Network Security & Management

NOTES OF
NETWORK SECURITY
& MANAGEMENT

Prepared and Compiled by


CE & IT Department

LJ Polytechnic
STUDENT ADVISORY

Dear Students,
Please be informed that the notes provided by the institute
offer a concise presentation of the syllabus. While these notes
are helpful for an overview and quick revision, we would
strongly suggest that you refer to the prescribed textbooks /
Reference book for a comprehensive understanding and
thorough preparation of all exams and writing in the
examination.
Best regards,
LJ Polytechnic.

[The same advisory in Gujarati, translated:]

Dear Students,
Please be informed that the notes provided by the institute offer a concise
presentation of the syllabus. Although these notes can be helpful for an
overview and quick revision, we strongly suggest that students refer only to
the prescribed textbooks / reference book for a comprehensive understanding
and thorough preparation for all exams and for writing in the examination.

LJ Polytechnic.
NETWORK SECURITY & MANAGEMENT

UNIT-1
INTRODUCTION TO SECURITY MECHANISMS
1.1 VARIOUS SECURITY TERMS
1.1.1 Introduction
Computer data often travels from one computer to another, leaving the safety of its protected physical
surroundings. Once the data is out of your control, people with bad intentions can read, modify or forge it,
either for amusement or for their own benefit.
In many cases information is sensitive, so we need to ensure that only authorized parties can access it. To
maintain this we require mechanisms or devices that keep the data safe. Such a collection of mechanisms is
known as a Security System.
Computer Security: The generic name for the collection of tools designed to protect data and to thwart
hackers.
Network Security: Network Security refers to the measures taken by an enterprise or organization to
secure its computer network and data using both hardware and software. Network security measures are
needed to protect data during transmission.
Internet Security: Internet security refers to security designed to protect systems and the activities of
employees and other users while connected to the Internet: web browsers, web apps, websites and networks.
Internet security solutions protect users and corporate assets from cybersecurity attacks and threats.
Threat: A potential for violation of security, which exists when there is a circumstance, capability, action or
event that could breach security and cause harm. That is, a threat is a possible danger that might exploit a
vulnerability (a weakness in a system's design, implementation or operation).
Attack: An attack is the realization of a threat: a deliberate attempt to obtain, alter, destroy, remove,
implant or reveal information, or to disrupt a system, without authorization.
Hacker: In these notes, a hacker (also called an attacker or intruder) is a person who uses a computer system
to gain unauthorized access to another system or its data, or who makes another system unavailable.

1.1.2 Virus
A virus is a piece of code that attaches itself to a host file or program and cannot run on its own. When the
infected host runs, the virus code also runs in the background and copies itself into other programs or files, so
the infected program appears to behave like the original but carries the virus with it.
There are many ways in which a virus gets into a system, such as e-mail attachments, clicking on malicious
advertisements, or downloading software or files from untrusted websites.
The defining objective of a virus is to replicate and spread to other hosts. Its payload varies: it may corrupt
data, steal personal data and credentials, or hand control of the system to the attacker. Various types of
viruses are explained as follows:
NETWORK SECURITY & MANAGEMENT

1) Parasitic Virus: The traditional and still most common form of virus. A parasitic virus attaches itself
to executable files and replicates, when the infected program is executed, by finding other executable
files to infect.
2) Memory-Resident Virus: Lodges in main memory as part of a resident system program. From that
point on, the virus infects every program that executes.
3) Boot Sector Virus: Infects a master boot record or boot record and spreads when a system is booted
from the disk containing the virus.
4) Stealth Virus: A form of virus explicitly designed to hide itself from detection by antivirus software.
5) Polymorphic Virus: A virus that mutates with every infection, making detection by the "signature" of
the virus impossible.
6) Metamorphic Virus: As with a polymorphic virus, a metamorphic virus mutates with every infection.
The difference is that a metamorphic virus rewrites itself completely at each iteration, increasing the
difficulty of detection. Metamorphic viruses may change their behavior as well as their appearance.
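The following Python example is added here to illustrate the difference between the parasitic and polymorphic types above from the scanner's point of view; it is not code from the notes. The "virus body" is an inert, constructed byte string, the "infection" only appends bytes to a buffer, and the scanner is a toy signature matcher. It shows why a body that is re-encoded with a fresh key on every infection slips past a fixed signature, and one simple counter-measure (trying every single-byte XOR key) that real scanners generalize with emulation of the decoder.

```python
"""Toy signature scanner vs. a XOR-encoded (polymorphic) virus body.
Added example. VIRUS_BODY is an inert, constructed byte string, not malware."""

# Constructed stand-in for a virus body; the signature is a slice of it.
VIRUS_BODY = b"\xde\xad\xbe\xef TOY-VIRUS-BODY \xca\xfe\xba\xbe"
SIGNATURE = b"TOY-VIRUS-BODY"


def infect(host: bytes) -> bytes:
    """Parasitic model: the body is appended to the host program unchanged."""
    return host + VIRUS_BODY


def infect_polymorphic(host: bytes, key: int) -> bytes:
    """Polymorphic model: the body is XOR-encoded with a per-infection key.
    The key byte is stored first so a decoder stub could recover the body
    at run time (key 0 degenerates to the plain parasitic infection)."""
    encoded = bytes(b ^ key for b in VIRUS_BODY)
    return host + bytes([key]) + encoded


def scan_signature(data: bytes) -> bool:
    """Plain signature scan: look for the fixed byte pattern."""
    return SIGNATURE in data


def scan_xor_brute(data: bytes) -> bool:
    """Counter-measure for single-byte XOR encoders: decode under every
    possible key and re-scan. Real products generalize this by emulating
    the virus's own decoder, since the key schedule is rarely this simple."""
    for key in range(256):
        if SIGNATURE in bytes(b ^ key for b in data):
            return True
    return False


if __name__ == "__main__":
    clean = b"MZ... legitimate program image ..."
    plain = infect(clean)
    poly = infect_polymorphic(clean, key=0x5A)
    print("plain infection, signature scan:      ", scan_signature(plain))   # True
    print("polymorphic infection, signature scan:", scan_signature(poly))    # False
    print("polymorphic infection, XOR brute scan:", scan_xor_brute(poly))    # True
    print("clean file, XOR brute scan:           ", scan_xor_brute(clean))   # False
```

A metamorphic virus would additionally rewrite the decoder stub and the body's instructions each time, so even the brute-force decode above has nothing stable to match; that is why behaviour-based and heuristic detection complement signatures.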

How can a computer be protected from viruses?


• Install an anti-malware program that blocks software from installing without your knowledge.
• Never download and install software from the Internet unless you are certain it comes from a trusted source.
• Do not open e-mail attachments unless you have scanned them first; even a picture file can carry a virus.
• Do not trust cracked or pirated software, as it often contains malware or Trojans.
• Keep the operating system and applications patched; many viruses and worms spread through vulnerabilities
for which a fix already exists.
• The most practical way of keeping a computer virus-free is to install anti-virus software, keep it up to
date and run regular scans. Such software detects and removes viruses from the device. It can be obtained
either by downloading it online or by buying a packaged copy, and then installing it.

1.1.3 Antivirus
Anti-virus software is a program, or set of programs, that detects, blocks and removes malicious software
from a device. It scans the files on a computer (and, in most products, files as they are opened or downloaded)
and identifies those that are infected, typically by matching known signatures and by heuristic or behavioural
analysis of what a file does.
Most antivirus programs nowadays include more than just a virus scanner: they also come with features that
add protection, like a network firewall, phishing protection, a virtual private network (VPN), a password
manager, parental controls, as well as dedicated protection for mobile devices. Following are some of the
most commonly used anti-virus products:
1) Norton
2) Bitdefender
3) TotalAV

4) McAfee
5) Intego
6) Malwarebytes
7) Norton 360
8) Surfshark
9) Avira
10) Trend Micro

1.1.4 Intruder
An intruder (also called a hacker or attacker) is an individual who carries out security attacks on another
party's systems in a networked computing environment. The intruder may attempt to read privileged data (for
example by password cracking), perform unauthorized modification of data, or disrupt the normal functioning
of the system. There are three types of intruders:
1) Masquerader: An individual who is not authorized to use the computer and who penetrates a system's
access controls to exploit a legitimate user's account. The masquerader is likely to be an outsider
2) Misfeasor: A legitimate user who accesses data, programs, or resources for which such access is not
authorized, or who is authorized for such access but misuses his or her privileges. Misfeasor is an
insider.
3) Clandestine User: An individual who seizes supervisory control of the system and uses this control to
evade auditing and access controls or to suppress audit collection. Clandestine users can be either
insiders or outsiders.

1.2 SECURITY BASICS


1.2.1 Pillars of Information Security
It is necessary to protect information from being stolen, compromised or attacked. The CIA triad is one of the
most important models that is designed to guide policies for information security within an organization. CIA
stands for Confidentiality, Integrity and Availability. These are considered as three pillars of Information
Security.
1) Confidentiality:
Confidentiality means that only authorized individuals/systems can view sensitive or classified information.
The data being sent over the network should not be accessed by unauthorized individuals. The attacker may
try to capture the data using different tools available on the Internet and gain access to your information.
For Example: User A sends a message to User B. Another User C gets access to this message which is not
desired and therefore defeats the purpose of confidentiality. This type of attack is called Interception and we
can say that confidentiality of the message is lost.

(Figure: Loss of Confidentiality)


To fight against confidentiality breaches, you can classify and label restricted data, enable access control
policies, encrypt data, and use multi-factor authentication (MFA) systems. It is also advisable to ensure that
all in the organization have the training and knowledge they need to recognize the dangers and avoid them.

2) Integrity:
Integrity means that data has not been modified, inserted, deleted or replayed by an unauthorized party, or
that any such change is detected by the receiver.
For Example, User A wants to send a message to User B. User C somehow manages to access the data of User
A changes its contents and sends a changed message to User B. Users A and B have no idea that the contents
of the message were changed. This type of attack is called Modification and we can say that the integrity of
the message is lost.

(Figure: Loss of Integrity)


To protect the integrity of your data, you can use cryptographic hashes, message authentication codes (MACs),
digital signatures and digital certificates. Note that encryption by itself does not ensure integrity: with many
ciphers an attacker who cannot read a message can still alter the ciphertext so that the decrypted message
changes, and only an integrity check such as a MAC or signature will detect this. For websites, you can employ
trustworthy certificate authorities (CAs) that verify the identity of your site, so visitors know they are getting
the site they intended to visit.
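The following Python example is added to make the integrity scenario concrete; it is not from the notes. User A encrypts a payment instruction for User B with a toy stream cipher (keystream derived with HMAC-SHA256 in counter mode, used only so the example runs on the standard library; it is not a production cipher). User C cannot read the message, but because XOR-based ciphers are malleable, C can change "0100" to "9999" in transit by flipping ciphertext bits, and B decrypts the altered amount without noticing. Adding an HMAC over nonce and ciphertext (encrypt-then-MAC) makes B reject the tampered message. Keys, nonce and message are constructed values.

```python
"""Added example: encryption alone does not give integrity.
Toy XOR stream cipher (HMAC-SHA256 keystream), NOT for real use, plus
encrypt-then-MAC to detect User C's modification attack."""
import hashlib
import hmac
from typing import Optional, Tuple


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` keystream bytes from (key, nonce) by MAC-ing a counter."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (XOR is its own inverse). Never reuse a nonce with a key."""
    return bytes(d ^ k for d, k in zip(data, keystream(key, nonce, len(data))))


def tamper(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """User C's attack. C cannot read the message, but if C knows or guesses that
    plaintext `old` sits at `offset`, XORing (old ^ new) into the ciphertext makes
    B decrypt `new` instead. No key is needed; only the message format."""
    if len(old) != len(new):
        raise ValueError("replacement must keep the length")
    patched = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        patched[offset + i] ^= o ^ n
    return bytes(patched)


def seal(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> Tuple[bytes, bytes]:
    """Encrypt-then-MAC: the tag covers the nonce and the whole ciphertext."""
    ct = xor_crypt(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return ct, tag


def open_sealed(enc_key: bytes, mac_key: bytes, nonce: bytes, ct: bytes, tag: bytes) -> Optional[bytes]:
    """Verify the tag (constant-time compare) before decrypting; None means reject."""
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return xor_crypt(enc_key, nonce, ct)


# Constructed demo values; real keys come from key exchange or a key-management system.
ENC_KEY = b"\x01" * 32
MAC_KEY = b"\x02" * 32
NONCE = b"\x00" * 8
MESSAGE = b"TRANSFER 0100 TO ACCOUNT 42"   # the amount "0100" starts at offset 9

if __name__ == "__main__":
    ct = xor_crypt(ENC_KEY, NONCE, MESSAGE)
    forged = tamper(ct, 9, b"0100", b"9999")
    print(xor_crypt(ENC_KEY, NONCE, forged))   # b'TRANSFER 9999 TO ACCOUNT 42': B is fooled

    ct, tag = seal(ENC_KEY, MAC_KEY, NONCE, MESSAGE)
    print(open_sealed(ENC_KEY, MAC_KEY, NONCE, ct, tag))                                 # original
    print(open_sealed(ENC_KEY, MAC_KEY, NONCE, tamper(ct, 9, b"0100", b"9999"), tag))    # None
```

In practice an authenticated-encryption mode such as AES-GCM or ChaCha20-Poly1305 combines both steps; the point here is that confidentiality and integrity are separate services, as the OSI security architecture in 1.2.2 treats them.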

3) Availability:
Availability means that systems, data and the network are accessible to authorized users whenever they need
them. To ensure availability, the network administrator should maintain hardware, apply upgrades regularly,
have a fail-over plan and prevent bottlenecks in the network.

For Example: Due to the intentional actions of unauthorized User C, an authorized User A may not be able to
contact server computer B. This type of attack is called Interruption. Thus, proper measures should be taken
to prevent such attacks.

(Figure: Loss of Availability)


To ensure availability, organizations can use redundant networks, servers and applications, configured to take
over (fail over) when the primary system has been disrupted or has failed. You can also enhance availability
by staying on top of upgrades to software packages and security systems. Backups and a full disaster recovery
plan also help a company regain availability soon after a negative event.

1.2.2 The OSI Security Architecture


The OSI (Open Systems Interconnection) security architecture, defined in ITU-T Recommendation X.800, provides
a systematic framework for defining security attacks, security mechanisms and security services. Because it
was developed as an international standard, vendors have developed security features for their products and
services that map onto this structured definition of services and mechanisms.
• Security Attacks: Any action that compromises the security of information owned by an organization.
• Security Mechanisms: A process (or a device incorporating such a process) that is designed to detect,
prevent or recover from a security attack.
• Security Services: A processing or communication service that enhances the security of the data
processing systems and the information transfers of an organization. The services are intended to
counter security attacks, and they make use of one or more security mechanisms to provide the service.
Security Attacks:
Security Attacks are of two types:
1) Passive Attack
2) Active Attack
Passive Attack:
In a passive attack, the attacker attempts to learn or make use of information from the system but does not
affect system resources. The goal of the opponent/attacker is to obtain information that is transmitted. Passive
attacks are of two types:

a) Release of message contents
b) Traffic analysis
a) Release of Message Contents:
A telephone conversation, an electronic mail message and a transferred file may contain sensitive or
confidential information. We would like to prevent an opponent from learning the contents of these
transmissions.

b) Traffic Analysis:
Suppose that we had a way of masking the contents of messages or other information traffic so that
opponents, even if they captured the message, could not extract the information from the message. The
common technique for masking contents is encryption. If we had encryption protection in place, an
opponent might still be able to observe the pattern of these messages. The opponent could determine the
location and identity of communicating hosts and could observe the frequency and length of messages
being exchanged. This information might be useful in guessing the nature of the communication that was
taking place.

Passive attacks are very difficult to detect because they do not involve any alteration of the data. Typically,
the message traffic is sent and received in a normal fashion and neither the sender nor receiver is aware that a
third party has read the messages or observed the traffic pattern. However, it is feasible to prevent the success
of these attacks, usually using encryption. Thus, the emphasis in dealing with passive attacks is on prevention
rather than detection.

Active Attack:
Active attacks involve some modification of the data stream or the creation of a false stream and can be
subdivided into four categories:
a) Masquerade
b) Replay
c) Modification of Messages
d) Denial of Service
a) Masquerade:
A masquerade takes place when one entity pretends to be a different entity.

b) Replay:
Replay involves the passive capture of a data unit and its subsequent retransmission to produce an
unauthorized effect.

c) Modification of Message:
Modification of messages simply means that some portion of a legitimate message is altered or that
messages are delayed or reordered, to produce an unauthorized effect. For example, a message meaning
"Allow John Smith to read confidential file accounts" is modified to mean "Allow Fred Brown to read
confidential file accounts."

d) Denial of Service:
The denial of service prevents or inhibits the normal use or management of communications facilities.
This attack may have a specific target. For example, an entity may suppress all messages directed to a
particular destination (e.g., the security audit service). Another form of service denial is the disruption of
an entire network, either by disabling the network or by overloading it with messages to degrade
performance.

It is quite difficult to prevent active attacks because of the wide variety of potential physical, software and
network vulnerabilities. Instead, the goal is to detect active attacks and to recover from any disruption or
delays caused by them.
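The following Python example is added to show the replay attack (b) above and one standard defence; it is not code from the notes. A sender authenticates each command with an HMAC under a shared key (a constructed placeholder here). The naive receiver only checks the tag, so a message captured passively can be re-sent later and is accepted a second time, exactly the "passive capture and subsequent retransmission" the text describes. The hardened receiver binds a strictly increasing sequence number into the MAC and rejects anything at or below the last number it accepted.

```python
"""Added example: replay of an authenticated command, and a sequence-number
defence. KEY is a constructed placeholder, not a real secret."""
import hashlib
import hmac

KEY = b"constructed-demo-key-not-for-real-use"
TAG_LEN = 32  # SHA-256 digest size


def _tag(data: bytes) -> bytes:
    return hmac.new(KEY, data, hashlib.sha256).digest()


def make_naive(command: bytes) -> bytes:
    """Wire format: command || HMAC(command). Nothing ties it to a moment in time."""
    return command + _tag(command)


def accept_naive(wire: bytes) -> bool:
    """Verifies the tag only, so a replayed copy verifies just as well as the original."""
    body, tag = wire[:-TAG_LEN], wire[-TAG_LEN:]
    return hmac.compare_digest(_tag(body), tag)


def make_sequenced(seq: int, command: bytes) -> bytes:
    """Wire format: seq (8 bytes) || command || HMAC(seq || command)."""
    body = seq.to_bytes(8, "big") + command
    return body + _tag(body)


class SequencedReceiver:
    """Remembers the highest sequence number accepted so far for this sender."""

    def __init__(self) -> None:
        self.last_seq = -1

    def accept(self, wire: bytes) -> bool:
        if len(wire) < 8 + TAG_LEN:
            return False
        body, tag = wire[:-TAG_LEN], wire[-TAG_LEN:]
        if not hmac.compare_digest(_tag(body), tag):
            return False  # forged or modified; the MAC also covers the counter
        seq = int.from_bytes(body[:8], "big")
        if seq <= self.last_seq:
            return False  # replay, or a stale reordered message
        self.last_seq = seq
        return True


if __name__ == "__main__":
    captured = make_naive(b"UNLOCK DOOR 7")
    print(accept_naive(captured), accept_naive(captured))   # True True: the replay works

    rx = SequencedReceiver()
    first = make_sequenced(1, b"UNLOCK DOOR 7")
    print(rx.accept(first), rx.accept(first))               # True False: replay rejected
    print(rx.accept(make_sequenced(2, b"LOCK DOOR 7")))     # True: next genuine command
```

A counter needs per-sender state on the receiver and a way to resynchronize after lost messages; protocols that cannot keep state use a timestamp with a freshness window, or a challenge-response nonce, to the same effect.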

Active Attack vs. Passive Attack:
1) Modification: In an active attack, information is modified or a false data stream is created. In a passive
attack, information is only observed, not modified.
2) Property threatened: An active attack threatens integrity and availability (and authenticity). A passive
attack threatens confidentiality.
3) Defensive emphasis: Against active attacks the emphasis is on detection and recovery, because they are hard
to prevent. Against passive attacks the emphasis is on prevention (mainly encryption), because they are hard to
detect.
4) Effect on the system: An active attack affects system resources or data. A passive attack causes no direct
harm to the system.
5) Victim awareness: The victim of an active attack can notice it (altered data, disrupted service). The victim
of a passive attack is usually unaware that anything happened.
6) Difficulty of prevention: Active attacks are difficult to prevent because of the wide variety of physical,
software and network vulnerabilities. Passive attacks can usually be prevented by encrypting the traffic.
7) Duration: An active attack is typically short-lived, because it eventually produces an observable effect. A
passive attack can continue unnoticed for a long time.
8) Purpose: The purpose of an active attack is to alter, disrupt or harm the system. The purpose of a passive
attack is to learn information about the system or its traffic.

Security Services:
Various security services are explained as follows:
1) Confidentiality: It ensures the protection of data from unauthorized disclosure.
2) Authentication: It is the assurance that the communicating entity is the one that it claims to be.
3) Integrity: It is the assurance that data received are exactly as sent by an authorized entity (i.e., contain no
modification, insertion, deletion or replay).
4) Non-repudiation: It protects against denial by one of the entities involved in a communication of having
participated in all or part of the communication.
5) Access Control: The prevention of unauthorized use of a resource (i.e., this service controls who can have
access to a resource, under what conditions access can occur and what those accessing the resource are allowed
to do).
6) Availability: It states that resources/information should be available to authorized parties at all times.

Security Mechanisms:
Security Mechanisms are classified into two types:
1) Specific Security Mechanism
2) Pervasive Security Mechanism

Specific Security Mechanism


Specific Security Mechanisms may be incorporated into the appropriate protocol layer to provide some of the
OSI security services.
a) Encipherment: The use of mathematical algorithms to transform data into a form that is not readily
intelligible. The transformation and subsequent recovery of the data depend on an algorithm and zero or
more encryption keys.
b) Digital Signature: A digital signature is an authentication mechanism that enables the creator of a message
to attach a code that acts as a signature.
c) Access Control: A variety of mechanisms that enforce access rights to resources.
d) Data Integrity: A variety of mechanisms used to assure the integrity of a data unit or stream of data units.
e) Authentication Exchange: A mechanism intended to ensure the identity of an entity by means of
information exchange.
f) Traffic Padding: The insertion of bits into gaps in a data stream to frustrate traffic analysis attempts.
g) Routing Control: Enables selection of particular physically secure routes for certain data and allows
routing changes, especially when a breach of security is suspected.
h) Notarization: The use of a trusted third party to assure certain properties of a data exchange.
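The following Python example is added to connect the traffic-analysis attack of 1.2.2 (b) with the traffic padding mechanism (f) above; it is not code from the notes. Instead of a real cipher it models the ciphertext as random bytes of the same length as the plaintext, which is exactly what a stream cipher or AES-CTR gives a passive observer: no content, but the true length. The reply vocabulary and "protocol" are constructed. With unpadded traffic the observer recovers each reply from its length alone; after padding to a fixed bucket the lengths carry no information.

```python
"""Added example: traffic analysis on perfectly encrypted traffic, and traffic
padding as the counter-measure. The ciphertext stand-in is random noise."""
import os
from typing import List, Set

# Constructed protocol: a small vocabulary of confidential replies.
REPLIES = [b"NO", b"YES", b"ACCESS DENIED", b"TRANSFER APPROVED: 500000"]


def encrypt_stub(plaintext: bytes) -> bytes:
    """Stand-in for a length-preserving cipher: the observer sees only bytes of the
    same length. Not encryption (it is unrecoverable noise), used for the model only."""
    return os.urandom(len(plaintext))


def pad(msg: bytes, bucket: int = 64) -> bytes:
    """Traffic padding: 2-byte length prefix, message, random filler up to the next
    multiple of `bucket`. Every reply shorter than bucket-2 now has the same size."""
    if len(msg) > 0xFFFF:
        raise ValueError("message too long for a 2-byte length prefix")
    body = len(msg).to_bytes(2, "big") + msg
    return body + os.urandom(-len(body) % bucket)


def unpad(padded: bytes) -> bytes:
    """Receiver side: the length prefix says where the real message ends."""
    n = int.from_bytes(padded[:2], "big")
    return padded[2:2 + n]


def observed_lengths(ciphertexts: List[bytes]) -> List[int]:
    """All a passive observer records per message: its size (timing is omitted here)."""
    return [len(c) for c in ciphertexts]


def candidates_for(observed_len: int, vocabulary: List[bytes], bucket: int = 0) -> Set[bytes]:
    """Traffic analysis: which replies are consistent with a ciphertext of this size?
    bucket=0 means the traffic was unpadded; otherwise it was padded to `bucket`."""
    def size(m: bytes) -> int:
        return len(pad(m, bucket)) if bucket else len(m)
    return {m for m in vocabulary if size(m) == observed_len}


if __name__ == "__main__":
    unpadded = [encrypt_stub(m) for m in REPLIES]
    print(observed_lengths(unpadded))                    # [2, 3, 13, 25]: every reply distinct
    print(candidates_for(2, REPLIES))                    # {b'NO'}: content recovered from size

    padded = [encrypt_stub(pad(m)) for m in REPLIES]
    print(observed_lengths(padded))                      # [64, 64, 64, 64]
    print(len(candidates_for(64, REPLIES, bucket=64)))   # 4: nothing learned from size
    print(unpad(pad(b"YES")))                            # b'YES'
```

Padding hides sizes within a bucket but not the number of buckets a long message needs, nor message timing, frequency or the communicating addresses; the routing control mechanism (g) and dummy traffic address those.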

Pervasive Security Mechanism


Pervasive Security Mechanisms are not specific to any particular OSI security service or protocol layer.
a) Trusted Functionality: That which is perceived to be correct with respect to some criteria (e.g., as
established by a security policy).
b) Security Label: The marking bound to a resource (which may be a data unit) that names or designates the
security attributes of that resource.
c) Event Detection: Detection of security-relevant events.
d) Security Audit Trail: Data collected and potentially used to facilitate a security audit, which is an
independent review and examination of system records and activities.
e) Security Recovery: Deals with requests from mechanisms, such as event handling and management
functions, and takes recovery actions.

1.3 TYPES OF COMPUTER AND NETWORK ATTACKS


1) Eavesdropping
Eavesdropping attacks involve an attacker intercepting traffic as it is sent through the network. In this way,
an attacker can collect usernames, passwords and other confidential information such as credit card numbers.
Eavesdropping can be passive or active. In passive eavesdropping the attacker only "listens in" on the
transmissions, for example by sniffing a shared medium such as Wi-Fi or a mirrored switch port, and looks for
useful data to steal. In active eavesdropping the attacker inserts themselves into the traffic path (for example
by ARP or DNS spoofing) so that the traffic flows through a system they control; this is a form of
man-in-the-middle (MITM) attack. One of the best defences against both is encrypting traffic with an
authenticated protocol such as TLS, so that captured data cannot be read and an inserted party cannot
impersonate the real endpoint.
2) Distributed Denial of Service
A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a targeted
server, service, or network by overwhelming the target or its surrounding infrastructure with a flood of Internet
traffic. DDoS attacks achieve effectiveness by utilizing multiple compromised computer systems as sources
of attack traffic. Exploited machines can include computers and other networked resources such as IoT
devices. From a high level, a DDoS attack is like an unexpected traffic jam clogging up the highway,
preventing regular traffic from arriving at its destination.
DDoS attacks can be segregated by which layer of the Open Systems Interconnection (OSI) model they attack.
They are most common in the Network (layer 3), Transport (Layer 4), Presentation (Layer 6) and Application
(Layer 7) Layers.

DDoS attacks are carried out with networks of Internet-connected machines. These networks consist of
computers and other devices (such as IoT devices) that have been infected with malware, allowing them to be
controlled remotely by an attacker. These individual devices are referred to as bots (or zombies), and a group
of bots is called a botnet. Once a botnet has been established, the attacker is able to direct an attack by sending
remote instructions to each bot. When a victim’s server or network is targeted by the botnet, each bot sends
requests to the target’s IP address, potentially causing the server or network to become overwhelmed, resulting
in a denial of service to normal traffic. Because each bot is a legitimate Internet device, separating the attack
traffic from normal traffic can be difficult.
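The following Python example is added to show the detection problem the paragraph above ends on; it is not code from the notes. It runs a per-source request-rate check over constructed web-server log lines in the Apache/Nginx "combined" layout (all addresses from the RFC 5737 documentation ranges, all traffic made up). A single host flooding from one address is caught at once, while 40 bots that together send more than twice as many requests each stay under the threshold and are never flagged, which is why rate-limiting by IP alone does not stop a DDoS.

```python
"""Added example: per-source rate detection over constructed access-log lines,
and why it misses a distributed flood."""
import re
from collections import Counter
from typing import Dict, List

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)


def build_sample_log() -> List[str]:
    """Constructed one-second window: 5 legitimate users (2 requests each),
    1 noisy host (50 requests) and 40 bots (3 requests each, 120 in total)."""
    def line(src: str, i: int) -> str:
        return f'{src} - - [10/Oct/2024:13:55:36 +0000] "GET /index.html?{i} HTTP/1.1" 200 5120'
    lines: List[str] = []
    for u in range(5):
        lines += [line(f"192.0.2.{u + 1}", i) for i in range(2)]
    lines += [line("203.0.113.7", i) for i in range(50)]
    for b in range(40):
        lines += [line(f"198.51.100.{b + 1}", i) for i in range(3)]
    return lines


def requests_per_source(lines: List[str]) -> Counter:
    """Count parsable requests per client address."""
    counts: Counter = Counter()
    for ln in lines:
        m = LOG_RE.match(ln)
        if m:
            counts[m.group("src")] += 1
    return counts


def flag_sources(lines: List[str], threshold: int) -> Dict[str, int]:
    """Sources that sent more than `threshold` requests in the window."""
    return {src: n for src, n in requests_per_source(lines).items() if n > threshold}


def volume_by_prefix(lines: List[str], prefix: str) -> int:
    """Aggregate view: total requests from every address sharing an IP prefix."""
    return sum(n for src, n in requests_per_source(lines).items() if src.startswith(prefix))


if __name__ == "__main__":
    log = build_sample_log()
    print(flag_sources(log, threshold=20))           # {'203.0.113.7': 50}: the lone flooder
    print(volume_by_prefix(log, "198.51.100."))      # 120 requests from the botnet, none flagged
    print(sum(requests_per_source(log).values()))    # 180 in total against 10 legitimate
```

The practical consequence is that DDoS detection has to compare aggregate request volume against a learned baseline, and that mitigation (scrubbing, anycast, upstream filtering) must happen before the traffic reaches the server, since each bot individually looks like a normal client.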
3) Malware
Malware is a general term for malicious software. Malware infects a computer and changes how it functions,
destroys data, or spies on the user or network traffic as it passes through. Malware can either spread from one
device to another or remain in place, only impacting its host device.

Malware plays a part in several of the other attacks described here: phishing commonly delivers it, ransomware
and Trojan horses are kinds of malware, and drive-by attacks install it through the browser. (SQL injection and
XSS, by contrast, are attacks on web applications and do not themselves require malware on the victim's
machine.)
For malware to do harm it must be executed on the target device. This usually requires an action by the user,
such as opening an attachment or running a download, although worms and drive-by exploits can infect a device
without any user action. Therefore, in addition to endpoint protection and network filters that detect malware,
and keeping systems patched, users should be educated about which software to avoid, which links to verify
before clicking, and which e-mails and attachments not to engage with.
4) Man-in-the-Middle Attack
Man-in-the-middle (MITM) type of cyber-attack refers to breaches in cybersecurity that make it possible for
an attacker to eavesdrop on the data sent back and forth between two people, networks, or computers. It is
called a “man in the middle” attack because the attacker positions themselves in the “middle” or between the
two parties trying to communicate. In effect, the attacker is spying on the interaction between the two parties.
In an MITM attack, the two parties believe they are communicating as they normally do. What they do not know
is that the attacker reads, and possibly modifies, each message before relaying it to its destination. Ways to
protect yourself and your organization from MITM attacks include using strong, authenticated encryption
(WPA2/WPA3 on access points, and TLS with certificate validation for applications) and using a virtual private
network (VPN) on untrusted networks.
For example, the attacker can re-route a data exchange. At the lower network layers a computer often cannot
verify who it is really exchanging data with (ARP and plain DNS, for instance, have no built-in authentication),
so an attacker can insert themselves between a client and a web server, and a Man-in-the-Middle attack occurs.
This form of assault comes in many different forms.
For example: to intercept financial login credentials, a fraudulent banking website can be used. Between the
user and the real bank webpage, the fake site lies "in the middle".
Typically these attacks proceed in two stages, interception and decryption. Data interception: the attacker gets
between a client and a server (for example via a rogue Wi-Fi access point, ARP spoofing or DNS spoofing), tricks
both into believing they are talking to each other, opens a connection to the real site and acts as a proxy that
can read and insert false information into the communication. Decryption: if the traffic is encrypted, the
attacker tries to strip that protection, for example by downgrading the connection to an unencrypted one or by
presenting a forged certificate that the victim accepts. Properly validated TLS certificates defeat this second
stage, which is why certificate warnings should never be clicked through.

5) Phishing
Phishing attacks are fraudulent emails, text messages, phone calls, or websites that seem to be coming from
trusted, legitimate sources in an attempt to grab sensitive information from the target. Phishing attacks are
designed to trick users into actions like the following:
• Downloading malware.
• Sharing sensitive information or personal data (for example, Social Security and credit card numbers,
bank account numbers, login credentials).
• Other actions that expose themselves or their organizations to cybercrime.
Successful phishing attacks often lead to identity theft, credit card fraud, ransomware attacks, data breaches
and huge financial losses for individuals and corporations.
To execute the attack, the attacker may send a link that brings you to a website that then fools you into
downloading malware such as viruses or giving the attacker your private information. In many cases, the target
may not realize they have been compromised, which allows the attacker to go after others in the same
organization without anyone suspecting malicious activity.
You can reduce the chance that phishing succeeds by thinking carefully about the e-mails you open and the links
you click. Pay close attention to e-mail headers, and do not click on anything that looks suspicious. Check the
"Reply-To" and "Return-Path" headers: they normally belong to the same domain as the "From" address, and a
mismatch is a warning sign (though not proof, since mailing lists and bulk senders legitimately differ). Also
look at the SPF, DKIM and DMARC results your mail provider records in the "Authentication-Results" header, and
hover over links to compare the displayed text with the real destination before clicking.
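The following Python example is added to implement the header checks just described with the standard library's email package; it is not code from the notes. The two messages are constructed and use reserved example domains. It flags Reply-To or Return-Path domains that differ from the From domain and any SPF/DKIM/DMARC failure recorded by the receiving server. A mismatch is a signal for a human to look closer, not a verdict: legitimate bulk mail often has a different Return-Path, and an attacker who controls a look-alike domain can make every header agree.

```python
"""Added example: phishing header checks (Reply-To / Return-Path domain mismatch,
Authentication-Results failures) on constructed messages."""
from email import message_from_string
from email.utils import parseaddr
from typing import List


def domain_of(header_value: str) -> str:
    """Extract the domain of the address in a header value, lower-cased."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()


def header_warnings(raw_message: str) -> List[str]:
    msg = message_from_string(raw_message)
    from_domain = domain_of(msg.get("From", ""))
    warnings = []
    for name in ("Reply-To", "Return-Path"):
        value = msg.get(name)
        if value and domain_of(value) != from_domain:
            warnings.append(f"{name} domain {domain_of(value)!r} differs from From domain {from_domain!r}")
    # The receiving server records SPF/DKIM/DMARC verdicts here; an explicit fail is a strong signal.
    auth = (msg.get("Authentication-Results") or "").lower()
    for check in ("spf", "dkim", "dmarc"):
        if f"{check}=fail" in auth:
            warnings.append(f"{check.upper()} failed according to Authentication-Results")
    return warnings


# Constructed messages; all domains are reserved example names.
SUSPICIOUS = """\
From: "Example Bank Support" <support@examplebank.example.com>
Reply-To: verify-account@examplebank-secure.example.net
Return-Path: <bounce-8813@mailer.example.org>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mailer.example.org; dkim=none; dmarc=fail
Subject: Urgent: confirm your account

Your account will be suspended. Reply with your password to keep it active.
"""

LEGITIMATE = """\
From: "Example Bank" <notices@examplebank.example.com>
Reply-To: notices@examplebank.example.com
Return-Path: <notices@examplebank.example.com>
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass
Subject: Your monthly statement is ready

Log in through the app to view your statement.
"""

if __name__ == "__main__":
    for w in header_warnings(SUSPICIOUS):
        print("WARNING:", w)
    print("legitimate message warnings:", header_warnings(LEGITIMATE))   # []
```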

6) SQL Injection:
SQL injection is a technique in which an attacker supplies web page input that is interpreted as part of an SQL
statement rather than as data. Because the application builds its query by concatenating the input into the SQL
text, the attacker's input changes what the query does and so manipulates the application's database. SQL
injection is a code injection technique that can compromise your database and is one of the most common web
hacking techniques.
An SQL injection attack can be done with the following intentions:
• To dump the whole database of a system,
• To modify the content of the database, or
• To perform queries that are not allowed by the application (including bypassing a login check).
This type of attack works when the application does not separate code from data before passing input to an
SQL statement. Injection points are normally URL parameters, search fields, form fields, cookies or HTTP
headers. A quick way to test whether a web application is vulnerable is to put a single quote (') into an input
and see whether the application returns a database error: the error shows that the quote reached the SQL parser
unescaped. The absence of an error does not prove safety, because "blind" injections produce no visible error.
The reliable defence is to use parameterized (prepared) statements so that input is always passed as data,
combined with input validation and a least-privilege database account for the application.
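The following Python example is added to show the vulnerable pattern, the parameterized fix and the single-quote probe side by side; it is not code from the notes. It uses Python's built-in sqlite3 module with an in-memory database and two constructed users. Passwords are stored in clear only to keep the injection demonstration short; real systems store salted hashes.

```python
"""Added example: login check vulnerable to SQL injection, the parameterized
version, and the single-quote probe. In-memory SQLite, constructed users."""
import sqlite3


def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Deliberately vulnerable: input is pasted into the SQL text, so a quote in the
    input ends the string literal and whatever follows is executed as SQL."""
    sql = (f"SELECT id FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterized query: the driver passes the input as data, never as SQL code,
    so a quote or an OR clause in the input is just a wrong password."""
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def single_quote_probe(conn: sqlite3.Connection, login) -> bool:
    """The detection trick from the text: does a lone quote cause a database
    error? True means the quote reached the SQL parser unescaped."""
    try:
        login(conn, "alice'", "x")
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = setup_db()
    print(login_vulnerable(db, "alice", "s3cret"))          # True  (normal login)
    print(login_vulnerable(db, "alice", "x' OR '1'='1"))    # True  (... AND password = 'x' OR '1'='1')
    print(login_vulnerable(db, "alice' --", "anything"))    # True  (-- comments out the password check)
    print(login_safe(db, "alice", "x' OR '1'='1"))          # False (payload is a wrong password)
    print(single_quote_probe(db, login_vulnerable))         # True  (error reveals the flaw)
    print(single_quote_probe(db, login_safe))               # False
```

The same two payloads work against most SQL dialects with minor changes to the comment syntax; the fix is the same everywhere, because with a prepared statement the query's structure is fixed before any user data is bound to it.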

7) Session Hijacking
Session hijacking is one of several attacks that can be carried out from a man-in-the-middle position. The
attacker takes over an established session between a client and a server, for example by stealing the session
cookie or token that a web application uses to recognise the logged-in client, or, at the TCP level, by
predicting sequence numbers and injecting packets that carry the client's source IP address. The server
continues the session without suspecting that it is now communicating with the attacker instead of the client.
The attack is effective because, once a session is established, the server trusts the session identifier (or the
source address) rather than re-authenticating each request.
To prevent session hijacking, encrypt the whole session with TLS so that session identifiers cannot be captured
on the network, mark session cookies Secure and HttpOnly, use unpredictable session identifiers and regenerate
them after login, and use a VPN to reach business-critical servers from untrusted networks, so that all
communication travels inside an encrypted tunnel the attacker cannot join.
8) Insider Threat
Sometimes, the most dangerous actors come from within an organization. People within a company’s doors
pose a special danger because they typically have access to a variety of systems and in some cases, admin
privileges that enable them to make critical changes to the system or its security policies.
In addition, people within the organization often have an in-depth understanding of its cybersecurity
architecture, as well as how the business reacts to threats. This knowledge can be used to gain access to
restricted areas, make changes to security settings, or deduce the best possible time to conduct an attack.
One of the best ways to prevent insider threats in organizations is to limit employees' access to sensitive
systems to only those who need them to perform their duties. Also, for the select few who need access, use
MFA, which will require them to use at least one thing they know in conjunction with a physical item they
have to gain access to a sensitive system.
9) Ransomware
With ransomware, the victim's data or system is held hostage until they pay a ransom to the attacker. After
payment the attacker may provide a decryption key or instructions to regain control, but there is no guarantee
of this. The name "ransomware" is appropriate because the malware demands a ransom from the victim.
In a ransomware attack, the target typically receives the ransomware from a website, an e-mail attachment, or
through an exposed remote-access service reached with stolen credentials. The malware may also exploit
vulnerabilities that have not been patched by the system's manufacturer or the IT team. The ransomware then
encrypts the files on the target's workstation. Ransomware is often used to attack many parties at once by
denying access to several computers or to a central server essential to business operations.
Affecting multiple computers is often accomplished by delaying the encryption until days or even weeks after
the malware's initial penetration, while it spreads across the internal network (via network shares, remote
administration tools, or removable USB drives connected to several machines). Then, when the attacker
triggers the encryption, it runs on all infected systems simultaneously. Regular offline (or otherwise
immutable) backups that are tested for restoration are the most reliable way to recover without paying.
10) DNS Spoofing
DNS Spoofing is a type of computer attack wherein a user is forced to navigate to a fake website disguised to
look like a real one, to divert traffic or steal the credentials of the users. Spoofing attacks can go on for a long
period without being detected and can cause serious security issues.
In a DNS spoofing attack, the attacker takes advantage of the fact that the user thinks the site they are visiting
is legitimate. This gives the attacker the ability to commit crimes in the name of an innocent company, at least
from the perspective of the visitor.
The Domain Name System (DNS) resolves human-readable domain names like www.example.com into the respective
IP addresses that are used for locating and communicating between nodes on the Internet. DNS spoofing is
done by replacing the IP addresses stored in the DNS server with ones under the control of the attacker.
Once this is done, whenever users try to go to a particular website, they are directed to the false website placed
by the attacker in the spoofed DNS server.
To prevent DNS spoofing, make sure your DNS servers are kept up-to-date. Attackers aim to exploit
vulnerabilities in DNS servers, and the most recent software versions often contain fixes that close known
vulnerabilities.
1.4 TYPES OF CRYPTOGRAPHY


1.4.1 Introduction to Cryptography
Cryptography is a technique of securing information and communications through the use of codes so that
only those people for whom the information is intended can understand and process it, thus preventing
unauthorized access to the information. The prefix “crypt” means “hidden” and the suffix “graphy” means
“writing”. In Cryptography, the techniques that are used to protect information are obtained from mathematical
concepts and a set of rule-based calculations known as algorithms to convert messages in ways that make it
hard to decode them. These algorithms are used for cryptographic key generation, digital signing and
verification to protect data privacy, web browsing on the internet and to protect confidential transactions such
as credit card and debit card transactions.
Cryptographic systems are characterized along three independent dimensions:
1) The type of operations used for transforming plaintext to ciphertext (Substitution and Transposition).
2) The number of keys used (Symmetric Key and Asymmetric Key).
3) The way in which the plaintext is processed (Block Cipher and Stream Cipher).

Features of Cryptography:
1) Confidentiality
2) Integrity
3) Non-repudiation
4) Authentication

1.4.2 Symmetric Cipher Model


A symmetric cipher scheme consists of 5 main components:


1) Plain Text: The original message, before being transformed, is called plaintext.
2) Encryption Algorithm: The process of transforming the plaintext into ciphertext is known as
enciphering or encryption. It takes plain text and key value as input to produce cipher text. The
encryption algorithm performs various substitutions and transformations on the plaintext.
3) Secret Key: The secret key is also input to the encryption algorithm. The key is a value independent
of the plaintext and the algorithm. The algorithm will produce a different output depending on the
specific key being used at the time. The exact substitutions and transformations performed by the
algorithm depend on the key.
4) Cipher Text: The original message after being transformed into a non-readable message is called
ciphertext. This is the scrambled message produced as output. It depends on the plaintext and the secret
key. For a given message, two different keys will produce two different ciphertexts.
5) Decryption Algorithm: The process of transforming the cipher text back into plain text is known as
deciphering or decryption. It takes cipher text and key value as input to produce plain text back.

1.4.3 Cryptanalysis
Typically, the objective of attacking an encryption system is to recover the key in use rather than simply
to recover the plaintext of a single ciphertext. There are two general approaches to attacking a conventional
encryption scheme:
1) Cryptanalysis: Cryptanalytic attacks rely on the nature of the algorithm plus perhaps some knowledge
of the general characteristics of the plaintext or even some sample plaintext ciphertext pairs. This type
of attack exploits the characteristics of the algorithm to attempt to deduce a specific plaintext or to
deduce the key being used.
2) Brute-force attack: The attacker tries every possible key on a piece of ciphertext until an intelligible
translation into plaintext is obtained. On average, half of all possible keys must be tried to achieve
success.

1.4.4 Types of Cryptography


There are three types of Cryptography:
1) Symmetric Key Cryptography
2) Asymmetric Key Cryptography
3) Hash Function
Symmetric Key Cryptography:
Symmetric key cryptography is also known as secret-key cryptography, and in this type of cryptography, you
can use only a single key. The sender and the receiver can use that single key to encrypt and decrypt a message.
Because there is only one key for encryption and decryption, the symmetric key system has one major
disadvantage: the two parties must exchange the key securely. The most popular symmetric key cryptography
systems are the Data Encryption Standard (DES), the Advanced Encryption Standard (AES) and Blowfish.

Asymmetric Key Cryptography:


Asymmetric key cryptography is also known as public key cryptography and it employs the use of two keys.
This cryptography differs from and is more secure than symmetric key cryptography. In this system, each user
encrypts and decrypts using two keys, i.e. a pair of keys (private key and public key). Each user keeps the
private key secret and the public key is distributed across the network so that anyone can use that public key
to send a message to its owner. Either key of the pair can be used to encrypt the message, and the
remaining key is then used for decryption. The most popular asymmetric key cryptography systems are DSA and RSA.

Hash Function:
It is a type of cryptography in which a hash algorithm takes a message of arbitrary length as input and
returns an output of fixed length (the hash or message digest). It is also referred to as a mathematical equation
because it uses numerical values as input to generate the hash. This method does not require a key
because it operates in a one-way scenario: the digest cannot be reversed to recover the message. Hashing proceeds
in rounds; each round takes the most recent block of input together with the output of the previous round and
produces the output for the next round. Commonly used hash algorithms include Message Digest 5 (MD5) and
SHA (Secure Hash Algorithm).
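As an added example (not part of these notes), the Python script below uses only the standard library to show the properties just described: a fixed-length digest whatever the input size, the avalanche effect when a single character changes, and a keyless integrity check. The function names are chosen here and are not taken from the notes.

```python
import hashlib
import hmac


def digest_hex(data: bytes, algorithm: str = "sha256") -> str:
    """Keyless, one-way digest of an input of any length, returned as a hex string."""
    return hashlib.new(algorithm, data).hexdigest()


def digest_bits(data: bytes, algorithm: str = "sha256") -> int:
    """Length of the digest in bits: fixed for a given algorithm, whatever the input size."""
    return len(hashlib.new(algorithm, data).digest()) * 8


def differing_bits(hex_a: str, hex_b: str) -> int:
    """Hamming distance between two hex digests (used to observe the avalanche effect)."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def verify_integrity(data: bytes, expected_hex: str, algorithm: str = "sha256") -> bool:
    """Integrity check: recompute the digest and compare it in constant time. No key is involved."""
    return hmac.compare_digest(digest_hex(data, algorithm), expected_hex)


if __name__ == "__main__":
    # Constructed sample inputs: a short message and a 1 MB blob.
    short = b"transfer 100 to account 42"
    large = b"A" * 1_000_000
    print("sha256 bits:", digest_bits(short), digest_bits(large))   # 256 for both inputs
    print("sha512 bits:", digest_bits(large, "sha512"))               # 512
    # Changing one character changes roughly half of the digest bits.
    h1 = digest_hex(short)
    h2 = digest_hex(b"transfer 900 to account 42")
    print("bits changed:", differing_bits(h1, h2), "of", digest_bits(short))
    # The receiver verifies integrity by recomputing the digest of what arrived.
    print("intact:", verify_integrity(short, h1))
    print("tampered:", verify_integrity(b"transfer 900 to account 42", h1))
```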
UNIT-2
CRYPTOGRAPHY IN NETWORK
2.1 INTRODUCTION TO SYMMETRIC ENCRYPTION & ASYMMETRIC ENCRYPTION
2.1.1 Symmetric Encryption
Symmetric Encryption is a type of encryption where only one key (a secret key) is used to encrypt and decrypt
electronic data. The entities communicating via symmetric encryption must exchange the key so that it can be
used in the decryption process.
By using symmetric encryption algorithms, data is "scrambled" so that it can't be understood by anyone who
does not possess the secret key to decrypt it. Once the intended recipient who possesses the key has the
message, the algorithm reverses its action so that the message is returned to its original readable form. The
secret key that the sender and recipient both use could be a specific password/code or it can be a random string
of letters or numbers that have been generated by a secure Random Number Generator (RNG).

There are two types of Symmetric Encryption Algorithms:


1) Block Algorithms: Set lengths of bits are encrypted in blocks of electronic data with the use of a
specific secret key. As the data is being encrypted, the system holds the data in its memory as it waits
for complete blocks.
2) Stream Algorithms: Data is encrypted as it streams instead of being retained in the system’s memory.
Some examples of symmetric encryption algorithms include:
1) AES (Advanced Encryption Standard)
2) DES (Data Encryption Standard)
3) IDEA (International Data Encryption Algorithm)
4) Blowfish (Drop-in replacement for DES or IDEA)
5) RC4 (Rivest Cipher 4)
6) RC5 (Rivest Cipher 5)
7) RC6 (Rivest Cipher 6)
AES, DES, IDEA, Blowfish, RC5 and RC6 are block ciphers. RC4 is a stream cipher.
2.1.2 Asymmetric Encryption


Asymmetric encryption, also known as public-key cryptography, is a type of encryption that uses a pair of
keys to encrypt and decrypt data. The pair of keys includes a public key, which can be shared with anyone,
and a private key, which is kept secret by the owner. In asymmetric encryption, the sender uses the recipient’s
public key to encrypt the data. The recipient then uses their private key to decrypt the data. This approach
allows secure communication between two parties without the need for both parties to have the same secret
key. Asymmetric encryption is commonly used in various applications like secure online communication
including email encryption, e-commerce, online banking, digital and secure data transfer. Examples of
asymmetric encryption algorithms include RSA, Diffie-Hellman and Elliptic Curve Cryptography (ECC).
Digital Signature which is used to confirm the legitimacy of digital documents and messages is another
application of it.

Advantages:
1) Enhanced Security: Asymmetric encryption provides a higher level of security than symmetric encryption.
In symmetric encryption only one key is used for both encryption and decryption; in asymmetric encryption a
different key is used for each process, and the private key used for decryption is kept secret by the
receiver, making it harder for an attacker to intercept and decrypt the data.
2) Authentication: Asymmetric encryption can be used for authentication purposes, which means that the
receiver can verify the sender’s identity.
3) Non-repudiation: Asymmetric encryption also provides non-repudiation, which means that the sender
cannot deny sending a message or altering its contents. This is because the message is encrypted with the
sender’s private key and only their public key can decrypt it. Therefore, the receiver can be sure that the
message was sent by the sender and has not been tampered with.
4) Key Distribution: Asymmetric encryption eliminates the need for the secure key distribution system that
is required in symmetric encryption. With symmetric encryption, the same key is used for both encryption
and decryption and the key needs to be securely shared between the sender and the receiver. Asymmetric
encryption, on the other hand, allows the public key to be shared openly while the private key is kept secret
by the receiver.
5) Versatility: Asymmetric encryption can be used for a wide range of applications, including secure email
communication, online banking transactions and e-commerce. It is also used to secure SSL/TLS
connections, which are commonly used to secure internet traffic.
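As an added example (not from these notes), the textbook RSA script below shows the key roles described above: the sender encrypts with the recipient's public key, only the private key decrypts, and a signature made with the sender's private key is verified with the sender's public key. The primes are toy values chosen here for illustration only, and no padding scheme is used, so this demonstrates the mechanism rather than a usable implementation.

```python
def egcd(a: int, b: int):
    """Extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def mod_inverse(a: int, m: int) -> int:
    """Multiplicative inverse of a modulo m; exists only when gcd(a, m) == 1."""
    g, x, _ = egcd(a, m)
    if g != 1:
        raise ValueError("no modular inverse: gcd(a, m) != 1")
    return x % m


def generate_keypair(p: int, q: int, e: int = 17):
    """Textbook RSA key pair from two primes: public (e, n), private (d, n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = mod_inverse(e, phi)          # e * d == 1 (mod phi)
    return (e, n), (d, n)


def encrypt(public_key, m: int) -> int:
    """The sender encrypts with the RECIPIENT'S public key."""
    e, n = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer smaller than n")
    return pow(m, e, n)


def decrypt(private_key, c: int) -> int:
    """Only the holder of the matching private key recovers m."""
    d, n = private_key
    return pow(c, d, n)


def sign(private_key, m: int) -> int:
    """Digital signature: the sender applies its OWN private key to the message."""
    d, n = private_key
    return pow(m, d, n)


def verify(public_key, m: int, signature: int) -> bool:
    """Anyone can check the signature with the signer's public key (non-repudiation)."""
    e, n = public_key
    return pow(signature, e, n) == m


if __name__ == "__main__":
    # Toy primes for illustration only; real keys use primes of 1024 bits or more.
    bob_public, bob_private = generate_keypair(61, 53)       # n = 3233
    # Alice wraps a small "session key" value with Bob's public key; Bob unwraps it.
    session_key = 65
    c = encrypt(bob_public, session_key)
    print("ciphertext:", c, "recovered:", decrypt(bob_private, c))
    # Alice signs with her own private key; Bob verifies with her public key.
    alice_public, alice_private = generate_keypair(47, 59)   # n = 2773
    sig = sign(alice_private, 1234)
    print("valid:", verify(alice_public, 1234, sig), "tampered:", verify(alice_public, 1235, sig))
```

The integer wrapped with the public key plays the role of the session key from the table below: asymmetric encryption establishes the secure channel, and bulk data is then carried by a symmetric cipher.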

2.1.3 Difference between Symmetric Encryption and Asymmetric Encryption

Keys used
  Symmetric Encryption: It uses a single shared key (secret key) to encrypt and decrypt the message.
  Asymmetric Encryption: It uses two different keys for encryption and decryption.
Size
  Symmetric Encryption: The size of the ciphertext could be the same as or smaller than the plain text.
  Asymmetric Encryption: The size of the ciphertext could be the same as or larger than the plain text.
Efficiency
  Symmetric Encryption: It is efficient, as this technique is recommended for large amounts of text.
  Asymmetric Encryption: It is inefficient, as this technique is used only for short messages.
Speed
  Symmetric Encryption: The encryption process is faster, as it uses a single key for encryption and decryption.
  Asymmetric Encryption: The encryption process is slower, as it uses two different keys; both keys are related to each other through a complicated mathematical process.
Purpose
  Symmetric Encryption: It is mainly used to transmit bulk data.
  Asymmetric Encryption: It is mainly used in smaller transactions. It is used for establishing a secure connection channel before transferring the actual data.
Security
  Symmetric Encryption: It is less secure, as a single key is used for encryption.
  Asymmetric Encryption: It is safer, as two keys are used for encryption and decryption.
Algorithms
  Symmetric Encryption: 3DES, AES, DES and RC4.
  Asymmetric Encryption: RSA, DSA, Diffie-Hellman, ECC.
Existence
  Symmetric Encryption: It is an old technique.
  Asymmetric Encryption: It is a new technique.
2.2 SUBSTITUTION TECHNIQUES FOR ENCRYPTION AND DECRYPTION


2.2.1 Introduction
The two basic building blocks of all encryption techniques are substitution and transposition. A substitution
technique is one in which the letters of plaintext are replaced by other letters or by numbers or symbols. In
simple terms, the plaintext characters are substituted and additional substitute letters, numerals and symbols
are implemented in their place. If the plaintext is viewed as a sequence of bits, then substitution involves
replacing plaintext bit patterns with ciphertext bit patterns. A character's identity is changed, but its place
remains constant in the substitution technique. There are various methods for substitution techniques such as
Caesar Cipher, Shift Cipher, Monoalphabetic Cipher, Playfair Cipher, Polyalphabetic Cipher (Vigenere
Cipher), One Time Pad (Vernam Cipher), Hill Cipher.

2.2.2 Caesar Cipher Substitution Technique


It is the earliest known use of a substitution cipher and the simplest method. It was invented by Julius Caesar.
The Caesar Cipher involves replacing each letter of the alphabet with the letter standing three places further
down the alphabet. The encryption can be represented using modular arithmetic by first transforming the
letters into numbers.

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25

The formula of Encryption is:


CT = E (K, PT) = (PT + K) mod 26
The formula of Decryption is:
PT = D (K, CT) = (CT - K) mod 26
Where
PT = Plain Text,
CT = Cipher Text,
K = Key,
E = Encryption,
D = Decryption
In any case, during decryption, if the value becomes negative (-ve), then in that case, 26 will be added to that
particular negative value and then decryption will be carried out.
EXAMPLE:
Plain Text: SECURITY, Key: 3
ENCRYPTION:
Plain Text | Encryption: CT = (PT + 3) mod 26 | Cipher Text
S (18) (18 + 3) mod 26 = 21 mod 26 = 21 V
E (04) (04 + 3) mod 26 = 07 mod 26 = 07 H
C (02) (02 + 3) mod 26 = 05 mod 26 = 05 F
U (20) (20 + 3) mod 26 = 23 mod 26 = 23 X
R (17) (17 + 3) mod 26 = 20 mod 26 = 20 U
I (08) (08 + 3) mod 26 = 11 mod 26 = 11 L
T (19) (19 + 3) mod 26 = 22 mod 26 = 22 W
Y (24) (24 + 3) mod 26 = 27 mod 26 = 01 B
Cipher Text: VHFXULWB

DECRYPTION:
Cipher Text | Decryption: PT = (CT - 3) mod 26 | Plain Text
V (21) (21 - 3) mod 26 = 18 mod 26 = 18 S
H (07) (07 - 3) mod 26 = 04 mod 26 = 04 E
F (05) (05 - 3) mod 26 = 02 mod 26 = 02 C
X (23) (23 - 3) mod 26 = 20 mod 26 = 20 U
U (20) (20 - 3) mod 26 = 17 mod 26 = 17 R
L (11) (11 - 3) mod 26 = 08 mod 26 = 08 I
W (22) (22 - 3) mod 26 = 19 mod 26 = 19 T
B (01) (01 - 3) mod 26 = 24 mod 26 = 24 Y
Plain Text: SECURITY

*Calculation for (1-3) mod26:


Here 1 – 3 = -2. Modulo division of negative numbers is not possible. So firstly, we will add 26 to the
negative number i.e. -2+26 = 24. After that modulo division is carried out i.e. 24 mod 26 =24.
Features:
1) Ease of Implementation
2) Speed
3) Symmetric Encryption
4) Weak Security
5) Limited Applicability

2.2.3 Playfair Cipher Technique


The Playfair cipher was invented by Sir Charles Wheatstone, but it was popularized by his friend Lyon
Playfair, hence the name "Playfair Cipher." The Playfair cipher is a digraphic substitution cipher, meaning it
operates on pairs of letters (digraphs) rather than individual letters, which adds an extra layer of complexity
compared to simpler substitution ciphers like the Caesar Cipher. The best-known multiple-letter encryption
cipher is the Playfair. The Playfair algorithm is based on the use of a 5 x 5 matrix of letters constructed using
a keyword. The matrix is constructed by filling in the letters of the keyword (minus duplicates) from left to
right and from top to bottom, and then filling in the remainder of the matrix with the remaining letters in
alphabetic order. The letters I and J count as one letter. Plaintext is encrypted two letters at a time, according
to the following rules:
1) Firstly, break down the plain text into pairs of two letters. For example, "playfair" would be pl ay fa ir.
2) While making pairs from the plain text, if the last letter is left single, add a filler letter such as x. For example,
"technique" would be te ch ni qu ex.
3) Repeating plain text letters that fall in the same pair are separated with a filler letter such as x. For example,
"balloon" would be treated as ba lx lo on.
4) If repeating plain text letters fall in different pairs, there is no need to separate them with a filler letter.
5) Two plain text letters that fall in the same row of the matrix are each replaced by the letter to the right, with
the first element of the row circularly following the last.
6) Two plain text letters that fall in the same column are each replaced by the letter beneath, with the top
element of the column circularly following the last.
7) Otherwise, each plain text letter in a pair is replaced by the letter that lies in its own row and the column
occupied by the other plain text letter.
8) For decryption, two cipher text letters that fall in the same row of the matrix are each replaced by the
letter to the left, with the last element of the row circularly following the first.
9) For decryption, two cipher text letters that fall in the same column are each replaced by the letter above,
with the bottom element of the column circularly following the first.
10) Otherwise, each cipher text letter in a pair is replaced by the letter that lies in its own row and the
column occupied by the other cipher text letter.
EXAMPLE:
1) Plain Text: COMPUTER, Key: NETWORK

N E T W O
R K A B C
D F G H I/J
L M P Q S
U V X Y Z

Solution (for encryption):


• First, break plain text into pairs of 2. i.e. CO MP UT ER
• Here CO is in the same column. So, replace it with the below letter in that column. So, CO will be IC.
• Here MP is in the same row. So, replace it with the next letter in that row. So, MP will be PQ.
• Here UT is neither in the same row nor in the same column. Then as per rule 7, UT will be replaced by
XN.
• Here ER is neither in the same row nor in the same column. Then as per rule 7, ER will be replaced by
NK.
• Therefore, the cipher text will be ICPQXNNK.
Solution (for decryption):
• First, break cipher text into a pair of 2. i.e. IC PQ XN NK.
• Here IC is in the same column. So, replace it with the above letter in that column. So, IC will be CO.
• Here PQ is in the same row. So, replace it with the previous letter in that row. So, PQ will be MP.
• Here XN is neither in the same row nor in the same column. Then as per rule 10, XN will be replaced by
UT.
• Here NK is neither in the same row nor in the same column. Then as per rule 10, NK will be replaced by
ER.
2) Plain Text: INSTRUMENTS
Key: MONARCHY

M O N A R
C H Y B D
E F G I/J K
L P Q S T
U V W X Z
Solution (for encryption):


• First, break plain text into pairs of 2. i.e. IN ST RU ME NT S
• Here, the last letter is single. So as per rule no. 2, add filler letter X.
• Therefore, it would be now IN ST RU ME NT SX.
• Here IN is neither in the same row nor in the same column. Then as per rule 7, IN will be replaced by
GA.
• Here ST is in the same row. So, replace it with the next letter in that row. So, ST will be TL. (Here, T is
the last letter in that particular row. So, it is replaced with the very first letter of that particular row).
• Here RU is neither in the same row nor in the same column. Then as per rule 7, RU will be replaced by
MZ.
• Here ME is in the same column. So, replace it with the below letter in that column. So, ME will be CL.
• Here NT is neither in the same row nor in the same column. Then as per rule 7, NT will be replaced by
RQ.
• Here SX is in the same column. So, replace it with the below letter in that column. So, SX will be XA.
(Here, X is the last letter in that particular column. So, it is replaced with the very first letter of that
particular column).
• Therefore, the cipher text will be GATLMZCLRQXA.
Solution (for decryption):
• First, break cipher text into a pair of 2. i.e. GA TL MZ CL RQ XA.
• Here GA is neither in the same row nor in the same column. Then as per rule 10, GA will be replaced by
IN.
• Here TL is in the same row. So, replace each letter with the previous letter in that row. So, TL will be ST. (Here, L is
the first letter in that particular row. So, it is replaced with the very last letter of that particular row).
• Here MZ is neither in the same row nor in the same column. Then as per rule 10, MZ will be replaced by
RU.
• Here CL is in the same column. So, replace each letter with the letter above it in that column. So, CL will be ME.
• Here RQ is neither in the same row nor in the same column. Then as per rule 10, RQ will be replaced by
NT.
• Here XA is in the same column. So, replace each letter with the letter above it in that column. So, XA will be SX.
(Here, A is the first letter in that particular column. So, it is replaced with the very last letter of that
particular column).
• Therefore, plain text will be INSTRUMENTSX.
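The two worked examples above, as an added Python implementation that is not part of these notes: it builds the 5 x 5 key square (I and J merged), applies rules 1 to 4 to form the digraphs, and maps each pair with rules 5 to 7 for encryption or 8 to 10 for decryption. The function names are chosen here; the notes do not prescribe them.

```python
import string

LETTERS = string.ascii_uppercase


def build_matrix(key: str):
    """5x5 key square: keyword letters (minus duplicates), then the rest of the alphabet; J merges into I."""
    seen = []
    for ch in (key + LETTERS).upper():
        ch = "I" if ch == "J" else ch
        if ch in LETTERS and ch not in seen:
            seen.append(ch)
    return [seen[r * 5:(r + 1) * 5] for r in range(5)]


def positions(matrix):
    """Map each letter of the square to its (row, column)."""
    return {ch: (r, c) for r, row in enumerate(matrix) for c, ch in enumerate(row)}


def prepare_digraphs(text: str, filler: str = "X"):
    """Rules 1-4: split into pairs, pad an odd tail, separate a doubled letter with the filler."""
    letters = ["I" if ch == "J" else ch for ch in text.upper() if ch in LETTERS]
    pairs, i = [], 0
    while i < len(letters):
        a = letters[i]
        if i + 1 < len(letters) and letters[i + 1] != a:
            pairs.append(a + letters[i + 1])
            i += 2
        else:
            # odd tail (rule 2) or doubled letter (rule 3); a doubled X gets Q so the pair still differs
            pairs.append(a + (filler if a != filler else "Q"))
            i += 1
    return pairs


def _map_pair(pair: str, pos, matrix, shift: int) -> str:
    """Rules 5-7 with shift=+1 (encrypt); rules 8-10 with shift=-1 (decrypt)."""
    (r1, c1), (r2, c2) = pos[pair[0]], pos[pair[1]]
    if r1 == r2:                       # same row: move right (or left), wrapping around
        return matrix[r1][(c1 + shift) % 5] + matrix[r2][(c2 + shift) % 5]
    if c1 == c2:                       # same column: move down (or up), wrapping around
        return matrix[(r1 + shift) % 5][c1] + matrix[(r2 + shift) % 5][c2]
    return matrix[r1][c2] + matrix[r2][c1]   # rectangle: keep own row, take the other column


def playfair_encrypt(plaintext: str, key: str) -> str:
    matrix = build_matrix(key)
    pos = positions(matrix)
    return "".join(_map_pair(p, pos, matrix, +1) for p in prepare_digraphs(plaintext))


def playfair_decrypt(ciphertext: str, key: str) -> str:
    matrix = build_matrix(key)
    pos = positions(matrix)
    letters = ["I" if ch == "J" else ch for ch in ciphertext.upper() if ch in LETTERS]
    if len(letters) % 2:
        raise ValueError("Playfair ciphertext always has an even number of letters")
    pairs = ["".join(letters[i:i + 2]) for i in range(0, len(letters), 2)]
    return "".join(_map_pair(p, pos, matrix, -1) for p in pairs)


if __name__ == "__main__":
    for row in build_matrix("NETWORK"):
        print(" ".join(row))
    print(playfair_encrypt("COMPUTER", "NETWORK"))          # ICPQXNNK
    print(playfair_encrypt("INSTRUMENTS", "MONARCHY"))      # GATLMZCLRQXA
    print(playfair_decrypt("GATLMZCLRQXA", "MONARCHY"))     # INSTRUMENTSX (the filler stays)
```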
Features:
1) Digraphic Substitution
2) Polygraphic Nature
3) Key-Based Encryption
4) Key Table
5) Handling of Odd Letters
6) Letter Pairs
7) Handling Repeated Letters
8) Security

2.2.4 Shift Cipher Technique


Shift Cipher Technique is one of the earliest and simplest known substitution techniques. It is similar to the
Caesar Cipher Technique. The only difference is that in the Caesar cipher, the key value is fixed i.e. 3 whereas
in the shift cipher, the key value ranges from 0 to 25. A given plain text is encrypted into cipher text by shifting
each letter of the plain text by n positions.
The encryption/decryption can be represented using modular arithmetic by first transforming the letters into
numbers.

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25

The formula of Encryption is:


CT = E (K, PT) = (PT + K) mod 26
The formula of Decryption is:
PT = D (K, CT) = (CT - K) mod 26
In any case, during decryption, if the value becomes negative (-ve), then in that case, 26 will be added to that
particular negative value and then decryption will be carried out.
EXAMPLE:
1)Plain Text: HELLO
Key: 6

ENCRYPTION:
Plain Text | Encryption: CT = (PT + 6) mod 26 | Cipher Text
H (07) (07 + 06) mod 26 = 13 mod 26 = 13 N
E (04) (04 + 06) mod 26 = 10 mod 26 = 10 K
L (11) (11 + 06) mod 26 = 17 mod 26 = 17 R
L (11) (11 + 06) mod 26 = 17 mod 26 = 17 R
O (14) (14 + 06) mod 26 = 20 mod 26 = 20 U
Cipher Text: NKRRU

DECRYPTION:
Cipher Text | Decryption: PT = (CT - 6) mod 26 | Plain Text
N (13) (13 - 06) mod 26 = 07 mod 26 = 07 H
K (10) (10 - 06) mod 26 = 04 mod 26 = 04 E
R (17) (17 - 06) mod 26 = 11 mod 26 = 11 L
R (17) (17 - 06) mod 26 = 11 mod 26 = 11 L
U (20) (20 - 06) mod 26 = 14 mod 26 = 14 O
Plain Text: HELLO
2) Plain Text: LAYOUT


Key: 15

ENCRYPTION:
Plain Text | Encryption: CT = (PT + 15) mod 26 | Cipher Text
L (11) (11 + 15) mod 26 = 26 mod 26 = 00 A
A (0) (00 + 15) mod 26 = 15 mod 26 = 15 P
Y (24) (24 + 15) mod 26 = 39 mod 26 = 13 N
O (14) (14 + 15) mod 26 = 29 mod 26 = 03 C
U (20) (20 + 15) mod 26 = 35 mod 26 = 09 J
T (19) (19 + 15) mod 26 = 34 mod 26 = 08 I
Cipher Text: APNCJI

DECRYPTION:
Cipher Text | Decryption: PT = (CT - 15) mod 26 | Plain Text
A (00) (00 - 15) mod 26 = -15 mod 26 = (-15 + 26) mod 26 = 11 L
P (15) (15 - 15) mod 26 = 00 mod 26 = 00 A
N (13) (13 - 15) mod 26 = -2 mod 26 = (-2 + 26) mod 26 = 24 Y
C (03) (03 - 15) mod 26 = -12 mod 26 = (-12 + 26) mod 26 = 14 O
J (09) (09 - 15) mod 26 = -6 mod 26 = (-6 + 26) mod 26 = 20 U
I (08) (08 - 15) mod 26 = -7 mod 26 = (-7 + 26) mod 26 = 19 T
Plain Text: LAYOUT

*Calculation for (0-15) mod26:


Here 0 – 15 = -15. Modulo division of negative numbers is not possible. So firstly, we will add 26 to the
negative number i.e. -15+26 = 11. After that modulo division is carried out i.e. 11 mod 26 =11.
* The same rule applies whenever we get a negative value while subtracting the key value from the cipher
text during decryption.
2.2.5 Vigenere Cipher Technique


Vigenere Cipher is a method of encrypting alphabetic text. It uses a simple form of polyalphabetic substitution.
A polyalphabetic cipher is any cipher based on substitution, using multiple substitution alphabets. This
algorithm was first described in 1553 by Giovan Battista Bellaso. It uses a Vigenere Table or Vigenere Square
for encryption and decryption of the text. The Vigenere table is also called the Tabula Recta. There are two
methods to perform the Vigenere cipher.

Method 1:
When the Vigenere table is given, the encryption and decryption are done using the Vigenere table (26 * 26
matrix) in this method.

For generating the key, the given keyword is repeated circularly until it matches the length of
the plain text.
EXAMPLE: The plaintext is "CYBERSECURITY", and the key is "BEST".
C Y B E R S E C U R I T Y
B E S T B E S T B E S T B

ENCRYPTION:
The first letter of the plaintext is combined with the first letter of the key. The column of plain text "C" and
the row of key "B" intersects the alphabet of "D" in the Vigenere table, so the first letter of ciphertext is "D".
Similarly, the second letter of the plaintext is combined with the second letter of the key. The column of plain
text "Y" and the row of key "E" intersect the alphabet of "C" in the Vigenere table, so the second letter of
ciphertext is "C".
This process continues until the plaintext is finished.
Ciphertext = D C T X S W W V V V A M Z

DECRYPTION:
Decryption is done by the row of keys in the Vigenere table. First, select the row of the key letter, find the
ciphertext letter's position in that row, and then select the column label of the corresponding ciphertext as the
plaintext.
D C T X S W W V V V A M Z
B E S T B E S T B E S T B

For example, in the row of the key is "B" and the ciphertext is "D" and this ciphertext letter appears in the
column "C", which means the first plaintext letter is "C".
Next, in the row of the key is "E" and the ciphertext is "C" and this ciphertext letter appears in the column
"Y", which means the second plaintext letter is "Y".
This process continues until the ciphertext is finished.
Plaintext = CYBER SECURITY

Method 2:
When the Vigenere table is not given, the encryption and decryption are done by the algebraic formula in this
method (convert the letters (A-Z) into the numbers (0-25)).

The formula of Encryption is:


Ei = (Pi + Ki) mod 26
The formula of Decryption is:
Di = (Ei - Ki) mod 26

* If the value of Di becomes negative (-ve), we add 26 to the negative value.
Where,
E denotes the encryption, D denotes the decryption, P denotes the plaintext, K denotes the key.
Note: "i" denotes the offset of the ith number of the letters, as shown in the table below.

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
EXAMPLE:
Plaintext: CYBER SECURITY
Key: BEST
ENCRYPTION:
Ei = (Pi + Ki) mod 26

Plaintext C Y B E R S E C U R I T Y

Plaintext value (P) 02 24 01 04 17 18 04 02 20 17 08 19 24

Key B E S T B E S T B E S T B

Key value (K) 01 04 18 19 01 04 18 19 01 04 18 19 01

Ciphertext value (E) 03 02 19 23 18 22 22 21 21 21 00 12 25

Ciphertext D C T X S W W V V V A M Z

Cipher Text: D C T X S W W V V V A M Z

DECRYPTION:
Di = (Ei - Ki) mod 26
If the value of Di becomes negative (-ve), we add 26 to the negative value.
Like, the second letter of the ciphertext;
C = 02 and E = 04
D1 = (02 - 04) mod 26 = -2 mod 26 = (-2 + 26) mod 26 = 24 mod 26 = 24

Ciphertext D C T X S W W V V V A M Z

Ciphertext value (E) 03 02 19 23 18 22 22 21 21 21 00 12 25

Key B E S T B E S T B E S T B

Key value (K) 01 04 18 19 01 04 18 19 01 04 18 19 01

Plaintext value (P) 02 24 01 04 17 18 04 02 20 17 08 19 24

Plaintext C Y B E R S E C U R I T Y

Plain Text: CYBER SECURITY


2.2.6 One-Time Pad (Vernam Cipher) Technique


The One Time Pad algorithm is an improvement of the Vernam Cipher, proposed by an Army Signal Corps officer,
Joseph Mauborgne. It is the only available algorithm that is unbreakable (completely secure). It is a method
of encrypting alphabetic plain text. In this mechanism, we assign a number to each character of the plain text.
Method to take key:
In the Vernam cipher algorithm, the key used to encrypt the plain text must have a length equal to the
length of the plain text.

ENCRYPTION:
Treat each plaintext character as a number in an increasing sequence from a = 0, b = 1 … z = 25. Do the same
for each character of the key/OTP. Add the number of each plain text character to the number of the
corresponding key character. If the resulting number is greater than 25, subtract 26 from it.
Convert each number of the cipher text into the corresponding alphabet character.

EXAMPLE:
Plaintext: COMPUTER
Key: SECURITY

Plain Text    C     O     M     P     U     T     E     R
              (02)  (14)  (12)  (15)  (20)  (19)  (04)  (17)
Key/OTP       S     E     C     U     R     I     T     Y
              (18)  (04)  (02)  (20)  (17)  (08)  (19)  (24)
PT + Key      20    18    14    35    37    27    23    41
                                35-26 37-26 27-26       41-26
                                =09   =11   =01         =15
Cipher Text   U     S     O     J     L     B     X     P
              (20)  (18)  (14)  (09)  (11)  (01)  (23)  (15)
Cipher Text: USOJLBXP

DECRYPTION:
Treat each cipher text character as a number in an increasing sequence from a = 0, b = 1 … z = 25. Do the
same for each character of the key/OTP. Subtract the number of each key character from the number of the
corresponding cipher text character. If the resulting number is negative, add 26 to it.
Convert each number of the plain text into the corresponding alphabet character.
Cipher Text   U     S     O     J     L     B     X     P
              (20)  (18)  (14)  (09)  (11)  (01)  (23)  (15)
Key/OTP       S     E     C     U     R     I     T     Y
              (18)  (04)  (02)  (20)  (17)  (08)  (19)  (24)
CT - Key      02    14    12    -11   -06   -07   04    -09
                                -11+26 -06+26 -07+26    -09+26
                                =15   =20   =19         =17
Plain Text    C     O     M     P     U     T     E     R
Plain Text: COMPUTER
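The Vigenere formulas of 2.2.5 and the one-time pad of 2.2.6, as one added Python example that is not part of these notes. The same letter-by-letter addition serves both: Vigenere extends the keyword circularly, while the one-time pad insists on a key exactly as long as the message, drawn from a cryptographic random source and never reused. The helper names and the `otp_key` generator are chosen here.

```python
import secrets
import string

LETTERS = string.ascii_uppercase   # A = 0 ... Z = 25


def clean(text: str) -> str:
    """Keep letters only, upper-cased (the space in 'CYBER SECURITY' is ignored)."""
    return "".join(ch for ch in text.upper() if ch in LETTERS)


def extend_key(keyword: str, length: int) -> str:
    """Repeat the keyword circularly until it matches the text length (BEST -> BESTBESTBESTB)."""
    k = clean(keyword)
    if not k:
        raise ValueError("key must contain at least one letter")
    return (k * (length // len(k) + 1))[:length]


def vigenere_encrypt(plaintext: str, keyword: str) -> str:
    """Ei = (Pi + Ki) mod 26, letter by letter."""
    p = clean(plaintext)
    k = extend_key(keyword, len(p))
    return "".join(LETTERS[(LETTERS.index(pi) + LETTERS.index(ki)) % 26] for pi, ki in zip(p, k))


def vigenere_decrypt(ciphertext: str, keyword: str) -> str:
    """Di = (Ei - Ki) mod 26; a negative difference is wrapped into 0..25 by %, i.e. '+ 26'."""
    c = clean(ciphertext)
    k = extend_key(keyword, len(c))
    return "".join(LETTERS[(LETTERS.index(ci) - LETTERS.index(ki)) % 26] for ci, ki in zip(c, k))


def otp_key(length: int) -> str:
    """A fresh pad: uniformly random letters from a cryptographic RNG, one per plaintext letter."""
    return "".join(secrets.choice(LETTERS) for _ in range(length))


def otp_encrypt(plaintext: str, pad: str) -> str:
    """Vernam/OTP is Vigenere with a key exactly as long as the message, so the key never repeats."""
    p, k = clean(plaintext), clean(pad)
    if len(k) != len(p):
        raise ValueError("one-time pad must be exactly as long as the plaintext")
    return vigenere_encrypt(p, k)


def otp_decrypt(ciphertext: str, pad: str) -> str:
    c, k = clean(ciphertext), clean(pad)
    if len(k) != len(c):
        raise ValueError("one-time pad must be exactly as long as the ciphertext")
    return vigenere_decrypt(c, k)


if __name__ == "__main__":
    print(vigenere_encrypt("CYBERSECURITY", "BEST"))     # DCTXSWWVVVAMZ
    print(vigenere_decrypt("DCTXSWWVVVAMZ", "BEST"))     # CYBERSECURITY
    print(otp_encrypt("COMPUTER", "SECURITY"))           # USOJLBXP
    print(otp_decrypt("USOJLBXP", "SECURITY"))           # COMPUTER
    pad = otp_key(8)                                     # constructed random pad for one message
    print(pad, otp_decrypt(otp_encrypt("COMPUTER", pad), pad))
```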

2.2.7 Hill Cipher Technique


The Hill Cipher was invented by Lester S. Hill in 1929 and like the other digraphic ciphers, it acts on groups
of letters. Unlike the others though it is extendable to work on different-sized blocks of letters. So, technically
it is a polygraphic substitution cipher, as it can work on digraphs, trigraphs (3 letter blocks) or theoretically
any sized blocks.
The Hill Cipher uses an area of mathematics called linear algebra and in particular, requires the user to have
an elementary understanding of matrices. It also makes use of modulo arithmetic. Because of this, the cipher
has a significantly more mathematical nature than some of the others. However, it is this nature that allows it
to act (relatively) easily on larger blocks of letters.

ENCRYPTION:
To encrypt the text using a hill cipher, we need to perform the following operation.
E (K, P) = (K * P) mod 26
Where K is the key matrix and P is plain text in vector form. Matrix multiplication of K and P generates the
encrypted ciphertext.
Step 1: Convert the key using a substitution scheme into a n * n key matrix.
Step 2: Now, we will convert our plain text into vector form. Since the key matrix is n * n, the vector must be
n * 1 for matrix multiplication. (Suppose the key matrix is 2x2, a vector will be a 2x1 matrix.)
Step 3: Multiply the key matrix with each n * 1 plain text vector, and take the modulo of the result by 26.

DECRYPTION:
To decrypt the text using a Hill cipher, we need to perform the following operation.
D (K, C) = (K^-1 * C) mod 26
Where K is the key matrix, K^-1 is its inverse modulo 26 and C is the ciphertext in vector form. Matrix multiplication
of the inverse of the key matrix K and the ciphertext C generates the decrypted plain text.
NETWORK SECURITY & MANAGEMENT

Step 1: Calculate the inverse of the key matrix. First, we need to find the determinant of the key matrix (must
be between 0-25). Here the Extended Euclidean algorithm is used to get the modulo multiplicative inverse of
the key matrix determinant
Step 2: Now, we multiply the n * 1 blocks of ciphertext and the inverse of the key matrix. The resultant block
after concatenation is the plain text that we have encrypted.

EXAMPLE:
1) Plain Text: HI
Key: BEAT

Solution (Encryption):
Convert the key into a 2 × 2 matrix and then into numeric form (A = 0, B = 1, ..., Z = 25). Matrices are
written with rows separated by ";":
K = [B E; A T] = [1 4; 0 19]
Convert the plain text into a 2 × 1 matrix (column vector) and then into numeric form:
P = [H; I] = [7; 8]
E = K P mod 26
  = [1 4; 0 19] [7; 8] mod 26
  = [1*7 + 4*8; 0*7 + 19*8] mod 26
  = [7 + 32; 0 + 152] mod 26
  = [39; 152] mod 26
  = [13; 22]
  = [N; W]
Cipher Text = NW

2) Plain Text: CIPHER
Key: HILL

Solution:
Convert the key into a 2 × 2 matrix and then into numeric form (A = 0, B = 1, ..., Z = 25):
K = [H I; L L] = [7 8; 11 11]
Because the key is 2 × 2, the plain text must be processed in 2 × 1 blocks. Break the plain text into three
blocks and convert each to numeric form:
P1 = [C; I] = [2; 8]
P2 = [P; H] = [15; 7]
P3 = [E; R] = [4; 17]
The cipher text E is the concatenation E1 || E2 || E3, where Ei = K Pi mod 26:
E1 = [7 8; 11 11] [2; 8]  mod 26 = [14 + 64; 22 + 88]   mod 26 = [78; 110]  mod 26 = [0; 6]  = [A; G]
E2 = [7 8; 11 11] [15; 7] mod 26 = [105 + 56; 165 + 77] mod 26 = [161; 242] mod 26 = [5; 8]  = [F; I]
E3 = [7 8; 11 11] [4; 17] mod 26 = [28 + 136; 44 + 187] mod 26 = [164; 231] mod 26 = [8; 23] = [I; X]
Cipher Text = AGFIIX
(Check that the key is usable: det K = 7*11 - 8*11 = -11 ≡ 15 (mod 26), and gcd(15, 26) = 1, so K is
invertible modulo 26 and the cipher text can be decrypted.)
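The encryption and decryption procedure above, including the inverse-key computation that the decryption steps describe, as an added example that is not part of the original notes. It goes beyond the 2 × 2 examples on the page: the same code handles any n × n key whose length is a perfect square (the 3 × 3 key GYBNQKURP used in the usage lines is an assumption chosen to show that), and it pads a short final block with X, a filler letter also assumed here.

```python
# Hill cipher over Z_26 for any n x n key: encryption, decryption and the
# key-inverse check. Added example, not code from the original notes.
# K^-1 is computed as det(K)^-1 * adj(K) mod 26; a key whose determinant
# shares a factor with 26 is rejected because it can never be decrypted.
from math import gcd

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
MOD = 26


def key_matrix(key: str):
    """Turn a key string of length n*n into an n x n matrix of numbers (A=0 ... Z=25)."""
    n = int(len(key) ** 0.5)
    if n * n != len(key):
        raise ValueError("key length must be a perfect square")
    nums = [ALPHABET.index(c) for c in key.upper()]
    return [nums[i * n:(i + 1) * n] for i in range(n)]


def _det(m):
    """Determinant by cofactor expansion along the first row (fine for small n)."""
    if len(m) == 1:
        return m[0][0]
    total = 0
    for j in range(len(m)):
        minor = [row[:j] + row[j + 1:] for row in m[1:]]
        total += (-1) ** j * m[0][j] * _det(minor)
    return total


def inverse_mod26(m):
    """K^-1 = det(K)^-1 * adj(K) mod 26. Raises ValueError if K is not invertible mod 26."""
    n = len(m)
    d = _det(m) % MOD
    if gcd(d, MOD) != 1:
        raise ValueError(f"key not invertible: det = {d} shares a factor with 26")
    d_inv = pow(d, -1, MOD)                 # modular inverse (Python >= 3.8)
    adj = [[0] * n for _ in range(n)]
    for i in range(n):
        for j in range(n):
            minor = [row[:j] + row[j + 1:] for k, row in enumerate(m) if k != i]
            cofactor = (-1) ** (i + j) * (_det(minor) if minor else 1)
            adj[j][i] = cofactor            # adjugate = transpose of the cofactor matrix
    return [[(d_inv * adj[i][j]) % MOD for j in range(n)] for i in range(n)]


def _apply(matrix, text: str, pad: str = "X") -> str:
    """Multiply each n-letter block (as a column vector) by `matrix` modulo 26."""
    n = len(matrix)
    text = "".join(c for c in text.upper() if c in ALPHABET)
    text += pad * (-len(text) % n)          # pad so the last block is a full n x 1 vector (assumed filler)
    out = []
    for start in range(0, len(text), n):
        vec = [ALPHABET.index(c) for c in text[start:start + n]]
        for row in matrix:
            out.append(ALPHABET[sum(a * b for a, b in zip(row, vec)) % MOD])
    return "".join(out)


def hill_encrypt(plaintext: str, key: str) -> str:
    k = key_matrix(key)
    inverse_mod26(k)                        # fail early on a key that could never be decrypted
    return _apply(k, plaintext)


def hill_decrypt(ciphertext: str, key: str) -> str:
    return _apply(inverse_mod26(key_matrix(key)), ciphertext)


if __name__ == "__main__":
    print(hill_encrypt("HI", "BEAT"))           # NW, as in worked example 1
    print(hill_encrypt("CIPHER", "HILL"))       # AGFIIX, as in worked example 2
    print(hill_decrypt("AGFIIX", "HILL"))       # CIPHER
    print(hill_encrypt("ACT", "GYBNQKURP"))     # 3 x 3 key: POH
```

Calling `inverse_mod26` before encrypting is deliberate: a key such as ABCD has determinant 24, which shares the factor 2 with 26, so text encrypted under it could never be recovered; rejecting it at encryption time is the check a practitioner wants.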

Features:
1) Matrix-Based Encryption
2) Key Matrix
3) Modular Arithmetic
4) Block Processing
5) Key Generation
6) Padding

2.3 TRANSPOSITION TECHNIQUE: RAIL FENCE CIPHER


2.3.1 Introduction
A transposition technique rearranges the positions of the plain text's characters: each character keeps its
identity, but the order in which the characters appear is changed to form the cipher text. Because no letter
is substituted, the cipher text contains exactly the same letters as the plain text, only permuted. The Rail
Fence cipher and Columnar Transposition are the most commonly used transposition techniques.

2.3.2 Rail Fence Cipher Technique


The rail fence cipher (also called a zigzag cipher) is a form of transposition cipher. It derives its name from
the way the letters are written out when a message is encoded.

ENCRYPTION:
In the rail fence cipher, the plain text is written downwards and diagonally on successive rails of an imaginary
fence. When we reach the bottom rail, we traverse upwards moving diagonally; after reaching the top rail, the
direction changes again. Thus, the letters of the message are written in a zig-zag pattern. After every letter
has been written, the individual rows (rails) are read off one after another to obtain the cipher text. Spaces
are removed before encryption.
For example, if the message is "THIS IS SECRET MESSAGE" and the number of rails (key) = 3, the cipher is
prepared as follows (dots mark empty cells of the fence):

T . . . I . . . C . . . M . . . A . .
. H . S . S . E . R . T . E . S . G .
. . I . . . S . . . E . . . S . . . E

Reading the rails row by row gives the cipher text: TICMAHSSERTESGISESE

DECRYPTION:
Let cipher text = "TICMAHSSERTESGISESE" and key = 3.
Number of columns in the matrix = length of the cipher text = 19
Number of rows = key = 3
Hence the matrix will be 3 × 19. We first mark the places where letters will go with a placeholder symbol
(here "-"), following the same zig-zag pattern used for encryption; the other cells stay empty (shown as ".").
The decryption process reconstructs the diagonal grid used to encrypt the message. The placeholders are
replaced, row by row, with consecutive letters of the cipher text, and the plain text is then read off the grid
column by column, following the zig-zag.
Here the cipher text received is "TICMAHSSERTESGISESE", encrypted with a key of 3. Start by placing the "T"
in the first square, then move diagonally down and back up the placeholder cells until you return to the top
row and place the "I" there. Continue like this across the row, and start the next row when you reach the end.

Step 1: mark the zig-zag pattern
- . . . - . . . - . . . - . . . - . .
. - . - . - . - . - . - . - . - . - .
. . - . . . - . . . - . . . - . . . -

Step 2: fill the top rail with the first five cipher text letters (T I C M A)
T . . . I . . . C . . . M . . . A . .
. - . - . - . - . - . - . - . - . - .
. . - . . . - . . . - . . . - . . . -

Step 3: fill the middle rail with the next nine letters (H S S E R T E S G)
T . . . I . . . C . . . M . . . A . .
. H . S . S . E . R . T . E . S . G .
. . - . . . - . . . - . . . - . . . -

Step 4: fill the bottom rail with the remaining five letters (I S E S E)
T . . . I . . . C . . . M . . . A . .
. H . S . S . E . R . T . E . S . G .
. . I . . . S . . . E . . . S . . . E

Reading the grid column by column (following the zig-zag) gives the plain text: THISISSECRETMESSAGE
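The encryption and decryption procedures above, as an added example that is not part of the original notes. It generalizes the page's 3-rail walkthrough to any number of rails, and the last function is an assumption added to make the security point: the key is just a small integer, so every rail count can be tried in a loop.

```python
# Rail fence (zig-zag) transposition for any number of rails.
# Added example, not code from the original notes.

def _rail_pattern(length: int, rails: int):
    """Rail index for each text position: 0,1,...,rails-1,rails-2,...,1,0,1,..."""
    if rails < 2:
        return [0] * length
    period = 2 * (rails - 1)
    pattern = []
    for i in range(length):
        r = i % period
        pattern.append(r if r < rails else period - r)
    return pattern


def rail_fence_encrypt(plaintext: str, rails: int) -> str:
    """Write the text in a zig-zag across `rails` rows, then read the rows one after another."""
    text = "".join(plaintext.split())            # the notes drop spaces before encrypting
    rows = [[] for _ in range(rails)]
    for ch, r in zip(text, _rail_pattern(len(text), rails)):
        rows[r].append(ch)
    return "".join("".join(row) for row in rows)


def rail_fence_decrypt(ciphertext: str, rails: int) -> str:
    """Rebuild the grid: mark the zig-zag, give each rail its run of cipher letters, read diagonally."""
    pattern = _rail_pattern(len(ciphertext), rails)
    # Steps 1-2: the number of cells on each rail tells us where that rail's letters start in the cipher text.
    counts = [pattern.count(r) for r in range(rails)]
    starts, acc = [], 0
    for c in counts:
        starts.append(acc)
        acc += c
    # Steps 3-4: walk the zig-zag again, taking the next unused letter from the rail we land on.
    next_idx = starts[:]
    out = []
    for r in pattern:
        out.append(ciphertext[next_idx[r]])
        next_idx[r] += 1
    return "".join(out)


def brute_force_rails(ciphertext: str, max_rails: int = 10) -> dict:
    """The key space is tiny: return the candidate plain text for every rail count (assumed helper)."""
    return {k: rail_fence_decrypt(ciphertext, k) for k in range(2, max_rails + 1)}


if __name__ == "__main__":
    ct = rail_fence_encrypt("THIS IS SECRET MESSAGE", 3)
    print(ct)                                    # TICMAHSSERTESGISESE
    print(rail_fence_decrypt(ct, 3))             # THISISSECRETMESSAGE
    for rails, guess in brute_force_rails(ct, 6).items():
        print(rails, guess)                      # only rails=3 reads as English
```

The brute-force loop is the practical lesson: with the key confined to a handful of small integers, a transposition of this kind offers no real secrecy against anyone who can simply try them all.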

2.4 ASYMMETRIC ENCRYPTION: DIGITAL SIGNATURE


A digital signature is a cryptographic value attached to digital information, such as a message, to
authenticate it. The signature confirms the integrity of the message and that it originated from the holder of
the signing key, which in turn identifies the organization or person that created the signature. Any change
made to the signed data invalidates the signature.
Digital signatures are important because they provide end-to-end message integrity and authentication
information about the originator of a message.

To be most effective, the digital signature should be generated as part of the application data, at the time
the message is created, and verified at the time the message is received and processed.
You can choose to sign the entire message or only parts of it (even overlapping parts of a message can be
signed).
Signing only parts of a message is useful when some part must be modified by an intermediary before it
reaches the consumer: if the entire message were signed, the whole signature would be invalidated as soon as
any part of the message is modified.
A digital signature for an electronic message is created with public-key cryptography and plays the role of a
handwritten signature on a paper document. The owner of a digital certificate combines the data to be signed
with their private key and transforms it with a signature algorithm. The recipient of the message uses the
public key from the corresponding certificate to verify the signature. A successful verification confirms both
the integrity of the signed message and that the holder of the private key is its source. Only the party that
holds the private key can create the digital signature; anyone who has access to the corresponding public key
can verify it.

The steps of the digital signature process are as follows:


1) The sender computes a message digest of the message with a hash algorithm such as SHA-256 (SHA-1 is no
longer considered safe for signatures) and then applies their private key to the digest with a signature
algorithm such as RSA, which forms the digital signature. Multiple signatures and signature formats can be
attached to a message, each referencing different (or even overlapping) parts of the message.
2) The sender transmits the digital signature with the message.
3) The receiver applies the sender's public key to the digital signature, which (for RSA) regenerates the
message digest that was signed.
4) The receiver computes a message digest from the message data that was received and verifies that the
two digests are the same. If the digests match, the message is both intact and authentic.

When a content creator digitally signs a message, the signature must meet the following criteria to be
valid:
1) The certificate that is associated with the digital signature is current (not expired or revoked).
2) The certificate that is associated with the digital signature was issued to the signing publisher by a
reputable certificate authority (CA). The CA signs every certificate it issues with the CA's own private key,
so any user can verify the certificate's signature with the CA's public key and confirm that the certificate
is genuine.
3) The publisher (the signing organization) is trusted.

A Digital Signature is used to assure:


1) Authenticity:
The identity of the organization that sent the message (the message signer) is confirmed.
2) Integrity:
The message content was not changed or tampered with since it was digitally signed.
3) Nonrepudiation:
The origin of the signed content is verified to all parties so the message signer cannot deny association
with the signed content.
UNIT-3
NETWORK SECURITY
3.1 WORKING PRINCIPLES OF FIREWALL
3.1.1 Introduction to Firewall
A firewall is hardware or software that protects a private computer or a network of computers from
unauthorized access. It acts as a filter that keeps unauthorized users out of private computers and networks,
and it is a vital component of network security, usually described as the first line of defense. A firewall has
a set of rules which are applied to each packet; the rules decide whether a packet is allowed to pass or is
discarded. By filtering network packets it blocks many malicious connections before they reach the user's
computer or network. A firewall establishes a barrier between a secured internal network and untrusted
outside networks, such as the Internet.

3.1.2 Five Principles of Firewall Design


Firewall design principles are critical to protect your private network and maximize your network security.
Here are five principles you can use when establishing your firewall and implementing security policies.
1) Develop a Solid Security Policy
Having a proper security policy is an essential part of designing a firewall. Without one in place, it is hard
to let legitimate users navigate the company network while keeping intruders out. A proper security policy
also tells staff what to do if there is a security breach and is useful for reporting security threats. A solid
security policy includes guidance on acceptable use of the Internet, on not using company devices on untrusted
public networks, and on recognizing external threats. Simply having a security policy is only the first step:
in addition to establishing the policy, one should provide frequent training and refreshers for all employees.
2) Use a Simple Design
If you have a complex design, you’ll need to find complex solutions anytime a problem arises. A simple design
helps alleviate some of the pain you may feel when a problem comes up. Also, complex designs are more
likely to suffer from configuration errors that can open paths for external attacks.
3) Choose the Right Device
You need to have the right tools to do the job. If you use the wrong device, you have the wrong tools and are
at a disadvantage from the start. Using the right part that fits your design will help you create the best firewall
for your network.
4) Build a Layered Defense
Firewalls should be one layer among several protecting your network. A multi-layered defense means that an
attacker who gets past one control still faces others, so a single misconfiguration or bypass does not expose
everything. Building in layers gives an effective defense and keeps your network safe.

5) Build Protection Against Internal Threats


Don’t just focus on attacks from external sources. A large percentage of data breaches are the result of internal
threats and carelessness. Mistakes made by those internally can open your network to attacks from outside
sources. Implementing proper security solutions for your internal network can help prevent this from
happening. Something as simple as accessing a web server can expose your network if you aren’t protected
internally as well as externally.

3.1.3 Types of Firewalls:


There are five main types of firewalls depending upon their operational method:
1) Stateless or Packet Filtering Firewall
2) Stateful Inspection Firewall
3) Circuit-Level Gateway
4) Application-Level Gateway
5) Next-Generation Firewall (NGFW)

1) Stateless or Packet Filtering Firewall:

A packet filtering firewall protects the network by examining each packet at the network and transport layers,
where hosts communicate using protocols such as the Transmission Control Protocol (TCP) and the User
Datagram Protocol (UDP). The firewall compares the header fields of each packet (source and destination IP
address, protocol, source and destination port number, and TCP flags) against its rule list and rejects packets
that a rule denies. Small businesses that need basic protection can benefit from a packet-filtering firewall.
Packet-filtering firewalls analyze surface-level details only: they do not open the packet to examine the
actual data (content payload), so they cannot detect malicious code, and they check each packet in isolation,
not in the context of the traffic stream it belongs to. This is why they are called stateless.

2) Stateful Inspection Firewall:

Stateful inspection firewalls operate at the gateway between systems behind the firewall and resources outside
the enterprise network, at Layers 3 and 4 of the OSI model. A stateful firewall examines each packet and also
tracks the state of active network connections (for example, whether a TCP three-way handshake has
completed), so it can decide whether an arriving packet belongs to an established, legitimate session or is an
unsolicited attempt to reach the network. The "state" is the most recent status of each connection, kept in a
connection table. Because it knows which connections are open, a stateful firewall can drop packets that do not
fit any existing flow, which helps against spoofed packets and some simple flooding attacks; it does not,
however, inspect application payloads for malicious code. Monitoring the state and context of communications
allows threats to be identified by where they come from, where they are going, and how they relate to existing
sessions. This method offers more security than either packet filtering or circuit monitoring alone but exacts
a greater toll on network performance and memory, since the connection table must be maintained.
3) Circuit-level Gateway:

Circuit-level gateways operate at the session layer of the OSI model. In the OSI model, a handshake must
occur before information can be passed from one party to another. Circuit-level gateways verify the legitimacy
of a session by monitoring the TCP handshake between local and remote hosts, sitting between the transport
layer and the application layer of the TCP/IP stack. While circuit-level gateways have minimal impact on
network performance, a data packet containing malware can pass through a circuit-level gateway easily as long
as it belongs to a legitimate TCP session, because circuit-level gateways do not filter the content of data
packets. To fill this gap, circuit-level gateways are often paired with another type of firewall that performs
content filtering.
4) Application-level Gateway:

It is also referred to as a "proxy firewall" and serves as an intermediary between internal and external
systems: clients connect to the gateway, and the gateway opens its own connection to the destination on their
behalf. An application-level gateway operates at the application layer, the highest layer of the OSI model. It
employs deep packet inspection (DPI) on incoming traffic to check both data packet payloads (content) and
headers, and makes sure that only valid application data passes through. Application-level gateways follow a
set of application-specific policies to determine which communications are allowed to pass to and from an
application. Because the gateway rewrites and forwards client requests, the internal clients' addresses are
hidden from the remote host, so application-level gateways are often used when network anonymity is required.
They are well suited to protecting web applications from malicious actors.
5) Next-Generation Firewall (NGFW):

A Next-Generation Firewall (NGFW) combines traditional stateful filtering with deeper inspection to protect
modern businesses against threats that the earlier firewall types cannot see. As malware and other threats
have become harder to detect at the network edge, NGFW security has evolved to span the network and monitor
behavior and intent. NGFWs provide functions such as deep-packet inspection, intrusion prevention (IPS),
advanced malware detection and application control, and they gain overall network visibility by decrypting
encrypted (TLS) traffic for inspection. They can be deployed anywhere from an on-premises network edge to
internal segment boundaries, and also on public or private cloud networks. The CPU-intensive capabilities of
an NGFW include decryption at high throughput, deep-packet inspection after decryption, detection of
malicious URLs, identification of command-and-control activity and malware downloads, and threat correlation.
Because of these advanced security capabilities, NGFWs are widely used in heavily regulated industries such as
finance or healthcare and are often integrated with other security systems and SIEMs for end-to-end
monitoring and reporting.
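The difference between the stateless packet filter (type 1) and the stateful firewall (type 2) described above, as an added example that is not part of the original notes. The packet stream, the protected network prefix 10.0.0.0/24 and the two rule sets are constructed for the demonstration; real firewalls track far more state, but the decision logic is the same.

```python
# Stateless (packet-filter) vs stateful decisions over the same packet
# stream. Added example, not code from the original notes: the packets,
# the "inside" prefix and both rule sets are constructed for the demo.
from dataclasses import dataclass

INSIDE = "10.0.0."          # assumed prefix of the protected network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str              # any of "S" (SYN), "A" (ACK), "F" (FIN)


def stateless_filter(pkt: Packet) -> bool:
    """Judges each packet in isolation from its header fields only.

    The classic rule for letting replies in is "inbound TCP with ACK set to a
    high port belongs to an existing connection". A stateless filter cannot
    check that claim, so a forged ACK from anywhere is let through.
    """
    if pkt.src.startswith(INSIDE):
        return True                                   # anything outbound is allowed
    return "A" in pkt.flags and pkt.dport > 1023      # inbound: merely looks like a reply


class StatefulFilter:
    """Keeps a connection table of sessions opened from inside.

    An inbound packet is admitted only when it matches a tracked session,
    whatever its flags say; outbound sessions must begin with a bare SYN.
    """

    def __init__(self) -> None:
        self.table = set()                            # (inside_ip, inside_port, outside_ip, outside_port)

    def allow(self, pkt: Packet) -> bool:
        if pkt.src.startswith(INSIDE):
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.flags == "S":                      # new outbound connection: record it
                self.table.add(key)
            return key in self.table
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key not in self.table:
            return False                              # unsolicited inbound packet, ACK bit or not
        if "F" in pkt.flags:
            self.table.discard(key)                   # peer is closing: stop accepting this flow
        return True


def verdicts(stream):
    """Return (stateless_allowed, stateful_allowed) for every packet, in order."""
    stateful = StatefulFilter()
    return [(stateless_filter(p), stateful.allow(p)) for p in stream]


# Constructed sample stream: a legitimate HTTPS handshake, then two forged
# inbound ACK packets from an attacker probing the inside host.
SAMPLE_STREAM = [
    Packet("10.0.0.5", 40000, "203.0.113.9", 443, "S"),      # client opens a connection
    Packet("203.0.113.9", 443, "10.0.0.5", 40000, "SA"),     # server's SYN/ACK reply
    Packet("10.0.0.5", 40000, "203.0.113.9", 443, "A"),      # handshake completes
    Packet("198.51.100.7", 31337, "10.0.0.5", 40001, "A"),   # forged ACK to an unused port
    Packet("198.51.100.7", 31337, "10.0.0.5", 40000, "A"),   # forged ACK to the live port, wrong peer
]

if __name__ == "__main__":
    for pkt, (stateless, stateful) in zip(SAMPLE_STREAM, verdicts(SAMPLE_STREAM)):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} [{pkt.flags}]"
              f"  stateless={stateless}  stateful={stateful}")
```

The last two packets are the point: the stateless rule set passes both forged ACKs because their headers match the "reply" rule, while the stateful filter rejects them because no tracked session matches, which is exactly the "context with current traffic streams" that packet filters lack.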

3.1.4 Characteristics of Firewall


1) Barrier (choke point): A firewall does not allow external traffic to enter a system or a network unless
its rules permit it. Because all traffic between the inside and the outside must pass through it, the firewall
is a choke point at which access can easily be blocked when needed.
2) Multi-Purpose: Many firewall products bundle other network functions with security: they can act as a
network address translator (NAT), hand out addresses and relay name resolution for internal hosts, and meter
Internet usage.
3) Flexible Security Policies: Different local systems or networks need different security policies. A
firewall can be adapted to the requirements of the user by changing its rule set.
4) Security Platform: It provides a central place from which security alerts can be reviewed and security
issues fixed. All security-related queries for a system or network can be handled from one place.
5) Access Handler: It determines which traffic may flow, and with what priority, for a particular network or
system. Specific, permitted requests may be initiated and allowed to flow through the firewall.

3.1.5 Advantages of Firewall


1) Blocks Infected Files: While surfing the Internet we encounter many unknown threats, and a
friendly-looking file might carry malware. A firewall with content inspection neutralizes this kind of threat
by blocking the download before it reaches the system.
2) Stops Unwanted Visitors: A firewall does not allow a cracker to break into the system through the network.
A well-configured firewall detects the attempt and closes the loophole that could be used to penetrate the
system.
3) Prevents Mail Flooding: A flood of messages sent to the same address can overwhelm the mail server. A
good firewall rate-limits or blocks the offending source and keeps the server running.
4) Control of Network Access: By limiting access to specified individuals or groups for particular servers
or applications, firewalls can restrict access to particular network resources or services.
5) Monitoring of Network Activity: Firewalls can be set up to log and keep track of network activity. This
information is essential for identifying and investigating security incidents and other suspicious behavior.

3.1.6 Disadvantages of Firewall


1) Infected Files: In the modern world we receive many kinds of files through e-mail or the Internet, most
of them executable under some operating system. A firewall cannot examine and judge every file flowing
through the system, so some malicious files will get through.
2) User Restriction: Restrictions and rules enforced by a firewall make a network secure, but in a large
organization they can make work less efficient: even a small change to the allowed traffic can require
approval from someone with higher authority, which slows work down and lowers overall productivity.
3) System Performance: A software-based firewall consumes system resources such as RAM and CPU time,
leaving fewer resources for other programs, so the performance of the system can drop. A hardware firewall,
on the other hand, hardly affects the performance of the protected system because it does not depend on that
system's resources.
4) Complexity: Setting up and maintaining a firewall can be time-consuming and difficult, especially for
bigger networks or companies with a wide variety of users and devices.
5) Cost: Purchasing many devices or add-on features for a firewall system can be expensive, especially for
small businesses.

3.2 INTERNET PROTOCOL SECURITY AND ITS USE IN SECURE COMMUNICATION


3.2.1 Introduction
IPsec is a set of protocols that secures Internet communication at the network layer. It was developed by the
Internet Engineering Task Force (IETF) to provide a secure way to exchange data over the Internet, ensuring
that sensitive information is protected from unauthorized access, interception, or modification.
IPsec is short for Internet Protocol Security. The "IP" stands for Internet Protocol, the main routing protocol
used on the Internet for sending data to its destination using IP addresses. The "sec" stands for security, as
IPsec adds encryption and authentication to the data transmission process.

IPsec uses several protocols to establish secure connections and protect data during transmission; it is not
one protocol but a suite. The suite includes the following:
1) Authentication Header (AH): It provides data integrity and origin authentication for each packet, ensuring
that the transmitted data has not been modified or tampered with. It does not encrypt data, so it provides no
confidentiality.
2) Encapsulating Security Payload (ESP): It encrypts the payload of each packet and can also provide
integrity and authentication. In transport mode only the transport-layer payload is encrypted and the original
IP header stays in the clear; in tunnel mode the entire original IP packet (header and payload) is encrypted
and a new outer IP header is added. ESP adds its own header and a trailer to each packet.
3) Security Associations (SA) and Internet Key Exchange (IKE): An SA is the set of security parameters that
defines how two devices communicate securely: the protocol (AH or ESP), the encryption and authentication
algorithms, the keys and their lifetimes. SAs are negotiated by the Internet Key Exchange (IKE) protocol,
which runs over UDP port 500 (and UDP port 4500 when NAT traversal is needed).

3.2.2 Modes of IPSec


IPSec operates in one of two different modes: Transport Mode or Tunnel Mode
Transport Mode

In transport mode, IPsec protects what is delivered from the transport layer to the network layer. In other
words, transport mode protects the network-layer payload, i.e. the data that will be encapsulated in the IP
packet. Note that transport mode does not protect the IP header: it protects only the part of the packet that
comes from the transport layer (the IP-layer payload). In this mode, the IPsec header and trailer are added to
the information coming from the transport layer, and the IP header is added afterwards.

Transport mode is normally used when we need host-to-host (end-to-end) protection of data. The sending host
uses IPsec to authenticate and/or encrypt the payload delivered from the transport layer. The receiving host
uses IPsec to check the authentication and/or decrypt the IP packet and deliver it to the transport layer. The
figure above shows this concept.

Tunnel Mode

In tunnel mode, IPsec protects the entire IP packet. It takes an IP packet, including the header, applies the
IPsec security methods to the entire packet, and then adds a new IP header, as shown in the figure below. The
new IP header carries different information than the original IP header (typically the addresses of the two
security gateways rather than those of the end hosts).

Tunnel mode is normally used between two routers, between a host and a router, or between a router and a
host, as shown in the figure above. In other words, we use tunnel mode when either the sender or the receiver
is not an end host. The entire original packet is protected from intrusion between the sender and the receiver;
it is as if the whole packet goes through an imaginary tunnel. IPsec in tunnel mode therefore protects the
original IP header as well.
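The difference between the two modes, as an added example that is not part of the original notes: it builds the on-the-wire form of one packet under ESP in transport mode and in tunnel mode and shows which fields an on-path observer can still read. The packet is a plain dict, the keys and gateway addresses are constructed, the "cipher" is a keyed SHA-256 keystream standing in for a real block cipher, and the integrity check value is HMAC-SHA256, which real ESP can use.

```python
# ESP transport mode vs tunnel mode: what stays visible on the wire and
# what is protected. Added example, not code from the original notes.
# The keystream below is a stand-in for AES and must not be reused elsewhere.
import hashlib
import hmac
import json

ESP_FIELDS = ("proto", "spi", "seq", "ciphertext", "icv")


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream derived from SHA-256 (demo stand-in for a block cipher)."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest())
        counter += 1
    return b"".join(blocks)[:length]


def _xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def esp_protect(pkt: dict, mode: str, enc_key: bytes, auth_key: bytes,
                spi: int = 0x1000, seq: int = 1, gateways=None) -> dict:
    """Build the on-the-wire packet for ESP in the given mode."""
    if mode == "transport":
        clear = {k: v for k, v in pkt.items() if k != "payload"}   # original IP header stays in clear
        inner = {"payload": pkt["payload"]}                       # only the transport payload is hidden
    elif mode == "tunnel":
        clear = {"src": gateways[0], "dst": gateways[1]}          # new outer header names the gateways
        inner = pkt                                               # the whole original packet is hidden
    else:
        raise ValueError(f"unknown mode {mode!r}")
    nonce = spi.to_bytes(4, "big") + seq.to_bytes(4, "big")      # ESP header: SPI + sequence number
    ciphertext = _xor(enc_key, nonce, json.dumps(inner, sort_keys=True).encode())
    icv = hmac.new(auth_key, nonce + ciphertext, hashlib.sha256).digest()   # covers ESP header + ciphertext
    return {**clear, "proto": "ESP", "spi": spi, "seq": seq, "ciphertext": ciphertext, "icv": icv}


def esp_unprotect(wire: dict, enc_key: bytes, auth_key: bytes) -> dict:
    """Verify the ICV first, then decrypt and reassemble the original packet."""
    nonce = wire["spi"].to_bytes(4, "big") + wire["seq"].to_bytes(4, "big")
    expected = hmac.new(auth_key, nonce + wire["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, wire["icv"]):
        raise ValueError("ICV mismatch: packet modified in transit or wrong key")
    inner = json.loads(_xor(enc_key, nonce, wire["ciphertext"]))
    if "src" in inner:                                  # tunnel mode: the inner packet is complete
        return inner
    clear = {k: v for k, v in wire.items() if k not in ESP_FIELDS}
    return {**clear, **inner}                           # transport mode: re-attach the clear header


def observer_view(wire: dict) -> dict:
    """What an on-path observer can read without the keys."""
    return {k: v for k, v in wire.items() if k not in ("ciphertext", "icv")}


def accepted(wire: dict, enc_key: bytes, auth_key: bytes) -> bool:
    try:
        esp_unprotect(wire, enc_key, auth_key)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    enc, auth = b"e" * 16, b"a" * 32                     # constructed keys (IKE would negotiate these)
    original = {"src": "10.0.0.5", "dst": "10.0.1.7", "ttl": 64, "payload": "GET /secret HTTP/1.1"}
    transport = esp_protect(original, "transport", enc, auth)
    tunnel = esp_protect(original, "tunnel", enc, auth, gateways=("192.0.2.1", "198.51.100.1"))
    print("transport:", observer_view(transport))       # inner src/dst visible, payload hidden
    print("tunnel:   ", observer_view(tunnel))          # only the gateway addresses are visible
    forged = dict(transport, ciphertext=bytes([transport["ciphertext"][0] ^ 1]) + transport["ciphertext"][1:])
    print("tampered accepted:", accepted(forged, enc, auth))   # False
```

Note what the ICV does and does not cover: as in real ESP, it protects the ESP header and the encrypted data but not the outer IP header, which is why NAT can rewrite the outer addresses of an ESP packet without breaking it, whereas AH, which authenticates the IP header too, cannot pass through NAT.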

3.2.3 Features of IPSec


1) Authentication: IPsec authenticates the origin of IP packets with a keyed message authentication code
(such as HMAC) whose keys are established by IKE, after IKE itself has authenticated the two peers using
pre-shared secrets or digital certificates and signatures. This ensures that packets are not forged.
2) Confidentiality: IPsec provides confidentiality by encrypting IP packets (ESP), preventing eavesdropping on
the network traffic.
3) Integrity: IPsec ensures that IP packets have not been modified or corrupted during transmission; the
sequence number in the AH/ESP header also lets the receiver discard replayed packets.
4) Key management: IPsec provides key management services through IKE, including key exchange, rekeying
and deletion of security associations, so that cryptographic keys are securely managed.
5) Tunneling: IPsec tunnel mode encapsulates a complete IP packet inside a new IP packet, which is how
site-to-site VPNs are built. IPsec is also commonly combined with other tunneling protocols such as GRE
(Generic Routing Encapsulation) or L2TP (Layer 2 Tunneling Protocol), where IPsec protects the GRE or L2TP
tunnel traffic.
6) Flexibility: IPsec can be configured to provide security for a wide range of network topologies, including
point-to-point, site-to-site, and remote access connections.
7) Interoperability: IPsec is an open standard, which means that it is supported by a wide range of vendors
and can be used in heterogeneous environments.

3.2.4 Advantages of IPSec


1) Strong security: IPsec provides strong cryptographic security services that help protect sensitive data
and ensure network privacy and integrity.
2) Wide compatibility: IPsec is an open standard that is widely supported by vendors and can be used in
heterogeneous environments.
3) Flexibility: IPsec can be configured to provide security for a wide range of network topologies, including
point-to-point, site-to-site, and remote access connections.
4) Scalability: IPsec can be used to secure large-scale networks and can be scaled up or down as needed.
5) Transparency: because IPsec works at the network layer, below the transport layer, applications and end
users benefit from it without any change to the application software.

3.2.5 Disadvantages of IPSec


1) Configuration complexity: IPsec can be complex to configure and requires specialized knowledge and
skills; mismatched settings on the two peers are a common cause of tunnels that fail to come up.
2) Compatibility issues: IPsec can have compatibility issues with some network devices and applications (for
example, AH does not work through NAT, because NAT rewrites fields that AH authenticates), which can lead
to interoperability problems.
3) Performance impact: IPsec can reduce throughput and add latency because of the overh_


3.2.6 Difference between IPv4 and IPv6

Parameter | IPv4 | IPv6
Address length | 32-bit address. | 128-bit address.
Fields | Numeric address of 4 fields separated by a dot (.), e.g. 192.0.2.10. | Hexadecimal address of 8 fields separated by a colon (:), e.g. 2001:db8::1.
Classes | Five classes of IP address: Class A, B, C, D and E. | No address classes.
Number of IP addresses | Limited number of addresses. | Very large number of addresses.
Subnetting | Supports VLSM (Variable Length Subnet Mask), i.e. the address space can be divided into subnets of different sizes. | Uses CIDR-style prefix lengths (a subnet is normally a /64); the classful/VLSM terminology is not used.
Address configuration | Manual and DHCP configuration. | Manual, DHCPv6, stateless auto-configuration and renumbering.
Address space | About 4 billion (2^32) unique addresses. | About 340 undecillion (2^128) unique addresses.
End-to-end connection integrity | Not achievable in general, because NAT rewrites addresses along the path. | Achievable, because every host can have a globally unique address and NAT is not needed.
Security features | Security depends on the application; the protocol was not designed with security in mind, and IPsec is an optional add-on. | IPsec support was part of the original IPv6 design (mandatory to implement), although its use remains optional.
Address representation | Decimal. | Hexadecimal.
Fragmentation | Done by the sender and by forwarding routers. | Done by the sender only; routers do not fragment.
Packet flow identification | No mechanism for packet flow identification. | The Flow Label field in the header identifies packet flows.
Checksum field | Header checksum present. | No header checksum; integrity is left to the upper layers.
Transmission scheme | Uses broadcast. | No broadcast; uses multicast (and anycast), which gives more efficient network operation.
Encryption and authentication | Not provided by the protocol itself. | Provided through IPsec (AH and ESP).
Number of octets | 4 octets. | 8 fields of 2 octets each, 16 octets in total.

3.3 VARIOUS TYPES OF IDSs


3.3.1 Introduction
An Intrusion Detection System (IDS) is a system that monitors network traffic or host activity for suspicious
behavior and issues alerts when such activity is discovered. It is a software application (or appliance) that
scans a network or a system for harmful activity or policy violations. Any malicious activity or violation is
normally reported either to an administrator or collected centrally by a Security Information and Event
Management (SIEM) system. A SIEM system integrates outputs from multiple sources and uses alarm filtering and
correlation techniques to distinguish genuine malicious activity from false alarms.

Although intrusion detection systems monitor networks for potentially malicious activity, they are also prone
to false alarms. Hence, organizations need to tune their IDS products when they first install them, which
means configuring the system to recognize what normal traffic on the network looks like so that it can be told
apart from malicious activity.
An IDS and a firewall are both network security controls, but they differ in purpose. A firewall enforces access
rules between networks to prevent intrusions from happening, and it typically raises no alarm about traffic it
has allowed or about attacks that originate inside the network. An IDS detects a suspected intrusion while it
is in progress or after it has happened and then raises an alarm. The most common position for a network IDS
is just behind the firewall, although the position varies with the network design.

3.3.2 Detection Methods of IDS


1) Signature-based Method:
A signature-based IDS detects attacks by matching traffic or events against specific known patterns, such as
a particular byte sequence in a packet, a known malicious request string, or an instruction sequence used by a
known piece of malware. These stored patterns are called signatures. A signature-based IDS can reliably detect
attacks whose signature already exists in its database, with few false positives, but it cannot detect new
attacks or variants whose signature is not yet known.
2) Anomaly-based Method:
An anomaly-based IDS was introduced to detect unknown attacks, since new malware is developed rapidly. It
first builds a model of normal ("trusted") activity, using statistical baselines or machine learning, and then
compares incoming activity with that model; anything that deviates significantly from the model is flagged as
suspicious. Model-based methods generalize better than a signature-based IDS because the model can be
trained for the specific applications and hardware configuration, but they tend to produce more false positives
and must be retrained whenever legitimate behavior changes.
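Both detection methods run over the same constructed web-server access log, as an added example that is not part of the original notes. The log lines, the two regular-expression signatures and the "mean plus three standard deviations" threshold are all assumptions made for the demonstration; the point is that each method catches something the other misses.

```python
# Signature-based and anomaly-based detection over one constructed access
# log. Added example, not code from the original notes.
import re
from collections import Counter
from statistics import mean, pstdev

# Signatures: known malicious request patterns (a deliberately tiny, illustrative set).
SIGNATURES = {
    "sql_injection": re.compile(r"'\s*(or|and)\b[^=]{0,10}=", re.IGNORECASE),
    "path_traversal": re.compile(r"(\.\./|%2e%2e/)", re.IGNORECASE),
}


def build_sample_log():
    """Constructed log, one '<client> <minute> <request>' entry per line."""
    lines = []
    normal_rate = {"10.1.1.10": 2, "10.1.1.11": 3, "10.1.1.12": 1}   # requests per minute
    for minute in range(5):
        for client, rate in normal_rate.items():
            for i in range(rate):
                lines.append(f"{client} {minute} GET /page{i}.html")
    lines.append("10.1.1.12 2 GET /login?user=admin' OR '1'='1")      # injection probe
    lines.append("10.1.1.13 3 GET /../../etc/passwd")                # traversal probe
    lines += ["10.1.1.50 4 GET /index.html"] * 40                    # burst from one client
    return lines


def parse(line: str):
    client, minute, request = line.split(" ", 2)
    return client, int(minute), request


def signature_alerts(lines):
    """Flag requests that match a known signature; anything without a signature is missed."""
    alerts = []
    for line in lines:
        client, _, request = parse(line)
        for name, pattern in SIGNATURES.items():
            if pattern.search(request):
                alerts.append((client, name, request))
    return alerts


def anomaly_alerts(lines, training_minutes=range(0, 3), k=3.0):
    """Learn a per-client, per-minute request-rate baseline, then flag rates above mean + k*stdev.

    Returns (alerts, threshold). Anything unusual is flagged, including behaviour
    that is merely new, which is where anomaly detection's false positives come from.
    """
    counts = Counter()
    for line in lines:
        client, minute, _ = parse(line)
        counts[(client, minute)] += 1
    baseline = [n for (_, minute), n in counts.items() if minute in training_minutes]
    threshold = mean(baseline) + k * pstdev(baseline)
    alerts = [(client, minute, n) for (client, minute), n in sorted(counts.items())
              if minute not in training_minutes and n > threshold]
    return alerts, threshold


if __name__ == "__main__":
    log = build_sample_log()
    print("signature:", signature_alerts(log))   # the two probes, nothing about the burst
    print("anomaly:  ", anomaly_alerts(log))     # the burst, nothing about the two probes
```

The two output lines are complementary: the signatures find the injection and traversal probes but are silent about the 40-request burst, while the rate baseline flags the burst but has no opinion about a single well-formed malicious request. That is why production deployments usually run both, and why the anomaly threshold has to be re-learned when legitimate traffic patterns change.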

3.3.3 Classification of IDS


Intrusion Detection Systems are classified into 5 types:
1) Network Intrusion Detection System (NIDS):
Network intrusion detection systems (NIDS) are set up at a planned point within the network to examine traffic
from all devices on the network. It performs an observation of passing traffic on the entire subnet and matches
the traffic that is passed on the subnets to the collection of known attacks. Once an attack is identified or
abnormal behavior is observed, the alert can be sent to the administrator. An example of a NIDS is installing
it on the subnet where firewalls are located in order to see if someone is trying to crack the firewall.
2) Host Intrusion Detection System (HIDS):


Host Intrusion Detection Systems (HIDS) run on individual hosts or devices on the network. A HIDS
monitors the incoming and outgoing packets of that device only and alerts the administrator if suspicious
or malicious activity is detected. It also takes a snapshot of existing system files and compares it with the
previous snapshot; if critical system files were edited or deleted, an alert is sent to the administrator to
investigate. A typical use of HIDS is on mission-critical machines, which are not expected to change their
layout.

3) Protocol-based Intrusion Detection System (PIDS):


A Protocol-Based Intrusion Detection System (PIDS) is a system or agent that resides at the front end of a
server, monitoring and interpreting the protocol between a user or device and the server. A typical use is
securing a web server by monitoring the HTTP protocol stream. Because HTTPS traffic is encrypted on the
wire, a PIDS has to sit where that traffic is decrypted, between the TLS endpoint and the web application
layer, so that it can inspect the underlying HTTP requests.
4) Application Protocol-based Intrusion Detection System (APIDS):
An Application Protocol-Based Intrusion Detection System (APIDS) is a system or agent that generally resides
within a group of servers. It identifies the intrusions by monitoring and interpreting the communication on
application-specific protocols. For example, it could explicitly monitor the SQL protocol that the
middleware uses as it transacts with the database behind the web server.
5) Hybrid Intrusion Detection System:
Hybrid intrusion detection system is made by the combination of two or more approaches to the intrusion
detection system. In the hybrid intrusion detection system, the host agent or system data is combined with
network information to develop a complete view of the network system. The hybrid intrusion detection system
is more effective in comparison to the other intrusion detection system. Prelude is an example of Hybrid IDS.

3.4 DISTINGUISH HOST-BASED IDS AND NETWORK-BASED IDS

Full Form
    HIDS: Host Intrusion Detection System.
    NIDS: Network Intrusion Detection System.

Type
    HIDS: It does not work in real time.
    NIDS: It operates in real time.

Concern
    HIDS: Relates to just a single system; as the name suggests, it is only concerned with threats to the host
    system/computer.
    NIDS: Concerned with the entire network; it examines the activities and traffic of all the systems in the
    network.

Installation Point
    HIDS: Can be installed on every computer or server, i.e., anything that can serve as a host.
    NIDS: Being concerned with the network, it is installed at places like routers or servers, as these are the
    main intersection points in the network.

Execution Process
    HIDS: Takes a snapshot of the current state of the system and compares it against snapshots already stored
    in its database and tagged as malicious; this clearly shows that there is a delay in its operation.
    NIDS: Works in real time by closely examining the data flow and immediately reporting anything unusual.

Information about attack
    HIDS: More informed about the attacks, as it is associated with system files and processes.
    NIDS: As the network is very large, making it hard to keep track of the integrating functionalities, it is
    less informed of the attacks.

Ease of Installation
    HIDS: As it needs to be installed on every host, the installation process can be tiresome.
    NIDS: Few installation points make it easier to install.

Response Time
    HIDS: Slow.
    NIDS: Fast.

3.5 HIDS AND NIDS COMPONENTS


1) Data Collectors: Using either agents or an agentless approach, the IDS deploys sensors that collect data:
from the hosts themselves for a HIDS, or from a network tap or switch mirror (SPAN) port for a NIDS.
2) Data Storage: After being collected, the data is usually aggregated and stored in a central location. The
data is retained at least as long as is necessary to analyze it, although organizations may also choose to keep
the data on hand so they can reference it at a later time if desired.
3) Analytics Engine: The HIDS uses an analytics engine to process and evaluate the various data sources that
it collects. The purpose of analytics is to look for patterns or anomalies, and then assess the likelihood that
they are the result of security risks or attacks.

3.6 ADVANTAGES AND DISADVANTAGES OF HIDS, NIDS


Advantages of HIDS:
1) Verifies success or failure of an attack: Since a host-based IDS uses system logs containing events that
have actually occurred, it can determine whether an attack succeeded or not.
2) Monitors System Activities: A host-based IDS sensor monitors user and file access activity including file
accesses, changes to file permissions, attempts to install new executables, etc.
3) Detects attacks that a network-based IDS fails to detect: Host-based systems can detect attacks that
network-based IDS sensors fail to detect. For example, if an unauthorized user makes changes to system
files from the system console, this kind of attack goes unnoticed by the network sensors.
4) Near real-time detection and response: Although host-based IDS do not offer true real-time response, it
can come very close if implemented correctly.
5) Lower entry cost: Host-based IDS sensors are far cheaper than network-based IDS sensors.

Disadvantages of HIDS:
1) Host-based IDSs are harder to manage, as information must be configured and managed for every host.
2) The information sources for host-based IDSs reside on the host targeted by attacks, the IDSs may be
attacked and disabled as part of the attack.
3) Host-based IDSs are not well suited for detecting network scans or other such surveillance that targets an
entire network.
4) Host-based IDSs can be disabled by certain denial-of-service attacks.

Advantages of NIDS:
1) A few well-placed network-based IDS can monitor a large network.
2) The deployment of NIDSs has little impact on an existing network.
3) NIDSs can be made very secure against attack and even made invisible to many attackers.
Disadvantages of NIDS:
1) NIDSs may have difficulty processing all packets in a large or busy network and, therefore, may fail to
recognize an attack launched during a period of high traffic.
2) Many of the advantages of NIDSs don't apply to more modern switch-based networks: a switch delivers
each frame only to its destination port, so the sensor sees other hosts' traffic only if it is fed from a mirror
(SPAN) port or a network tap.
3) NIDSs cannot analyze encrypted information. This problem is increasing as organizations and attackers
use virtual private networks.
4) Most NIDSs cannot tell whether or not an attack was successful; they can only find that an attack was
initiated.
UNIT-4
NETWORK ADMINISTRATION PROTOCOLS AND SERVICES
4.1 DIRECTORY SERVICE
A Directory Service is a network service that identifies all resources on a network and makes them
accessible to users and applications. (Resources include email addresses, domain names, computers and
peripheral devices such as printers.) In most networks, you optimize the different services by hosting them on
different computers. Putting all services on one computer makes that computer complex to manage and a
single point of failure; by segregating network services in various ways you achieve better performance, more
reliability and higher security.
Most networks have quite a few services that need to be provided, and often these services run on different
servers. Even a relatively simple network now offers the following services:
• File storage and sharing and Printer sharing
• E-mail services
• Web hosting, both for the Internet and an intranet
• Database server services
• Specific application servers
• Internet connectivity
• Fax services
• Domain Name System (DNS) service, Windows Internet Naming Service
• Dynamic Host Configuration Protocol (DHCP) services
• Centralized virus-detection services
• Backup and restore services
Directory services were invented to remove complexities from the network. Basically, directory services work
just like a phone book. Instead of using a name to look up an address and phone number in a phone book, you
query the directory service for a service name (such as the name of a network folder or a printer), and the
directory service tells you where the service is located.
You can also request directory services by property. For instance, if you request the directory service for all
items that are “printers,” it can return a complete list, no matter where the printers are located in the
organization.
Even better, directory services let you browse all the resources on a network easily. Because the directory is
shared with all the other servers, there is no need to maintain a separate user list on each server; directory
services eliminate this kind of complexity.
For redundancy, directory services usually run on multiple servers in an organization, each server holding a
full copy of the directory database. To avoid loss of data, the directory server must also be backed up.
There are five types of well-known directory services:


1) Novell Directory Services (NDS)
2) Microsoft’s Windows NT Domains
3) Microsoft’s Active Directory
4) X.500 Directory Access Protocol
5) Lightweight Directory Access Protocol

4.2 DIFFERENT DIRECTORIES ACCESS PROTOCOLS


4.2.1 Novell Directory Service (NDS)
Novell eDirectory has been available since 1993, introduced as NDS as part of NetWare 4.x. This product was
a real boon and was rapidly implemented in Novell networks, particularly in larger organizations that had
many NetWare servers and needed its capabilities. eDirectory is a reliable, robust directory service that has
continued to evolve since its introduction. eDirectory uses a master/replica approach to directory servers (each
partition has one master replica and any number of read/write or read-only replicas) and allows partitioning
of the tree.
In addition to running on Novell network operating systems, eDirectory is also available for Windows, Solaris,
AIX (Advanced Interactive eXecutive) and Linux systems. The product's compatibility with such a variety of
systems makes it a good choice for managing all these platforms under a single directory structure.
The NDS tree is managed from a client computer logged into the network with administrative privileges. You
can use either a graphical tool designed to manage the tree, called NWAdmin, or a text-based tool called
NETADMIN. Both allow full management of the tree, although the graphical product is much easier to use.
The NDS tree contains a number of different object types. The standard directory service types are countries,
organizations and organizational units. The system also has objects to represent NetWare security groups,
NetWare servers and NetWare server volumes.

4.2.2 Windows NT Domains


The Windows NT (New Technology) domain model breaks an organization into chunks called domains, all of
which are part of an organization. The domains are usually organized geographically, which helps minimize
domain-to-domain communication requirements across WAN links, although you’re free to organize domains
as you wish.
Each domain is controlled by a primary domain controller (PDC), which might have one or more backup
domain controllers (BDCs) to kick in if the PDC fails.
All changes within the domain are made to the PDC, which then replicates those changes to any BDCs. BDCs
are read-only, except for valid updates received from the PDC. In case of a PDC failure, BDCs automatically
continue authenticating users. To make administrative changes to a domain that suffers PDC failure, any of
the BDCs can be promoted to PDC. Once the PDC is ready to come back online, the promoted BDC can be
demoted back to BDC status.
Windows NT domains can be organized into one of four domain models:


1) Single domain: In this model, only one domain contains all network resources.
2) Master domain: The master model usually puts users in the top-level domain and then places network
resources, such as shared folders or printers, in lower-level domains (called resource domains). In this
model, the resource domains trust the master domain.
3) Multiple master domain: This is a slight variation on the master domain model, in which users might
exist in multiple master domains, all of which trust one another, and in which resources are located in
resource domains, all of which trust all the master domains.
4) Complete trust: This variation of the single-domain model spreads users and resources across all
domains, which all trust each other.
You can choose an appropriate domain model depending on the physical layout of the network, the number of
users to be served and other factors. (If you’re planning a domain model, you should review the white papers
on Microsoft’s website for details on planning large domains, because the process can be complex.)
Explicit trust relationships must be maintained between domains using the master or multiple master domain
models and must be managed on each domain separately. Maintaining these relationships is one of the biggest
difficulties in the Windows NT domain structure approach, at least for larger organizations. If you have 100
domains, you must manage the 99 possible trust relationships for each domain, for a total of 9,900 trust
relationships. For smaller numbers of domains (for example, less than 10 domains), management of the trust
relationship is less of a problem, although it can still cause difficulties.

4.2.3 X.500 Directory


The X.500 standard was developed jointly by the International Telecommunications Union (ITU) and the
International Standards Organization (ISO). Its purpose was to provide an international standard for directory
systems. The primary concept of X.500 is that there is a single Directory Information Tree (DIT), a hierarchical
organization of entries that are distributed across one or more servers, called Directory System Agents (DSA).
The X.500 protocol architecture is a client-server architecture in which the two sides communicate over the
Open Systems Interconnection (OSI) protocol stack. The client is called the Directory User Agent (DUA) and
the server is called the Directory System Agent (DSA).
X.500 is a directory service used in the same way as a conventional name service, but it is primarily used to
satisfy descriptive queries and is designed to discover the names and attributes of other users or system
resources.
Users may have a variety of requirements for searching and browsing in a directory of network users,
organizations and system resources to obtain information about the entities that the directory contains. The
uses for such a service are likely to be quite diverse. They range from inquiries that are directly analogous to
the use of telephone directories, such as a simple “white pages” access to obtain a user's electronic mail address
or a “yellow pages” query aimed, for example, at obtaining the names and telephone numbers of garages
specializing in the repair of a particular make of car, to the use of the directory to access personal details such
as job roles, dietary habits or even photographic images of the individuals.

The above figure shows the model for X.500.


• In the X.500 directory architecture, the client sends queries to, and receives responses from, one or more
servers of the Directory Service, with the Directory Access Protocol (DAP) controlling the
communication between the client and the server.
• The Directory client, called the Directory User Agent (DUA), supports users in searching or browsing
through one or more directory databases and in retrieving the requested directory information. The
DUA can be implemented in all kinds of user interfaces through dedicated DUA clients, Web-server
gateways, e-mail applications or middleware. DUAs are currently available for virtually all types of
workstations.
• Directory information is stored in a Directory System Agent (DSA), a hierarchical database designed
to provide fast and efficient search and retrieval.
• The Directory System Protocol (DSP) controls the interaction between two or more DSAs. This is
done in a way that allows users to access information in the Directory without knowing its exact
location.
• The Directory Access Protocol (DAP) is used for controlling communication between a DUA and
DSA.
4.2.4 LDAP
LDAP stands for Lightweight Directory Access Protocol.
LDAP was developed to solve the problems associated with X.500, chiefly its dependence on the full OSI
protocol stack. LDAP provides about 90% of the functionality of X.500 and is in that sense a subset of X.500.
LDAP runs over TCP/IP and uses a client/server model.
The LDAP standard describes not only the layout and fields within an LDAP directory but also the methods
to be used when a person logs in to a server that uses LDAP or queries or updates the LDAP directory
information on an LDAP server.
An LDAP tree starts with a root, which contains entries. Each entry has one or more attributes, and each
attribute has a type and one or more values. For example, an entry for a person typically carries the attributes
cn (common name), givenName and sn (surname), and the entry itself is identified by a distinguished name
(DN) such as cn=Alice,ou=People,dc=example,dc=com. Attribute values are transmitted as strings. Entries are
arranged in a tree, typically organized geographically and then within each organization.
One nice feature of LDAP is an organization can build a global directory structure using a feature called
referral, where LDAP directory queries that are managed by a different LDAP server are transparently routed
to that server. Because each LDAP server knows its parent LDAP server and its child servers, any user
anywhere in the network can access the entire LDAP tree. In fact, the user won't even know he or she is
running on different servers in different locales.
The following are 4 basic models that describe LDAP:
1) Information Model: It defines the structure of the data stored in the directory.
2) Naming Model: It describes how to reference and organize the data.
3) Functional Model: It describes how to work with the data.
4) Security Model: It defines how to keep the data in the directory secure.
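As an added example (not from the notes and not the code of any real directory server), the following Python models the X.500/LDAP pieces described in the last two sections: entries identified by DNs and holding typed attributes, base/one-level/sub-tree search scopes, a root server that returns a referral to a child server holding a sub-tree, and a client that follows referrals transparently. The suffixes, entries and names (example.com, alice, bob, carol, ou=india) are constructed. It goes one step beyond the text on the security model: `lookup_user_unsafe` and `lookup_user_safe` show why a value taken from user input must be escaped (RFC 4515) before it is placed in a search filter, since otherwise a single `*` turns a lookup of one user into a listing of every user.

```python
"""An in-memory LDAP-style directory: DNs, entries with attributes, search scopes,
referral between servers, and RFC 4515 filter escaping."""
import re

def parse_dn(dn):
    """'cn=alice,ou=people,dc=example,dc=com' -> [('cn','alice'), ('ou','people'), ...]
    (the constructed DNs here contain no escaped commas)."""
    return [tuple(p.strip().split("=", 1)) for p in dn.split(",")]

def is_under(dn, base):
    """True if dn is base itself or lies beneath it in the tree."""
    d, b = parse_dn(dn), parse_dn(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b

def escape_filter_value(value):
    """RFC 4515 escaping: '*', '(', ')', '\\' and NUL become \\xx, so a value taken
    from user input cannot change the meaning of the filter it is placed in."""
    return re.sub(r"[*()\\\x00]", lambda m: "\\%02x" % ord(m.group()), value)

FILTER = re.compile(r"^\((\w+)=([^()]*)\)$")     # one equality/substring assertion only

def filter_matches(attrs, flt):
    """Evaluate a filter such as (uid=alice) or (uid=al*) against one entry's attributes."""
    m = FILTER.match(flt)
    if not m:
        raise ValueError("unsupported filter: " + flt)
    attr, pattern = m.groups()
    parts = []
    for tok in re.findall(r"\\[0-9a-fA-F]{2}|\*|[^*\\]+", pattern):
        if tok == "*":
            parts.append(".*")                                # bare star is a wildcard
        elif tok.startswith("\\"):
            parts.append(re.escape(chr(int(tok[1:], 16))))    # escaped byte is literal
        else:
            parts.append(re.escape(tok))
    rx = re.compile("".join(parts), re.I)
    return any(rx.fullmatch(v) for v in attrs.get(attr, []))

class DirectoryServer:
    """One server holding one naming context; child servers hold sub-trees of it."""
    def __init__(self, suffix, entries):
        self.suffix, self.entries, self.children = suffix, entries, []

    def search(self, base, scope, flt):
        """scope is 'base', 'one' or 'sub'. Returns ('entries', [dn, ...]), or
        ('referral', server) when the base DN is held by a child server."""
        for child in self.children:
            if is_under(base, child.suffix):
                return ("referral", child)
        if not is_under(base, self.suffix):
            raise LookupError("noSuchObject: " + base)
        depth, hits = len(parse_dn(base)), []
        for dn, attrs in self.entries.items():
            level = len(parse_dn(dn)) - depth
            if not is_under(dn, base) or (scope == "base" and level != 0) \
                    or (scope == "one" and level != 1):
                continue
            if filter_matches(attrs, flt):
                hits.append(dn)
        return ("entries", hits)

def search(server, base, scope, flt):
    """Client side: chase referrals until a server answers with entries."""
    kind, result = server.search(base, scope, flt)
    while kind == "referral":
        kind, result = result.search(base, scope, flt)
    return result

# Constructed directory: the root server plus one child server for ou=india.
ROOT = DirectoryServer("dc=example,dc=com", {
    "dc=example,dc=com": {"objectClass": ["domain"]},
    "ou=people,dc=example,dc=com": {"objectClass": ["organizationalUnit"]},
    "cn=alice,ou=people,dc=example,dc=com": {"uid": ["alice"], "givenName": ["Alice"], "sn": ["Smith"]},
    "cn=bob,ou=people,dc=example,dc=com": {"uid": ["bob"], "givenName": ["Bob"], "sn": ["Jones"]},
})
INDIA = DirectoryServer("ou=india,dc=example,dc=com", {
    "ou=india,dc=example,dc=com": {"objectClass": ["organizationalUnit"]},
    "cn=carol,ou=india,dc=example,dc=com": {"uid": ["carol"], "givenName": ["Carol"], "sn": ["Rao"]},
})
ROOT.children.append(INDIA)

PEOPLE = "ou=people,dc=example,dc=com"

def lookup_user_unsafe(user_input):
    """Interpolates raw input: a login field containing '*' returns every user."""
    return search(ROOT, PEOPLE, "sub", "(uid=%s)" % user_input)

def lookup_user_safe(user_input):
    """Same query with the value escaped, so '*' is only ever matched literally."""
    return search(ROOT, PEOPLE, "sub", "(uid=%s)" % escape_filter_value(user_input))
```

A real server answering a sub-tree search that spans a child's naming context would return the local entries plus a continuation reference for the child; this toy keeps referral to the case where the whole base lives on the child, which is enough to show the routing the text describes.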

4.3 ACTIVE DIRECTORY


Active Directory was developed by Microsoft. Active Directory is essentially a database of network resources
(known as objects) and information about each of these objects. Active Directory is fully compatible with
LDAP and also with the Domain Name System (DNS) used on the Internet.
Active Directory uses a peer approach to domain controllers; all domain controllers are full participants at all
times. This arrangement is called a Multimaster because there are many “master” domain controllers but no
backup controllers.
Active Directory is built on a structure that allows “trees of trees,” which is called a forest. Each tree has its
domain and its domain controllers.
Within a domain, separate organizational units are allowed to make administration easier and more logical.
Trees are then aggregated into a larger forest structure. According to Microsoft, Active Directory can handle
millions of objects through this approach.
Active Directory does not require the management of trust relationships, except when connected to Windows
NT 4.x servers that are not using Active Directory. Otherwise, all domains within a forest have automatic,
transitive trust relationships.
Unlike Windows NT, Active Directory does not divide domain controllers into primary and backup controllers:
every domain controller holds a writable copy of the domain database. (One controller per domain holds the
PDC emulator role, but that is an operations-master role kept for compatibility, not a separate type of
controller.)
Active Directory uses the LDAP protocol to access objects. Each domain controller in a domain can accept
requests for changes to the domain database and replicate them to the other DCs in the domain. The first
domain that is created is referred to as the "root domain" and sits at the top of the directory tree. All
subsequent domains live under the root domain and are referred to as child domains; child domain names must
be unique, as shown in the figure below. One or more such trees together make up a domain forest.
There are three Directory Components :
1) Object: Objects in the database can include printers, users, servers, clients, shares, services, etc. and
are the most basic component of the directory. There are two basic types of objects in an active
directory:
a) Container Object: It is simply an object that stores other objects. These objects essentially function
as the branches of the tree.
b) Leaf Object: It stands alone and can’t store other objects.
2) Attributes: An attribute describes an object. For example, passwords and names are attributes of user
objects. Different objects will have a different set of attributes that define them, however, different
objects may also share attributes. For example, a printer and Windows Vista computer may both have
an IP address as an attribute.
3) Schema: A schema defines the list of attributes that describe a given type of object. For example, let's
say that all printer objects are defined by name, PDL type and speed attributes. This list of attributes
comprises the schema for the object class "printers". The schema is customizable, meaning that the
attributes that define an object class can be modified.

4.4 VPN AND ITS PROTOCOLS


4.4.1 Introduction
A VPN is a network that uses a public telecommunication infrastructure, such as the Internet, to provide remote
offices or individual users with secure access to their organization's network.
In other words, A VPN is a network technology that creates a secure network connection over a public network
such as the Internet or a private network owned by a service provider.
4.4.2 Working of VPN


A VPN works by routing a device's traffic through the VPN provider's server rather than sending it directly
over the user's regular internet service provider (ISP) path. The VPN server acts as an intermediary between
the user and the internet, so that the sites the user visits see the VPN server's IP address rather than the
user's own.
Using a VPN creates a private, encrypted tunnel between the user's device and the VPN server, hiding the
user's data, location and other information from anyone observing the path in between. All network traffic is
sent through this secure connection: data leaving the user's computer is encrypted and carried to the VPN
server, which forwards it to its destination.
When the user connects to a website through the VPN, the request travels through the encrypted tunnel to the
VPN server; the VPN server forwards the request to the website and relays the response back through the
tunnel to the user.

4.4.3 Working of VPN in practice


Streaming services like Amazon Prime Video, Hulu, and Netflix offer different content to users located in
different countries. Using a VPN enables a streaming customer to access the content intended for people living
in different countries regardless of their actual location.
It can also enable a user to access a streaming subscription they have in their home country while traveling.
For example, a user on holiday in another country could use a VPN to set their location to the U.S. and stream
their favorite sports team’s live game.

4.4.4 VPN Protocols


VPN protocols work in various ways, but they usually perform two basic functions: authentication and
encryption. Authentication ensures your device is communicating with a trusted VPN server and encryption
makes the communication itself unreadable to outsiders.
Different encryption standards and authentication methods result in differing levels of speed and security for
VPN users. VPN protocols also have differing rules on how to handle potential errors, which affects stability
and reliability.
1) Point-to-Point Tunneling Protocol (PPTP)
PPTP is one of the oldest VPN protocols still in use. Created by Microsoft, it uses a Transmission Control
Protocol (TCP) control channel (port 1723) and the Generic Routing Encapsulation (GRE) tunneling protocol
to carry Point-to-Point Protocol (PPP) frames, a Layer 2 protocol used directly between two routers, and it
relies on PPP for its security functions. Its encryption (MPPE, using RC4 with keys of at most 128 bits) and
its usual authentication method (MS-CHAPv2) have well-known weaknesses, so it offers low security. PPTP
is fast and simple to deploy but is only really applicable to people using older Windows operating systems,
and any VPN that relies solely on PPTP should be avoided.
2) Layer Two Tunneling Protocol (L2TP)


Layer Two Tunneling Protocol (L2TP) is an extension of the Point-to-Point Tunneling Protocol (PPTP) used
by an Internet service provider (ISP) to enable the operation of a virtual private network (VPN) over the
Internet. L2TP allows multiprotocol traffic to be encrypted and then sent over any medium that supports point-
to-point datagram delivery, such as IP or Asynchronous Transfer Mode (ATM). L2TP is a combination of
PPTP and Layer 2 Forwarding (L2F), a technology developed by Cisco Systems, Inc. L2TP represents the
best features of PPTP and L2F. Unlike PPTP, the Microsoft implementation of L2TP does not use MPPE
(Microsoft Point-to-Point Encryption) to encrypt PPP datagrams. L2TP relies on Internet Protocol security
(IPsec) in Transport Mode for encryption services. The combination of L2TP and IPsec is known as
L2TP/IPsec. Both L2TP and IPsec must be supported by the VPN client and the VPN server. On Windows, L2TP
is installed together with the TCP/IP protocol. L2TP is available across the major operating systems, including
Android, Windows, macOS and iOS.

3) Secure Socket Tunneling Protocol (SSTP)


SSTP is a VPN tunnel created by Microsoft and is a much more secure option than PPTP. It transports PPP
traffic through a secure sockets layer/transport layer security (SSL/TLS) channel, which provides encryption,
key negotiation and traffic integrity checking, so only the two parties exchanging the data are able to decode
it. Because it runs over TCP port 443, SSTP can pass through most firewalls and proxy servers. SSTP is well
suited to Windows devices; support on other platforms (macOS, Linux or mobile devices) is more limited than
for other VPN protocols.

4) Internet Key Exchange Version 2 (IKEv2)


IKEv2 is the key-exchange protocol of the IPsec suite: it negotiates the security attributes between the device
and the server, authenticates both sides, and agrees which encryption methods to use, after which IPsec
carries the protected traffic. It supports 256-bit encryption and allows the use of popular ciphers such as
Advanced Encryption Standard (AES), Camellia and ChaCha20. IKEv2 is mostly used to secure mobile
devices, for which it is particularly effective because it re-establishes the tunnel quickly when the device
changes networks (MOBIKE). The protocol is extensively supported on a wide range of platforms, including
macOS, Windows, Linux, iOS and Android.

5) OpenVPN
OpenVPN is an open-source and highly configurable protocol known for its security and versatility. It can
run over either Transmission Control Protocol (TCP) or User Datagram Protocol (UDP). OpenVPN is widely
used because it balances speed and security: it uses SSL/TLS for authentication and key exchange, and a
strong data-channel cipher such as AES-256 for the tunnel itself. Many OpenVPN client applications add a
kill switch, which blocks all traffic if the VPN connection drops so that requests, including DNS queries, do
not leak outside the tunnel. OpenVPN is available on macOS, Microsoft Windows, Android, Linux and iOS.

6) Wireguard
Launched in 2015, WireGuard is a communication protocol developed by Jason A. Donenfeld. Unlike
older protocols, it is designed to be lightweight and efficient, which makes it one of the fastest protocols.
WireGuard emphasizes simplicity in its design and implementation: it is easier to set up and maintain, and
instead of negotiating cipher suites it uses one fixed set of modern primitives (Curve25519 for key exchange,
ChaCha20-Poly1305 for encryption and BLAKE2s for hashing), which keeps the code small and rules out
downgrade-style negotiation attacks. WireGuard has gathered attention for its potential to become a
next-generation VPN protocol offering both speed and security. It is available on multiple operating systems
such as Windows, Linux, macOS, Android and iOS.

4.5 DHCP ARCHITECTURE, RARP AND BOOTP


4.5.1 DHCP
Introduction
DHCP (Dynamic Host Configuration Protocol) is a network administration protocol that is responsible for the
task of assigning an IP address to your system and network device. DHCP works on the Application layer of
the TCP/IP Protocol. The DHCP network model is based on the client-server architecture, where the
connection is established when the client device sends a request message to the server device to provide the
system with an IP address.

DHCP Architecture
The DHCP architecture is made up of DHCP clients, DHCP servers and DHCP relay agents. The client
interacts with servers using DHCP messages in a DHCP conversation to obtain and renew IP address leases.
Here is a brief description of the DHCP components:
1) DHCP Server: It automatically provides network information (IP address, subnet mask, gateway address)
on lease. Once the duration has expired, that network information can be assigned to another machine. It
also maintains the data storage which stores the available IP addresses.
2) DHCP Client: A DHCP client is any IP device connected on the network that has been configured to act
as a host requesting configuration parameters such as an IP address from a DHCP server.
3) DHCP Relay Agent: DHCP relay agents pass DHCP messages between servers and clients where the
DHCP server does not reside on the same IP subnet as its clients. Other components include the IP address
pool, subnet, lease and DHCP communications protocol.
The following diagram shows the changing port numbers and the source and destination addresses used during
the DHCP transaction. UDP port 68 is reserved for DHCP clients and UDP port 67 is reserved for DHCP
servers.
Step 1: DHCP DISCOVER

Sent by the client looking for the IP address. The source IP is 0.0.0.0 because the client doesn’t have an IP
address. The destination is 255.255.255.255, which is the broadcast address, as the client doesn’t know where
the DHCP server is located, so it broadcasts to all devices on the network.

Step 2: DHCP OFFER

Sent by the DHCP server offering an IP address to the client. The source address is the DHCP server address.
The DHCP server doesn’t know the client address yet, so it broadcasts the offer to all devices on the network.

Step 3: DHCP REQUEST

Sent by the client to the DHCP server to say “I will take that IP address, thanks.” The client IP address is still
0.0.0.0 and it is again broadcast to all so that any other servers on the network that may have offered an IP
address will know to stop communicating with the client for now.
Step 4: DHCP ACKNOWLEDGEMENT

Sent by the DHCP server to the client. It confirms the IP address and other details such as subnet mask,
default gateway and lease time with the client. The source address is the DHCP server and the destination is
still the broadcast address.

DHCP Client, Server and Relay Agent Model


The DHCP relay agent is located between a DHCP client and a DHCP server and forwards DHCP messages
between servers and clients as follows (the figure in the original notes shows two DHCP servers behind one
relay agent):

1) The DHCP client broadcasts a discover packet to find a DHCP server from which to obtain configuration
parameters, including an IP address.
2) The DHCP relay agent receives the discover packet, writes its own address into the giaddr (gateway
address) field and forwards a unicast copy to each of the two DHCP servers. The relay agent then creates an
entry in its internal client table to keep track of the client's state.
3) In response to the discover packet, each DHCP server sends an offer packet to the relay agent, which
forwards it to the DHCP client. The giaddr value tells the server which subnet, and therefore which address
pool, the client belongs to.
4) On receipt of the offer packets, the DHCP client selects the DHCP server from which to obtain
configuration information. In practice most clients simply take the first offer that arrives; a client may also
prefer an offer on the basis of the parameters it contains, such as a longer lease time.
5) The DHCP client sends a request packet that names the DHCP server from which it wants to obtain
configuration information.
6) The DHCP relay agent receives the request packet and forwards copies to each of the two DHCP servers.
7) The DHCP server named by the client sends an acknowledgement (ACK) packet that contains the client's
configuration parameters; the other server treats the request as a declined offer and stays silent.
8) The DHCP relay agent receives the ACK packet and forwards it to the client.
9) The DHCP client receives the ACK packet and stores the configuration information.
10) If configured to do so, the DHCP relay agent installs a host route and an Address Resolution Protocol
(ARP) entry for this client.
11) After establishing the initial lease on the IP address, the DHCP client and the DHCP server use unicast
transmission to negotiate lease renewal or release. The DHCP relay agent "snoops" on all of the packets
unicast between the client and the server that pass through the router (or switch) to determine when the
lease for this client has expired or been released. This process is referred to as lease shadowing or passive
snooping.
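The DORA exchange and the relay-agent path described above, as an added example that is not part of the original notes: a Python encoder and decoder for the RFC 2131 message layout, an in-process server, a relay agent that stamps giaddr, and a client that walks DISCOVER, OFFER, REQUEST and ACK through the relay. The field layout and the option codes (1, 3, 50, 51, 53, 54) are the real ones; the addresses, the MAC address, the single address pool and the transaction id are constructed assumptions for the demo, and nothing is sent on the network.

```python
"""Added example, not from the notes: the four DHCP messages of a lease
(DISCOVER, OFFER, REQUEST, ACK) in RFC 2131 wire format, exchanged between an
in-process client, relay agent and server. The addresses (10.0.1.0/24 pool,
relay 10.0.1.1, server 10.0.0.5) and the MAC address are constructed for the
demo; nothing is sent on the network."""
import socket
import struct
from dataclasses import dataclass, field

DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5   # values of option 53 (RFC 2132)
OPT_MASK, OPT_ROUTER, OPT_REQ_IP, OPT_LEASE, OPT_MSG, OPT_SERVER_ID = 1, 3, 50, 51, 53, 54
MAGIC = b"\x63\x82\x53\x63"                  # magic cookie that follows the fixed header
FIXED = "!BBBBIHH4s4s4s4s16s64s128s"         # op htype hlen hops xid secs flags ciaddr yiaddr siaddr giaddr chaddr sname file

@dataclass
class Dhcp:
    op: int                    # 1 = BOOTREQUEST (from client), 2 = BOOTREPLY (from server)
    xid: int                   # transaction id; every reply copies it from the request
    chaddr: bytes              # client hardware (MAC) address
    ciaddr: str = "0.0.0.0"    # client's current address; 0.0.0.0 until it has a lease
    yiaddr: str = "0.0.0.0"    # "your" address: what the server is handing out
    giaddr: str = "0.0.0.0"    # relay agent address; 0.0.0.0 when client and server share a subnet
    hops: int = 0              # incremented by each relay agent on the path
    options: dict = field(default_factory=dict)   # option code -> raw value bytes

def encode(m):
    head = struct.pack(FIXED, m.op, 1, 6, m.hops, m.xid, 0, 0x8000,   # flags: broadcast bit set
                       socket.inet_aton(m.ciaddr), socket.inet_aton(m.yiaddr), b"\0" * 4,
                       socket.inet_aton(m.giaddr), m.chaddr, b"\0" * 64, b"\0" * 128)
    opts = b"".join(bytes([code, len(val)]) + val for code, val in m.options.items())
    return head + MAGIC + opts + b"\xff"                                # 0xff = end of options

def decode(buf):
    f = struct.unpack(FIXED, buf[:236])
    if buf[236:240] != MAGIC:
        raise ValueError("not a DHCP message: magic cookie missing")
    opts, i = {}, 240
    while buf[i] != 0xff:                  # walk the type-length-value options
        if buf[i] == 0:                    # pad option has no length byte
            i += 1
            continue
        code, n = buf[i], buf[i + 1]
        opts[code] = buf[i + 2:i + 2 + n]
        i += 2 + n
    return Dhcp(f[0], f[4], f[11][:f[2]], socket.inet_ntoa(f[7]),
                socket.inet_ntoa(f[8]), socket.inet_ntoa(f[10]), f[3], opts)

class Server:
    """A DHCP server with a single pool (a real one selects the pool by giaddr)."""
    def __init__(self, addr, pool, mask, router, lease):
        self.pool, self.offered = list(pool), {}   # offered: MAC -> address
        self.net = {OPT_SERVER_ID: socket.inet_aton(addr), OPT_MASK: socket.inet_aton(mask),
                    OPT_ROUTER: socket.inet_aton(router), OPT_LEASE: struct.pack("!I", lease)}

    def handle(self, buf):
        req = decode(buf)
        kind = req.options[OPT_MSG][0]
        if kind == DISCOVER:
            ip = self.offered.get(req.chaddr) or self.pool.pop(0)
            self.offered[req.chaddr] = ip
            return self._reply(req, OFFER, ip)
        if kind == REQUEST:
            # Stay silent unless the client chose *this* server: that is how the
            # other servers learn that their offers were declined.
            if req.options.get(OPT_SERVER_ID) != self.net[OPT_SERVER_ID]:
                return None
            ip = self.offered.get(req.chaddr)
            if ip and socket.inet_aton(ip) == req.options.get(OPT_REQ_IP):
                return self._reply(req, ACK, ip)
        return None

    def _reply(self, req, kind, ip):
        # giaddr is echoed back so the relay agent knows which subnet to deliver to
        return encode(Dhcp(2, req.xid, req.chaddr, yiaddr=ip, giaddr=req.giaddr,
                           options={OPT_MSG: bytes([kind]), **self.net}))

def relay(buf, relay_addr):
    """Relay agent: stamp giaddr and hops on a client broadcast so that a server
    on another subnet can answer it and knows which pool to draw from."""
    m = decode(buf)
    if m.op == 1 and m.giaddr == "0.0.0.0":
        m.giaddr, m.hops = relay_addr, m.hops + 1
    return encode(m)

def run_lease(mac=b"\x02\x00\x00\x00\x00\x01", relay_addr="10.0.1.1"):
    """Walk DISCOVER -> OFFER -> REQUEST -> ACK through the relay; return the decoded ACK."""
    srv = Server("10.0.0.5", ["10.0.1.50", "10.0.1.51"], "255.255.255.0", "10.0.1.1", 3600)
    xid = 0x3903F326                                   # constructed transaction id
    discover = encode(Dhcp(1, xid, mac, options={OPT_MSG: bytes([DISCOVER])}))
    offer = decode(srv.handle(relay(discover, relay_addr)))
    assert offer.options[OPT_MSG][0] == OFFER and offer.xid == xid
    # "I will take that address": name the chosen server and the address it offered
    request = encode(Dhcp(1, xid, mac, options={OPT_MSG: bytes([REQUEST]),
                                               OPT_REQ_IP: socket.inet_aton(offer.yiaddr),
                                               OPT_SERVER_ID: offer.options[OPT_SERVER_ID]}))
    return decode(srv.handle(relay(request, relay_addr)))

if __name__ == "__main__":
    ack = run_lease()
    print("ACK: address", ack.yiaddr, "lease", struct.unpack("!I", ack.options[OPT_LEASE])[0], "s")
```

The server's check on option 54 in `handle` is the mechanism behind step 3 above: a REQUEST that names another server is simply dropped, so the declining server never answers. The relay writes giaddr only on the way in; on the way back it would normally unicast the reply to the client's subnet, which the in-process demo does not need to model.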

4.5.2 RARP
The Reverse Address Resolution Protocol (RARP) is a networking protocol that maps a physical (MAC)
address to an Internet Protocol (IP) address. It is the reverse of the more commonly used Address Resolution
Protocol (ARP), which maps an IP address to a MAC address.

RARP was developed in the early days of computer networking as a way to provide IP addresses to diskless
workstations and other devices that could not store their own IP address. RARP is specified in RFC 903 and,
like ARP, is carried directly in link-layer frames rather than inside IP, so it operates at the data link layer of
the OSI model and cannot cross a router.

With RARP, the device broadcasts its MAC address and asks for an IP address; a RARP server on the same
network segment, holding a table of MAC-to-IP mappings, replies with the corresponding IP address. RARP
returns only the IP address, not a subnet mask, default gateway or any other parameter.
While RARP was widely used in the past, it has largely been replaced by BOOTP and then DHCP (Dynamic
Host Configuration Protocol), which provide far more flexibility in assigning IP addresses dynamically.
However, RARP is still encountered in some specialised applications, such as booting embedded systems and
configuring network devices with pre-assigned IP addresses.

4.5.3 BOOTP
Bootstrap Protocol (BOOTP), defined in RFC 951, is the predecessor of DHCP. It allows a diskless or newly
started host to obtain its own IP address, the address of a boot server and the name of a boot file from a
server on the network, so that it can then download its operating system image and complete start-up.
BOOTP runs over UDP on the same ports later adopted by DHCP: the client sends from port 68 and the server
listens on port 67. The client broadcasts a BOOTREQUEST containing its hardware (MAC) address; the
BOOTP server looks that address up in a table configured by the administrator and returns a BOOTREPLY
carrying the assigned IP address, the server's address and the boot file name. The client then fetches the boot
file with TFTP (Trivial File Transfer Protocol). Unlike DHCP, BOOTP assigns a fixed address per MAC
address: there is no address pool, no lease to renew and no authentication of either side.
Because the request is a broadcast, the BOOTP server and client normally share the same LAN; if they do not,
the routers in between must forward BOOTP broadcasts (BOOTP relay, the same mechanism used by a DHCP
relay agent). DHCP kept the BOOTP message format and ports, which is why a DHCP server can usually also
answer BOOTP clients and why the two protocols look identical in a packet capture until the options area of
the message is examined.

4.6 INTRODUCTION TO DNS AND ITS OBJECTIVES


4.6.1 Introduction to DNS
The Domain Name System (DNS) is the phonebook of the Internet. Humans access information online through
domain names such as gmail.com or youtube.com, whereas web browsers and other programs connect to
Internet Protocol (IP) addresses. DNS translates domain names to IP addresses so that browsers can load
Internet resources.
Each device reachable on the Internet has an IP address that other machines use to find it. DNS removes the
need for humans to memorise addresses such as 192.168.1.1 (in IPv4) or the longer hexadecimal form of
IPv6 addresses such as 2400:cb00:2048:1::c629:d7a2.

How Does DNS Work?


In a typical DNS query, the name typed in by the user passes through up to four kinds of server before an IP
address is returned. These servers work together to get the correct IP address to the client:
1) DNS Recursor: The DNS recursor, also referred to as a DNS resolver, receives the query from the DNS
client (the stub resolver in the user's operating system). It then acts as a client itself and sends queries to
the other three kinds of DNS server, root nameservers, top-level domain (TLD) nameservers and
authoritative nameservers, following the referrals each one returns until it has an answer. The recursor
caches what it learns, so later queries for the same names are answered without repeating the walk.
2) Root Name Servers: A root nameserver serves the DNS root zone. It does not know the address of
www.example.com; it answers by returning a referral, the list of nameservers that are authoritative for the
TLD in question (for example, the .com servers).
3) TLD Name Servers: A TLD (Top Level Domain) nameserver holds the delegations for every second-level
domain registered within that TLD. It too answers with a referral: the names (and usually the addresses) of
the nameservers that are authoritative for the requested second-level domain, such as example.com.
4) Authoritative Name Servers: An authoritative nameserver gives the final answer to the DNS query,
because it holds the zone file for the domain. There are two roles: a primary nameserver, which keeps the
original copy of the zone records, and one or more secondary nameservers, which obtain a copy of the zone
from the primary by zone transfer. Secondaries share the query load and act as backups if the primary fails.

What is a Top Level Domain?


Top-level domains (TLDs) are more commonly known as domain extensions. A top-level domain is everything
that follows the last dot in a domain name. For instance, .com is the TLD in the domain name
"domainwheel.com".
The second-level domain is the actual website name, and a third-level domain (more often referred to as a
subdomain) is reserved for specific sections or services of the site. Every registered name has a top-level
domain and a second-level domain, but many sites use few or no subdomains beyond "www".
Example:
URL: https://www.example.com
In this URL:
1) Top-Level Domain (TLD): ".com" is the top-level domain. It represents the commercial domain
category and is one of the most commonly used TLDs on the internet.
2) Second-Level Domain (SLD): "example" is the second-level domain. It typically represents the name
of the organization, business, or entity that owns the domain. In this case, "example" is used as a
placeholder or demonstration domain.
3) Subdomain: "www" is the subdomain. It is an optional prefix added to the domain name to create
specific web addresses or to organize content within a domain. In this example, "www" is commonly
used to denote the World Wide Web portion of the website.
Together, these components form a complete URL that specifies the protocol (https://), subdomain (www),
second-level domain (example), and top-level domain (.com).

Top-Level Domain Types


IANA recognises five types of TLD:
1) Generic Top-level Domains (gTLD): Domains that can be registered by anyone, without restrictions.
2) Country Code Top-level Domains (ccTLD): Two-letter domains that signal that a website operates in a
certain country. Many of them require proof that you live or do business in the country concerned.
3) Sponsored Top-level Domains (sTLD): Domains overseen by a specific sponsoring organisation, which
typically imposes its own registration requirements (for example .edu, .gov and .mil).
4) Infrastructure Top-Level Domain (.arpa): Used exclusively for Internet infrastructure purposes under the
direction of the Internet Engineering Task Force, for example reverse address lookups under in-addr.arpa
and ip6.arpa.
5) Test Top-Level Domains (tTLD): Reserved names such as .test and .example that are intended for
documentation and testing and will never be delegated.

The first two types are by far the most common on the Internet.
Generic top-level domains are among the oldest extensions. The earliest ones are listed below (together with
.arpa, now classed as the infrastructure TLD, they make up the original generic set):

Original top-level domain   Original meaning of the domain ending
.com                        Open domain for commercial web offerings
.org                        Open TLD for non-profit organisations
.net                        Open address, originally intended for Internet service providers
.int                        Strictly limited to organisations established by international treaties
.edu                        Accredited post-secondary institutions (in practice, U.S. colleges and universities)
.gov                        U.S. government institutions
.mil                        Available only to departments, services and agencies of the U.S. Department of Defense

Some of the most popular ccTLDs are:

Country-specific top-level domain   Domain ending meaning
.ch                                 Switzerland
.cn                                 China
.de                                 Germany
.eg                                 Egypt
.es                                 Spain
.fr                                 France
.it                                 Italy
.in                                 India

4.6.2 Objectives of DNS


The Domain Name System (DNS) serves several key objectives in computer networking and the internet:
1) Mapping Domain Names to IP Addresses: The primary function of DNS is to translate human-readable
domain names (like "example.com") into machine-readable IP addresses (like "192.0.2.1"). This mapping
allows users to access websites, send emails, and perform other network activities using familiar domain
names rather than numerical IP addresses.
2) Hierarchical Structure: DNS organizes domain names in a hierarchical structure, which helps in efficient
and scalable management of the naming system. This hierarchy includes top-level domains (TLDs), such as
.com, .org, .net, and country-code TLDs like .uk, .fr, etc.
3) Distribution of Authority: DNS implements a distributed database system, where different parts of the
domain namespace are managed by various organizations and servers. This decentralization ensures reliability,
scalability, and fault tolerance of the DNS system.
4) Load Distribution and Load Balancing: DNS can be used to distribute incoming network traffic across
multiple servers, thereby optimizing resource usage and improving performance. This is achieved through
techniques like round-robin DNS and geographic load balancing.
5) Alias and Redirection: DNS supports aliasing and redirection, allowing multiple domain names to point
to the same IP address or to different IP addresses based on various criteria such as geographic location or
server availability.
6) Caching: DNS servers cache DNS records to reduce the time and resources required to resolve domain
names. Cached records can be reused for subsequent requests, improving the overall efficiency of DNS
resolution and reducing network latency.
7) Security: DNS supports DNSSEC (Domain Name System Security Extensions), which adds digital
signatures to zone data so that a validating resolver can verify the integrity and origin of the records it
receives and reject forged answers (cache poisoning and spoofing). Note that DNSSEC provides authentication
and integrity only: queries and answers still travel in clear text unless an encrypted transport such as DNS
over TLS or DNS over HTTPS is used as well.
8) Scalability and Growth: DNS is designed to accommodate the growth of the internet and the increasing
number of domain names and network devices. Its distributed architecture and hierarchical structure make it
highly scalable and adaptable to changes in network topology and size.
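The root-to-TLD-to-authoritative walk from "How Does DNS Work?" and the caching objective above, as an added example that is not part of the original notes: a Python simulation of an iterative resolver. Each simulated nameserver knows only its own zone and answers either with records or with a referral; the resolver follows referrals, caches everything it learns by TTL, and on later queries starts from the closest delegation it still has cached instead of going back to the root. The zone data (names under example.com, addresses in 192.0.2.0/24, the server names) is constructed for the demo; no real nameserver is contacted and no wire format is produced.

```python
"""Added example, not from the notes: a simulated iterative resolver that walks
the root -> TLD -> authoritative chain and caches what it learns by TTL. The
zone data is constructed for the demo (example.com and 192.0.2.0/24 are
documentation placeholders); no real nameserver is contacted."""
from dataclasses import dataclass

@dataclass(frozen=True)
class RR:
    """One resource record, like a line in a zone file."""
    name: str      # owner name, fully qualified with a trailing dot
    rtype: str     # "A" (address) or "NS" (nameserver delegation)
    data: str      # IP address for A, server name for NS
    ttl: int       # how long a resolver may cache this record, in seconds

ROOT = "a.root-servers.net."
# Each server knows only its own zone: the root holds the delegation of .com,
# the .com server the delegation of example.com, and only ns1.example.com has
# the A records. The A records for the nameservers themselves are "glue".
ZONES = {
    ROOT: [RR("com.", "NS", "a.gtld-servers.net.", 172800),
           RR("a.gtld-servers.net.", "A", "192.0.2.1", 172800)],
    "a.gtld-servers.net.": [RR("example.com.", "NS", "ns1.example.com.", 86400),
                            RR("ns1.example.com.", "A", "192.0.2.53", 86400)],
    "ns1.example.com.": [RR("www.example.com.", "A", "192.0.2.10", 300),
                         RR("example.com.", "A", "192.0.2.11", 300)],
}

def ask(server, qname):
    """What a single nameserver replies: ("answer", A records, []) when it holds
    the name, ("referral", NS records, glue) when it only delegates an enclosing
    zone, ("nxdomain", [], []) when it knows nothing about the name."""
    zone = ZONES[server]
    answer = [r for r in zone if r.name == qname and r.rtype == "A"]
    if answer:
        return "answer", answer, []
    labels = qname.split(".")
    for i in range(len(labels) - 1):           # the name itself, then each parent
        suffix = ".".join(labels[i:])
        ns = [r for r in zone if r.name == suffix and r.rtype == "NS"]
        if ns:
            targets = {r.data for r in ns}
            glue = [r for r in zone if r.rtype == "A" and r.name in targets]
            return "referral", ns, glue
    return "nxdomain", [], []

class Resolver:
    """The recursor: starts at a root server, follows referrals, caches by TTL."""
    def __init__(self, now=0):
        self.now = now          # simulated clock in seconds, so TTL expiry can be shown
        self.cache = {}         # (name, type) -> (expires_at, [RR, ...])
        self.queries = 0        # servers contacted so far

    def cached(self, name, rtype):
        entry = self.cache.get((name, rtype))
        if entry and entry[0] > self.now:
            return entry[1]
        return None

    def _store(self, rrs):
        for r in rrs:
            key = (r.name, r.rtype)
            if self.cached(*key) is None:      # new or expired: start a fresh entry
                self.cache[key] = (self.now + r.ttl, [])
            if r not in self.cache[key][1]:
                self.cache[key][1].append(r)

    def _start_server(self, qname):
        """Begin at the closest delegation still in cache, otherwise at the root.
        This is what lets a warm resolver skip the root and TLD servers."""
        labels = qname.split(".")
        for i in range(len(labels) - 1):
            ns = self.cached(".".join(labels[i:]), "NS")
            if ns:
                return ns[0].data
        return ROOT

    def resolve(self, qname):
        """Return the list of IPv4 addresses for qname, walking the hierarchy."""
        if not qname.endswith("."):
            qname += "."
        hit = self.cached(qname, "A")
        if hit:
            return [r.data for r in hit]
        server = self._start_server(qname)
        for _ in range(8):                      # bound the referral chain
            self.queries += 1
            kind, rrs, glue = ask(server, qname)
            self._store(rrs + glue)             # cache answers, delegations and glue alike
            if kind == "answer":
                return [r.data for r in rrs]
            if kind != "referral":
                raise LookupError(f"{qname}: no such domain")
            # A real resolver would now send to the glue address; the simulated
            # servers are keyed by name, so the NS name is enough here.
            server = rrs[0].data
        raise LookupError(f"{qname}: referral chain too long")

if __name__ == "__main__":
    r = Resolver()
    print(r.resolve("www.example.com"), "after", r.queries, "queries")   # cold: root, TLD, authoritative
    print(r.resolve("www.example.com"), "after", r.queries, "queries")   # warm: from cache, no query
```

Advance `r.now` past 300 seconds and the A record expires while the delegation for example.com (TTL 86400) is still cached, so the next lookup costs one query to ns1.example.com rather than three; past 86400 the .com delegation (TTL 172800) still lets the resolver skip the root. That difference is the whole point of objective 6, and it is also why a poisoned or spoofed record with a long TTL is so damaging: it is reused for every later query until it expires.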
UNIT-5
NETWORK PLANNING AND IMPLEMENTATION
5.1 NETWORK NEEDS
A computer network is a collection of interconnected computers, servers, and other devices that can
communicate with each other, either wirelessly or through physical connections like cables or fiber optics.
These interconnected devices can share resources such as files, printers and internet connections, and they can
also facilitate communication through email, messaging, and other means. Computer networks can vary in
size and complexity, ranging from small local networks within a home or office to large-scale global networks
like the Internet.
Networks serve various purposes and fulfill multiple needs for individuals, businesses and organizations.
Some of the key needs of a network include:
1) Communication: Networks enable communication between individuals, devices and systems regardless
of their physical location. This includes email, instant messaging, voice and video calls and data sharing.
2) Resource Sharing: Networks allow for the sharing of hardware resources such as printers, scanners and
storage devices, as well as software resources like applications and databases.
3) Data Transfer and Access: Networks facilitate the transfer of data between devices and provide access to
shared data repositories, allowing users to retrieve, store and manipulate information.
4) Collaboration: Networks support collaboration among users by enabling them to work together on
projects, share documents and coordinate tasks in real-time, regardless of their geographical location.
5) Remote Access: Networks enable remote access to resources and services, allowing users to connect to
their organization's network from external locations securely.
6) Internet Access: Networks provide connectivity to the Internet, allowing users to access a vast array of
online resources, services and information.
7) Centralized Management: Networks allow for centralized management of resources, user accounts,
security policies and network configurations, streamlining administration and maintenance tasks.
8) Backup and Disaster Recovery: Networks facilitate backup and replication of data to remote locations,
ensuring data integrity and enabling disaster recovery in case of hardware failures, natural disasters or
cyberattacks.
9) Scalability: Networks can be scaled to accommodate the growth of an organization by adding additional
devices, expanding infrastructure capacity, and adapting to changing requirements.
10) Security: Networks provide security mechanisms such as firewalls, encryption, access controls and
intrusion detection systems to protect against unauthorized access, data breaches and cyber threats.
5.2 INSTALL AND CONFIGURE WINDOWS SERVER


Windows Server 2012 R2 Hardware Requirements:
As with previous Windows versions, your hardware must meet certain requirements for Windows Server
2012 R2 to function properly. First of all, Windows Server 2012 R2 requires a 64-bit processor.

Component              Minimum requirement             Microsoft recommended
Processor              1.4 GHz 64-bit                  2 GHz or faster
Memory                 512 MB RAM                      2 GB RAM or greater
Available disk space   32 GB                           40 GB or greater
Optical drive          DVD-ROM drive                   DVD-ROM drive
Display                Super VGA (800 x 600) monitor   XGA (1024 x 768) monitor

In addition, you need the usual I/O peripherals, including a keyboard and mouse or compatible pointing
device, and a wired or wireless network interface card (NIC). If you can connect to a network location to
which you have copied the contents of the Windows Server 2012 R2 DVD-ROM, you do not need a
DVD-ROM drive in the computer.

Microsoft recommends that you also perform the following actions before installing Windows Server 2012
R2:
1) Disconnect uninterruptible power supply (UPS) devices (Setup probes serial ports for attached devices)
2) Back up data
3) Disable antivirus software for the duration of Setup, and re-enable it as soon as installation is complete
4) Provide mass storage drivers if needed
5) Note that Windows Firewall is on by default, so any service you add later must be explicitly allowed
6) Prepare your Active Directory environment for Windows Server 2012 R2 (schema and domain preparation
with adprep if the forest already contains older domain controllers)

Steps to install Windows Server 2012 R2:


1. Insert the Windows Server 2012 R2 DVD-ROM and turn on the computer. You should see a message
informing you that Windows is loading files; if not, enter the BIOS/UEFI setup program of the computer
and change the boot sequence so that the computer boots from the DVD.

2. Once booted, Windows loads the necessary setup files.

3. In the Windows Setup dialog, set the language, time and currency format, keyboard and input method,
then click Next.

4. Click Install now.

5. Select the operating system that you wish to install. Whether you choose Windows Server 2012 R2
Datacenter or Standard, pick the "Server with a GUI" entry, because the steps that follow use the graphical
Server Manager. The other entry, "Server Core Installation", has no desktop and is administered from the
command line or remotely; it has a smaller attack surface and needs fewer updates, which is why Microsoft
recommends it for production servers, but it is not used in these notes.

6. Accept the license agreement.

7. Select "Custom: Install Windows only (advanced)".

8. Choose the disk or partition on which to install and click Next.

9. Server 2012 R2 begins the file copy process.

10. The server restarts automatically and installation continues.

11. Before Server 2012 R2 allows you to log in, you must set the password for the built-in Administrator
account. Choose a long, unique password: this account is the local administrator of the machine and, once
the server is promoted to a domain controller, the domain Administrator as well.

12. Click Finish. Welcome to Windows Server 2012 R2!
The steps to change the server name are:


1. Open Server Manager.

2. Click on Configure this local server.

3. Click on the default computer name that was generated when Server 2012 R2 was installed.

4. Click Change in the System Properties window.

5. Enter a new computer name that is easy to remember. It must be unique on the network and at most
15 characters long, because it also becomes the NetBIOS name.

6. Click OK and restart the computer.

7. After the restart, the server name will have changed.

5.3 STEPS TO CREATE DOMAIN CONTROLLER


Set a static IP address
To start, make sure the domain controller has a static IP address that lies outside any DHCP range, so that it
cannot change automatically: clients locate the domain controller through DNS, and DNS will point at this
address.
Install the Role
From Server Manager click Manage > Add Roles and Features; this opens the Add Roles and Features
Wizard.
Click Next until you reach the Server Roles section.
Tick the check box next to Active Directory Domain Services.
Another window opens asking whether you want to install the Active Directory Administrative Center and
the AD DS Snap-Ins and Command-Line Tools.
Accept this and click the Add Features button, with the Include management tools (if applicable) box
checked as well.
That is the only role to include this time, so click Next, and click Next through the Features section as well.

When you reach the Confirmation section it displays the list of roles and features to be installed; it should
show Active Directory Domain Services together with its management tools.
Click Install and wait.

Promoting Server 2012 R2 to a Domain Controller


Once the Active Directory Domain Services role has been installed, we can promote the server to a Domain
Controller by following the steps below.
1. When we return to Server Manager, an information message is waiting for us. This is the second part of
the role installation, which converts the server into a domain controller.

2. Click on the notification flag and you will see the option "Promote this server to a domain controller".
Click this link to start the promotion wizard.

3. Select the "Add a new forest" radio button and enter the name of the new root domain. Use a proper
multi-label DNS name (for example, a subdomain of a name you own) rather than a bare single-label name.
Click Next.

4. If DNS were not installed, the option to install it would be offered. Keep the box to install DNS checked,
as DNS is a requirement for Active Directory; if it is greyed out, DNS is already installed and running.
Leave the forest and domain functional levels at Windows Server 2012 R2. Only if older domain controllers,
such as Windows Server 2008, had to remain on the network would the functional level be lowered for
backward compatibility. Type the Directory Services Restore Mode (DSRM) password in the Domain
Controller Options window. This password is used to log on locally when Active Directory is offline for
repair, so choose it carefully and store it securely; it is not the domain Administrator password.

5. On the DNS Options page, leave the "Create DNS delegation" box unchecked (a delegation only makes
sense when an authoritative parent zone exists that should point at this server). Click Next.

6. Setup determines the NetBIOS domain name. Once it is shown, click Next.

7. Confirm the location of the database, log files and SYSVOL folders.

8. Review the summary and click Next; the wizard runs its prerequisite checks.

9. Once the prerequisite checks have passed, click Install.

10. The system restarts when the installation is complete. Be patient! When the machine comes back up, it is
an Active Directory domain controller. To verify that the Active Directory tools have been installed, click the
Start button and then the Administrative Tools tile. The main snap-in for managing users and computers is
Active Directory Users and Computers.

5.4 ADDING FILE SERVER AND PRINT SERVER


Print Server
1. Go to Server Manager → Manage → Add Roles and Features → Next → select Role-based or
feature-based installation → Next → select Select a server from the server pool and choose the server →
Next. In the list of roles, tick Print and Document Services; a pop-up window opens.

2. Click Add Features, then → Next → Next → Next.

3. Tick the Print Server box and click Next.

4. Click Install.

File Server
1. Go to Server Manager → Manage → Add Roles and Features → Next → select Role-based or
feature-based installation → Next → select Select a server from the server pool and choose the server →
Next. In the list of roles, find File and Storage Services and expand it, then expand File and iSCSI Services
and tick the File Server Resource Manager box; a pop-up window opens.

2. Click Add Features and then → Next.

3. Click Next.

4. Click Install.

Now that the File Server Resource Manager is installed, open it by following the path given below.

1. Click on Server Manager → Tools → File Server Resource Manager.

To set a quota on a folder, follow the steps below.


2. In the left pane click Quota Management → expand Quota Templates → click Create Quota Template…
in the Actions pane on the right-hand side.

3. A new dialog opens; the most important setting is the Space Limit, which depends on your needs. Here we
use 2 GB and choose whether the quota is hard (writes beyond the limit are refused) or soft (the limit is only
reported), then → OK.

4. Add a notification threshold (for example 85 %) so that, once the folder reaches that share of its capacity,
FSRM sends a notification; the threshold dialog has an option to enter the e-mail address that receives the
alert.

5. Click OK.

6. To attach this quota to a folder, right-click the template → Create Quota from Template.

7. Click Browse…, select the folder → Create.

8. To restrict the types of file allowed in your folders, go to File Screening Management in the left pane →
File Screen Templates → click Create File Screen Template in the Actions pane, choose the file groups to
block (for example executable files) and whether the screen is active (blocks the files) or passive (only logs
them).

9. Click Browse…, find the folder that you want → Create.