

firewalls are cheaper and easier to manage than the more sophisticated arrangement just


Firewalls are mainly
used for two purposes.

1. To keep people (worms/crackers) out.

2. To keep people (employees/children) in.


The general reasoning behind firewall usage is that without a firewall, a subnet's systems expose

themselves to inherently insecu
re services such as NFS or NIS and to probes and attacks from

elsewhere on the network. In a firewall
less environment, network security relies totally on
host security

and all hosts must, in a sense, cooperate to achieve a uniformly high level of
curity. The larger the

subnet, the less manageable it is to maintain all hosts at the same level of
security. As mistakes and

lapses in security become more common, break
ins occur not as the
result of complex attacks, but

because of simple errors in confi
guration and inadequate

A firewall approach provides numerous advantages to sites by helping to increase overall host

The following sections summarize the primary benefits of using a firewall.

• Protection from Vulnerable Services

• Co
ntrolled Access to Site Systems

• Concentrated Security

• Enhanced Privacy

• Logging and Statistics on Network Use, Misuse

• Policy Enforcement


A firewall can greatly improve network security and reduce risks to hos
ts on the subnet by

inherently insecure services. As a result, the subnet network environment is exposed to
fewer risks, since

only selected protocols will be able to pass through the firewall. For example,
a firewall could prohibit

certain vulne
rable services such as NFS from entering or leaving a
protected subnet. This provides the

benefit of preventing the services from being exploited by
outside attackers, but at the same time permits

the use of these services with greatly reduced risk
to expl
oitation. Services such as NIS or NFS that are

particularly useful on a local area network
basis can thus be enjoyed and used to reduce the host

management burden.

Firewalls can also provide protection from routing
based attacks, such as source routing and

attempts to

redirect routing paths to compromised sites via ICMP redirects. A firewall could
reject all source

packets and ICMP redirects and then inform administrators of the


A firewall also
provides the ability to control access to site systems. For example, some hosts can

made reachable from outside networks, whereas others can be effectively sealed off from

access. A site could prevent outside access to its hosts except for spec
ial cases such as mail
servers or

information servers. This brings to the fore an access policy that firewalls are
particularly adept at

enforcing: do not provide access to hosts or services that do not require
access. Put differently, why

provide access t
o hosts and services that could be exploited by
attackers when the access is not used or

required? If, for example, a user requires little or no
network access to her desktop workstation, then a

firewall can enforce this policy.



firewall can actually be less expensive for an organization in that all or most modified
software and

additional security software could be located on the firewall systems as opposed to
being distributed on

many hosts. In particular, one
time password sys
tems and other add
authentication software could be

located at the firewall as opposed to each system that needed to
be accessed from the Internet.

Other solutions to network security such as Kerberos involve modifications at each host system.

beros and other techniques should be considered for their advantages and may be more

than firewalls in certain situations, firewalls tend to be simpler to implement in that
only the firewall need

run specialized software.


Privacy is of great concern to certain sites, since what would normally be considered innocuous

information might actually contain clues that would be useful to an attacker. Using a firewall,
some sites

wish to block services such as finger and Domain Name

Service. Finger displays
information about users

such as their last login time, whether they've read mail, and other items.
But, finger could leak

information to attackers about how often a system is used, whether the
system has active users connected,

d whether the system could be attacked without drawing
attention. Firewalls can also be used to block

DNS information about site systems, thus the names and IP addresses of site systems would not

available to Internet hosts. Some sites feel that by bloc
king this information, they are hiding

that would otherwise be useful to attackers.


If all access to and from the Internet passes through a firewall, the firewall can log accesses and

aluable statistics about network usage. A firewall, with appropriate alarms that sound
when suspicious

activity occurs can also provide details on whether the firewall and network are
being probed or attacked.

It is important to collect network usage stati
stics and evidence of probing for a number of
reasons. Of

primary importance is knowing whether the firewall is withstanding probes and
attacks, and determining

whether the controls on the firewall are adequate. Network usage
statistics are also important
as input into

network requirements studies and risk analysis


Lastly, but perhaps most importantly, a firewall provides the means for implementing and
enforcing a

network access policy. In effect, a firewall provides acces
s control to users and
services. Thus, a network

access policy can be enforced by a firewall, whereas without a
firewall, such a policy depends entirely on

the cooperation of users. A site may be able to depend
on its own users for their cooperation;
however it

cannot nor should not depend on Internet users
in general.


Firewalls fall into different categories. They are mainly,

1. Packet filtering firewalls,

2. Circuit level gateways,

3. Application gateways,

4. State
full multilay
er inspection firewall.

1. Packet Filtering Firewalls:

These firewalls work at the network layer of OSI model, or IP layer of TCP/IP. They are usually
part of a

router. A router is a device that receives packets from one network and forwards them
to anoth
er network.

In a packet filtering firewall, each packet is compared to a set of criteria before it is forwarded.
Dependingon the packet and the criteria, the firewall can drop the packet, forward it or send a
message to the

originator. Rules can include so
urce and destination IP addresses, source and
destination port number and

type of the protocol embedded in that packet. These firewalls often
contain an ACL (Access Control List)

to restrict who gains access to which computers and

Advantages of p
acket filtering:

1. Because not a lot of data is analyzed or logged, they use very little CPU resources and create

latency in a network. They tend to be more transparent in that the rules are configured by the

administrator for the whole netwo
rk so the individual user doesn’t have to face the
rather complica
task of firewall rule sets.

2. It is cost effective to simply configure routers that are already a part of the network to do

duty as firewalls.

3. Network layer firewalls tend
to be very fast and tend to be very transparent to users.

4. Cost: Virtually all high
speed Internet connections require a router. Therefore, organizations
with high

Speed Internet connections already have the capability to perform basic Packet filtering
at the

level without purchasing additional hardware or software.

Drawbacks of packet filtering:

• They don’t provide for password controls.

• Users can’t identify themselves.

• The person who configures the firewall protocol for the router needs a

• Knowledge of IP packet structure.

• There is no user authentication.

• Remains vulnerable to attacks such as spoofing source address.

2. Circuit
level Gateways:

These firewalls work at the session layer of the OSI model, or TCP/IP layer of the
TCP/IP. They

TCP handshaking between packets to determine whether a requested session is
legitimate. Traffic is

filtered based on the specified session rules, such as when a session is
initiated by the recognized

computer. Information passed to rem
ote computer through a circuit
level gateway appears to have

originated from the gateway. This is useful for hiding information
about protected networks. Circuit level

gateways are relatively inexpensive and have the
advantage of hiding information about t
he private

network they protect. On the other hand, they
do not filter individual packets. Unknown traffic is allowed

up to level 4 of network stack. These
are hardware firewalls and apply security mechanisms when a TCP

or UDP connection is

. Application Gateways:

These are the software firewalls. These are often used by companies specifically to monitor and

employee activity and by private citizens to protect a home computer from hackers, spy ware
to set

parental controls for children.

pplication gateways also called proxies are similar to circuit level gateways expect that they are

application specific. They can filter packets at the application layer of OSI or TCP/IP model.
Incoming or

outgoing packets can’t access services for which t
here is no proxy. In plain terms,
an application level

gateway is configured to be a web proxy will not allow all ftp, gopher, telnet
or other traffic through.

Because they examine packets at the application layer, they can filter application specific
commands such

as http: post, get etc;

It works like a proxy. A proxy is a process that sits between a client and a server. For a client
proxy looks

like a server and for a server, the proxy looks like a client. Example Application
layer firewall: In

3, an application layer firewall called a ``dual homed gateway'' is represented. A dual

gateway is a highly secured host that runs proxy software. It has two network interfaces,
one on each

network, and blocks all traffic passing through it.

es of application gateways:

1. Since application proxies examine packets at the application program level, a very fine level
of security

and access control may be achieved.

2. These reject all inbound packets contain common EXE and COM files.

3. The greate
st advantage is that no direct connections are allowed through the firewall under any

circumstances. Proxies provide a high level of protection against denial of service attacks.

Disadvantages of application gateways:

1. Proxies require large amount of co
mputing resources in the host system, which can load to

bottlenecks or slow downs the network.

2. Proxies must be written for specific application programs and not all applications have proxies


4. State
full Multilayer Inspection

They combine the aspects of other three types of firewalls. This firewall keeps track of all

associated with a specific communication session. A typical communication session
between two

computers will consists a several thousand packets,

each of which is identified by a
unique source and

destination address and a sequence number that allows all of the packets to be
reassembled into the

correct data file at destination computer. Each packet of data is checked to
ensure that it belongs to p

session. Any packets that are not. Parts of an existing session are
rejected. In addition to checking and

validating the communication session ensuring that all
packets belong to the proper session, these are

further screens the packets at the applic
ation layer
also. Filtering at the s/w application port level provides

an additional layer of control for the
network administrator to ensure that only authorized transactions are

allowed through the
firewall. These firewalls close off ports until connecti
on to the specified port is


Advantages of state
full inspection:

1. These will typically offer much higher performance than proxies.

2. These ensure that all packets must be a port of an authorized communication session.
Therefore, a

higher lev
el of protection is provided to users communicating with systems external
to the trusted


3. State
full Inspection provides a greater level of security control by enforcing security policies
at the

"Application socket" or port layer as well as the
protocol and address level.

Disadvantages of state
full inspection:

1. State
full inspection functionality currently requires the purchase of additional hardware

software and is not typically "bundled" with another existing network device.


• Concentration of security, all modified software and logging is located on the firewall system

opposed to being distributed on many hosts;

• Protocol filtering, where the firewall filters protocols and services that are either not n

that cannot be adequately secured from exploitation; information hiding , in which a firewall

``hide'' names of internal systems or electronic mail addresses, thereby revealing less information

to outside hosts;

• Application gateways,
where the firewall requires inside or outside users to connect first to the

firewall before connecting further, thereby filtering the protocol;

• Extended logging, in which a firewall can concentrate extended logging of network traffic on


• Cen
tralized and simplified network services management, in which services such as ftp,

electronic mail, gopher, and other similar services are located on the firewall system(s) as

opposed to being maintained on many systems.


these advantages, there are some disadvantages to using firewalls.

o The most obvious being that certain types of network access may be hampered or even blocked

some hosts, including telnet, ftp, X Windows, NFS, NIS, etc. However, these disadvantages
are not

unique to firewalls; network access could be restricted at the host level as well,
depending on a

site's security policy.

o A second disadvantage with a firewall system is that it concentrates security in one spot as

to distributing it amon
g systems, thus a compromise of the firewall could be disastrous
to other

protected systems on the subnet. This weakness can be countered; however, with the

that lapses and weaknesses in security are more likely to be found as the number of
ystems in a

subnet increase, thereby multiplying the ways in which subnets can be exploited.

o Another disadvantage is that relatively few vendors have offered firewall systems until very

recently. Most firewalls have been somewhat ``hand
built'' by site a
dministrators, however the

and effort that could go into constructing a firewall may outweigh the cost of a vendor

There is also no firm definition of what constitutes a firewall; the term ``firewall'' can mean

things to many people.