
Computer Network Security Essentials

The document discusses computer network security, emphasizing the importance of protecting information through confidentiality, integrity, availability, and authenticity. It outlines various types of threats, including interruption, interception, modification, and fabrication, as well as cryptographic methods for securing data. Additionally, it covers operational security measures such as firewalls and intrusion detection systems to safeguard networks from unauthorized access and attacks.

Uploaded by

asefrawebewuket

Computer Network Security
Introduction
We are living in the information age.
We need to keep information about every aspect of our lives.
In other words, information is an asset that has a value like any other
asset. As an asset, information needs to be secured from attacks.
To be secured, information needs to be hidden from
unauthorized access (confidentiality), protected from
unauthorized change (integrity), and available to an authorized
entity when it is needed (availability). This is called network
security.

TCP/IP Protocol Suite 2


Computer and Network Security Requirements
• Confidentiality
  • Requires that information in a computer system be accessible for reading only by authorized parties
  • Message confidentiality or privacy means that the sender and the receiver expect confidentiality.
  • The transmitted message must make sense only to the intended receiver.
• Integrity
  • Assets can be modified by authorized parties only
• Availability
  • Assets must be available to authorized parties
• Authenticity
  • Requires that a computer system be able to verify the identity of a user
Threat, attacker and hacker
• Threat: also called a malicious activity; any potential danger that can harm your system data.
• Hacker: in computing, a hacker is any skilled computer expert who uses their technical knowledge to overcome a technical problem. While “hacker” can refer to any computer programmer,
• Attacker: According to Wikipedia, “In computer and computer networks an attack is any attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of an asset.”
Comparison of threats on web
Types of Threats
• Interruption:
  • An asset of the system is destroyed or becomes unavailable or unusable
  • Attack on availability
  • Destruction of hardware
  • Cutting of a communication line
  • Disabling the file management system
• Interception:
  • An unauthorized party gains access to an asset
  • Attack on confidentiality
  • Capturing data in a network
  • Potentially altering communication pathway
• Modification:
  • An unauthorized party not only gains access but tampers with an asset
  • Attack on integrity
  • Changing values in a data file
  • Altering a program so that it performs differently
  • Modifying the content of messages
• Fabrication:
  • An unauthorized party inserts counterfeit objects into the system
  • Attack on authenticity
  • Insertion of fake messages in a network
  • Addition of records to a file
Ancient Ciphers and Modern Cryptosystems

Cryptography: a word with Greek origins that means "secret writing." However, we use the term to refer to the science and art of transforming messages to make them secure and immune to attacks.

Some terminology in cryptosystems
• plaintext - original message
• cipher text - coded message
• cipher - algorithm for transforming plaintext to cipher text
• key - a set of numbers or information used in the cipher, known only to sender/receiver
• encipher (encrypt) - converting plaintext to cipher text
• decipher (decrypt) - recovering plaintext from cipher text
• cryptanalysis (code breaking) - study of principles/methods of deciphering cipher text without knowing the key
The language of cryptography

[Figure: Alice's encryption key KA, Bob's decryption key KB. plaintext m → encryption algorithm → ciphertext KA(m) → decryption algorithm → plaintext m = KB(KA(m))]

m = plaintext message
KA(m) = ciphertext, which is encrypted with key KA
m = KB(KA(m)): the plaintext message, obtained by decrypting with key KB what was encrypted with key KA
Network Security
Encryption

1. Substitution cipher: substituting one thing for another
• Monoalphabetic cipher: substitute one letter for another
• If key is a=m
plaintext: abcdefghijklmnopqrstuvwxyz
ciphertext: mnbvcxzasdfghjklpoiuytrewq

e.g.: Plaintext: bob. i love you. alice
ciphertext: nkn. s gktc wky. mgsbc

Encryption key: mapping from set of 26 letters to set of 26 letters
Example: Substitution scheme
Encrypt the following sentence, “Let us talk one to one”, where the second row of the following table is the cipher key.

Solution
Plain text : talk one by one
Ciphertext : n1fe ih5 ni ih5

Encryption schemes
2. Additive cipher: the plaintext, ciphertext, and key are integers modulo 26.

Example: encrypt the message “hello” using the additive scheme
• Use the additive cipher with key = 15 and a = 00 to encrypt the plaintext message “hello”.
Solution: if a = 00, then b = 01, c = 02, d = 03, e = 04, … and z = 25.
• We apply the encryption algorithm to the plaintext character by character, adding the key 15 to each character value; for example, h is 07, and (07 + 15) % 26 = 22 % 26 = 22.
• Result: wtaad

Example: decrypt using the additive scheme
Use the additive cipher with key = 15 and a = 00 to decrypt the message “wtaad”.
Solution
Decrypt by subtracting 15 from each ciphertext value, adding 26 when the subtraction gives a negative result (for example, -15 + 26 = 11). Then reduce the result modulo 26; for example, 11 % 26 = 11.

Ciphertext: wtaad
Plain text: hello
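The two substitution schemes above in Python, as an added example that is not part of the original slides. It treats the additive cipher as a monoalphabetic cipher whose key alphabet is a rotation, and `additive_candidates` lists every possible decryption, which shows that the additive key space has only 26 entries. Function names are assumptions; the key alphabet and messages are the ones on the slides.

```python
import string

ALPHABET = string.ascii_lowercase
PAGE_KEY = "mnbvcxzasdfghjklpoiuytrewq"  # key alphabet from the slide (a=m, b=n, ...)


def make_tables(cipher_alphabet):
    """Build (encrypt, decrypt) translation tables from a 26-letter key."""
    if sorted(cipher_alphabet) != list(ALPHABET):
        raise ValueError("key must use each of the 26 letters exactly once")
    return (str.maketrans(ALPHABET, cipher_alphabet),
            str.maketrans(cipher_alphabet, ALPHABET))


def additive_key(shift):
    """Key alphabet of the additive cipher: a=00 maps to the letter at `shift`."""
    shift %= 26
    return ALPHABET[shift:] + ALPHABET[:shift]


def encrypt(text, cipher_alphabet):
    # Characters outside a-z (spaces, punctuation) pass through unchanged.
    return text.lower().translate(make_tables(cipher_alphabet)[0])


def decrypt(text, cipher_alphabet):
    return text.lower().translate(make_tables(cipher_alphabet)[1])


def additive_candidates(ciphertext):
    """Decrypt under all 26 additive keys: the cipher's entire key space."""
    return {k: decrypt(ciphertext, additive_key(k)) for k in range(26)}


if __name__ == "__main__":
    print(encrypt("bob. i love you. alice", PAGE_KEY))
    print(encrypt("hello", additive_key(15)))
    print(additive_candidates("wtaad")[15])
```

A general monoalphabetic key is any permutation of the 26 letters, so its key space is 26! rather than 26.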


Transposition cipher: reorder symbols

[Figure: keyed transposition of columns (labels: Columns, Downward, upward). The same grids appear on the sending and the receiving side.]

Plaintext: enemy attacks tonight z

Sender: write row by row (receiver: read row by row)
e n e m y
a t t a c
k s t o n
i g h t z

After reordering the columns
E E M Y N
T A A C T
T K O N S
H I T Z G

Sender: read column by column (receiver: write column by column)
Ciphertext (transmission): ETTHE AKIMA OTYCN ZNTSG
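The transposition above in Python, as an added example that is not part of the original slides. The column order `(3, 1, 4, 5, 2)` is not stated on the page; it is inferred from the two grids shown, and the function names are assumptions.

```python
# Output column i takes input column KEY[i] (1-based).
# Assumption: inferred from the slide's grids (e n e m y -> E E M Y N).
KEY = (3, 1, 4, 5, 2)


def encrypt(plaintext, key=KEY, pad="z"):
    """Write row by row, reorder the columns, read column by column."""
    n = len(key)
    text = plaintext.replace(" ", "").lower()
    text += pad * (-len(text) % n)          # pad the last row, as the slide does with 'z'
    rows = [text[i:i + n] for i in range(0, len(text), n)]
    permuted = [[row[k - 1] for k in key] for row in rows]
    return "".join(row[c] for c in range(n) for row in permuted).upper()


def decrypt(ciphertext, key=KEY):
    """Write column by column, undo the column order, read row by row."""
    n = len(key)
    text = ciphertext.replace(" ", "")
    if len(text) % n:
        raise ValueError("ciphertext length must be a multiple of the key length")
    depth = len(text) // n
    cols = [text[c * depth:(c + 1) * depth] for c in range(n)]
    rows = []
    for r in range(depth):
        row = [""] * n
        for c, k in enumerate(key):
            row[k - 1] = cols[c][r]         # put each symbol back in its original column
        rows.append("".join(row))
    return "".join(rows).lower()


if __name__ == "__main__":
    ct = encrypt("enemy attacks tonight")
    print(ct)
    print(decrypt(ct))
```

The letters of the plaintext are all still present in the ciphertext; only their positions change, which is what distinguishes transposition from substitution.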
Categories of Cryptography

• Symmetric-key cryptography
  • is based on sharing a secret
• Asymmetric-key cryptography
  • Asymmetric-key ciphers use two different keys.
  • A public key for encryption (shared with everyone) and a private key for decryption (kept secret)

• Symmetric-key cryptography
  • Symmetric-key algorithms are generally much faster to execute than asymmetric-key algorithms.
  • The secret key must be exchanged between the parties, which use the same key for encryption and decryption


Types of Symmetric-key cryptography
1. Data Encryption Standard (DES):
  • is a symmetric encryption algorithm with a fixed key length of 56 bits.
  • It is susceptible (weak) to brute-force attacks
  • encrypts data in 64-bit blocks.
  • It can be easily implemented and accelerated in hardware
2. Triple Data Encryption Standard (3DES)
  • The technique of applying DES three times in a row to a plaintext block is called Triple DES (3DES).
  • Brute-force attacks on 3DES are considered infeasible.
  • When a message is to be encrypted with 3DES, a method called EDE (encrypt-decrypt-encrypt) is used.
  Triple Data Encryption Standard (3DES): steps
  • Step 1: The message is encrypted with the first 56-bit key, K1.
  • Step 2: The data is decrypted with a second 56-bit key, K2.
  • Step 3: The data is again encrypted with the third 56-bit key, K3.
  • In total, 3DES uses a 168-bit key, which is more secure than DES
3. Advanced Encryption Standard (AES)
  • A trusted encryption algorithm that secures data by converting it into an unreadable format. It uses various key lengths: 128, 192, 256.
  • AES is more efficient and much faster than both DES and 3DES, and it is more secure because of its key length.
Public Key Cryptography

Generally, public key crypto:
• radically different approach
• sender, receiver do not share secret key
• public encryption key known to all
• private decryption key known only to receiver
Two IPsec protocols in network layer

• Authentication Header (AH) protocol
  • provides source authentication & data integrity but not confidentiality
• Encapsulation Security Protocol (ESP)
  • provides source authentication, data integrity, and confidentiality
  • more widely used than AH
Operational Network security:
1. Firewalls and
2. IDS (Intrusion Detection System)

Firewalls
• A firewall is a network security device designed to monitor, filter, and control incoming and outgoing network traffic based on predetermined security rules.
• It isolates the organization’s internal net from the larger Internet, allowing some packets to pass and blocking others.

[Figure: a firewall between the administered network (trusted “good guys”) and the public Internet (untrusted “bad guys”)]
Why do we need firewalls?
• To prevent denial of service attacks
• To prevent illegal modification/access of internal data
• To allow only authorized access to the inside network

Generally there are three types of firewalls:
• stateless packet filters
• stateful packet filters
• application gateways
Stateless packet filtering

• internal network connected to Internet via router firewall
• router filters packet-by-packet, decision to forward/drop packet based on:
  • source IP address, destination IP address
  • TCP/UDP source and destination port numbers

Stateless packet filtering: example
• example 1: block incoming and outgoing datagrams with IP protocol field = 17 and with either source or dest port = 23
• result: all incoming, outgoing UDP flows and telnet connections are blocked
Stateless packet filtering: more examples

| Policy | Firewall Setting |
|---|---|
| No outside Web access. | Drop all outgoing packets to any IP address, port 80 |
| No incoming TCP connections, except those for institution’s public Web server only. | Drop all incoming TCP SYN packets to any IP except [Link], port 80 |
| Prevent Web-radios from eating up the available bandwidth. | Drop all incoming UDP packets - except DNS and router broadcasts. |
| Prevent your network from being used for a DoS attack. | Drop all ICMP packets going to a “broadcast” address (e.g. [Link]). |
| Prevent your network from being tracerouted | Drop all outgoing ICMP expired traffic |
Stateful packet filtering

• stateful packet filter: track status of every TCP connection
  • track connection setup (SYN): determine whether incoming, outgoing packets “make sense”
  • timeout inactive connections at firewall.
Stateful packet filtering…
• ACL (Access Control List) augmented to indicate need to check connection state table before admitting packet

| action | source address | dest address | proto | source port | dest port | flag bit | check conxion |
|---|---|---|---|---|---|---|---|
| allow | 222.22/16 | outside of 222.22/16 | TCP | > 1023 | 80 | any | |
| allow | outside of 222.22/16 | 222.22/16 | TCP | 80 | > 1023 | ACK | x |
| allow | 222.22/16 | outside of 222.22/16 | UDP | > 1023 | 53 | --- | |
| allow | outside of 222.22/16 | 222.22/16 | UDP | 53 | > 1023 | ---- | x |
| deny | all | all | all | all | all | all | |
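The ACL above evaluated against a connection state table, as an added Python example that is not part of the original slides. The packet dictionary fields, the class and function names and the 60-second inactivity timeout are assumptions; rows marked x under "check conxion" admit a packet only when an earlier outbound packet created matching state.

```python
import ipaddress

INSIDE = ipaddress.ip_network("222.22.0.0/16")  # the slide's 222.22/16


def side(addr):
    return "in" if ipaddress.ip_address(addr) in INSIDE else "out"


def high(p):
    return p > 1023


def port(n):
    return lambda p: p == n


# (source, dest, proto, source-port test, dest-port test, flag bit, check conxion)
ACL = [
    ("in",  "out", "TCP", high,     port(80), None,  False),
    ("out", "in",  "TCP", port(80), high,     "ACK", True),
    ("in",  "out", "UDP", high,     port(53), None,  False),
    ("out", "in",  "UDP", port(53), high,     None,  True),
]


class StatefulFilter:
    def __init__(self, timeout=60):
        self.timeout = timeout  # seconds of inactivity before state expires (assumed)
        self.table = {}         # (proto, in_ip, in_port, out_ip, out_port) -> last seen

    def decide(self, pkt, now):
        for src, dst, proto, sport_ok, dport_ok, flag, check in ACL:
            if (side(pkt["src"]), side(pkt["dst"]), pkt["proto"]) != (src, dst, proto):
                continue
            if not (sport_ok(pkt["sport"]) and dport_ok(pkt["dport"])):
                continue
            if flag and flag not in pkt.get("flags", ()):
                continue
            if check:  # inbound row: a live connection entry must already exist
                key = (proto, pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
                seen = self.table.get(key)
                if seen is None or now - seen > self.timeout:
                    self.table.pop(key, None)
                    continue
            else:      # outbound row: create or refresh the connection entry
                key = (proto, pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
            self.table[key] = now
            return "allow"
        return "deny"  # final "deny all" row
```

An inbound packet from port 80 with the ACK bit set passes a stateless filter with the same rows; here it is denied unless the inside host opened that connection first.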

Application gateways
• Filters packets on application data as well as on IP/TCP/UDP fields.
• Example: allow select internal users to telnet outside.

[Figure: host-to-gateway telnet session, application gateway, router and filter, gateway-to-remote host telnet session]

1. Require all telnet users to telnet through gateway.
2. For authorized users, gateway sets up telnet connection to dest host.
3. Gateway relays data between 2 connections
4. Router filter blocks all telnet connections not originating from gateway.
Intrusion detection systems
• Intrusion: an illegitimate user gains access to someone else’s computer systems.
• Intrusion detection is a technology for detecting intrusion incidents.
• Closing TCP and UDP ports that may be exploited by intruders can also help reduce intrusions

IDS: intrusion detection system
• deep packet inspection: look at packet contents (e.g., check character strings in packet against database of known virus, attack strings)
• examine correlation among multiple packets
  • port scanning
  • network mapping
  • DoS: Denial of Service
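Correlation among multiple packets, as an added Python example that is not part of the original slides: a sliding-window check that flags a source sending SYNs to many distinct ports of one host. The log format, addresses, thresholds and function names are constructed for illustration.

```python
from collections import defaultdict

PORTS = (21, 22, 23, 25, 80, 110, 443)

# Constructed sample log: "<seconds> <src-ip> <dst-ip> <dst-port> <tcp-flag>"
SAMPLE_LOG = "\n".join(
    # one source touching seven ports in under three seconds
    [f"{i * 0.4:.1f} 198.51.100.7 222.22.1.10 {p} S" for i, p in enumerate(PORTS)]
    # an ordinary client opening several connections to the web port
    + [f"{i * 1.0:.1f} 203.0.113.5 222.22.1.10 80 S" for i in range(8)]
    # a source touching the same seven ports, one every 30 seconds
    + [f"{i * 30.0:.1f} 203.0.113.9 222.22.1.10 {p} S" for i, p in enumerate(PORTS)]
)


def parse(log):
    for line in log.splitlines():
        if line.strip():
            t, src, dst, dport, flag = line.split()
            yield float(t), src, dst, int(dport), flag


def detect_port_scans(log, window=10.0, max_ports=5):
    """Return {src: sorted ports} for sources whose SYNs reach more than
    max_ports distinct ports on one host within `window` seconds."""
    recent = defaultdict(list)   # (src, dst) -> [(time, port)] inside the window
    alerts = {}
    for t, src, dst, dport, flag in parse(log):
        if flag != "S":          # only connection attempts are counted
            continue
        q = recent[(src, dst)]
        q.append((t, dport))
        while t - q[0][0] > window:
            q.pop(0)             # forget attempts older than the window
        ports = {p for _, p in q}
        if len(ports) > max_ports:
            alerts.setdefault(src, set()).update(ports)
    return {src: sorted(p) for src, p in alerts.items()}


if __name__ == "__main__":
    print(detect_port_scans(SAMPLE_LOG))
```

No single packet in the sample is unusual on its own; the alert comes only from counting distinct ports per source over time, and a slower source stays under the default window.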

Intrusion detection systems
• Multiple IDSs: different types of checking at different locations
• demilitarized zone: a physical or logical subnetwork that separates an internal LAN from other untrusted networks, usually the Internet

[Figure: Internet, firewall, internal network, IDS sensors, and a demilitarized zone containing the Web server, FTP server and DNS server]
Methods of Defence
• Encryption
• Software Controls (access limitations in a data base, in operating system protect each user from other users)
• Hardware Controls (smartcard)
• Policies (frequent changes of passwords)
• Physical Controls

Henric Johnson 36
Thank you!!!
