6/3/2021

Network Security

Outline
• Virtual private networks
• Firewall
• Intrusion detection system
Friends and enemies: Alice, Bob, Trudy
• Well known in the network security world
• Bob and Alice want to communicate “securely”
• Trudy (intruder) may intercept, delete, add messages

[Figure: Alice (secure sender) and Bob (secure receiver) exchange data and control messages over a channel; Trudy sits on that channel.]

Network security objectives
• Confidentiality: only the sender and the intended receiver should “understand” message contents
   • sender encrypts message
   • receiver decrypts message
• Authentication: sender and receiver want to confirm each other's identity
• Message integrity: sender and receiver want to ensure the message is not altered (in transit, or afterwards) without detection
• Access and availability: services must be accessible and available to users
Firewalls
Firewall
Isolates an organization's internal net from the larger Internet, allowing some packets to pass, blocking others.

[Figure: administered network | firewall | public Internet]

Firewall Example: Application gateways
• Also known as application proxy or application-level proxy
• An application gateway is a type of firewall that provides application-level control over network traffic.
• It is an application program that runs on a firewall system between two networks.
• It filters traffic against application-level rules, so that the application data being transmitted can be allowed or denied.
Firewall Example: Application gateways
• Application gateways can be used to deny untrusted users on the Internet access to the resources of private networks.
• Example network applications include File Transfer Protocol (FTP), Telnet, Real Time Streaming Protocol (RTSP) and BitTorrent.
• Application gateways examine incoming packets at the application level and then use proxies to create secure sessions with remote users.

Firewall Example: Application gateways
• Filters packets on application data as well as on IP/TCP/UDP fields.
• Example: allow select internal users to telnet outside.
   1. Require all telnet users to telnet through the gateway.
   2. For authorized users, the gateway sets up a telnet connection to the destination host and relays data between the 2 connections.
   3. The router filter blocks all telnet connections not originating from the gateway.

[Figure: host-to-gateway telnet session, application gateway, router and filter, gateway-to-remote-host telnet session]
Firewall Example: Application gateways
• When a client program establishes a connection to a destination service, it connects to an application gateway, or proxy.
• The client then negotiates with the proxy server in order to communicate with the destination service.
• In effect, the proxy establishes the connection with the destination and acts on behalf of the client, hiding and protecting the individual computers on the network behind the firewall.
• Two connections are created:
   – one between the client and the proxy server
   – and another one between the proxy server and the destination.

Firewall Example: Application gateways
• Once connected, the proxy makes all packet-forwarding decisions.
• Since all communication is conducted through the proxy server, the computers behind the firewall are protected: the destination only ever sees the proxy's address, and the proxy can apply per-user policy before it relays anything.
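The telnet-through-gateway procedure (steps 1 to 3) and the two-connection model above, as an added example that is not part of the slides. The gateway authenticates the user on the host-to-gateway connection, opens the gateway-to-remote-host connection itself, and relays bytes between the two; `router_allows` is step 3, the router rule that drops any TCP/23 flow not sourced from the gateway. Everything here is an assumption made for the demonstration: the `USER <name>` first line stands in for real authentication, the allow-list and the gateway address 10.0.0.2 are made up, and an echo server on loopback stands in for the outside telnet host.

```python
import socket
import threading

GATEWAY_IP = "10.0.0.2"               # assumed address of the gateway host
AUTHORIZED_USERS = {"alice", "bob"}   # assumed users allowed to telnet outside
TELNET_PORT = 23

def router_allows(src_ip, dst_port, proto="tcp"):
    """Step 3: the router filter drops every telnet (TCP/23) connection that
    does not originate from the gateway; everything else passes this rule."""
    if proto == "tcp" and dst_port == TELNET_PORT:
        return src_ip == GATEWAY_IP
    return True

def _readline(sock, limit=256):
    """Read one line a byte at a time so that nothing after the newline is
    swallowed by a buffer: the relay below must see every later byte."""
    buf = bytearray()
    while not buf.endswith(b"\n") and len(buf) < limit:
        b = sock.recv(1)
        if not b:
            break
        buf += b
    return bytes(buf)

def _relay(src, dst):
    """Copy bytes one way until the source closes, then tear both sockets down."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        for s in (src, dst):
            try:
                s.shutdown(socket.SHUT_RDWR)
            except OSError:
                pass

def _serve_client(client, dest_addr):
    """Steps 1 and 2: the host-to-gateway connection starts with a user check
    (a stand-in for real authentication). Only for an authorized user does the
    gateway open the second, gateway-to-remote-host connection and relay."""
    line = _readline(client).decode("ascii", "replace").strip()
    if not line.startswith("USER ") or line[5:] not in AUTHORIZED_USERS:
        client.sendall(b"denied\r\n")
        client.close()
        return
    remote = socket.create_connection(dest_addr)   # the proxy, not the client, talks to the destination
    client.sendall(b"connected\r\n")
    threading.Thread(target=_relay, args=(remote, client), daemon=True).start()
    _relay(client, remote)

def _listener(handler):
    """Bind an OS-chosen loopback port and serve each connection in a thread."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen()

    def loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handler, args=(conn,), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()

def start_echo_server():
    """Stand-in for the remote telnet host: echoes whatever it receives."""
    return _listener(lambda conn: _relay(conn, conn))

def start_gateway(dest_addr):
    """Start the application gateway in front of dest_addr; returns (host, port)."""
    return _listener(lambda conn: _serve_client(conn, dest_addr))

def telnet_via_gateway(gw_addr, user, payload, timeout=5.0):
    """Client side: identify to the gateway, then talk to the remote host through
    it. Returns the bytes echoed back, or None if the gateway refused the user."""
    with socket.create_connection(gw_addr, timeout=timeout) as c:
        c.sendall(b"USER " + user.encode("ascii") + b"\r\n")
        if _readline(c) != b"connected\r\n":
            return None
        c.sendall(payload)
        got = b""
        while len(got) < len(payload):
            chunk = c.recv(len(payload) - len(got))
            if not chunk:
                break
            got += chunk
        return got

if __name__ == "__main__":
    gw = start_gateway(start_echo_server())
    print("alice:", telnet_via_gateway(gw, "alice", b"hello\r\n"))
    print("mallory:", telnet_via_gateway(gw, "mallory", b"hello\r\n"))
    print("router lets 10.0.0.7 -> :23 through?", router_allows("10.0.0.7", 23))
```

Note that the client never holds a socket to the destination: the only TCP connection to the outside world belongs to the gateway, which is exactly what the router rule in step 3 relies on.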
Intrusion detection systems
• An intrusion detection system (IDS) inspects all inbound and outbound network activity and identifies suspicious patterns that may indicate a network or system attack from someone attempting to break into or compromise a system.
• Packet filtering:
   – Operates on TCP/IP headers only
   – No correlation check among sessions
• IDS: intrusion detection system
   – Deep packet inspection: look at packet contents (e.g., check character strings in the packet against a database of known virus and attack strings)
   – Can also correlate across packets and sessions (e.g., one source probing many ports), which a stateless packet filter cannot

Intrusion detection systems
• Multiple IDSs: different types of checking at different locations

[Figure: internal network, IDS sensors, application gateway, firewall, Internet; demilitarized zone containing Web, FTP and DNS servers]
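The contrast drawn above, as an added example that is not part of the slides: a packet filter that decides from IP/TCP headers alone, one packet at a time, next to an IDS that does deep packet inspection on the payload and correlates SYNs across sessions. The packets, the DMZ web server address (192.0.2.10), the allow-list and the signature list are all constructed for the demonstration.

```python
import socket
import struct

def make_packet(src, dst, sport, dport, payload=b"", flags=0x18):
    """Build a minimal IPv4+TCP packet (no options, checksums left zero) so the
    demonstration has realistic bytes to parse. Constructed test data only."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0,
                     64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp + payload

def parse(packet):
    """Split a packet into the header fields a packet filter looks at and the
    TCP payload that only deep packet inspection looks at."""
    ihl = (packet[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    doff = (packet[ihl + 12] >> 4) * 4
    return {
        "src": socket.inet_ntoa(packet[12:16]),
        "dst": socket.inet_ntoa(packet[16:20]),
        "proto": packet[9],
        "sport": sport,
        "dport": dport,
        "syn": bool(packet[ihl + 13] & 0x02),
        "payload": packet[ihl + doff:],
    }

# --- packet filter: a stateless decision on headers only -------------------
DMZ_WEB = "192.0.2.10"                              # assumed DMZ web server
ALLOWED_INBOUND = {(DMZ_WEB, 80), (DMZ_WEB, 443)}   # assumed policy

def packet_filter(packet):
    """Allow inbound TCP only to the DMZ web ports. The payload is never
    consulted, and nothing is remembered from one packet to the next."""
    h = parse(packet)
    return h["proto"] == 6 and (h["dst"], h["dport"]) in ALLOWED_INBOUND

# --- IDS: deep packet inspection plus correlation across sessions ----------
SIGNATURES = {                                      # constructed signature list
    b"/etc/passwd": "path traversal attempt",
    b"' OR 1=1": "SQL injection attempt",
    b"\x90" * 8: "NOP sled (possible shellcode)",
}

class IDS:
    def __init__(self, scan_threshold=5):
        self.scan_threshold = scan_threshold
        self.targets = {}     # src -> set of (dst, dport) it has sent SYNs to
        self.alerts = []

    def inspect(self, packet):
        """Return the alerts this packet raises (also kept in self.alerts)."""
        h = parse(packet)
        new = []
        for pattern, name in SIGNATURES.items():       # deep packet inspection
            if pattern in h["payload"]:
                new.append((h["src"], name))
        if h["syn"]:                                   # cross-session correlation
            seen = self.targets.setdefault(h["src"], set())
            seen.add((h["dst"], h["dport"]))
            if len(seen) == self.scan_threshold:
                new.append((h["src"], "port scan: SYNs to %d distinct ports" % len(seen)))
        self.alerts.extend(new)
        return new

def run_demo():
    """Run both devices over constructed traffic; returns (filter verdicts, IDS alerts)."""
    packets = [
        make_packet("198.51.100.5", DMZ_WEB, 40001, 80, b"GET /index.html HTTP/1.0\r\n\r\n"),
        make_packet("198.51.100.7", DMZ_WEB, 40002, 80, b"GET /../../etc/passwd HTTP/1.0\r\n\r\n"),
        make_packet("198.51.100.7", DMZ_WEB, 40003, 80, b"user=admin' OR 1=1--"),
    ]
    # one outside host sends a SYN to five different DMZ ports: each packet
    # looks harmless on its own, the pattern across them does not
    packets += [make_packet("203.0.113.9", DMZ_WEB, 50000 + p, p, flags=0x02)
                for p in (21, 22, 23, 25, 80)]
    ids = IDS()
    verdicts = [packet_filter(p) for p in packets]
    for p in packets:
        ids.inspect(p)
    return verdicts, ids.alerts
```

The filter passes the path-traversal and injection requests because port 80 to the web server is allowed and that is all it can see; the IDS flags both from the payload, and flags the scanner only after it has remembered SYNs from the same source to five ports, something a per-packet header check has no state for.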
Virtual Private Networks (VPN)
• A VPN is a private data network that makes use of the public telecommunication infrastructure, such as the Internet, by adding security procedures over the insecure communication channels.
• The security procedures that involve encryption are achieved through the use of a tunneling protocol.
• There are two types of VPNs:
   – Remote access, which lets single users connect to the protected company network
   – Site-to-site, which supports connections between two protected company networks.
• In either mode, VPN technology gives a company the facilities of expensive private leased lines at much lower cost by using shared public infrastructure like the Internet.
Virtual Private Networks (VPN)
• The two components of a VPN are:
   – Two terminators:
       • Perform encryption, decryption and authentication services.
       • They also encapsulate the information.
       • They are either software or hardware.
   – A tunnel:
       • The tunnel is a secure communication link between the end-points, carried across networks such as the Internet.
       • This tunnel is virtually created by the end-points.

Virtual Private Networks (VPN)
• VPN technology must do the following:
   – IP encapsulation:
       • This involves enclosing TCP/IP data packets within another packet whose IP address is that of a firewall or a server acting as a VPN end-point.
       • This encapsulation of the host IP address helps in hiding the host: only the end-points' addresses are visible on the public network.
   – Encryption is done on the data part of the packet. In the encapsulated (tunnel) form that data part is the entire inner packet, headers included, so the inner addresses are hidden as well; an integrity check (a MAC or an authenticated cipher) is what lets the receiving end-point detect a packet altered in transit.
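IP encapsulation and encryption between two terminators, as an added example that is not part of the slides; it also exercises the confidentiality and message-integrity objectives from the start of the deck (Trudy's one-bit change is rejected). Assumptions: site A's terminator is 203.0.113.1 in front of 10.1.0.0/16, site B's is 198.51.100.1 in front of 10.2.0.0/16 (documentation addresses), the outer header uses ESP's protocol number 50 but the payload layout (nonce, ciphertext, tag) is this example's own and not real ESP, and the HMAC-SHA256 counter-mode keystream plus HMAC tag stand in for a standardized AEAD such as AES-GCM so the code runs on the standard library alone.

```python
import hashlib
import hmac
import os
import socket
import struct

OUTER_PROTO = 50        # ESP's IP protocol number, used for the outer header only
NONCE_LEN = 12
TAG_LEN = 16

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal IPv4 header, no options; the checksum is left zero here."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def addresses(packet):
    """(source, destination) of an IPv4 packet, as dotted strings."""
    return socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])

class Terminator:
    """One VPN end-point. It knows its own public address, its peer's, and a
    shared secret from which separate encryption and MAC keys are derived."""

    def __init__(self, public_ip, peer_ip, shared_secret):
        self.public_ip, self.peer_ip = public_ip, peer_ip
        self.enc_key = hmac.new(shared_secret, b"enc", hashlib.sha256).digest()
        self.mac_key = hmac.new(shared_secret, b"mac", hashlib.sha256).digest()

    def _keystream(self, nonce, n):
        """HMAC-SHA256 in counter mode: a stand-in for a real cipher (AES-GCM)."""
        blocks = [hmac.new(self.enc_key, nonce + struct.pack("!I", i), hashlib.sha256).digest()
                  for i in range((n + 31) // 32)]
        return b"".join(blocks)[:n]

    def _tag(self, body):
        return hmac.new(self.mac_key, body, hashlib.sha256).digest()[:TAG_LEN]

    def encapsulate(self, inner_packet, nonce=None):
        """Encrypt the whole inner IP packet, append an integrity tag, and put an
        outer IP header carrying only the two terminators' addresses in front."""
        nonce = nonce if nonce is not None else os.urandom(NONCE_LEN)
        ks = self._keystream(nonce, len(inner_packet))
        body = nonce + bytes(a ^ b for a, b in zip(inner_packet, ks))
        payload = body + self._tag(body)
        return ipv4_header(self.public_ip, self.peer_ip, OUTER_PROTO, len(payload)) + payload

    def decapsulate(self, outer_packet):
        """Accept only packets addressed to us; verify the tag before decrypting;
        return the original inner packet, or None if anything is wrong."""
        if outer_packet[9] != OUTER_PROTO or addresses(outer_packet)[1] != self.public_ip:
            return None
        payload = outer_packet[20:]
        body, tag = payload[:-TAG_LEN], payload[-TAG_LEN:]
        if not hmac.compare_digest(tag, self._tag(body)):
            return None                      # altered in transit (or wrong key)
        nonce, ct = body[:NONCE_LEN], body[NONCE_LEN:]
        return bytes(a ^ b for a, b in zip(ct, self._keystream(nonce, len(ct))))

def demo():
    """Site A host 10.1.0.5 sends to site B host 10.2.0.7 through the tunnel."""
    secret = b"pre-shared secret for the demo"            # assumed shared secret
    site_a = Terminator("203.0.113.1", "198.51.100.1", secret)
    site_b = Terminator("198.51.100.1", "203.0.113.1", secret)
    data = b"GET / HTTP/1.0\r\n\r\n"                      # constructed payload
    inner = ipv4_header("10.1.0.5", "10.2.0.7", 6, len(data)) + data
    outer = site_a.encapsulate(inner)
    tampered = bytearray(outer)
    tampered[40] ^= 0x01                                 # Trudy flips one ciphertext bit
    return {
        "inner": inner,
        "outer": outer,
        "outer_addresses": addresses(outer),
        "received": site_b.decapsulate(outer),
        "tampered_received": site_b.decapsulate(bytes(tampered)),
        "wrong_endpoint": site_a.decapsulate(outer),
    }
```

What crosses the Internet carries only 203.0.113.1 and 198.51.100.1 in its header; the inner source, destination and payload exist only inside the ciphertext, and the receiving terminator checks the tag before it decrypts, so a modified packet is discarded rather than decrypted into garbage and forwarded.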