Networking and security

fullgorgedcut, Networks and Communications

24 Oct 2013







Teaching material accompanying chapters 2.1, 2.2 and 2.3 of Enterprise Knowledge Infrastructures

Networking and security

Ronald Maier, Thomas Hädrich, René Peinl

Martin-Luther-University Halle-Wittenberg

Classification of networks

- physical: according to the medium used (fiber, copper, radio, light)
- structural: according to the topology (ring, bus, star)
- geographic: according to the reach (PAN, LAN, MAN, WAN)
- organizational: according to the network owner: public vs. private (Internet, company networks, value added networks)
- user driven: according to the user group: Intranet, Extranet, Internet
- conceptual: according to the transmission algorithms (ATM, Token Ring, Ethernet)
- functional: according to the function/target group: end-user front-end, server back-end, network backbone
- performance: according to bandwidth: low (e.g., up to 1 MBit/s), medium (e.g., up to 1 GBit/s), high speed (e.g., > 1 GBit/s)

source: Maier, Hädrich, Peinl: Enterprise Knowledge Infrastructures, p. 84


Network topologies I

- Peer-to-peer networks: there are separate transmission ways between data stations; single network nodes receive messages and forward them if they are not the final recipient
  - star network
  - loop network
  - tree network
  - mesh network

source: Maier, Hädrich, Peinl: Enterprise Knowledge Infrastructures, p. 87


Network topologies II

- Broadcast networks: all nodes are connected to the same physical transmission medium. Each node has access to every message
  - bus network
  - ring network

source: Maier, Hädrich, Peinl: Enterprise Knowledge Infrastructures, p. 86


Network classes

interprocessor distance | location (examples) | network for
1 m                     | work place          | personal area network (PAN)
10 m                    | conference room     | local area network (LAN)
100 m                   | company building    | local area network (LAN)
1 km                    | university campus   | local area network (LAN)
10 km                   | city                | metropolitan area network (MAN)
100 km                  | country             | wide area network (WAN)
1,000 km                | continent           | wide area network (WAN)
10,000 km               | planet              | the Internet

source: Maier, Hädrich, Peinl: Enterprise Knowledge Infrastructures, p. 87


ISO OSI layered architecture

source: Maier, Hädrich, Peinl: Enterprise Knowledge Infrastructures, p. 89


Overview of network standards

    | cable-bound                           | wireless
PAN | USB, Firewire                         | IrDA, Bluetooth
LAN | Ethernet, Token Ring                  | WLAN, DECT
WAN | ATM, FDDI, X25, FrameRelay, Sonet/SDH | GSM, GPRS, EDGE, HSCSD, UMTS

source: Maier, Hädrich, Peinl: Enterprise Knowledge Infrastructures, p. 91


Classification of transmission protocols

source: Maier, Hädrich, Peinl: Enterprise Knowledge Infrastructures, p. 99


Concrete network protocols and the OSI model

source: Maier, Hädrich, Peinl: Enterprise Knowledge Infrastructures, p. 120


Network packets

- A packet consists of payload and header
- Every layer adds an additional header
- A packet on a higher layer becomes the payload on the next lower layer

source: Maier, Hädrich, Peinl: Enterprise Knowledge Infrastructures, p. 104
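The encapsulation described on this slide, worked through in code. This is an added example, not material from the slides or from the book: it builds a constructed UDP datagram, wraps it in an IPv4 header (with the RFC 791 header checksum) and then in an Ethernet frame, and parses the frame back one layer at a time, so that each layer's payload is visibly the packet of the layer above. The MAC and IP addresses are the example values used elsewhere in these slides; the ports, the identification field and the payload are constructed.

```python
import struct

# Sample addresses in the formats the slides use; ports and payload below are constructed.
SRC_MAC = bytes.fromhex("080020AEFD7E")
DST_MAC = bytes.fromhex("0000394C46C9")
SRC_IP = "141.48.204.242"
DST_IP = "192.168.0.10"


def ip_to_bytes(dotted: str) -> bytes:
    return bytes(int(octet) for octet in dotted.split("."))


def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def ip_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's complement of the one's-complement sum of 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                        # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def udp_segment(src_port: int, dst_port: int, payload: bytes) -> bytes:
    """Transport layer: 8-byte UDP header in front of the application data.
    The UDP checksum is left at 0 ('not computed'), which IPv4 permits."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload


def ipv4_packet(src_ip: str, dst_ip: str, payload: bytes, protocol: int = 17) -> bytes:
    """Internet layer: 20-byte IPv4 header; the UDP segment becomes its payload."""
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45,                # version 4, IHL 5 words (20 bytes)
                         0,                   # type of service
                         20 + len(payload),   # total length
                         0x1234,              # identification (constructed)
                         0x4000,              # flags: don't fragment, offset 0
                         64,                  # TTL
                         protocol,            # 17 = UDP
                         0,                   # checksum placeholder, filled in below
                         ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    checksum = ip_checksum(header)
    return header[:10] + struct.pack("!H", checksum) + header[12:] + payload


def ethernet_frame(src_mac: bytes, dst_mac: bytes, payload: bytes, ethertype: int = 0x0800) -> bytes:
    """Link layer: 14-byte Ethernet II header; the IP packet becomes its payload."""
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload


def encapsulate(app_data: bytes) -> bytes:
    """Walk down the stack: every layer adds its own header in front of the packet above it."""
    segment = udp_segment(40000, 53, app_data)
    packet = ipv4_packet(SRC_IP, DST_IP, segment)
    return ethernet_frame(SRC_MAC, DST_MAC, packet)


def decapsulate(frame: bytes) -> dict:
    """Walk up the stack, stripping one header per layer and validating the IPv4 header checksum."""
    dst_mac, src_mac = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame")
    packet = frame[14:]
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if ip_checksum(packet[:ihl]) != 0:        # a correct header sums to zero with its checksum included
        raise ValueError("IPv4 header checksum mismatch")
    segment = packet[ihl:total_len]
    src_port, dst_port, udp_len, _ = struct.unpack("!HHHH", segment[:8])
    return {
        "src_mac": src_mac.hex("-").upper(), "dst_mac": dst_mac.hex("-").upper(),
        "src_ip": bytes_to_ip(packet[12:16]), "dst_ip": bytes_to_ip(packet[16:20]),
        "protocol": packet[9], "src_port": src_port, "dst_port": dst_port,
        "payload": segment[8:udp_len],
        "layer_sizes": {"ethernet": len(frame), "ip": len(packet), "udp": len(segment)},
    }


def tamper_detected(frame: bytes, offset: int) -> bool:
    """Flip one bit at a frame offset and report whether the receiver rejects the frame."""
    damaged = bytearray(frame)
    damaged[offset] ^= 0x01
    try:
        decapsulate(bytes(damaged))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(decapsulate(encapsulate(b"hello")))
```

The `tamper_detected` helper makes a point the slide does not: the IPv4 checksum covers only the IP header, so a flipped bit in the TTL is rejected while a flipped bit in the payload passes unnoticed (the UDP checksum is zero here). Integrity of the payload is the job of the layers above, which is why the later slides need signatures and channel encryption.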



IP protocol (IPv4)

- IP address = world-wide unique address to identify a network participant (at least unique for public IP addresses)
- Length: 32 Bit (4 octets)
- Network classes:

  class   | network mask  | possible hosts
  Class A | 255.0.0.0     | 16.7 million
  Class B | 255.255.0.0   | 65,536
  Class C | 255.255.255.0 | 256

  [Figure: an example address of the Internet layer in binary and decimal notation, showing the split into network address and host address for classes A, B and C]

- finer partition with a subnet mask possible since 1985
- reserved addresses for private use:
  - 0.0.0.0 - 10.255.255.255 (10 class A network ranges)
  - 172.16.0.0 - 172.31.255.255 (16 class B network ranges)
  - 192.168.0.0 - 192.168.255.255 (256 class C network ranges)
- localhost 127.0.0.1
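The classful scheme and the subnet mask from this slide, worked through in code. This is an added example and not material from the slides or the book: it derives the class from the leading bits of the first octet, applies the classful network mask to split network address from host address, and applies an arbitrary prefix length for the finer subnet partition. The private and loopback checks use the ranges as RFC 1918 and RFC 1122 define them (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8); the sample address is the one used elsewhere in these slides.

```python
import ipaddress

# Private ranges per RFC 1918 and the loopback block per RFC 1122 (not taken from the slide).
PRIVATE_BLOCKS = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def to_int(dotted: str) -> int:
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("not a dotted-quad IPv4 address: %r" % dotted)
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def to_dotted(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_binary(dotted: str) -> str:
    """The 32 bits as four 8-bit groups, the way the slide's figure shows them."""
    return " ".join(format(int(o), "08b") for o in dotted.split("."))


def mask_for(prefix: int) -> int:
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def classful(dotted: str) -> dict:
    """Class from the leading bits of the first octet, then the classful network/host split."""
    value = to_int(dotted)
    first = value >> 24
    if first >> 7 == 0b0:          # 0xxxxxxx
        cls, prefix = "A", 8
    elif first >> 6 == 0b10:       # 10xxxxxx
        cls, prefix = "B", 16
    elif first >> 5 == 0b110:      # 110xxxxx
        cls, prefix = "C", 24
    elif first >> 4 == 0b1110:     # 1110xxxx: multicast, no network/host split
        cls, prefix = "D", None
    else:                          # 1111xxxx: reserved
        cls, prefix = "E", None
    result = {"address": dotted, "binary": to_binary(dotted), "class": cls}
    if prefix is not None:
        mask = mask_for(prefix)
        result.update({
            "network_mask": to_dotted(mask),
            "network_address": to_dotted(value & mask),
            "host_address": to_dotted(value & ~mask & 0xFFFFFFFF),
            "addresses": 1 << (32 - prefix),       # size of the classful block, as on the slide
        })
    addr = ipaddress.ip_address(dotted)
    result["private"] = any(addr in block for block in PRIVATE_BLOCKS)
    result["loopback"] = addr in LOOPBACK
    return result


def subnet(dotted: str, prefix: int) -> dict:
    """Finer partition with a subnet mask: network, broadcast and usable hosts for a /prefix."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    value, mask = to_int(dotted), mask_for(prefix)
    network = value & mask
    broadcast = network | (~mask & 0xFFFFFFFF)
    size = 1 << (32 - prefix)
    # /31 (RFC 3021 point-to-point links) and /32 host routes have no network/broadcast pair
    usable = size - 2 if prefix <= 30 else size
    return {"mask": to_dotted(mask), "network": to_dotted(network),
            "broadcast": to_dotted(broadcast), "usable_hosts": usable}


if __name__ == "__main__":
    print(classful("141.48.204.242"))
    print(subnet("141.48.204.242", 26))
```

Note that `classful` reports 65,536 addresses for a class B block, matching the slide's "possible hosts"; `subnet` subtracts the network and broadcast addresses, which is the figure a practitioner actually needs when sizing a segment.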


Address translation

- logical address (DNS): e.g., www.wiwi.uni-halle.de
- Internet address (IP): e.g., 141.48.204.242
- physical address (MAC): e.g., 00-00-39-4C-46-C9

DNS resolves the logical address to the Internet address; ARP resolves the Internet address to the physical address.

MAC = Media Access Control, unique identification of a network card
- consists of 24 Bit manufacturer number and 24 Bit serial number
- e.g., 08-00-20-AE-FD-7E (or 080020AEFD7E)


Demarcation between Internet, Intranet and Extranet

DMZ = DeMilitarized Zone

PSTN = Public Switched Telephone Network

source: Maier, Hädrich, Peinl: Enterprise Knowledge Infrastructures, p. 120


Requirements for secure communication

- confidentiality: the message is not accessible to third persons
- authenticity: the sender of a message is uniquely identifiable
- integrity: the message has not been changed on its way to the receiver
- liability (non-repudiation): the sender cannot deny authorship of the message, the receiver cannot deny receipt of the message


Potential security threats

- Data loss: important data was intentionally deleted or lost by accident
- Data manipulation: intentionally falsifying documents, e.g., balance sheets or software code
- Unauthorized access: business secrets get into the hands of third parties
- Abuse of resources: hardware or software of a company gets used for improper purposes, e.g., using the company Internet access to download private music files
- Downtime: infrastructural services that are needed permanently are not available, so that financial damage (e.g., by losing productive work time) or image damage (e.g., through unavailability of the Web site) occurs
- Concrete attacks: e.g., denial-of-service, viruses, spam

source: Maier, Hädrich, Peinl: Enterprise Knowledge Infrastructures, p. 127ff


Conceptual comparison of PPTP and IPsec

source: Maier, Hädrich, Peinl: Enterprise Knowledge Infrastructures, p. 133ff


Example of asymmetric encryption

[Figure: Alice (sender) and Bob (receiver), connected by an insecure transmission channel. Alice encrypts the message with Bob's public key and creates a signature with her own private key (the hash value of the message, encrypted with Alice's private key). Message and signature are transmitted. Bob decrypts the message with his own private key, decrypts the signature with Alice's public key and compares the result with the hash value of the received message. Result of the comparison: the message is unchanged and was sent by Alice.]


Example: tasks of a certification authority (CA)

[Figure: Alice (sender), Bob (receiver) and the certification authority, which maintains a certificate revocation list]

1. Alice applies for a certificate at the certification authority
2. The certification authority issues the certificate
3a. Alice puts her private key into a safe place (key store)
3b. Alice puts her public key on her home page
4. Alice writes and signs the message
5. Alice sends the message to Bob
6. Bob downloads the certificate revocation list from the certification authority
7. Bob verifies the signature: the message is unchanged and was sent by Alice
8. Bob verifies the certificate: the certificate is valid and not revoked
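The two preceding slides (the asymmetric encryption example and the tasks of a certification authority) as one runnable flow. This is an added example, not code from the slides or the book, and it is deliberately a toy: textbook RSA without padding, with fixed publicly known Mersenne primes standing in for the secret random primes of a real key generation, a SHA-256 digest reduced mod n in place of a padding scheme, and a Python set as the certificate revocation list. Names (`alice@example.org`), the serial number and the message are constructed. What the block does show faithfully is which key is used at which step: Bob's public key for confidentiality, Alice's private key for the signature, the CA's private key over the binding of name and public key, and Bob checking the CA signature and the revocation list before trusting the key in the certificate.

```python
import hashlib
import json

# Fixed, publicly known Mersenne primes instead of secret random primes: toy key sizes chosen
# so that the arithmetic is fast and reproducible. Nothing here is secure; it only shows the flow.
PRIMES = {
    "alice": (2**89 - 1, 2**61 - 1),
    "bob":   (2**127 - 1, 2**107 - 1),
    "ca":    (2**521 - 1, 2**31 - 1),
}
E = 65537


def keygen(name: str) -> dict:
    """Textbook RSA: n = p*q, public exponent e, private exponent d = e^-1 mod (p-1)(q-1)."""
    p, q = PRIMES[name]
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": E, "d": pow(E, -1, phi)}


def public(key: dict) -> dict:
    """The part that may be published (step 3b); 'd' stays in the key store (step 3a)."""
    return {"n": key["n"], "e": key["e"]}


def digest(data: bytes, n: int) -> int:
    # SHA-256 reduced mod n so it fits the toy modulus; real schemes pad instead (PKCS#1 v1.5, PSS).
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(key: dict, data: bytes) -> int:
    """Signature = hash of the data, transformed with the signer's private key."""
    return pow(digest(data, key["n"]), key["d"], key["n"])


def verify(pub: dict, data: bytes, signature: int) -> bool:
    """Undo the transformation with the signer's public key and compare against a fresh hash."""
    return pow(signature, pub["e"], pub["n"]) == digest(data, pub["n"])


def encrypt(pub: dict, message: bytes) -> int:
    """Confidentiality: only the holder of the matching private key can invert this."""
    m = int.from_bytes(message, "big")
    if m >= pub["n"]:
        raise ValueError("message too long for this toy modulus")
    return pow(m, pub["e"], pub["n"])


def decrypt(key: dict, ciphertext: int) -> bytes:
    m = pow(ciphertext, key["d"], key["n"])
    return m.to_bytes((m.bit_length() + 7) // 8, "big")   # leading zero bytes are not preserved


def cert_body(serial: int, subject: str, pub: dict) -> bytes:
    """Canonical encoding of what the CA vouches for: this subject owns this public key."""
    return json.dumps({"serial": serial, "subject": subject, "n": pub["n"], "e": pub["e"]},
                      sort_keys=True).encode()


def issue_certificate(ca_key: dict, serial: int, subject: str, pub: dict) -> dict:
    """Steps 1 and 2: the subject applies, the CA signs the binding of name and public key."""
    return {"serial": serial, "subject": subject, "n": pub["n"], "e": pub["e"],
            "ca_signature": sign(ca_key, cert_body(serial, subject, pub))}


def verify_certificate(ca_pub: dict, cert: dict, crl: set) -> bool:
    """Steps 6 and 8: the CA signature must check out and the serial must not be on the CRL."""
    body = cert_body(cert["serial"], cert["subject"], cert)
    return verify(ca_pub, body, cert["ca_signature"]) and cert["serial"] not in crl


def exchange(tamper: bool = False, revoke: bool = False) -> dict:
    """Whole flow; `tamper` alters the ciphertext in transit, `revoke` lists Alice's certificate on the CRL."""
    alice, bob, ca = keygen("alice"), keygen("bob"), keygen("ca")
    cert = issue_certificate(ca, serial=1001, subject="alice@example.org", pub=public(alice))  # constructed
    crl = {1001} if revoke else set()
    message = b"Transfer 100 EUR to Bob"            # constructed sample message
    ciphertext = encrypt(public(bob), message)      # Alice uses Bob's public key
    signature = sign(alice, message)                # step 4: Alice uses her own private key
    if tamper:                                      # step 5: modification on the insecure channel
        ciphertext ^= 1
    received = decrypt(bob, ciphertext)             # Bob uses his own private key
    return {
        "certificate_ok": verify_certificate(public(ca), cert, crl),
        "signature_ok": verify({"n": cert["n"], "e": cert["e"]}, received, signature),  # step 7, key from cert
        "plaintext": received,
    }


if __name__ == "__main__":
    print(exchange())
```

Bob takes Alice's public key from the certificate rather than from a download of her home page, which is the point of step 8: without the CA signature and the revocation check, a key on a web page proves nothing about who holds the matching private key.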


Message and channel encryption

- To guarantee secure transmission of a message, either the message itself or the transmission channel can be encrypted
- Message encryption with PGP:
  - Pretty Good Privacy (PGP) is a software program used to encrypt emails
  - Since emails are transmitted over several relay stations without establishing an end-to-end connection from sender to receiver, only message encryption is applicable
  - An asymmetric encryption algorithm is used
- Channel encryption with SSL:
  - Secure Sockets Layer (SSL) is used to encrypt e.g., HTTP connections (HTTP + SSL = HTTPS)
  - HTTPS is used widely in the Internet to secure transactions for online banking and online shopping


Abbreviations A-H

- AES: Advanced Encryption Standard
- ARP: Address Resolution Protocol
- ATM: Asynchronous Transfer Mode
- BAN: Body Area Network
- DES: Data Encryption Standard
- DHCP: Dynamic Host Configuration Protocol
- DNS: Domain Name System
- DSL: Digital Subscriber Line (symmetric SDSL or asymmetric ADSL)
- FDDI: Fiber Distributed Data Interface
- FTP: File Transport Protocol
- HTML: Hypertext Markup Language
- HTTP: Hypertext Transport Protocol



Abbreviations I-N

- IMAP: Interactive Mail Access Protocol
- IP: Internet Protocol
- IPX: Internetwork Packet Exchange
- IrDA: Infrared Data Association
- ISDN: Integrated Service Digital Network
- ISO: International Standardization Organization
- LDAP: Lightweight Directory Access Protocol
- LPD: Line Printer Daemon (UNIX)
- MAC: Media Access Control (address)
- NAT: Network Address Translation
- NetBEUI: NetBIOS Extended User Interface
- NetBIOS: Network Basic Input/Output System
- NIC: Network Interface Card
- NLSP: NetWare Link Services Protocol (NW Link)
- NNTP: Network News Transfer Protocol


Abbreviations O-S

- OSI: Open Systems Interconnection
- OSPF: Open Shortest Path First Protocol
- PAN: Personal Area Network
- POP3: Post Office Protocol version 3
- PPP: Point-to-Point Protocol
- PPTP: Point-to-Point Tunneling Protocol
- RIP: Routing Information Protocol
- RSA: Encryption developed by Rivest, Shamir and Adleman
- SGML: Standard Generalized Markup Language
- (s)sh: (secure) shell
- SMB: Server Message Blocks
- SMTP: Simple Mail Transport Protocol
- SNMP: Simple Network Management Protocol
- SPX: Sequenced Packet Exchange
- SSL: Secure Socket Layer


Abbreviations T-Z

- TCP: Transport Control Protocol
- UDP: User Datagram Protocol
- USB: Universal Serial Bus
- URL: Uniform Resource Locator
- WEP: Wireless Encryption Protocol (for WLAN)
- WPA: Wi-Fi Protected Access
- WLAN: Wireless LAN
- WML: Wireless Markup Language
- XML: eXtensible Markup Language