Srinivas University BCA V Semester

UNIT-IV
NETWORK AND IP SECURITY
4.1 Network Security
Network Security is vital in protecting client data and information, keeping shared data secure
and ensuring reliable access and network performance as well as protection from cyber threats. A
well designed network security solution reduces overhead expenses and safeguards organizations
from costly losses that occur from a data breach or other security incident. Ensuring legitimate
access to systems, applications and data enables business operations and delivery of services and
products to customers.
Types of Network Security Protections
Firewall: Firewalls control incoming and outgoing traffic on networks, with predetermined
security rules. Firewall keep out unfriendly traffic and is a necessary part of daily computing.
Network Security relies heavily on Firewalls, and especially Next Generation Firewalls, which
focus on blocking malware and application-layer attacks.
Network Segmentation
Network segmentation defines boundaries between network segments where assets within the
group have a common function, risk or role within an organization. For instance, the perimeter
gateway segments a company network from the Internet. Potential threats outside the network
are prevented, ensuring that an organization‘s sensitive data remains inside. Organizations can go
further by defining additional internal boundaries within their network, which can provide
improved security and access control.

What is Access Control?

Access control defines the people or groups and the devices that have access to network
applications and systems thereby denying unsanctioned access, and maybe threats. Integrations
with Identity and Access Management (IAM) products can strongly identify the user and Role-
based Access Control (RBAC) policies ensure the person and device are authorized access to the
asset.
Remote Access VPN: Remote access VPN provides remote and secure access to a company
network to individual hosts or clients, such as telecommuters, mobile users, and extranet
consumers. Each host typically has VPN client software loaded or uses a web-based client.
Privacy and integrity of sensitive information is ensured through multi-factor authentication,
endpoint compliance scanning, and encryption of all transmitted data.

Zero Trust Network Access (ZTNA)

The zero trust security model states that a user should only have the access and permissions that
they require to fulfill their role. This is a very different approach from that provided by
traditional security solutions, like VPNs, that grant a user full access to the target network. Zero
trust network access (ZTNA) also known as software-defined perimeter (SDP) solutions permits
granular access to an organization‘s applications from users who require that access to perform
their duties.

Email Security: Email security refers to any processes, products, and services designed to
protect your email accounts and email content safe from external threats. Most email service
providers have built-in email security features designed to keep you secure, but these may not be
enough to stop cybercriminals from accessing your information.

Cryptography and Network Security Page 1

Srinivas University BCA V Semester

Data Loss Prevention (DLP): Data loss prevention (DLP) is a cybersecurity methodology that
combines technology and best practices to prevent the exposure of sensitive information outside
of an organization, especially regulated data such as personally identifiable information (PII) and
compliance related data: HIPAA, SOX, PCI DSS, etc.

Intrusion Prevention Systems (IPS): IPS technologies can detect or prevent network security
attacks such as brute force attacks, Denial of Service (DoS) attacks and exploits of known
vulnerabilities. A vulnerability is a weakness for instance in a software system and an exploit is
an attack that leverages that vulnerability to gain control of that system. When an exploit is
announced, there is often a window of opportunity for attackers to exploit that vulnerability
before the security patch is applied. An Intrusion Prevention System can be used in these cases to
quickly block these attacks.

Sandboxing: Sandboxing is a cybersecurity practice where you run code or open files in a safe,
isolated environment on a host machine that mimics end-user operating environments.
Sandboxing observes the files or code as they are opened and looks for malicious behavior to
prevent threats from getting on the network. For example malware in files such as PDF,
Microsoft Word, Excel and PowerPoint can be safely detected and blocked before the files reach
an unsuspecting end user.

Hyperscale Network Security

Hyperscaleis the ability of an architecture to scale appropriately, as increased demand is added to
the system. This solution includes rapid deployment and scaling up or down to meet changes in
network security demands. By tightly integrating networking and compute resources in a
software-defined system, it is possible to fully utilize all hardware resources available in a
clustering solution.

Cloud Network Security

Applications and workloads are no longer exclusively hosted on-premises in a local data center.
Protecting the modern data center requires greater flexibility and innovation to keep pace with
the migration of application workloads to the cloud. Software-defined Networking (SDN) and
Software-defined Wide Area Network (SD-WAN) solutions enable network security solutions in
private, public, hybrid and cloud-hosted Firewall-as-a-Service (FWaaS) deployments.
Robust Network Security Will Protect Against
Virus: A virus is a malicious, downloadable file that can lay dormant that replicates itself by
changing other computer programs with its own code. Once it spreads those files are infected and
can spread from one computer to another, and/or corrupt or destroy network data.
Worms: Can slow down computer networks by eating up bandwidth as well as the slow the
efficiency of your computer to process data. A worm is a standalone malware that can propagate
and work independently of other files, where a virus needs a host program to spread.
Trojan: A trojan is a backdoor program that creates an entryway for malicious users to access
the computer system by using what looks like a real program, but quickly turns out to be
harmful. A trojan virus can delete files, activate other malware hidden on your computer
network, such as a virus and steal valuable data.

Cryptography and Network Security Page 2

Srinivas University BCA V Semester

Spyware: Much like its name, spyware is a computer virus that gathers information about a
person or organization without their express knowledge and may send the information gathered
to a third party without the consumer‘s consent.
Adware: Can redirect your search requests to advertising websites and collect marketing data
about you in the process so that customized advertisements will be displayed based on your
search and buying history.
Ransomware: This is a type of trojan cyberware that is designed to gain money from the person
or organization‘s computer on which it is installed by encrypting data so that it is unusable,
blocking access to the user‘s system.

Threats in Networks – Who Attacks Networks?

A network attack is an attempt to gain unauthorized access to an organization‘s network, with the
objective of stealing data or perform other malicious activity. There are two main types of
network attacks:
Passive: Attackers gain access to a network and can monitor or steal sensitive information, but
without making any change to the data, leaving it intact.
Active: Attackers not only gain unauthorized access but also modify data, either deleting,
encrypting or otherwise harming it.
We distinguish network attacks from several other types of attacks:
Endpoint attacks: gaining unauthorized access to user devices, servers or other endpoints,
typically compromising them by infecting them with malware.
Malware attacks: infecting IT resources with malware, allowing attackers to compromise
systems, steal data and do damage. These also include ransomware attacks.
Vulnerabilities, exploits and attacks: exploiting vulnerabilities in software used in the
organization, to gain unauthorized access, compromise or sabotage systems.
Advanced persistent threats: these are complex multilayered threats, which include network
attacks but also other attack types.
In a network attack, attackers are focused on penetrating the corporate network perimeter and
gaining access to internal systems. Very often, once inside attackers will combine other types of
attacks, for example compromising an endpoint, spreading malware or exploiting a vulnerability
in a system within the network.
What are the Common Types of Network Attacks?
Following are common threat vectors attackers can use to penetrate your network.
1. Unauthorized access
Unauthorized access refers to attackers accessing a network without receiving permission.
Among the causes of unauthorized access attacks are weak passwords, lacking protection against
social engineering, previously compromised accounts, and insider threats.
2. Distributed Denial of Service (DDoS) attacks
Attackers build botnets, large fleets of compromised devices, and use them to direct false traffic
at your network or servers. DDoS can occur at the network level, for example by sending huge
volumes of SYN/ACC packets which can overwhelm a server, or at the application level, for
example by performing complex SQL queries that bring a database to its knees.
3. Man in the middle attacks
A man in the middle attack involves attackers intercepting traffic, either between your network
and external sites or within your network. If communication protocols are not secured or

Cryptography and Network Security Page 3

Srinivas University BCA V Semester

attackers find a way to circumvent that security, they can steal data that is being transmitted,
obtain user credentials and hijack their sessions.
4. Code and SQL injection attacks
Many websites accept user inputs and fail to validate and sanitize those inputs. Attackers can
then fill out a form or make an API call, passing malicious code instead of the expected data
values. The code is executed on the server and allows attackers to compromise it.
5. Privilege escalation
Once attackers penetrate your network, they can use privilege escalation to expand their reach.
Horizontal privilege escalation involves attackers gaining access to additional, adjacent systems,
and vertical escalation means attackers gain a higher level of privileges for the same systems.
6. Insider threats: A network is especially vulnerable to malicious insiders, who already have
privileged access to organizational systems. Insider threats can be difficult to detect and protect
against, because insiders do not need to penetrate the network in order to do harm. New
technologies like User and Even Behavioral Analytics (UEBA) can help identify suspicious or
anomalous behavior by internal users, which can help identify insider attacks.
Network Protection Best Practices
Segregate Your Network
A basic part of avoiding network security threats is dividing a network into zones based on
security requirements. This can be done using subnets within the same network, or by creating
Virtual Local Area Networks (VLANs), each of which behaves like a complete separate
network. Segmentation limits the potential impact of an attack to one zone, and requires attackers
to take special measures to penetrate and gain access to other network zones.
Regulate Access to the Internet via Proxy Server
Do not allow network users to access the Internet unchecked. Pass all requests through a
transparent proxy, and use it to control and monitor user behavior. Ensure that outbound
connections are actually performed by a human and not a bot or other automated mechanism.
Whitelist domains to ensure corporate users can only access websites you have explicitly
approved.
Place Security Devices Correctly
Place a firewall at every junction of network zones, not just at the network edge. If you can‘t
deploy full-fledged firewalls everywhere, use the built-in firewall functionality of your switches
and routers. Deploy anti-DDoS devices or cloud services at the network edge. Carefully consider
where to place strategic devices like load balancers – if they are outside the Demilitarized Zone
(DMZ), they won‘t be protected by your network security apparatus.
Use Network Address Translation
Network Address Translation (NAT) lets you translate internal IP addresses into addresses
accessible on public networks. You can use it to connect multiple computers to the Internet using
a single IP address. This provides an extra layer of security, because any inbound or outgoing
traffic has to go through a NAT device, and there are fewer IP addresses which makes it difficult
for attackers to understand which host they are connecting to.
Monitor Network Traffic
Ensure you have complete visibility of incoming, outgoing and internal network traffic, with the
ability to automatically detect threats, and understand their context and impact. Combine data
from different security tools to get a clear picture of what is happening on the network,
recognizing that many attacks span multiple IT systems, user accounts and threat vectors.

Cryptography and Network Security Page 4

Srinivas University BCA V Semester

Achieving this level of visibility can be difficult with traditional security tools. Cynet 360 is an
integrated security solution offering advanced network analytics, which continuously monitors
network traffic, automatically detect malicious activity, and either respond to it automatically or
pass context-rich information to security staff.
Use Deception Technology
No network protection measures are 100% successful, and attackers will eventually succeed in
penetrating your network. Recognize this and place deception technology in place, which creates
decoys across your network, tempting attackers to ―attack‖ them, and letting you observe their
plans and techniques. You can use decoys to detect threats in all stages of the attack lifecycle:
data files, credentials and network connections.
Cynet 360 is an integrated security solution with built-in deception technology, which provides
both off-the-shelf decoy files and the ability to create decoys to meet your specific security
needs. , while taking into account your environment‘s security needs.

4.2 Threats in Transit: Eavesdropping and Wiretapping

An attacker can gather a significant amount of information about a victim before beginning the
actual attack. Once the planning is done, the attacker is ready to proceed. In this section we turn
to the kinds of attacks that can occur. An attacker has many ways by which to harm in a
computing environment: loss of confidentiality, integrity, or availability to data, hardware or
software, processes, or other assets. Because a network involves data in transit, we look first at
the harm that can occur between a sender and a receiver.
The easiest way to attack is simply to listen in. An attacker can pick off the content of a
communication passing in the clear. The term eavesdrop implies overhearing without expending
any extra effort. For example, we might say that an attacker (or a system administrator) is
eavesdropping by monitoring all traffic passing through a node. The administrator might have a
legitimate purpose, such as watching for inappropriate use of resources (for instance, visiting
non-work-related web sites from a company network) or communication with inappropriate
parties (for instance, passing files to an enemy from a military computer).
A more hostile term is wiretap, which means intercepting communications through some effort.
Passive wiretapping is just "listening," much like eavesdropping. But active wiretapping means
injecting something into the communication. For example, Marvin could replace Manny's
communications with his own or create communications purported to be from Manny. Originally
derived from listening in on telegraph and telephone communications, the term wiretapping
usually conjures up a physical act by which a device extracts information as it flows over a wire.
But in fact no actual contact is necessary. A wiretap can be done covertly so that neither the
sender nor the receiver of a communication knows that the contents have been intercepted.
Wiretapping works differently depending on the communication medium used. Let us look more
carefully at each possible choice.

Cable
At the most local level, all signals in an Ethernet or other LAN are available on the cable for
anyone to intercept. Each LAN connector (such as a computer board) has a unique address; each
board and its drivers are programmed to label all packets from its host with its unique address (as
a sender's "return address") and to take from the net only those packets addressed to its host. But
removing only those packets addressed to a given host is mostly a matter of politeness; there is
little to stop a program from examining each packet as it goes by. A device called a packet

Cryptography and Network Security Page 5

Srinivas University BCA V Semester

sniffer can retrieve all packets on the LAN. Alternatively, one of the interface cards can be
reprogrammed to have the supposedly unique address of another existing card on the LAN so
that two different cards will both fetch packets for one address. (To avoid detection, the rogue
card will have to put back on the net copies of the packets it has intercepted.) Fortunately (for
now), LANs are usually used only in environments that are fairly friendly, so these kinds of
attacks occur infrequently.
Clever attackers can take advantage of a wire's properties and read packets without any physical
manipulation. Ordinary wire (and many other electronic components) emit radiation. By a
process called inductance an intruder can tap a wire and read radiated signals without making
physical contact with the cable. A cable's signals travel only short distances, and they can be
blocked by other conductive materials. The equipment needed to pick up signals is inexpensive
and easy to obtain, so inductance threats are a serious concern for cable-based networks. For the
attack to work, the intruder must be fairly close to the cable; this form of attack is thus limited to
situations with reasonable physical access.

If the attacker is not close enough to take advantage of inductance, then more hostile measures
may be warranted. The easiest form of intercepting a cable is by direct cut. If a cable is severed,
all service on it stops. As part of the repair, an attacker can easily splice in a secondary cable that
then receives a copy of all signals along the primary cable. There are ways to be a little less
obvious but accomplish the same goal. For example, the attacker might carefully expose some of
the outer conductor, connect to it, then carefully expose some of the inner conductor and connect
to it. Both of these operations alter the resistance, called the impedance, of the cable. In the first
case, the repair itself alters the impedance, and the impedance change can be explained (or
concealed) as part of the repair. In the second case, a little social engineering can explain the
change. ("Hello, this is Matt, a technician with Bignetworks. We are changing some equipment
on our end, and so you might notice a change in impedance.")
Signals on a network are multiplexed, meaning that more than one signal is transmitted at a
given time. For example, two analog (sound) signals can be combined, like two tones in a
musical chord, and two digital signals can be combined by interleaving, like playing cards being
shuffled. A LAN carries distinct packets, but data on a WAN may be heavily multiplexed as it
leaves its sending host. Thus, a wiretapper on a WAN needs to be able not only to intercept the
desired communication but also to extract it from the others with which it is multiplexed. While
this can be done, the effort involved means it will be used sparingly.

Microwave
Microwave signals are not carried along a wire; they are broadcast through the air, making them
more accessible to outsiders. Typically, a transmitter's signal is focused on its corresponding
receiver. The signal path is fairly wide, to be sure of hitting the receiver. From a security
standpoint, the wide swath is an invitation to mischief. Not only can someone intercept a
microwave transmission by interfering with the line of sight between sender and receiver,
someone can also pick up an entire transmission from an antenna located close to but slightly off
the direct focus point.
A microwave signal is usually not shielded or isolated to prevent interception. Microwave is,
therefore, a very insecure medium. However, because of the large volume of traffic carried by
microwave links, it is unlikely but not impossible that someone will be able to separate an

Cryptography and Network Security Page 6

Srinivas University BCA V Semester

individual transmission from all the others interleaved with it. A privately owned microwave
link, carrying only communications for one organization, is not so well protected by volume.

Satellite Communication
Satellite communication has a similar problem of being dispersed over an area greater than the
intended point of reception. Different satellites have different characteristics, but some signals
can be intercepted in an area several hundred miles wide and a thousand miles long. Therefore,
the potential for interception is even greater than with microwave signals. However, because
satellite communications are generally heavily multiplexed, the risk is small that any one
communication will be intercepted.

Optical Fiber
Optical fiber offers two significant security advantages over other transmission media. First, the
entire optical network must be tuned carefully each time a new connection is made. Therefore,
no one can tap an optical system without detection. Clipping just one fiber in a bundle will
destroy the balance in the network.
Second, optical fiber carries light energy, not electricity. Light does not emanate a magnetic
field as electricity does. Therefore, an inductive tap is impossible on an optical fiber cable. Just
using fiber, however, does not guarantee security, any more than does using encryption. The
repeaters, splices, and taps along a cable are places at which data may be available more easily
than in the fiber cable itself. The connections from computing equipment to the fiber may also be
points for penetration. By itself, fiber is much more secure than cable, but it has vulnerabilities
too.

Wireless
Wireless networking is becoming very popular, with good reason. With wireless (also known as
WiFi), people are not tied to a wired connection; they are free to roam throughout an office,
house, or building while maintaining a connection. Universities, offices, and even home users
like being able to connect to a network without the cost, difficulty, and inconvenience of running
wires. The difficulties of wireless arise in the ability of intruders to intercept and spoof a
connection.

As we noted earlier, wireless communications travel by radio. In the United States, wireless
computer connections share the same frequencies as garage door openers, local radios (typically
used as baby monitors), some cordless telephones, and other very short distance applications.
Although the frequency band is crowded, few applications are expected to be on the band from
any single user, so contention or interference is not an issue.

But the major threat is not interference; it is interception. A wireless signal is strong for
approximately 100 to 200 feet. To appreciate those figures, picture an ordinary ten-story office
building, ten offices "wide" by five offices "deep," similar to many buildings in office parks or
on university campuses. Assume you set up a wireless base station (receiver) in the corner of the
top floor. That station could receive signals transmitted from the opposite corner of the ground
floor. If a similar building were adjacent, the signal could also be received throughout that
building, too. Few people would care to listen to someone else's baby monitor, but many people
could and do take advantage of a passive or active wiretap of a network connection.

Cryptography and Network Security Page 7

Srinivas University BCA V Semester

A strong signal can be picked up easily. And with an inexpensive, tuned antenna, a wireless
signal can be picked up several miles away. In other words, someone who wanted to pick up
your particular signal could do so from several streets away. Parked in a truck or van, the
interceptor could monitor your communications for quite some time without arousing suspicion.

Interception
Interception of wireless traffic is always a threat, through either passive or active wiretapping.
This illustrates how software faults may make interception easier than you might think. You may
react to that threat by assuming that encryption will address it. Unfortunately, encryption is not
always used for wireless communication, and the encryption built into some wireless devices is
not as strong as it should be to deter a dedicated attacker.

Theft of Service
Wireless also admits a second problem: the possibility of rogue use of a network connection.
Many hosts run the Dynamic Host Configuration Protocol (DHCP), by which a client negotiates
a one -time IP address and connectivity with a host. This protocol is useful in office or campus
settings, where not all users (clients) are active at any time. A small number of IP addresses can
be shared among users. Essentially the addresses are available in a pool. A new client requests a
connection and an IP address through DHCP, and the server assigns one from the pool.

This scheme admits a big problem with authentication. Unless the host authenticates users before
assigning a connection, any requesting client is assigned an IP address and network access.
(Typically, this assignment occurs before the user on the client workstation actually identifies
and authenticates to a server, so there may not be an authenticatable identity that the DHCP
server can demand.) The situation is so serious that in some metropolitan areas a map is
available, showing many networks accepting wireless connections.

Protocol Flaws
Internet protocols are publicly posted for scrutiny by the entire Internet community. Each
accepted protocol is known by its Request for Comment (RFC) number. Many problems with
protocols have been identified by sharp reviewers and corrected before the protocol was
established as a standard.
But protocol definitions are made and reviewed by fallible humans. Likewise, protocols are
implemented by fallible humans. For example, TCP connections are established through
sequence numbers. The client (initiator) sends a sequence number to open a connection, the
server responds with that number and a sequence number of its own, and the client responds with
the server's sequence number. That person could impersonate the client in an interchange.
Sequence numbers are incremented regularly, so it can be easy to predict the next number.

Impersonation
When we hear of ―impersonation,‖ we think of the act of deceiving someone by pretending to be
another person. In the context of social engineering and cyber security, impersonation has
evolved into a dangerous form of cyber-attack. Cyber criminals have been using it to gain access
to networks and systems to commit fraud and identity theft and sell data to the highest bidder on
the dark web.

Cryptography and Network Security Page 8

Srinivas University BCA V Semester

Criminals known as ―pretexters‖ use the art of impersonation in many ways, playing the role of a
trusted individual to deceive their victims and gain access to sensitive information. The practice
of ―pretexting‖ is defined as presenting oneself as someone else to manipulate a recipient into
providing sensitive data such as passwords, credit card numbers, or other confidential
information.
Pretexting is also a common practice for gaining access to restricted systems or services.
Impersonators can play many roles during their careers, such as fellow employees, technicians,
IT support, auditors or managers. For a successful attack, the impersonator needs to carefully
research his target. Impersonation attacks take many forms and can target both individuals and
business entities.
Online Impersonation
Impersonating people online does not immediately classify as a criminal offence. For example,
although there are no federal online impersonation laws established yet, nine out of the 50 states
in the U.S. have legislation on the subject. In Texas, the act of using the name, online identity or
persona of another individual to defraud, harass, intimidate or threaten can be considered a
misdemeanor or third-degree felony punishable by a hefty fine, ban on using Internet-capable
devices or prison.
Online impersonation does not necessarily lead to fraud. Victims can experience defamation or
extreme embarrassment. More and more social media platforms see impersonation as a violation
of their terms of service and policy. According to Twitter‖s impersonation policy, ―accounts that
pose as another person, brand, or organization in a confusing or deceptive manner may be
permanently suspended.‖ Facebook says it does not condone this type of behavior in the
community and encourages users to report a profile or page that does not comply with their
policy.
Email impersonation and vishing (voice phishing)
The act of sending phony emails that appear to come from a reputable source to gain personal
information is known as email phishing. To convince recipients that the message is real,
attackers can impersonate well-known institutions (public or private) or individuals such as a co-
worker or boss.
Companies are a more profitable target for impersonation emails, in crimes such as business
email compromise (BEC), CEO fraud and whaling attacks. Attackers use emails carefully
tailored to look like they come from business owners, executives or human resources personnel,
asking their target to carry out money transfers, pay invoices, or send important data.
In most cases, criminals rely on spoofing the email address and display name. The attacker
chooses the name of a high-ranking individual from a business and sets up an email that looks
similar to the victim‖s. Impersonators can use publicly available information such as a name
from LinkedIn to target people in an organization.
Commonly known as phone scams, vishing is also a popular attack vector among impersonators.
The phone call can be from someone pretending to be represent a bank, credit card company,
debt collector, healthcare provider and pretty much any other service or financial institution.
Tips to protect against impersonation attacks
Fighting online impersonation can be very difficult. Social media platforms and websites are
riddled with personal identifiable information, and a threat actor only needs basic access to this
information to impersonate you. A name or phone number will sometimes suffice. Constantly
monitoring your digital footprint and social media accounts is necessary.

Cryptography and Network Security Page 9

Srinivas University BCA V Semester

When it comes to email impersonation attacks, awareness is key. Perpetrators can play the role
of a friend and send you an email asking you to click on a link, download an attachment or
transfer money. If you see an email from a friend that fits the M.O., call your friend and ask if
the message is legit. The same goes for emails or phone calls from ―your bank‖ or financial
institution that ask you to provide sensitive information over the phone or via a ―secure link‖.
Be suspicious about unsolicited messages and keep in mind that banks will usually call you in
the office to fill out any additional info. Double-check the email address before responding to
any requests and immediately report or flag it if suspicious. Email security solutions that block
spam or malicious attachments before reaching your computer have become a necessity.
Businesses and employees should always be vigilant and make sure that requests are verified
with the appropriate department. The IT department will not call to ask for the username and
password of your workstation to deliver a patch for your system. Workshops and training
employees on email best practices can also help filter out malicious content. If in doubt of the
validity of a request or unsure of authorization permission of an individual, contact a manager or
report the situation to the security staff on premise.
Both organizations and average users rely on a security solution that can protect them from
online phishing, fraud and malware attacks.
The ubiquity of social media complicates our ability to control our digital footprint, and our
identity. We no longer have the luxury of data privacy. Most online data is now public by default
and going private requires much effort.

4.3 Network Security Controls – Architecture

Networks must have security embedded into their very design. Network security architecture
provides a basis for an organization‘s cyber defenses and helps to protect all of the company‘s IT
assets. Here, we discuss the components of network security architecture, how it benefits
businesses, and different models for creating a secure network architecture.
Elements of Network Security Architecture
Network security architecture includes both network and security elements, such as the
following:
Network Elements: Network nodes (computers, routers, etc.), communications protocols
(TCP/IP, HTTP, DNS, etc.), connection media (wired, wireless), and topologies (bus, star, mesh,
etc.).
Security Elements: Cybersecurity devices and software, secure communications protocols (e.g.
IPsec VPN and TLS), and data privacy technologies (classification, encryption, key
management, etc.).
The Purpose of Network Security Architecture
Well-designed cybersecurity architecture enables businesses to maintain resiliency in the face of
a cyberattack or a failure of one or more components of their infrastructure. The architecture
should be optimized for daily use during normal business operations and prepare the company to
handle reasonable bursts, spikes, or surges in traffic and to appropriately manage potential cyber
threats to the organization.
How Does a Security Architect Create Network Security Architecture?
A security architect is responsible for identifying and working to prevent potential cyber threats
to an organization‘s network and systems. As part of their role, security architects should
develop a network and security architecture that provides the visibility and control necessary to
identify and respond to cyber threats to an organization‘s systems. This includes developing a

Cryptography and Network Security Page 10

Srinivas University BCA V Semester

plan for locating security controls to maximize their benefit to the company. Defines a process
for developing a network security architecture that includes four primary phases:

Assess: This phase of the process is for business and architecture reviews. The key steps in this
phase include data capture, business modeling, and risk assessments.
Design: This phase is intended to develop a response to the requirements and to build
customized logical design blueprints and recommendations.
Implement: This phase is for professional services, partners, etc. to add low-level design details
and deliver statement-of-works for real-world solutions.
Manage: This phase is geared towards continuous development and incremental improvements
of the security posture.
Network Security Architecture Frameworks
Network security architectures can be designed based on a few different frameworks. Two of the
most widely used models include zero trust and the Sherwood Applied Business Security
Architecture (SABSA).
Zero Trust
The zero trust security model is designed to replace traditional, perimeter-based security models
that place implicit trust in users, devices, and applications inside of the network. Zero trust
eliminates the network perimeter by treating all devices as potential threats regardless of their
location.
With zero trust architecture, all requests for access to corporate resources are evaluated on a
case-by-case basis. If the request is deemed legitimate based on role-based access controls
(RBACs) and other contextual data, then access is granted only to the requested asset at the
requested level for the duration of the current session.
A zero trust security architecture provides deep visibility and control over the actions performed
within the corporate network. This is accomplished using a combination of strong authentication
systems, including multi-factor authentication (MFA), and granular access control implemented
using micro-segmentation.
The Sherwood Applied Business Security Architecture (SABSA)
SABSA is a model for developing a security architecture based upon risk and business security
needs. The model identifies business security requirements at the beginning of the process and
works to trace them throughout the entire process of designing, implementing, and maintaining a
security architecture.
SABSA includes a matrix for security infrastructure modeling. This includes multiple different
layers (contextual, conceptual, logical, physical, component, and operational) and questions to be
asked (what, why, how, who, where, and when). At each intersection, the model defines the
component of the security architecture that should address that question at that layer.
Architecting Network Security with Check Point
For nearly thirty years, Check Point has set the standard for cybersecurity. Across the ever-
evolving digital world, from enterprise networks through cloud transformations, from securing
remote employees to defending critical infrastructures, we protect organizations from the most
imminent cyber threats.
Encryption
Encryption is a way of scrambling data so that only authorized parties can understand the
information. In technical terms, it is the process of converting human-readable plaintext to
incomprehensible text, also known as ciphertext. In simpler terms, encryption takes readable data

Cryptography and Network Security Page 11

Srinivas University BCA V Semester

and alters it so that it appears random. Encryption requires the use of a cryptographic key: a set
of mathematical values that both the sender and the recipient of an encrypted message agree on.
Although encrypted data appears random, encryption proceeds in a logical, predictable way,
allowing a party that receives the encrypted data and possesses the right key to decrypt the data,
turning it back into plaintext. Truly secure encryption will use keys complex enough that a third
party is highly unlikely to decrypt or break the ciphertext by brute force — in other words, by
guessing the key.
Data can be encrypted "at rest," when it is stored, or "in transit," while it is being transmitted
somewhere else.
Properties of Trustworthy Encryption Systems
1. It is based on sound mathematics:
Good cryptographic algorithms are not just invented. They are derived from solid principles.
2. It has been analyzed by competent experts and found to be sound even the best cryptographic
experts can think of only so many possible attacks. The developers may become too convinced
of the strength of their own algorithm. A review by critical outside experts is essential.
3. It has stood the ―test of time‖.
As new algorithm gains popularity, people continue to review both its mathematical foundations
and the way that it builds upon those foundations.
Although a long period of successful use and analysis is not a guarantee of a good algorithm, the
flaws in many algorithms are discovered relative soon after their release.
Three algorithms are popular in the commercial world, namely
DES (data encryption standard),
RSA (Rivest-Shamir-Adelman),
AES (advanced encryption standard).
Encryption Systems are classified based on types of Key and based on block. Based on key two
classifications are
1. Symmetric Key Encryption-Same key (Public key) used for both Encryption and
Decryption
2. Asymmetric Key Encryption-For Encryption and Decryption two separate key are used
(Public key and Private Key)
Based on block two classifications are
1. Stream Cipher - characters are processed one at a time.
2. Block Cipher - A fixed size block is extracted from the whole plain text and then, the
character is processed one at a time. We will start to see the significance of this
classification once we start digging into the algorithm demonstrations.

Virtual Private Network

VPN stands for Virtual Private Network and describes the opportunity to establish a protected
network connection when using public networks. VPNs encrypt your internet traffic and disguise
your online identity. This makes it more difficult for third parties to track your activities online
and steal data. The encryption takes place in real time.
How does a VPN work?
A VPN hides your IP address by letting the network redirect it through a specially configured
remote server run by a VPN host. This means that if you surf online with a VPN, the VPN server
becomes the source of your data. This means your Internet Service Provider (ISP) and other third
parties cannot see which websites you visit or what data you send and receive online. A VPN

Cryptography and Network Security Page 12

Srinivas University BCA V Semester

works like a filter that turns all your data into "gibberish". Even if someone were to get their
hands on your data, it would be useless.
What are the benefits of a VPN connection?
A VPN connection disguises your data traffic online and protects it from external access.
Unencrypted data can be viewed by anyone who has network access and wants to see it. With a
VPN, hackers and cyber criminals can‘t decipher this data.
Secure encryption: To read the data, you need an encryption key. Without one, it would take
millions of years for a computer to decipher the code in the event of a brute force attack. With
the help of a VPN, your online activities are hidden even on public networks.
Disguising your whereabouts: VPN servers essentially act as your proxies on the internet.
Because the demographic location data comes from a server in another country, your actual
location cannot be determined. In addition, most VPN services do not store logs of your
activities. Some providers, on the other hand, record your behavior, but do not pass this
information on to third parties. This means that any potential record of your user behavior
remains permanently hidden.
Access to regional content: Regional web content is not always accessible from everywhere.
Services and websites often contain content that can only be accessed from certain parts of the
world. Standard connections use local servers in the country to determine your location. This
means that you cannot access content at home while traveling, and you cannot access
international content from home. With VPN location spoofing, you can switch to a server to
another country and effectively ―change‖ your location.
Secure data transfer: If you work remotely, you may need to access important files on your
company‘s network. For security reasons, this kind of information requires a secure connection.
To gain access to the network, a VPN connection is often required. VPN services connect to
private servers and use encryption methods to reduce the risk of data leakage.
Why should you use a VPN connection?
Your ISP usually sets up your connection when you connect to the internet. It tracks you via an
IP address. Your network traffic is routed through your ISP's servers, which can log and display
everything you do online.
Your ISP may seem trustworthy, but it may share your browsing history with advertisers, the
police or government, and/or other third parties. ISPs can also fall victim to attacks by cyber
criminals: If they are hacked, your personal and private data can be compromised.
This is especially important if you regularly connect to public Wi-Fi networks. You never know
who might be monitoring your internet traffic and what they might steal from you, including
passwords, personal data, payment information, or even your entire identity.
What should a good VPN do?
You should rely on your VPN to perform one or more tasks. The VPN itself should also be
protected against compromise. These are the features you should expect from a comprehensive
VPN solution:
Encryption of your IP address: The primary job of a VPN is to hide your IP address from your
ISP and other third parties. This allows you to send and receive information online without the
risk of anyone but you and the VPN provider seeing it.
Encryption of protocols: A VPN should also prevent you from leaving traces, for example, in
the form of your internet history, search history and cookies. The encryption of cookies is
especially important because it prevents third parties from gaining access to confidential
information such as personal data, financial information and other content on websites.

Cryptography and Network Security Page 13

Srinivas University BCA V Semester

Kill switch: If your VPN connection is suddenly interrupted, your secure connection will also be
interrupted. A good VPN can detect this sudden downtime and terminate preselected programs,
reducing the likelihood that data is compromised.
Two-factor authentication: By using a variety of authentication methods, a strong VPN checks
everyone who tries to log in. For example, you might be prompted to enter a password, after
which a code is sent to your mobile device. This makes it difficult for uninvited third parties to
access your secure connection.
What kinds of VPNs are there?
There are many different types of VPNs, but you should definitely be familiar with the three
main types:
SSL VPN
Often not all employees of a company have access to a company laptop they can use to work
from home. During the corona crisis in Spring 2020, many companies faced the problem of not
having enough equipment for their employees. In such cases, use of a private device (PC, laptop,
tablet, mobile phone) is often resorted to. In this case, companies fall back on an SSL-VPN
solution, which is usually implemented via a corresponding hardware box.
The prerequisite is usually an HTML-5-capable browser, which is used to call up the company's
login page. HTML-5 capable browsers are available for virtually any operating system. Access is
guarded with a username and password.
Site-to-site VPN
A site-to-site VPN is essentially a private network designed to hide private intranets and allow
users of these secure networks to access each other's resources.
A site-to-site VPN is useful if you have multiple locations in your company, each with its own
local area network (LAN) connected to the WAN (Wide Area Network). Site-to-site VPNs are
also useful if you have two separate intranets between which you want to send files without users
from one intranet explicitly accessing the other.
Site-to-site VPNs are mainly used in large companies. They are complex to implement and do
not offer the same flexibility as SSL VPNs. However, they are the most effective way to ensure
communication within and between large departments.
Client-to-Server VPN
Connecting via a VPN client can be imagined as if you were connecting your home PC to the
company with an extension cable. Employees can dial into the company network from their
home office via the secure connection and act as if they were sitting in the office. However, a
VPN client must first be installed and configured on the computer.
This involves the user not being connected to the internet via his own ISP, but establishing a
direct connection through his/her VPN provider. This essentially shortens the tunnel phase of the
VPN journey. Instead of using the VPN to create an encryption tunnel to disguise the existing
internet connection, the VPN can automatically encrypt the data before it is made available to the
user.
This is an increasingly common form of VPN, which is particularly useful for providers of
insecure public WLAN. It prevents third parties from accessing and compromising the network
connection and encrypts data all the way to the provider. It also prevents ISPs from accessing
data that, for whatever reason, remains unencrypted and bypasses any restrictions on the user's
internet access (for instance, if the government of that country restricts internet access).
The advantage of this type of VPN access is greater efficiency and universal access to company
resources. Provided an appropriate telephone system is available, the employee can, for example,

Cryptography and Network Security Page 14

Srinivas University BCA V Semester

connect to the system with a headset and act as if he/she were at their company workplace. For
example, customers of the company cannot even tell whether the employee is at work in the
company or in their home office.

4.4 Public Key Infrastructure (PKI) and Certificates

The most distinct feature of Public Key Infrastructure (PKI) is that it uses a pair of keys to
achieve the underlying security service. The key pair comprises of private key and public key.
Since the public keys are in open domain, they are likely to be abused. It is, thus, necessary to
establish and maintain some kind of trusted infrastructure to manage these keys.
Key Management
It goes without saying that the security of any cryptosystem depends upon how securely its keys
are managed. Without secure procedures for the handling of cryptographic keys, the benefits of
the use of strong cryptographic schemes are potentially lost.
It is observed that cryptographic schemes are rarely compromised through weaknesses in their
design. However, they are often compromised through poor key management.
There are some important aspects of key management which are as follows −
Cryptographic keys are nothing but special pieces of data. Key management refers to the secure
administration of cryptographic keys.
Key management deals with entire key lifecycle as depicted in the following illustration −

There are two specific requirements of key management for public key cryptography.
Secrecy of private key: Throughout the key lifecycle, secret keys must remain secret from all
parties except those who are owner and are authorized to use them.
Assurance of public keys: In public key cryptography, the public keys are in open domain and
seen as public pieces of data. By default there are no assurances of whether a public key is
correct, with whom it can be associated, or what it can be used for. Thus key management of
public keys needs to focus much more explicitly on assurance of purpose of public keys.
Cryptography and Network Security Page 15
Srinivas University BCA V Semester

The most crucial requirement of ‗assurance of public key‘ can be achieved through the public-
key infrastructure (PKI), a key management systems for supporting public-key cryptography.
Public Key Infrastructure (PKI)
PKI provides assurance of public key. It provides the identification of public keys and their
distribution. An anatomy of PKI comprises of the following components.
Public Key Certificate, commonly referred to as ‗digital certificate‘.
Private Key tokens.
 Certification Authority.
 Registration Authority.
 Certificate Management System.
 Digital Certificate
For analogy, a certificate can be considered as the ID card issued to the person. People use ID
cards such as a driver's license, passport to prove their identity. A digital certificate does the
same basic thing in the electronic world, but with one difference.
Digital Certificates are not only issued to people but they can be issued to computers, software
packages or anything else that need to prove the identity in the electronic world.
Digital certificates are based on the ITU standard X.509 which defines a standard certificate
format for public key certificates and certification validation. Hence digital certificates are
sometimes also referred to as X.509 certificates.
Public key pertaining to the user client is stored in digital certificates by The Certification
Authority (CA) along with other relevant information such as client information, expiration date,
usage, issuer etc.
CA digitally signs this entire information and includes digital signature in the certificate.
Anyone who needs the assurance about the public key and associated information of client, he
carries out the signature validation process using CA‘s public key. Successful validation assures
that the public key given in the certificate belongs to the person whose details are given in the
certificate.
The process of obtaining Digital Certificate by a person/entity is depicted in the following
illustration.
As shown in the illustration, the CA accepts the application from a client to certify his public
key. The CA, after duly verifying identity of client, issues a digital certificate to that client.
Certifying Authority (CA)
As discussed above, the CA issues certificate to a client and assist other users to verify the
certificate. The CA takes responsibility for identifying correctly the identity of the client asking
for a certificate to be issued, and ensures that the information contained within the certificate is
correct and digitally signs it.
Key Functions of CA
The key functions of a CA are as follows −
Generating key pairs − The CA may generate a key pair independently or jointly with the client.
Issuing digital certificates − The CA could be thought of as the PKI equivalent of a passport
agency − the CA issues a certificate after client provides the credentials to confirm his identity.
The CA then signs the certificate to prevent modification of the details contained in the
certificate.
Publishing Certificates − The CA need to publish certificates so that users can find them. There
are two ways of achieving this. One is to publish certificates in the equivalent of an electronic

Cryptography and Network Security Page 16

Srinivas University BCA V Semester

telephone directory. The other is to send your certificate out to those people you think might
need it by one means or another.

Verifying Certificates − The CA makes its public key available in environment to assist
verification of his signature on clients‘ digital certificate.
Revocation of Certificates − At times, CA revokes the certificate issued due to some reason such
as compromise of private key by user or loss of trust in the client. After revocation, CA
maintains the list of all revoked certificate that is available to the environment.
Classes of Certificates
There are four typical classes of certificate −
Class 1 − These certificates can be easily acquired by supplying an email address.
Class 2 − These certificates require additional personal information to be supplied.
Class 3 − These certificates can only be purchased after checks have been made about the
requestor‘s identity.
Class 4 − They may be used by governments and financial organizations needing very high
levels of trust.
Registration Authority (RA)
CA may use a third-party Registration Authority (RA) to perform the necessary checks on the
person or company requesting the certificate to confirm their identity. The RA may appear to the
client as a CA, but they do not actually sign the certificate that is issued.
Certificate Management System (CMS)
It is the management system through which certificates are published, temporarily or
permanently suspended, renewed, or revoked. Certificate management systems do not normally
delete certificates because it may be necessary to prove their status at a point in time, perhaps for

Cryptography and Network Security Page 17

Srinivas University BCA V Semester

legal reasons. A CA along with associated RA runs certificate management systems to be able to
track their responsibilities and liabilities.
Private Key Tokens
While the public key of a client is stored on the certificate, the associated secret private key can
be stored on the key owner‘s computer. This method is generally not adopted. If an attacker
gains access to the computer, he can easily gain access to private key. For this reason, a private
key is stored on secure removable storage token access to which is protected through a password.
Different vendors often use different and sometimes proprietary storage formats for storing keys.
For example, Entrust uses the proprietary .epf format, while Verisign, GlobalSign, and Baltimore
use the standard .p12 format.
Hierarchy of CA
With vast networks and requirements of global communications, it is practically not feasible to
have only one trusted CA from whom all users obtain their certificates. Secondly, availability of
only one CA may lead to difficulties if CA is compromised.
In such case, the hierarchical certification model is of interest since it allows public key
certificates to be used in environments where two communicating parties do not have trust
relationships with the same CA.
The root CA is at the top of the CA hierarchy and the root CA's certificate is a self-signed
certificate.
The CAs, which are directly subordinate to the root CA (For example, CA1 and CA2) have CA
certificates that are signed by the root CA.
The CAs under the subordinate CAs in the hierarchy (For example, CA5 and CA6) have their
CA certificates signed by the higher-level subordinate CAs.
Certificate authority (CA) hierarchies are reflected in certificate chains. A certificate chain traces
a path of certificates from a branch in the hierarchy to the root of the hierarchy.
The following illustration shows a CA hierarchy with a certificate chain leading from an entity
certificate through two subordinate CA certificates (CA6 and CA3) to the CA certificate for the
root CA.
Verifying a certificate chain is the process of ensuring that a specific certificate chain is valid,
correctly signed, and trustworthy. The following procedure verifies a certificate chain, beginning
with the certificate that is presented for authentication −
A client whose authenticity is being verified supplies his certificate, generally along with the
chain of certificates up to Root CA.
Verifier takes the certificate and validates by using public key of issuer. The issuer‘s public key
is found in the issuer‘s certificate which is in the chain next to client‘s certificate.
Now if the higher CA who has signed the issuer‘s certificate, is trusted by the verifier,
verification is successful and stops here.
Else, the issuer's certificate is verified in a similar manner as done for client in above steps. This
process continues till either trusted CA is found in between or else it continues till Root CA.

4.5 Overview of IP Security (IPSec)

The IP security (IPSec) is an Internet Engineering Task Force (IETF) standard suite of protocols
between 2 communication points across the IP network that provide data authentication,
integrity, and confidentiality. It also defines the encrypted, decrypted and authenticated packets.
The protocols needed for secure key exchange and key management are defined in it.
Uses of IP Security

Cryptography and Network Security Page 18

Srinivas University BCA V Semester

IPsec can be used to do the following things:

 To encrypt application layer data.
 To provide security for routers sending routing data across the public internet.
 To provide authentication without encryption, like to authenticate that the data originates
from a known sender.
 To protect network data by setting up circuits using IPsec tunneling in which all data is
being sent between the two endpoints is encrypted, as with a Virtual Private
Network(VPN) connection.
Components of IP Security
It has the following components:
Encapsulating Security Payload (ESP)
It provides data integrity, encryption, authentication and anti-replay. It also provides
authentication for payload.
Authentication Header (AH) –
It also provides data integrity, authentication and anti-replay and it does not provide encryption.
The anti-replay protection, protects against unauthorized transmission of packets. It does not
protect data‘s confidentiality.

Internet Key Exchange (IKE)

It is a network security protocol designed to dynamically exchange encryption keys and find a
way over Security Association (SA) between 2 devices. The Security Association (SA)
establishes shared security attributes between 2 network entities to support secure
communication. The Key Management Protocol (ISAKMP) and Internet Security Association
which provides a framework for authentication and key exchange. ISAKMP tells how the setup
of the Security Associations (SAs) and how direct connections between two hosts that are using
IPsec.
Internet Key Exchange (IKE) provides message content protection and also an open frame for
implementing standard algorithms such as SHA and MD5. The algorithm‘s IP sec users produces
a unique identifier for each packet. This identifier then allows a device to determine whether a
packet has been correct or not. Packets which are not authorized are discarded and not given to
receiver.
Working of IP Security
The host checks if the packet should be transmitted using IPsec or not. These packet traffic
triggers the security policy for themselves. This is done when the system sending the packet
apply an appropriate encryption. The incoming packets are also checked by the host that they are
encrypted properly or not.
Then the IKE Phase 1 starts in which the 2 hosts( using IPsec ) authenticate themselves to each
other to start a secure channel. It has 2 modes. The Main mode which provides the greater
security and the Aggressive mode which enables the host to establish an IPsec circuit more
quickly.

Cryptography and Network Security Page 19

Srinivas University BCA V Semester

The channel created in the last step is then used to securely negotiate the way the IP circuit will
encrypt data across the IP circuit.
Now, the IKE Phase 2 is conducted over the secure channel in which the two hosts negotiate the
type of cryptographic algorithms to use on the session and agreeing on secret keying material to
be used with those algorithms.
Then the data is exchanged across the newly created IPsec encrypted tunnel. These packets are
encrypted and decrypted by the hosts using IPsec SAs.
When the communication between the hosts is completed or the session times out then the IPsec
tunnel is terminated by discarding the keys by both the hosts.

IP Security Architecture
IPSec (IP Security) architecture uses two protocols to secure the traffic or data flow. These
protocols are ESP (Encapsulation Security Payload) and AH (Authentication Header). IPSec
Architecture includes protocols, algorithms, DOI, and Key Management. All these components
are very important in order to provide the three main services:
 Confidentiality
 Authentication
 Integrity
IP Security Architecture:
1. Architecture:
Architecture or IP Security Architecture covers the general concepts, definitions, protocols,
algorithms and security requirements of IP Security technology.
2. ESP Protocol: ESP(Encapsulation Security Payload) provide the confidentiality service.
Encapsulation Security Payload is implemented in either two ways:
 ESP with optional Authentication.
 ESP with Authentication.

Cryptography and Network Security Page 20

Srinivas University BCA V Semester

Packet Format

Security Parameter Index(SPI): This parameter is used in Security Association. It is used to

give a unique number to the connection build between Client and Server.
Sequence Number: Unique Sequence number are allotted to every packet so that at the receiver
side packets can be arranged properly.
Payload Data: Payload data means the actual data or the actual message. The Payload data is in
encrypted format to achieve confidentiality.
Padding: Extra bits or space added to the original message in order to ensure confidentiality.
Padding length is the size of the added bits or space in the original message.
Next Header: Next header means the next payload or next actual data.
Authentication Data: This field is optional in ESP protocol packet format.

Cryptography and Network Security Page 21

Srinivas University BCA V Semester

3. Encryption algorithm: Encryption algorithm is the document that describes various

encryption algorithm used for Encapsulation Security Payload.
4. AH Protocol: AH (Authentication Header) Protocol provides both Authentication and
Integrity service. Authentication Header is implemented in one way only: Authentication along
with Integrity.

Authentication Header covers the packet format and general issue related to the use of AH for
packet authentication and integrity.
5. Authentication Algorithm:
Authentication Algorithm contains the set of the documents that describe authentication
algorithm used for AH and for the authentication option of ESP.
6. DOI (Domain of Interpretation):
DOI is the identifier which support both AH and ESP protocols. It contains values needed for
documentation related to each other.
7. Key Management:
Key Management contains the document that describes how the keys are exchanged between
sender and receiver.

Mode of Operation in IPSec

The IPsec standards define two distinct modes of IPsec operation, transport mode and tunnel
mode. The modes do not affect the encoding of packets. The packets are protected by AH, ESP,
or both in each mode. The modes differ in policy application when the inner packet is an IP
packet, as follows:
In transport mode, the outer header determines the IPsec policy that protects the inner IP packet.
In tunnel mode, the inner IP packet determines the IPsec policy that protects its contents.
In transport mode, the outer header, the next header, and any ports that the next header supports,
can be used to determine IPsec policy. In effect, IPsec can enforce different transport mode
policies between two IP addresses to the granularity of a single port. For example, if the next
header is TCP, which supports ports, then IPsec policy can be set for a TCP port of the outer IP

Cryptography and Network Security Page 22

Srinivas University BCA V Semester

address. Similarly, if the next header is an IP header, the outer header and the inner IP header can
be used to determine IPsec policy.
Tunnel mode works only for IP-in-IP datagrams. Tunneling in tunnel mode can be useful when
computer workers at home are connecting to a central computer location. In tunnel mode, IPsec
policy is enforced on the contents of the inner IP datagram. Different IPsec policies can be
enforced for different inner IP addresses. That is, the inner IP header, its next header, and the
ports that the next header supports, can enforce a policy. Unlike transport mode, in tunnel mode
the outer IP header does not dictate the policy of its inner IP datagram.
Therefore, in tunnel mode, IPsec policy can be specified for subnets of a LAN behind a router
and for ports on those subnets. IPsec policy can also be specified for particular IP addresses, that
is, hosts, on those subnets. The ports of those hosts can also have a specific IPsec policy.
However, if a dynamic routing protocol is run over a tunnel, do not use subnet selection or
address selection because the view of the network topology on the peer network could change.
Changes would invalidate the static IPsec policy. For examples of tunneling procedures that
include configuring static routes, see Protecting a VPN With IPsec.
In Oracle Solaris, tunnel mode can be enforced only on an IP tunneling network interface. For
information about tunneling interfaces. The ipsecconf command provides a tunnel keyword to
select an IP tunneling network interface. When the tunnel keyword is present in a rule, all
selectors that are specified in that rule apply to the inner packet.
In transport mode, ESP, AH, or both, can protect the datagram.
The following figure shows an IP header with an unprotected TCP packet.
Unprotected IP Packet Carrying TCP Information

In transport mode, ESP protects the data as shown in the following figure. The shaded area
shows the encrypted part of the packet.
Protected IP Packet Carrying TCP Information

In transport mode, AH protects the data as shown in the following figure.

Packet Protected by an Authentication Header

AH protection, even in transport mode, covers most of the IP header.

In tunnel mode, the entire datagram is inside the protection of an IPsec header. The datagram is
protected in tunnel mode by an outer IPsec header, and in this case ESP, as is shown in the
following figure.
Figure 14-6 IPsec Packet Protected in Tunnel Mode

The ipsecconf command includes keywords to set tunnels in tunnel mode or transport mode.

Cryptography and Network Security Page 23

Srinivas University BCA V Semester

4.7 Security Associations (SA)

An IPsec security association (SA) specifies security properties that are recognized by
communicating hosts. These hosts typically require two SAs to communicate securely. A single
SA protects data in one direction. The protection is either to a single host or a group (multicast)
address. Because most communication is peer-to-peer or client-to-server, two SAs must be
present to secure traffic in both directions.
The security protocol (AH or ESP), destination IP address, and security parameter index (SPI)
identify an IPsec SA. The SPI, an arbitrary 32-bit value, is transmitted with an AH or ESP
packet. The ipsecah (7P) and ipsecesp (7P) man pages explain the extent of protection that is
provided by AH and ESP. An integrity checksum value is used to authenticate a packet. If the
authentication fails, the packet is dropped.
Security associations are stored in a security associations database. A socket-based
administration engine, the pf_key interface, enables privileged applications to manage the
database. The in.iked daemon provides automatic key management.
Key Management
A security association contains the following information:
 Material for keys for encryption and authentication
 The algorithms that can be used
 The identities of the endpoints
 Other parameters that are used by the system
SAs require keying material for authentication and encryption. The managing of keying material
that SAs require is called key management. The Internet Key Exchange (IKE) protocol handles
key management automatically. You can also manage keys manually with the ipseckey
command. SAs on IPv4 and IPv6 packets can use automatic key management.

How security associations work

A security association (SA) is an authenticated simplex (uni-directional) data connection
between two end-stations.
Security associations are typically configured in pairs. An SA has all of the following:
 A unique Security Parameter Index (SPI) number
 An IP destination address
 An IPsec security protocol
The IPsec security protocol must be either of the following:
 Authentication Header (AH)
 Encapsulating Security Payload (ESP)
The AH protocol inserts an authentication header into each packet before the data payload. The
authentication header includes a checksum created with a cryptographic hash algorithm, either
Message Digest function 95 (MD5 - 128 bit key) or Secure Hash Algorithm (SHA - 160 bit key).
The AH protocol does not alter the packet's data payload.
The ESP protocol inserts a header before the data payload and a trailer after it. When you specify
an encryption algorithm, either Data Encryption Standard (DES) or triple DES, ESP alters the
data payload by encrypting it. Alternatively, you can specify packet authentication using the
same MD5 or SHA-1 algorithms that are available with the AH protocol. If you use the ESP
security protocol, you need to specify either authentication or encryption, or both.

Cryptography and Network Security Page 24

Srinivas University BCA V Semester

Note: When you specify the AH protocol, only packet authentication (providing data integrity) is
enabled. When you specify the ESP protocol, both packet authentication and packet encryption
(providing data privacy) can be enabled.
At least two security associations, inbound and outbound, are required between end-stations.
Security associations are stored in the Security Association Database (SAD) when IPsec is
enabled on an end-station. Security associations are created from security policies.

Key Management for IPsec Security Associations

Security associations (SAs) require keying material for authentication and for encryption. The
managing of this keying material is called key management. Oracle Solaris provides two
methods for managing the keys for IPsec SAs: IKE and manual key management.
IKE for IPsec SA Generation
The Internet Key Exchange (IKE) protocol handles key management automatically. Oracle
Solaris 11.2 supports IKE version 2 (IKEv2) and IKE version 1 (IKEv1) of the IKE protocol.
The use of IKE to manage IPsec SAs is encouraged. These key management protocols offer the
following advantages:
 Simple configuration
 Provide strong peer authentication
 Automatically generate SAs with a high quality random key source
 Do not require administrative intervention to generate new SAs
Manual Keys for IPsec SA Generation
The use of manual keys is more complicated than IKE and is potentially risky. A system file,
/etc/inet/secret/ipseckeys, contains the encryption keys. If these keys are compromised, they can
be used to decrypt recorded network traffic. Because IKE frequently changes the keys, the
window of exposure to such a compromise is much smaller. Using the ipseckeys file or its
command interface, ipseckey, is appropriate only for systems that do not support IKE.
While the ipseckey command has only a limited number of general options, the command
supports a rich command language. You can specify that requests be delivered by means of a
programmatic interface specific for manual keying. Typically, manual SA generation is used
when IKE is unavailable for some reason. However, if the SPI values are unique, manual SA
generation and IKE can be used at the same time.

4.8 Security Policy in IPSec

IPSec encrypts data information contained in IP datagrams through encapsulation to provide data
integrity, data confidentiality, data origin authentication, and replay protection. The two main
IPSec components that are installed when you install IPSec are the IPSec Policy Agent and the
IPSec driver. The IPSec Policy Agent is a service running on a Windows Server 2003 computer
that accesses IPSec policy information. The IPSec Policy Agent accesses the IPSec policy
information in the local Windows registry or in Active Directory. The IPSec Policy Agent then
passes this information to the IPSec driver. The IPSec driver performs a number of operations to
enable secure network communications such as initiating IKE communication, creating IPSec
packets, encrypts data, and calculates hashes.
IPSec policies are used to apply security in your network. The IPSec policies define when and
how data should be secured. The IPSec policies also determine which security methods to use
when securing data at the different levels in your network. You can configure IPSec policies so
that different types of traffic are affected by each individual policy.

Cryptography and Network Security Page 25

Srinivas University BCA V Semester

The different components of an IPSec policy are listed here:

IP filter; informs the IPSec driver on the type of inbound traffic and outbound traffic which
should be secured.
IP filter list; used to group multiple IP filters into a single list in order to isolate a specific set of
network traffic.
Filter action; used to define how the IPSec driver should secure traffic.
Security method; refers to security types and algorithms used for the key exchange process and
for authentication.
Connection type: identifies the type of connection which the IPSec policy impacts.
Tunnel setting; the tunnel endpoint‘s IP address/DNS name.
Rule; a grouping of components such as filters and filter actions to secure a specific subset of
traffic in a particular manner:
IPSec policies can be applied at the following levels within a network:
 Active Directory domain.
 Active Directory site.
 Active Directory organizational unit.
 Computers.
 Applications.
When you configure and manage IPSec, you would basically be configuring the following
aspects of IPSec policies:
 Assign the predefined default IPSec policies.
 Create customized IPSec policies that include customized rules and filters.
 Control how IPSec policies are applied.
 Apply IPSec policies at different levels on the network.
To configure IPSec policies, you can use either of the following methods:
 You can use the IP Security Policy Management snap-in to configure IP security policies
on the local computer. To create a new IPSec policy, you have to right-click the IP
Security Policies node in the IP Security Policy Management snap-in, and then click
Create IP Security Policy.
 You can use the Group Policy Object Editor snap-in to change local and domain GPOs.
To create a new IPSec policy, you have to right-click the IP Security Policies node in the
Group Policy Object Editor and then click Create IP Security Policy.
The IP Security Policy Management snap-in is used to manage IPSec with respect to:
 Create IPSec policies.
 Edit existing IPSec policies.
 Assign IPSec policies.
 Add and remove filters which are applied to IPSec policies.
When you install the IPSec IP Security Policy Management snap-in, you need to select which
IPSec policy you want to manage, and on what network level you want to manage IPSec. You
can select either of the following options:
 Manage a local IPSec policy on the computer.
 Manage the local IPSec policy a different computer.
 Manage the default policy for the domain in which the computer resides.
 Manage the default policy for a different domain.

Cryptography and Network Security Page 26

Srinivas University BCA V Semester

Authentication Header (AH)

The Authentication Header (AH) is an IPSec protocol that provides data integrity, data origin
authentication, and optional anti-replay services to IP. Authentication Header (AH) does not
provide any data confidentiality (Data encryption). Since Authentication Header (AH) does not
provide confidentiality, there is no need for an encryption algorithm. AH protocol is specified in
RFC 2402.
Authentication Header (AH) is an IP protocol and has been assigned the protocol number 51 by
IANA. In the IP header of Authentication Header (AH) protected datagram, the 8-bit protocol
field will be 51, indicating that following the IP header is an Authentication Header (AH) header.
Next Header: Next header field points to next protocol header that follows the AH header. It can
be a Encapsulating Security Payload (ESP) header, a TCP header or a UDP header (depending
on the network application).
Payload Length: specifies the length of AH in 32-bit words (4-byte units), minus 2.
RESERVED: This field is currently set to 0, reserved for future use.
Security Parameter Index (SPI): The Security Parameter Index (SPI) field contains the Security
Parameter Index, is used to identify the security association used to authenticate this packet.
Sequence Number: Sequence Number field is the number of messages sent from the sender to
the receiver using the current SA. The initial value of the counter is 1. The function of this field
is to enable replay protection, if required.
Authentication Data: The Authentication Data field contains the result of the Integrity Check
Value calculation, that can be used by the receiver to check the authentication and integrity of
the packet. This field is padded to make total length of the AH is an exact number of 32-bit
words. RFC 2402 requires that all AH implementations support at least HMAC-MD5-96 and
HMAC-SHA1-96.
AH Protocol: AH (Authentication Header) Protocol provides both Authentication and Integrity
service. Authentication Header is implemented in one way only: Authentication along with
Integrity.

Authentication Header covers the packet format and general issue related to the use of AH for
packet authentication and integrity.

Cryptography and Network Security Page 27

Srinivas University BCA V Semester

Encapsulating Security Payload (ESP)

Encapsulating Security Payload (ESP) provides all encryption services in IPSec based on
integrity for the payload and not for the IP header, confidentiality and authentication that using
encryption, without authentication is strongly discouraged because it is insecure.
Any translations in readable message format into an unreadable format are encrypted and used to
hide the message content against data tampering.
IPSec provides an open framework, such as SHA and MD5 for implementing industry standard
algorithms.
Encryption/decryption allows only the sender and the authorised receiver to make the data to be
received in readable form and only after the integrity verification process is complete, the data
payload in the packet is decrypted.
IPSec uses a unique identifier for each packet, which is a data equivalent of a fingerprint and
checks for packets that are authorised or not. It doesn't sign the entire packet unless it is being
tunnelled—ordinarily, for this IP data payload is protected, not the IP header. In Tunnel Mode,
where the entire original IP packet is encapsulated with a new packet header added.
ESP in transport mode does not provide integrity and authentication for the entire IP packet.
The ESP format is diagrammatically represented as follows
mat is diagrammatically represented as follows −

Explanation
Security Parameters Index (32 bits) − Identifies a security association. This field is mandatory.
The value of zero is reserved for local, implementation- specific use and MUST NOT be sent on
the wire.
Sequence Number (32 bits) − A monotonically increasing counter value; this provides an anti-
replay function, as discussed for AH. The first packet sent using a given SA will have a
Sequence number of 1.
Payload Data (variable) − This is a transport-level segment (transport mode) or IP packet
(tunnel mode) that is protected by encryption. The type of content that was protected is indicated
by the Next Header field.
Padding (0-255 bytes) − Padding for encryption, to extend the payload data to a size that fits the
encryption's cipher block size, and to align the next field.
Pad Length (8 bits) − Indicates the number of pad bytes immediately preceding this field.
Next Header (8 bits) − Identifies the type of data contained in the payload data field by
identifying the first header in that payload.

Cryptography and Network Security Page 28

Srinivas University BCA V Semester

Authentication Data (variable) − A variable-length field (must be an integral number of 32-bit

words) that contains the Integrity. Check Value computed over the ESP packet minus the
Authentication Data field. This field is optional and is included only if the authentication service
has been selected for the SA in question.

Internet Key Exchange (IKE)

Internet Key Exchange (IKE) is a key management protocol standard used in conjunction with
the Internet Protocol Security (IPSec) standard protocol. It provides security for virtual private
networks' (VPNs) negotiations and network access to random hosts. It can also be described as a
method for exchanging keys for encryption and authentication over an unsecured medium, such
as the Internet.

IKE is a hybrid protocol based on:

ISAKMP (RFC2408): Internet Security Association and Key Management Protocols are used for
negotiation and establishment of security associations. This protocol establishes a secure
connection between two IPSec peers.
Oakley (RFC2412): This protocol is used for key agreement or key exchange. Oakley defines the
mechanism that is used for key exchange over an IKE session. The default algorithm for key
exchange used by this protocol is the Diffie-Hellman algorithm.
SKEME: This protocol is another version for key exchange.
IKE enhances IPsec by providing additional features along with flexibility. IPsec, however, can
be configured without IKE.

4.9 Assignment-4
Multiple Choice Questions

1. Which controls incoming and outgoing traffic on networks, with predetermined security
rules?
(A) Firewall (B) IP (C) Network (D) TCP
2. What is Full form of RBAC in Network Protection?
(A) Rule Based Access Control (B) Role Based Access Control
(C) Random Based Access Control (D) Rotation Based Access Control
3. Which can detect or prevent network security attacks such as brute force attacks, Denial
of Service (DoS) attacks and exploits of known vulnerabilities?
(A) IPS Technologies (B) DLP (C) Authorization (D) Access Control
4. ―Attackers gain access to a network and can monitor or steal sensitive information, but
without making any change to the data, leaving it intact‖- Which type of attack it is?
(A) Active (B) Passive (C) DOS (D) Brute Force
5. What is full form of VLAN?
(A) Variable Local Area Networks (B) Virtual Local Area Networks
(C) Virtual Locational Area Networks (D) Virtual Local Access Networks
6. Which type of signals are not carried along a wire; they are broadcast through the air,
making them more accessible to outsiders?
(A) Small Signals (B) Large Signals (C) Air Signals (D) Microwave
7. Which is also a common practice for gaining access to restricted systems or services?
(A) Man in Middle Attack (B) Cyber Attack (C) Pretexting (D) Post texting

Cryptography and Network Security Page 29

Srinivas University BCA V Semester

8. Which is a way of scrambling data so that only authorized parties can understand the
information?
(A) Encryption (B) Decryption (C) Plaintext (D) Scrambling Text
9. Full form of ARPANET?
(A) Advanced Research Projects Agency Network
(B) Advanced Research Project and Network
(C) Advanced reorganized Plan Agency Network
(D) Added Research Project Agency Network
10. Identify Odd man out from the following
(A) Publishing Certificates (B) Verifying Certificates
(C) Revocation of Certificates (D) Authorized Certificates
11. Identify Odd man out from the following
(A) Class1 Certificate (B) Class 2 Certificate
(C) Class3 Certificates (D) Class 5 Certificates
12. What is full form of IETF in connection with IPSec?
(A) Internet Engineering Task Force (B) Intranet Engineering Task Force
(C) Internal Engineering Task Force (D) Internal Enforcement Task Force
13. Which provides data integrity, authentication and anti-replay in IPSec?
(A) Authentication Header (B) Authentication Protocol
(C) Authorization (D) Availability
14. What is full form of ESP?
(A) Encrypted System Protocol (B) Encapsulation Security Payload
(C) Encrypted Standard Protocol (D) Encapsulation Security Protocol
15. What is the one word used for Extra bits or space added to the original message in order
to ensure confidentiality?
(A) Combining (B) Integrating (C) Join (D) Padding
16. Which mode works only for IP-in-IP datagrams?
(A) Tunnel (B) Transport (C) Transmission (D) Network
17. Who is known by the name crackers in the context of Computer Security?
(A) Black Hat Hackers (B) White Hat Hackers (C) Elite Hackers (D) Script Kiddle
18. In computing, which is a network security system that monitors and controls incoming?
and outgoing network traffic based on predetermined security rules?
(A) Spyware (B) Cookie (C) Spam (D) Firewall
19. A Computer Virus is a
(A) Hardware (B) Software (C) Bacteria (D) Freeware
20. Network security architecture does not include
(A) Access (B) Design (C) Implement (D) Execute
21. What is full form of SD-WAN?
(A) Software-defined Wide Area Network
(B) Software-demand Wide Area Network
(C) Standard- defined Wide Area Network
(D) Simulation-defined Wide Area Network
22. Which is a cybersecurity practice where you run code or open files in a safe, isolated
environment?
(A) Hard box (B) Soft Box (C) Sandboxing (D) Cipher Text
23. DMZ stands for?

Cryptography and Network Security Page 30

Srinivas University BCA V Semester

(A) Demilitarized Zone (B) Decreased Mode Zone

(C) Decentralized Mode Zone (D) Demand Mode Zone
24. Which translate internal IP addresses into addresses accessible on public networks?
(A) Network Address Translator (B) Network Accessed Translator
(C) IP Translator (D) UDP
25. DHCP Stands for?
(A) Dynamic Hybrid Community Protocol
(B) Dynamic Host Configuration Protocol
(C) Dedicated Host Configuration Protocol
(D) Dynamic Hybrid Compute Protocol

Long Answer Questions

1. Briefly explain various types of Network Security Protections
2. Explain Network Protection best practices.
3. Write s short note on Eavesdropping.
4. Write s short note on Wiretapping
5. Explain Network Security Control
6. Elaborate on Virtual Private Network
7. Explain Public Key Infrastructure.
8. Write a short note on Certification Authority
9. Briefly explain IP Security (IPSec)
10. Write a short note IP Security Architecture
11. Explain two modes of operation of IP Security
12. Explain IP Security Association
13. Write a short note on Authentication Header
14. Write a short note on Encapsulating Security Payload

Cryptography and Network Security Page 31