Security Concept
Part-3
Mr. Gopal Sakarkar
What is a Firewall? 
a choke point of control and monitoring 
interconnects networks with differing trust 
imposes restrictions on network services 
– only authorized traffic is allowed 
auditing and controlling access 
– can implement alarms for abnormal behavior 
implement VPNs using IPSec 
must be immune to penetration 
Firewall Design Principles
Centralized data processing system, with a central mainframe supporting a number of directly connected terminals.
LANs interconnecting PCs and terminals to each other and to the mainframe.
Premises network consisting of a number of LANs interconnecting PCs and servers.
Enterprise-wide network consisting of multiple, geographically distributed premises networks interconnected by a private WAN.
Characteristics of Firewall
All traffic from inside to outside, and vice versa, must pass through the firewall.
Only authorized traffic, as defined by the local security policy, will be allowed to pass.
The firewall itself is immune to penetration.
Firewall Techniques for Access Control
Service control: the firewall may filter traffic on the basis of IP address. It determines the types of Internet services that can be accessed, inbound or outbound.
Direction control: determines the direction in which particular service requests may be initiated and allowed to flow through the firewall.
User control: controls access to a service according to which user is attempting to access it. It is typically applied to local users only.
Behavior control: controls how particular services are used. The firewall may filter e-mail to eliminate spam, or it may enable external access to only a specific portion of the information.
Firewall Limitations
Cannot protect from attacks that bypass it
Cannot protect against internal threats
– e.g. unhappy employees
Cannot protect against transfer of all virus-infected programs or files
– because of the huge range of operating systems and file types
Types of Firewalls
1. Packet filtering router
2. Application level gateways
3. Circuit-level gateways
Firewalls – 1. Packet Filters
Simplest, fastest firewall component.
Applies a set of rules to each incoming and outgoing IP packet.
Examines each IP packet and permits or denies it according to the rules.
Filtering rules are based on:
1. Source IP address: the IP address of the system that originated the IP packet.
2. Destination IP address: the IP address of the system that the IP packet is trying to reach.
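The packet-filter rules above, together with the service and direction control described on the earlier slide, as an added example (not code from the deck): a first-match, default-deny filter over constructed rules and constructed traffic. The address ranges, the mail-server host and the policy are all assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed, stateless packet filter. Rules are evaluated top-down, the
# first match decides, and anything unmatched is denied (default deny).
# Addresses and the policy below are made up for the example.

@dataclass(frozen=True)
class Packet:
    direction: str                # "in" = outside -> inside, "out" = inside -> outside
    proto: str                    # "tcp", "udp" or "icmp"
    src: str                      # source IP address
    dst: str                      # destination IP address
    dport: Optional[int] = None   # destination port (None for icmp)

@dataclass(frozen=True)
class Rule:
    action: str                       # "permit" or "deny"
    direction: str = "any"            # direction control
    proto: str = "any"
    src: str = "0.0.0.0/0"            # address-based control (CIDR)
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None       # service control: which service (port)
    comment: str = ""

    def matches(self, pkt: Packet) -> bool:
        if self.direction != "any" and self.direction != pkt.direction:
            return False
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True

INTERNAL = "10.0.0.0/8"   # constructed internal address range

# Constructed policy expressing "only authorized traffic is allowed".
POLICY: List[Rule] = [
    # Anti-spoofing: a packet arriving from outside must not claim an inside source.
    Rule("deny", direction="in", src=INTERNAL, comment="spoofed internal source"),
    # Service control: outside hosts may reach only the mail server, and only on port 25.
    Rule("permit", direction="in", proto="tcp", dst="10.0.0.25/32", dport=25,
         comment="inbound SMTP to mail server"),
    # Direction control: inside hosts may initiate HTTPS to anywhere outside.
    Rule("permit", direction="out", proto="tcp", src=INTERNAL, dport=443,
         comment="outbound HTTPS"),
    # Everything else falls through to the implicit default deny.
]

def filter_packet(pkt: Packet, policy: List[Rule] = POLICY) -> Tuple[str, str]:
    """Return (action, reason) from the first matching rule; default deny."""
    for rule in policy:
        if rule.matches(pkt):
            return rule.action, rule.comment
    return "deny", "default deny"

def audit(pkts: List[Packet], policy: List[Rule] = POLICY):
    """Decide a batch of packets; the returned rows are what a firewall would log."""
    return [(p, *filter_packet(p, policy)) for p in pkts]

if __name__ == "__main__":
    sample = [   # constructed traffic
        Packet("in", "tcp", "203.0.113.7", "10.0.0.25", 25),
        Packet("in", "tcp", "203.0.113.7", "10.0.0.25", 22),
        Packet("in", "tcp", "10.0.0.9", "10.0.0.25", 25),
        Packet("out", "tcp", "10.0.0.9", "198.51.100.4", 443),
        Packet("out", "udp", "10.0.0.9", "198.51.100.4", 53),
    ]
    for pkt, action, reason in audit(sample):
        print(f"{pkt.direction:3} {pkt.proto:4} {pkt.src} -> {pkt.dst}:{pkt.dport}"
              f"  {action:6} ({reason})")
```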
Firewalls – 2. Application Level Gateway (or Proxy)
Has an application-specific gateway, also called a proxy server.
Has full access to the protocol:
– user requests a service from the proxy
– proxy validates the request as legal
– then performs the request and returns the result to the user
– can log / audit traffic at the application level
Needs a separate proxy for each service:
– some services naturally support proxying
E.g. feedback application, online examination application, MIS, etc.
Firewalls – 2. Application Level Gateway (or Proxy)
Application level gateways tend to be more secure than packet filters because they scrutinize only a few allowable applications.
Firewalls – 3. Circuit Level Gateway
Can be a stand-alone system.
Imposes security by limiting which such connections are allowed.
Once a connection is created, it usually relays traffic without examining the contents.
Typically used by trusted internal users for allowing general outbound connections.
Firewalls – 3. Circuit Level Gateway
Sets up two TCP connections, one between itself and a TCP user on an inner host and one between itself and a TCP user on an outside host.
Data Access Control 
• Through the user access control procedure 
(log on), a user can be identified to the system 
• There can be a profile that specifies 
permissible operations and file accesses 
• The operating system can enforce rules based 
on the user profile. 
Data Access Control 
• General models of access control: 
– Access matrix 
– Access control list 
– Capability list 
Data Access Control
• Access Matrix (figure)
Data Access Control
• Access Matrix: Basic elements of the model
– Subject: An entity capable of accessing objects; the concept of subject is associated with that of a process (e.g. application software)
– Object: Anything to which access is controlled (e.g. files, programs)
– Access right: The way in which an object is accessed by a subject (e.g. read, write, execute)
Data Access Control
• Access Control List: Decomposition of the matrix by columns.
• One process, many programs. E.g. a CD writer is one process in which writing is one program and verification of the written data is a second program.
Data Access Control
• Access Control List
– An access control list lists users and their permitted access rights
– The list may contain a default or public entry
Data Access Control
• Capability list: Decomposition of the matrix by rows
– A capability list specifies the authorized objects and operations for a user.
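The two decompositions of the access matrix (by columns into access control lists with a public entry, by rows into capability lists) as an added example; the matrix, subjects and objects are constructed for the illustration and are not from the deck.

```python
from collections import defaultdict

# Constructed access matrix: rows are subjects, columns are objects, each cell
# holds the set of access rights. The "*" row is the default/public entry:
# rights every subject gets on that object unless an explicit entry says more.
ACCESS_MATRIX = {
    "alice": {"payroll.db": {"read", "write"}, "report.txt": {"read"}},
    "bob":   {"report.txt": {"read", "write"}, "backup.sh": {"execute"}},
    "*":     {"report.txt": {"read"}},
}

def to_acl(matrix):
    """Decompose by columns: one list per object, naming subjects and their rights."""
    acl = defaultdict(dict)
    for subject, row in matrix.items():
        for obj, rights in row.items():
            acl[obj][subject] = set(rights)
    return dict(acl)

def to_capabilities(matrix):
    """Decompose by rows: one list per subject of the objects and operations it may use.
    The public row is folded into every subject's list (and kept under "*" for subjects
    that have no row at all) so that both decompositions answer identically."""
    public = {obj: set(r) for obj, r in matrix.get("*", {}).items()}
    caps = {"*": public}
    for subject, row in matrix.items():
        if subject == "*":
            continue
        merged = {obj: set(r) for obj, r in public.items()}
        for obj, rights in row.items():
            merged.setdefault(obj, set()).update(rights)
        caps[subject] = merged
    return caps

def check_acl(acl, subject, obj, right):
    """Object-side check: look the subject up in the object's ACL, then the public entry."""
    entries = acl.get(obj, {})
    if right in entries.get(subject, set()):
        return True
    return right in entries.get("*", set())

def check_capability(caps, subject, obj, right):
    """Subject-side check: the subject presents its capability list."""
    cap = caps.get(subject, caps.get("*", {}))
    return right in cap.get(obj, set())

def decompositions_agree(matrix, subjects, objects, rights):
    """Both views are the same matrix, so every (subject, object, right) must agree."""
    acl, caps = to_acl(matrix), to_capabilities(matrix)
    return all(check_acl(acl, s, o, r) == check_capability(caps, s, o, r)
               for s in subjects for o in objects for r in rights)
```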
Trusted Systems
• Trusted Systems
– Protection of data and resources on the basis of levels of security (e.g. military)
– In the military, information is categorized as unclassified, confidential, secret, top secret.
– Users can be granted clearances to access certain categories of data.
Trusted Systems
• Multilevel security
– A subject at a high level may not convey information to a subject at a low level
• A multilevel secure system must enforce:
– No read up: A subject can only read an object of lower or equal security level (Simple Security Property)
– No write down: A subject can only write into an object of greater or equal security level (*-Property)
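The two rules above, enforced by a small reference monitor that mediates every access and keeps an audit log, as an added example (not code from the deck). The level names follow the military categories given earlier; subjects, objects and contents are constructed.

```python
# Constructed reference monitor enforcing the two multilevel-security rules on the
# slide. Levels follow the military ordering given earlier in the deck.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}

def permitted(clearance: str, classification: str, op: str) -> bool:
    """The security rules: no read up (simple security property) and
    no write down (*-property). Any other operation is denied."""
    s, o = LEVELS[clearance], LEVELS[classification]
    if op == "read":
        return s >= o
    if op == "write":
        return s <= o
    return False

class AccessDenied(Exception):
    pass

class Subject:
    def __init__(self, name, clearance):
        self.name, self.clearance = name, clearance

class Obj:
    def __init__(self, name, classification, content=""):
        self.name, self.classification, self.content = name, classification, content

class ReferenceMonitor:
    """Every read and write goes through this object (complete mediation) and is
    recorded in the audit log. Isolation of the monitor and its database from
    tampering is assumed here; providing it is the operating system's job."""
    def __init__(self):
        self.audit_log = []

    def _mediate(self, subj, obj, op):
        ok = permitted(subj.clearance, obj.classification, op)
        self.audit_log.append((subj.name, op, obj.name, "permit" if ok else "deny"))
        if not ok:
            raise AccessDenied(f"{subj.name} ({subj.clearance}) may not {op} "
                               f"{obj.name} ({obj.classification})")

    def read(self, subj, obj):
        self._mediate(subj, obj, "read")
        return obj.content

    def write(self, subj, obj, data):
        self._mediate(subj, obj, "write")
        obj.content = data

def leak_blocked(monitor, high, low, high_obj, low_obj) -> bool:
    """The flow the slide forbids: a high subject copying high data into a low object
    so that a low subject could read it. Returns True if the monitor stopped it."""
    try:
        data = monitor.read(high, high_obj)     # read at own level: allowed
        monitor.write(high, low_obj, data)      # write down: must be denied
    except AccessDenied:
        return True
    return monitor.read(low, low_obj) != data
```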
Trusted Systems 
• Reference Monitor Concept: Multilevel 
security for a data processing system 
The Concept of Trusted Systems
• Reference Monitor
– Controlling element in the hardware and operating system of a computer that regulates the access of subjects to objects on the basis of security parameters
– The reference monitor has access to a file (the security kernel database)
– The monitor enforces the security rules (no read up, no write down)
Trusted Systems
• Properties of the Reference Monitor
– Complete mediation: Security rules are enforced on every access
– Isolation: The reference monitor and database are protected from unauthorized modification
– Verifiability: The reference monitor's correctness must be provable (mathematically)
– i.e. it is possible to demonstrate mathematically that the reference monitor enforces the security rules and provides complete mediation and isolation.
Trusted Systems
• A system that can provide such verification (of these properties) is referred to as a trusted system
Summary
Data Access Control is used to control the procedure by which a user can be identified to the system.
A Trusted System is a computer and operating system that can be verified to implement a given security policy.
Outline 
• IP Security Overview 
• IP Security Architecture 
• Authentication Header 
• Encapsulating Security Payload 
• Combinations of Security Associations 
• Key Management 
IP Security Overview 
IPSec is not a single protocol. Instead, 
IPSec provides a set of security 
algorithms plus a general framework 
that allows a pair of communicating 
entities to use whichever algorithms 
provide security appropriate for the 
communication. 
IP Security Overview
• Applications of IPSec
– Secure branch office connectivity over the Internet
– Secure remote access over the Internet
– Establishing extranet and intranet connectivity with partners
– Enhancing electronic commerce security
IP Security Scenario 
IP Security Overview
• Benefits of IPSec
– When IPSec is implemented in a firewall, it provides strong security that can be applied to all traffic crossing the perimeter.
– IPSec in a firewall is resistant to bypass if all traffic from the outside must use IP.
– IPSec can be transparent to end users. No need to train users on security mechanisms.
– IPSec can provide security for individual users if needed.
IP Security Architecture 
IPSec Architecture Overview
• Architecture: Covers the general concepts, security requirements, definitions and mechanisms defining IPSec technology.
• Encapsulating Security Payload (ESP): Covers the packet format and general issues related to the use of ESP.
• Authentication Header (AH): Covers the packet format and general issues related to the use of AH for packet authentication.
• Key management: A set of documents that describe how various authentication algorithms are used for AH.
• Domain of Interpretation (DOI): Contains values needed for the other documents to relate to each other.
IPSec Services
• Access control
• Connectionless integrity
• Data origin authentication
• Rejection of replayed packets
• Confidentiality (encryption)
• Limited traffic flow confidentiality
Security Associations (SA)
• An SA is a one-way relationship between a sender and a receiver that provides security services to the traffic carried on it.
• Identified by three parameters:
– Security Parameter Index (SPI)
– Destination IP address
– Security Protocol Identifier: indicates whether the association is an AH or an ESP security association
The SPI is an identification tag added to the header when IPsec is used to tunnel IP traffic. This tag helps the kernel discern between two traffic streams where different encryption rules and algorithms may be in use.
Authentication Header
• Provides support for data integrity and authentication (by means of a MAC) of IP packets.
• Guards against replay attacks.
What are replay attacks?
• Replay attacks are network attacks in which an attacker eavesdrops on the conversation between the sender and the receiver, captures the authenticated information (e.g. a shared key) and then contacts the receiver with that key. In a replay attack the attacker thus supplies the proof of identity and authenticity.
Example:
Suppose that, in a communication between two parties A and B, A is sharing his key with B to prove his identity; meanwhile attacker C eavesdrops on the conversation between them and keeps the information needed to prove identity to B. Later C contacts B and proves its "authenticity".
Authentication Header
• Next header (8 bits): identifies the type of header immediately following this header.
• Payload length (8 bits): the length of the Authentication Header in 32-bit words, minus 2.
• Reserved (16 bits): for future use.
• Security parameter index (SPI) (32 bits): identifies a security association.
• Sequence number (32 bits): a monotonically increasing counter value.
• Authentication data (variable): a variable-length field that contains the Integrity Check Value.
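The AH field layout above, with the ICV computed as HMAC-SHA-1-96 and a sliding anti-replay window driven by the sequence number, as an added example (not code from the deck). The key, SPI and payloads are constructed, and the ICV here covers only the AH header and payload rather than the outer IP header as well.

```python
import hashlib
import hmac
import struct

# Constructed parser/verifier for the AH header fields listed above, plus a
# sliding anti-replay window. The ICV is computed here over the AH header
# (ICV field zeroed) and the payload only; a real implementation also covers
# the immutable fields of the outer IP header.
AH_FIXED = struct.Struct("!BBHII")   # next header, payload len, reserved, SPI, sequence
ICV_LEN = 12                         # HMAC-SHA-1-96 truncates the MAC to 96 bits

def build_ah(next_header: int, spi: int, seq: int, icv: bytes) -> bytes:
    payload_len = (AH_FIXED.size + len(icv)) // 4 - 2   # 32-bit words minus 2
    return AH_FIXED.pack(next_header, payload_len, 0, spi, seq) + icv

def parse_ah(data: bytes):
    """Return (fields, remaining_payload); raises ValueError on a malformed header."""
    if len(data) < AH_FIXED.size:
        raise ValueError("truncated AH header")
    next_header, payload_len, reserved, spi, seq = AH_FIXED.unpack_from(data)
    total_len = (payload_len + 2) * 4
    if total_len < AH_FIXED.size or len(data) < total_len:
        raise ValueError("bad payload length")
    fields = {"next_header": next_header, "reserved": reserved, "spi": spi,
              "seq": seq, "icv": data[AH_FIXED.size:total_len]}
    return fields, data[total_len:]

def icv_hmac_sha1_96(key: bytes, next_header: int, spi: int, seq: int, payload: bytes) -> bytes:
    zeroed = build_ah(next_header, spi, seq, b"\0" * ICV_LEN)
    return hmac.new(key, zeroed + payload, hashlib.sha1).digest()[:ICV_LEN]

class ReplayWindow:
    """Sliding window over sequence numbers: each number is accepted at most once,
    numbers older than the window are rejected, and the window advances with
    the highest number seen. Bit i of the bitmap marks (highest - i) as seen."""
    def __init__(self, size: int = 64):
        self.size, self.highest, self.bitmap = size, 0, 0

    def check_and_update(self, seq: int) -> bool:
        if seq == 0:                            # sequence numbers start at 1
            return False
        if seq > self.highest:                  # advance the window
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:                 # too old
            return False
        if self.bitmap & (1 << offset):         # already seen: replay
            return False
        self.bitmap |= 1 << offset
        return True

def receive(key: bytes, window: ReplayWindow, data: bytes):
    """Receiver side: parse, verify the ICV, then run the replay check. The window
    is only updated after a good ICV, so forged packets cannot move it."""
    fields, payload = parse_ah(data)
    expected = icv_hmac_sha1_96(key, fields["next_header"], fields["spi"], fields["seq"], payload)
    if not hmac.compare_digest(expected, fields["icv"]):
        return False, "bad ICV"
    if not window.check_and_update(fields["seq"]):
        return False, "replayed or stale sequence number"
    return True, "ok"

def make_packet(key: bytes, spi: int, seq: int, payload: bytes, next_header: int = 6) -> bytes:
    """Sender side: AH header with a valid ICV followed by the (TCP) payload."""
    icv = icv_hmac_sha1_96(key, next_header, spi, seq, payload)
    return build_ah(next_header, spi, seq, icv) + payload
```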
End-to-end VS End-to-Intermediate 
Authentication 
Encapsulating Security Payload
• ESP provides confidentiality services
• ESP provides confidentiality of message contents
• ESP provides limited traffic flow confidentiality
Encapsulating Security Payload 
• Designed to provide both confidentiality 
and integrity protection 
• Everything after the IP header is encrypted 
• The ESP header is inserted after the IP 
header 
Encryption and Authentication Algorithms
• Encryption:
– Three-key triple DES
– RC5
– IDEA
– Three-key triple IDEA
– CAST
– Blowfish
• Authentication:
– HMAC-MD5-96
– HMAC-SHA-1-96
TCP/IP Example 
Basics: OSI 7-Layer RM
Congratulations for selecting papers in National Conference, Pune
IPv4 Header 
IPv4 Header
• Internet Protocol version 4 (IPv4) is the fourth version in the development of the Internet Protocol (IP) and the first version of the protocol to be widely deployed.
• It is one of the core protocols of standards-based internetworking methods of the Internet, and routes most traffic in the Internet.
• IPv4 is a connectionless protocol for use on packet-switched networks.
• A connectionless protocol describes communication between two network end points where a message is sent from one end point to another without a prior arrangement.
• At one end, the device transmits data to the other before ensuring that the device on the other end is ready to receive it.
IPv4 Header Fields
• Version: IP version
– 4 for IPv4
– 6 for IPv6
• HLen: Header length
– in 32-bit words
• TOS: Type of service
– priority information
• Length: Packet length
– in bytes (including header)
• Header format can change with versions
– First byte identifies version
– IPv6 headers are very different – will see later
• Length field limits packets to 65,535 bytes
– In practice, break into much smaller packets for network performance considerations
IPv4 header layout (bit positions 0–31):
 0       4       8               16    19                      31
+-------+-------+---------------+-------------------------------+
|version| HLen  |      TOS      |            Length             |
+-------+-------+---------------+-----+-------------------------+
|          Identifier           |Flags|         Offset          |
+---------------+---------------+-----+-------------------------+
|      TTL      |   Protocol    |           Checksum            |
+---------------+---------------+-------------------------------+
|                        Source Address                         |
+---------------------------------------------------------------+
|                     Destination Address                       |
+---------------------------------------------------------------+
|                       Options (if any)                        |
+---------------------------------------------------------------+
|                            Data                               |
+---------------------------------------------------------------+
IPv4 Header Fields
• Identifier, flags, fragment offset: used primarily for fragmentation
• Time to live
– Must be decremented at each router
– Packets with TTL=0 are thrown away
– Ensures packets exit the network
• Protocol
– Demultiplexing to higher layer protocols
– TCP = 6, ICMP = 1, UDP = 17, …
• Header checksum
– Ensures some degree of header integrity
– Relatively weak – only 16 bits
• Options
– E.g. source routing, record route, etc.
– Performance issues at routers
  • Poorly supported, or not at all
IPv4 Header Fields 
• Source Address 
– 32-bit IP address of 
sender 
• Destination Address 
– 32-bit IP address of 
destination 
Why IPv6?
• Deficiencies of IPv4
• Address space exhaustion
• New types of service → integration of:
– Multicast
– Quality of Service
– Security
– Mobility (MIPv6)
• Header and format limitations
Advantages of IPv6 over IPv4 
• Larger address space 
• Better header format 
• New options 
• Allowance for extension 
• Support for resource allocation 
• Support for more security 
• Support for mobility
IPv6 Header
Avoids checksum redundancy
Fragmentation only end-to-end
The following list describes the function of each header field. 
• Version – 4-bit Version number of Internet Protocol = 6. 
• Traffic Class – 8-bit traffic class field. 
• Flow Label – 20-bit field. 
• Payload Length – 16-bit unsigned integer, which is the rest of the packet 
that follows the IPv6 header, in octets. 
• Next Header – 8-bit selector. Identifies the type of header that immediately 
follows the IPv6 header. Uses the same values as the IPv4 protocol field. 
• Hop Limit – 8-bit unsigned integer. Decremented by one by each node that 
forwards the packet. The packet is discarded if Hop Limit is decremented to 
zero. 
• Source Address – 128 bits. The address of the initial sender of the packet. 
• Destination Address – 128 bits. The address of the intended recipient of 
the packet. The intended recipient is not necessarily the recipient if an 
optional Routing Header is present. 
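The IPv4 fields from the earlier slides (version nibble selecting the format, HLen in 32-bit words, the weak 16-bit header checksum, TTL handling at routers) and the IPv6 fields listed above, as one added example that is not code from the deck: parsers for both headers, checksum verification for IPv4, and the per-hop TTL / Hop Limit step. Addresses and payloads are constructed.

```python
import ipaddress
import struct

# Constructed parsers for the IPv4 and IPv6 headers described above, with the
# IPv4 header checksum verified and a router's TTL / Hop Limit step.
IPV4_FMT = struct.Struct("!BBHHHBBH4s4s")    # fixed 20-byte IPv4 header
IPV6_FMT = struct.Struct("!IHBB16s16s")      # fixed 40-byte IPv6 header

def ipv4_checksum(header: bytes) -> int:
    """16-bit one's-complement sum of the header (checksum field must be zero)."""
    if len(header) % 2:
        header += b"\0"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                         # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src, dst, protocol, payload, ttl=64, ident=1):
    hdr = IPV4_FMT.pack(0x45, 0, 20 + len(payload), ident, 0x4000, ttl, protocol, 0,
                        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload

def build_ipv6(src, dst, next_header, payload, hop_limit=64):
    return IPV6_FMT.pack(6 << 28, len(payload), next_header, hop_limit,
                         ipaddress.IPv6Address(src).packed,
                         ipaddress.IPv6Address(dst).packed) + payload

def parse_ipv4(pkt: bytes) -> dict:
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    vihl, tos, length, ident, flags_off, ttl, proto, csum, src, dst = IPV4_FMT.unpack_from(pkt)
    hlen = (vihl & 0x0F) * 4                   # HLen is in 32-bit words
    if vihl >> 4 != 4 or hlen < 20 or len(pkt) < hlen or length < hlen:
        raise ValueError("bad IPv4 header")
    header = pkt[:hlen]
    computed = ipv4_checksum(header[:10] + b"\0\0" + header[12:])
    return {"version": 4, "header_len": hlen, "tos": tos, "total_length": length,
            "id": ident, "flags": flags_off >> 13, "frag_offset": flags_off & 0x1FFF,
            "ttl": ttl, "protocol": proto, "checksum_ok": computed == csum,
            "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "options": header[20:hlen], "payload": pkt[hlen:length]}

def parse_ipv6(pkt: bytes) -> dict:
    if len(pkt) < 40:
        raise ValueError("truncated IPv6 header")
    vtf, plen, nh, hlim, src, dst = IPV6_FMT.unpack_from(pkt)
    if vtf >> 28 != 6:
        raise ValueError("bad IPv6 header")
    return {"version": 6, "traffic_class": (vtf >> 20) & 0xFF, "flow_label": vtf & 0xFFFFF,
            "payload_length": plen, "next_header": nh, "hop_limit": hlim,
            "src": str(ipaddress.IPv6Address(src)), "dst": str(ipaddress.IPv6Address(dst)),
            "payload": pkt[40:40 + plen]}

def parse_ip(pkt: bytes) -> dict:
    """The first nibble identifies the version and selects the header format."""
    version = pkt[0] >> 4
    if version == 4:
        return parse_ipv4(pkt)
    if version == 6:
        return parse_ipv6(pkt)
    raise ValueError("unknown IP version %d" % version)

def router_step(fields: dict):
    """What each forwarding node does: decrement TTL (v4) or Hop Limit (v6) and
    discard the packet when it reaches zero. An IPv4 router must also recompute
    the header checksum after the change; IPv6 has no header checksum."""
    key = "ttl" if fields["version"] == 4 else "hop_limit"
    remaining = fields[key] - 1
    if remaining <= 0:
        return None
    out = dict(fields)
    out[key] = remaining
    return out
```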
Video: OSI 7-Layer
Video Lectures
• Complete working of the Internet
• OSI Model with packets, IPs, Firewalls etc.
WEB Security 
Outline 
• Web Security Considerations 
• Secure Socket Layer (SSL) and Transport 
Layer Security (TLS) 
• Secure Electronic Transaction (SET) 
• Recommended Reading and WEB Sites 
Web Security Considerations
• The Web is very visible.
• Complex software hides many security flaws.
• Web servers are easy to configure and manage.
• Users are not aware of the risks.
Security facilities in the TCP/IP 
protocol stack 
SSL and TLS
• SSL originated at Netscape
• A TLS working group was formed within the IETF
• The first version of TLS can be viewed as SSLv3.1
SSL Architecture
SSL Record Protocol Operation
SSL Record Format
SSL Record Protocol Payload
Handshake Protocol
• The most complex part of SSL.
• Allows the server and client to authenticate each other.
• Negotiates the encryption and MAC algorithms and the cryptographic keys.
• Used before any application data are transmitted.
Handshake Protocol Action 
Transport Layer Security
• The same record format as the SSL record format.
• Defined in RFC 2246.
• Similar to SSLv3.
• Differences in the:
– version number
– message authentication code
– pseudorandom function
– alert codes
– cipher suites
– client certificate types
– certificate_verify and finished messages
– cryptographic computations
– padding
Secure Electronic Transactions
• An open encryption and security specification.
• Protects credit card transactions on the Internet.
• Companies involved:
– MasterCard, Visa, IBM, Microsoft, Netscape, RSA, Terisa and Verisign
• Not a payment system.
• A set of security protocols and formats.
SET Services 
• Provides a secure communication channel 
in a transaction. 
• Provides trust by the use of X.509v3 digital 
certificates. 
• Ensures privacy. 
SET Overview 
• Key Features of SET: 
– Confidentiality of information 
– Integrity of data 
– Cardholder account authentication 
– Merchant authentication 
SET Participants 
Sequence of events for transactions
1. The customer opens an account.
2. The customer receives a certificate.
3. Merchants have their own certificates.
4. The customer places an order.
5. The merchant is verified.
6. The order and payment are sent.
7. The merchant requests payment authorization.
8. The merchant confirms the order.
9. The merchant provides the goods or service.
10. The merchant requests payment.
Dual Signature
$DS = E_{KR_c}\big[H\big(H(PI)\,\|\,H(OI)\big)\big]$
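The dual signature above, worked through as an added example (not code from the deck): PI and OI are taken to be the payment and order information, H is SHA-1, and E_KRc is a textbook RSA signature under a constructed key pair. It shows the property the construction exists for: the merchant verifies with only H(PI) and the bank with only H(OI).

```python
import hashlib

# Constructed demonstration of the SET dual signature. The key pair is textbook
# RSA built from the Mersenne primes 2^107-1 and 2^127-1: large enough to hold a
# SHA-1 digest, but not a secure key and not a padded signature scheme.
P, Q = (1 << 107) - 1, (1 << 127) - 1
N = P * Q
E = 65537                                    # public exponent (KUc)
D = pow(E, -1, (P - 1) * (Q - 1))            # private exponent (KRc)

def H(data: bytes) -> bytes:
    """SET's hash was SHA-1; its 160-bit digest is smaller than N."""
    return hashlib.sha1(data).digest()

def sign(digest: bytes, d: int = D, n: int = N) -> int:
    """E_KRc: sign a digest with the cardholder's private key."""
    return pow(int.from_bytes(digest, "big"), d, n)

def verify(sig: int, digest: bytes, e: int = E, n: int = N) -> bool:
    """Check a signature with the cardholder's public key."""
    return pow(sig, e, n) == int.from_bytes(digest, "big")

def dual_signature(PI: bytes, OI: bytes):
    """DS = E_KRc[H(H(PI) || H(OI))]. Returns the signature and the two message
    digests the cardholder forwards alongside it."""
    PIMD, OIMD = H(PI), H(OI)
    POMD = H(PIMD + OIMD)
    return sign(POMD), PIMD, OIMD

def merchant_verifies(OI: bytes, PIMD: bytes, DS: int) -> bool:
    """The merchant holds the order information and only the hash of the payment
    information, yet can check that the signature binds both together."""
    return verify(DS, H(PIMD + H(OI)))

def bank_verifies(PI: bytes, OIMD: bytes, DS: int) -> bool:
    """The bank holds the payment information and only the hash of the order."""
    return verify(DS, H(H(PI) + OIMD))
```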
Payment processing
Cardholder sends Purchase Request
Payment processing
Merchant Verifies Customer Purchase Request
Payment processing
• Payment Authorization:
– Authorization Request
– Authorization Response
• Payment Capture:
– Capture Request
– Capture Response
Recommended Reading and WEB sites
• Drew, G. Using SET for Secure Electronic Commerce. Prentice Hall, 1999.
• Garfinkel, S., and Spafford, G. Web Security & Commerce. O'Reilly and Associates, 1997.
• MasterCard SET site
• Visa Electronic Commerce site
• SETCo (documents and glossary of terms)

JosvitaDsouza2
 
Group Presentation 2 Economics.Ariana Buscigliopptx
Group Presentation 2 Economics.Ariana BuscigliopptxGroup Presentation 2 Economics.Ariana Buscigliopptx
Group Presentation 2 Economics.Ariana Buscigliopptx
ArianaBusciglio
 
The basics of sentences session 5pptx.pptx
The basics of sentences session 5pptx.pptxThe basics of sentences session 5pptx.pptx
The basics of sentences session 5pptx.pptx
heathfieldcps1
 
Home assignment II on Spectroscopy 2024 Answers.pdf
Home assignment II on Spectroscopy 2024 Answers.pdfHome assignment II on Spectroscopy 2024 Answers.pdf
Home assignment II on Spectroscopy 2024 Answers.pdf
Tamralipta Mahavidyalaya
 
Normal Labour/ Stages of Labour/ Mechanism of Labour
Normal Labour/ Stages of Labour/ Mechanism of LabourNormal Labour/ Stages of Labour/ Mechanism of Labour
Normal Labour/ Stages of Labour/ Mechanism of Labour
Wasim Ak
 
The Accursed House by Émile Gaboriau.pptx
The Accursed House by Émile Gaboriau.pptxThe Accursed House by Émile Gaboriau.pptx
The Accursed House by Émile Gaboriau.pptx
DhatriParmar
 
Embracing GenAI - A Strategic Imperative
Embracing GenAI - A Strategic ImperativeEmbracing GenAI - A Strategic Imperative
Embracing GenAI - A Strategic Imperative
Peter Windle
 
A Strategic Approach: GenAI in Education
A Strategic Approach: GenAI in EducationA Strategic Approach: GenAI in Education
A Strategic Approach: GenAI in Education
Peter Windle
 
Supporting (UKRI) OA monographs at Salford.pptx
Supporting (UKRI) OA monographs at Salford.pptxSupporting (UKRI) OA monographs at Salford.pptx
Supporting (UKRI) OA monographs at Salford.pptx
Jisc
 
Acetabularia Information For Class 9 .docx
Acetabularia Information For Class 9  .docxAcetabularia Information For Class 9  .docx
Acetabularia Information For Class 9 .docx
vaibhavrinwa19
 
Language Across the Curriculm LAC B.Ed.
Language Across the  Curriculm LAC B.Ed.Language Across the  Curriculm LAC B.Ed.
Language Across the Curriculm LAC B.Ed.
Atul Kumar Singh
 
special B.ed 2nd year old paper_20240531.pdf
special B.ed 2nd year old paper_20240531.pdfspecial B.ed 2nd year old paper_20240531.pdf
special B.ed 2nd year old paper_20240531.pdf
Special education needs
 
Marketing internship report file for MBA
Marketing internship report file for MBAMarketing internship report file for MBA
Marketing internship report file for MBA
gb193092
 

Recently uploaded (20)

Digital Artifact 2 - Investigating Pavilion Designs
Digital Artifact 2 - Investigating Pavilion DesignsDigital Artifact 2 - Investigating Pavilion Designs
Digital Artifact 2 - Investigating Pavilion Designs
 
Chapter -12, Antibiotics (One Page Notes).pdf
Chapter -12, Antibiotics (One Page Notes).pdfChapter -12, Antibiotics (One Page Notes).pdf
Chapter -12, Antibiotics (One Page Notes).pdf
 
Introduction to AI for Nonprofits with Tapp Network
Introduction to AI for Nonprofits with Tapp NetworkIntroduction to AI for Nonprofits with Tapp Network
Introduction to AI for Nonprofits with Tapp Network
 
The approach at University of Liverpool.pptx
The approach at University of Liverpool.pptxThe approach at University of Liverpool.pptx
The approach at University of Liverpool.pptx
 
The Challenger.pdf DNHS Official Publication
The Challenger.pdf DNHS Official PublicationThe Challenger.pdf DNHS Official Publication
The Challenger.pdf DNHS Official Publication
 
Mule 4.6 & Java 17 Upgrade | MuleSoft Mysore Meetup #46
Mule 4.6 & Java 17 Upgrade | MuleSoft Mysore Meetup #46Mule 4.6 & Java 17 Upgrade | MuleSoft Mysore Meetup #46
Mule 4.6 & Java 17 Upgrade | MuleSoft Mysore Meetup #46
 
The French Revolution Class 9 Study Material pdf free download
The French Revolution Class 9 Study Material pdf free downloadThe French Revolution Class 9 Study Material pdf free download
The French Revolution Class 9 Study Material pdf free download
 
1.4 modern child centered education - mahatma gandhi-2.pptx
1.4 modern child centered education - mahatma gandhi-2.pptx1.4 modern child centered education - mahatma gandhi-2.pptx
1.4 modern child centered education - mahatma gandhi-2.pptx
 
Group Presentation 2 Economics.Ariana Buscigliopptx
Group Presentation 2 Economics.Ariana BuscigliopptxGroup Presentation 2 Economics.Ariana Buscigliopptx
Group Presentation 2 Economics.Ariana Buscigliopptx
 
The basics of sentences session 5pptx.pptx
The basics of sentences session 5pptx.pptxThe basics of sentences session 5pptx.pptx
The basics of sentences session 5pptx.pptx
 
Home assignment II on Spectroscopy 2024 Answers.pdf
Home assignment II on Spectroscopy 2024 Answers.pdfHome assignment II on Spectroscopy 2024 Answers.pdf
Home assignment II on Spectroscopy 2024 Answers.pdf
 
Normal Labour/ Stages of Labour/ Mechanism of Labour
Normal Labour/ Stages of Labour/ Mechanism of LabourNormal Labour/ Stages of Labour/ Mechanism of Labour
Normal Labour/ Stages of Labour/ Mechanism of Labour
 
The Accursed House by Émile Gaboriau.pptx
The Accursed House by Émile Gaboriau.pptxThe Accursed House by Émile Gaboriau.pptx
The Accursed House by Émile Gaboriau.pptx
 
Embracing GenAI - A Strategic Imperative
Embracing GenAI - A Strategic ImperativeEmbracing GenAI - A Strategic Imperative
Embracing GenAI - A Strategic Imperative
 
A Strategic Approach: GenAI in Education
A Strategic Approach: GenAI in EducationA Strategic Approach: GenAI in Education
A Strategic Approach: GenAI in Education
 
Supporting (UKRI) OA monographs at Salford.pptx
Supporting (UKRI) OA monographs at Salford.pptxSupporting (UKRI) OA monographs at Salford.pptx
Supporting (UKRI) OA monographs at Salford.pptx
 
Acetabularia Information For Class 9 .docx
Acetabularia Information For Class 9  .docxAcetabularia Information For Class 9  .docx
Acetabularia Information For Class 9 .docx
 
Language Across the Curriculm LAC B.Ed.
Language Across the  Curriculm LAC B.Ed.Language Across the  Curriculm LAC B.Ed.
Language Across the Curriculm LAC B.Ed.
 
special B.ed 2nd year old paper_20240531.pdf
special B.ed 2nd year old paper_20240531.pdfspecial B.ed 2nd year old paper_20240531.pdf
special B.ed 2nd year old paper_20240531.pdf
 
Marketing internship report file for MBA
Marketing internship report file for MBAMarketing internship report file for MBA
Marketing internship report file for MBA
 

Firewall, Trusted Systems, IP Security, ESP Encryption and Authentication

  • 1. Security Concept Part-3 (Mr. Gopal Sakarkar)
  • 2. What is a Firewall?
    – A choke point of control and monitoring.
    – Interconnects networks with differing levels of trust.
    – Imposes restrictions on network services: only authorized traffic is allowed.
    – Audits and controls access, and can raise alarms on abnormal behaviour.
    – Can implement VPNs using IPSec.
    – Must itself be immune to penetration.
  • 3. Firewall Design Principles
    Information systems have evolved through the following stages; it is the connection of the resulting network to the Internet that a firewall is placed to control:
    – Centralized data processing system, with a central mainframe supporting a number of directly connected terminals.
    – LANs interconnecting PCs and terminals to each other and to the mainframe.
    – Premises network consisting of a number of LANs, interconnecting PCs and servers.
    – Enterprise-wide network consisting of multiple, geographically distributed premises networks interconnected by a private WAN.
  • 4. Characteristics of a Firewall
    – All traffic from inside to outside, and vice versa, must pass through the firewall.
    – Only authorized traffic, as defined by the local security policy, is allowed to pass.
    – The firewall itself is immune to penetration.
  • 5. Firewall Techniques for Access Control
    – Service control: determines the types of Internet services that can be accessed, inbound or outbound. The firewall may filter traffic on the basis of IP address and TCP port number, or may run proxy software that interprets each service request before passing it on.
    – Direction control: determines the direction in which particular service requests may be initiated and allowed to flow through the firewall.
    – User control: controls access to a service according to which user is attempting to access it. It is typically applied to local users inside the perimeter; applying it to external users requires a secure authentication mechanism such as IPSec.
    – Behavior control: controls how particular services are used. The firewall may filter e-mail to eliminate spam, or it may allow external access to only a specific portion of the information on a local web server.
  • 6. Firewall Limitations
    – Cannot protect against attacks that bypass it, e.g. a link to the outside that does not pass through the firewall.
    – Cannot protect against internal threats, e.g. a disgruntled employee or an employee cooperating with an external attacker.
    – Cannot protect against the transfer of all virus-infected programs or files, because of the huge range of operating systems and file types.
  • 7. Types of Firewalls
    1. Packet-filtering router
    2. Application-level gateway
    3. Circuit-level gateway
  • 8. Firewalls – Packet Filters (figure)
  • 9. Firewalls – Packet Filters
    – The simplest, fastest firewall component.
    – Applies a set of rules to each incoming and outgoing IP packet and then forwards or discards it.
    – Each IP packet is examined and permitted or denied according to the rules; the rule set ends with a default action, and the safer default is to discard whatever no rule expressly permits.
    – Filtering rules are expressed over header fields such as:
      1. Source IP address: the address of the system that originated the packet.
      2. Destination IP address: the address of the system the packet is trying to reach.
      3. Transport-level port numbers (e.g. TCP port 25 for SMTP) and the IP protocol field, which together identify the service.
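As an added worked example (not code from the slides), a stateless packet filter in Python that applies rules in order to each packet and falls back to a default-deny policy. The internal prefix 10.0.0.0/8, the mail host 10.0.0.25 and the rule set are assumptions made for the illustration. It also shows the classic weakness of a stateless filter: returning traffic for outbound connections has to be permitted by a rule that only looks at TCP flags, which an attacker can set at will.

```python
"""Stateless packet filter illustrating service and direction control.
Added example; not code from the slides. Prefix, hosts and rules are assumed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

INSIDE = ip_network("10.0.0.0/8")        # assumed internal address range


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    dport: int = 0
    syn_only: bool = False     # TCP SYN without ACK: a new connection attempt


@dataclass(frozen=True)
class Rule:
    action: str                # "permit" or "deny"
    direction: str             # "in", "out" or "any"  (direction control)
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None          # service control: destination port
    new_conn_only: bool = False          # match only connection attempts

    def matches(self, pkt: Packet, direction: str) -> bool:
        return (self.direction in ("any", direction)
                and ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and self.proto in ("any", pkt.proto)
                and (self.dport is None or self.dport == pkt.dport)
                and (not self.new_conn_only or pkt.syn_only))


def direction_of(pkt: Packet) -> str:
    """'out' if the packet originates inside the perimeter, otherwise 'in'."""
    return "out" if ip_address(pkt.src) in INSIDE else "in"


def filter_packet(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; the default policy is to discard."""
    direction = direction_of(pkt)
    for rule in rules:
        if rule.matches(pkt, direction):
            return rule.action
    return "deny"


# Assumed policy: inbound mail to the mail host only, no other inbound
# connection attempts, outbound web only, and inbound TCP that is not a
# connection attempt (replies to outbound sessions).  The last rule is the
# stateless filter's weak spot: it trusts the ACK flag, which an attacker
# can set on a probe to slip past the SYN check.
POLICY = [
    Rule("permit", "in", dst="10.0.0.25/32", proto="tcp", dport=25),
    Rule("deny", "in", proto="tcp", new_conn_only=True),
    Rule("permit", "out", proto="tcp", dport=80),
    Rule("permit", "out", proto="tcp", dport=443),
    Rule("permit", "in", proto="tcp"),
]
```

A stateful firewall closes the gap in the last rule by permitting inbound packets only when they belong to a connection it saw being opened from the inside.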
  • 10. Firewalls – 2. Application-Level Gateway (or Proxy)
    – Has an application-specific gateway, also called a proxy server, with full access to the application protocol:
      – the user requests a service from the proxy;
      – the proxy validates the request as legal;
      – the proxy then performs the request and returns the result to the user;
      – traffic can be logged and audited at the application level.
    – Needs a separate proxy for each service; some services naturally support proxying, e.g. a feedback application, an online examination application, an MIS.
  • 11. Firewalls – 2. Application-Level Gateway (or Proxy)
    – Application-level gateways tend to be more secure than packet filters, because they need only scrutinize a few allowable applications rather than every combination of addresses and ports; the cost is additional processing overhead on each connection.
  • 12. Firewalls – 3. Circuit-Level Gateway
    – Can be a stand-alone system.
    – Imposes security by limiting which connections are allowed.
    – Once a connection is created, it usually relays traffic without examining the contents.
    – Typically used where the administrator trusts the internal users, to allow general outbound connections.
  • 13. Firewalls – 3. Circuit-Level Gateway
    – It does not permit an end-to-end TCP connection. It sets up two TCP connections: one between itself and a TCP user on an inner host, and one between itself and a TCP user on an outside host.
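Below is an added example, not from the slides, of a circuit-level gateway in Python: it accepts the inner host's TCP connection, checks the requested destination against a connection policy, opens a second TCP connection outward and then relays bytes in both directions without inspecting them. The one-line CONNECT request, the loopback "outside" server that upper-cases what it receives and the policy function are all constructed for the demonstration; a real gateway would speak SOCKS.

```python
"""Circuit-level gateway on the loopback interface.
Added example, not code from the slides; CONNECT line, outside server and
policy are constructed for the demonstration."""
import socket
import threading


def _read_line(sock):
    """Read one request line byte by byte so no relayed data is consumed."""
    buf = b""
    while not buf.endswith(b"\n"):
        ch = sock.recv(1)
        if not ch:
            break
        buf += ch
    return buf.decode(errors="replace").strip()


def _pump(src, dst):
    """Relay bytes src -> dst without inspecting them; pass EOF on as a half-close."""
    while True:
        data = src.recv(4096)
        if not data:
            break
        dst.sendall(data)
    try:
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass


def _handle_inner(inner, policy):
    """One circuit: check the policy, open the second TCP connection, relay."""
    try:
        parts = _read_line(inner).split()
        ok = len(parts) == 3 and parts[0] == "CONNECT" and parts[2].isdigit()
        if not ok or not policy(parts[1], int(parts[2])):
            inner.sendall(b"DENIED\n")          # the only security decision made
            return
        outer = socket.create_connection((parts[1], int(parts[2])), timeout=5)
        inner.sendall(b"OK\n")
        back = threading.Thread(target=_pump, args=(outer, inner), daemon=True)
        back.start()
        _pump(inner, outer)                      # inner -> outer in this thread
        back.join()
        outer.close()
    finally:
        inner.close()


def _listener(handler):
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen()

    def loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handler, args=(conn,), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


def start_gateway(policy):
    """policy(host, port) -> bool decides which circuits may be established."""
    return _listener(lambda conn: _handle_inner(conn, policy))


def start_outside_server():
    """Constructed 'outside host': at EOF it echoes everything upper-cased."""
    def serve(conn):
        with conn:
            data = b""
            while True:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                data += chunk
            conn.sendall(data.upper())
    return _listener(serve)


def through_gateway(gw_port, host, port, payload):
    """Inner-host client: request a circuit, send payload, collect the reply."""
    with socket.create_connection(("127.0.0.1", gw_port), timeout=5) as c:
        c.sendall(f"CONNECT {host} {port}\n".encode())
        status = _read_line(c)
        if status != "OK":
            return status
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)
        reply = b""
        while True:
            chunk = c.recv(4096)
            if not chunk:
                break
            reply += chunk
        return reply.decode()


def demo():
    """Allowed destination relayed untouched; any other destination refused."""
    allowed = start_outside_server()
    gw = start_gateway(lambda host, port: host == "127.0.0.1" and port == allowed)
    return [through_gateway(gw, "127.0.0.1", allowed, b"hello via circuit"),
            through_gateway(gw, "127.0.0.1", allowed + 1, b"blocked")]
```

Note that the gateway never parses "hello via circuit": the only decision it makes is whether the circuit to (host, port) may exist, which is exactly the trust model of slide 12.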
  • 14. Data Access Control
    – Through the user access control procedure (logon), a user is identified to the system.
    – Each user can have a profile that specifies permissible operations and file accesses.
    – The operating system enforces access rules based on the user profile.
  • 15. Data Access Control
    – General models of access control:
      – Access matrix
      – Access control list
      – Capability list
  • 16. Data Access Control – Access Matrix (figure)
  • 17. Data Access Control
    – Access matrix: basic elements of the model
      – Subject: an entity capable of accessing objects. The concept of subject equates with that of process (e.g. an application program running on behalf of a user).
      – Object: anything to which access is controlled (e.g. files, programs).
      – Access right: the way in which an object may be accessed by a subject (e.g. read, write, execute).
  • 18. Data Access Control
    – Access control list: decomposition of the matrix by columns, i.e. one list per object.
    – One process may run many programs, each acting as a subject. E.g. a CD writer is one process in which writing is one program and verification of the written data is a second program.
  • 19. Data Access Control
    – Access control list
      – An access control list lists users and their permitted access rights for one object.
      – The list may contain a default or public entry that applies to users not listed explicitly.
  • 20. Data Access Control
    – Capability list: decomposition of the matrix by rows, i.e. one list per subject.
    – A capability list specifies the authorized objects and operations for a user.
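The decomposition described on slides 16 to 20, as an added Python example (not from the slides): the matrix of subjects, objects and rights is constructed, and the public entry on notes.txt is an assumed default. Both decompositions answer the same question, but the ACL is consulted from the object's side and the capability list from the subject's side.

```python
"""Access matrix and its two decompositions (ACL by columns, capabilities by rows).
Added example, not code from the slides; the matrix and public entry are constructed."""
from typing import Dict, FrozenSet, Tuple

Matrix = Dict[Tuple[str, str], FrozenSet[str]]   # (subject, object) -> rights

# Constructed example matrix; an absent cell means no rights at all.
ACCESS_MATRIX: Matrix = {
    ("alice", "payroll.db"): frozenset({"read", "write"}),
    ("alice", "report.exe"): frozenset({"execute"}),
    ("bob", "payroll.db"): frozenset({"read"}),
    ("bob", "notes.txt"): frozenset({"read", "write"}),
}
PUBLIC = "*"   # marker for the default/public entry an ACL may carry


def to_acls(matrix: Matrix, public=None):
    """Decompose by columns: object -> {subject: rights}, plus public entries."""
    acls = {}
    for (subj, obj), rights in matrix.items():
        acls.setdefault(obj, {})[subj] = set(rights)
    for obj, rights in (public or {}).items():
        acls.setdefault(obj, {})[PUBLIC] = set(rights)
    return acls


def to_capabilities(matrix: Matrix):
    """Decompose by rows: subject -> {object: rights}."""
    caps = {}
    for (subj, obj), rights in matrix.items():
        caps.setdefault(subj, {})[obj] = set(rights)
    return caps


def acl_allows(acls, subj, obj, right):
    """Object-side check: explicit entry for the subject first, else the public entry."""
    entries = acls.get(obj, {})
    granted = entries[subj] if subj in entries else entries.get(PUBLIC, set())
    return right in granted


def cap_allows(caps, subj, obj, right):
    """Subject-side check: the subject presents its capability for the object."""
    return right in caps.get(subj, {}).get(obj, set())


def views_agree(matrix: Matrix):
    """Without public entries, the two decompositions must give identical answers."""
    acls, caps = to_acls(matrix), to_capabilities(matrix)
    subjects = {s for s, _ in matrix}
    objects = {o for _, o in matrix}
    rights = {r for rs in matrix.values() for r in rs}
    return all(acl_allows(acls, s, o, r) == cap_allows(caps, s, o, r)
               for s in subjects for o in objects for r in rights)
```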
  • 21. Trusted Systems
    – Protection of data and resources on the basis of levels of security (e.g. military).
    – In the military, information is categorized as unclassified, confidential, secret or top secret.
    – Users can be granted clearances to access certain categories of data.
  • 22. Trusted Systems
    – Multilevel security: a subject at a high level may not convey information to a subject at a lower level.
    – A multilevel secure system must enforce:
      – No read up: a subject can only read an object of lower or equal security level (simple security property).
      – No write down: a subject can only write into an object of greater or equal security level (*-property).
  • 23. Trusted Systems – Reference Monitor Concept: multilevel security for a data processing system (figure)
  • 24. The Concept of Trusted Systems
    – Reference monitor
      – The controlling element in the hardware and operating system of a computer that regulates the access of subjects to objects on the basis of security parameters.
      – The reference monitor has access to a file, the security kernel database, that lists the access privileges (security clearance) of each subject and the protection attributes (classification level) of each object.
      – The monitor enforces the security rules (no read up, no write down).
  • 25. Trusted Systems
    – Properties of the reference monitor
      – Complete mediation: the security rules are enforced on every access, not just, for example, when a file is opened.
      – Isolation: the reference monitor and its database are protected from unauthorized modification.
      – Verifiability: the reference monitor's correctness must be provable mathematically, i.e. it must be possible to demonstrate that the reference monitor enforces the security rules and provides complete mediation and isolation.
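An added Python example (not from the slides) of a reference monitor that enforces the two rules of slide 22 with complete mediation and an audit trail; the levels, clearances, classifications and object store are constructed. The `covert_leak_blocked` function shows the point of the *-property: a secret-cleared user can read secret data but cannot copy it into an unclassified object, so the data cannot flow down even through a user who is cleared to see it.

```python
"""Reference monitor enforcing no-read-up / no-write-down.
Added example, not code from the slides; levels, clearances, classifications
and the object store are constructed."""
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


class ReferenceMonitor:
    def __init__(self, clearances, classifications):
        self._clearance = dict(clearances)              # security kernel database:
        self._classification = dict(classifications)    # subjects and objects
        self.audit = []                                 # every decision is logged

    def mediate(self, subject, obj, mode):
        """Complete mediation: every access is decided here. Fails closed."""
        allowed = False
        if subject in self._clearance and obj in self._classification:
            s = LEVELS[self._clearance[subject]]
            o = LEVELS[self._classification[obj]]
            if mode == "read":
                allowed = s >= o        # simple security property: no read up
            elif mode == "write":
                allowed = s <= o        # *-property: no write down
        self.audit.append((subject, obj, mode, allowed))
        return allowed

    def read(self, subject, obj, store):
        if not self.mediate(subject, obj, "read"):
            raise PermissionError(f"{subject} may not read {obj}")
        return store[obj]

    def write(self, subject, obj, store, data):
        if not self.mediate(subject, obj, "write"):
            raise PermissionError(f"{subject} may not write {obj}")
        store[obj] = data


def covert_leak_blocked(rm, store):
    """A secret-cleared user reads a secret object (allowed) and tries to
    copy it into an unclassified one (refused)."""
    data = rm.read("s_user", "secret.doc", store)
    try:
        rm.write("s_user", "public.txt", store, data)
    except PermissionError:
        return True
    return False


def build_demo():
    rm = ReferenceMonitor(
        clearances={"u_user": "unclassified", "s_user": "secret"},
        classifications={"public.txt": "unclassified", "secret.doc": "secret"},
    )
    store = {"public.txt": "hello", "secret.doc": "plans"}
    return rm, store
```

The isolation and verifiability properties are not something code can demonstrate by itself: the monitor above is only trustworthy if nothing else can reach `store` or rewrite `LEVELS`, and if its few lines have been checked against the policy.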
  • 26. Trusted Systems
    – A system that can provide such verification of these properties is referred to as a trusted system.
  • 27. Summary
    – Data access control: once a user has been identified to the system, the operating system uses the user's profile to decide which operations and file accesses are permitted.
    – Trusted system: a computer and operating system that can be verified to implement a given security policy.
  • 29. Outline
    – IP Security Overview
    – IP Security Architecture
    – Authentication Header
    – Encapsulating Security Payload
    – Combinations of Security Associations
    – Key Management
  • 30. IP Security Overview
    – IPSec is not a single protocol. Instead, IPSec provides a set of security algorithms plus a general framework that allows a pair of communicating entities to use whichever algorithms provide security appropriate for the communication.
  • 31. IP Security Overview
    – Applications of IPSec
      – Secure branch office connectivity over the Internet
      – Secure remote access over the Internet
      – Establishing extranet and intranet connectivity with partners
      – Enhancing electronic commerce security
  • 32. IP Security Scenario (figure)
  • 33. IP Security Overview
    – Benefits of IPSec
      – When IPSec is implemented in a firewall or router, it provides strong security that can be applied to all traffic crossing the perimeter.
      – IPSec in a firewall is resistant to bypass if all traffic from the outside must use IP and the firewall is the only means of entrance from the Internet into the organization.
      – IPSec can be transparent to end users; there is no need to train users on security mechanisms.
      – IPSec can provide security for individual users if needed.
  • 34. IP Security Architecture (figure)
  • 35. IPSec Architecture Overview
    – Architecture: covers the general concepts, security requirements, definitions and mechanisms defining IPSec technology.
    – Encapsulating Security Payload (ESP): covers the packet format and general issues related to the use of ESP for packet encryption and, optionally, authentication.
    – Authentication Header (AH): covers the packet format and general issues related to the use of AH for packet authentication.
    – Encryption algorithm: a set of documents describing how the various encryption algorithms are used for ESP.
    – Authentication algorithm: a set of documents describing how the various authentication algorithms are used for AH and for the authentication option of ESP.
    – Key management: documents describing the key management schemes.
    – Domain of Interpretation (DOI): contains the values needed for the other documents to relate to each other, such as identifiers for the approved encryption and authentication algorithms and operational parameters such as key lifetime.
  • 36. IPSec Services
    – Access control
    – Connectionless integrity
    – Data origin authentication
    – Rejection of replayed packets
    – Confidentiality (encryption)
    – Limited traffic-flow confidentiality
  • 37. Security Associations (SA)
    – A one-way relationship between a sender and a receiver that affords security services to the traffic carried on it.
    – Identified by three parameters:
      – Security Parameter Index (SPI)
      – Destination IP address
      – Security protocol identifier: indicates whether the association is an AH or an ESP security association.
    – The SPI is an identification tag carried in the AH or ESP header of every packet; it lets the receiver select the SA under which the packet is to be processed, so two traffic streams to the same destination can use different keys and algorithms.
  • 38. Authentication Header
    – Provides support for data integrity and authentication (a MAC) of IP packets.
    – Guards against replay attacks (continued on the next slide).
  • 39. What are replay attacks?
    – A replay attack is a network attack in which an attacker eavesdrops on the conversation between a sender and a receiver, captures the authentication data (e.g. the exchange in which a key is presented), and later re-sends it to the receiver. The attacker thereby passes as the original sender without ever knowing the secret behind the captured data.
    – Example: in a communication between two parties A and B, A presents a key to B to prove its identity. Attacker C eavesdrops on the conversation and keeps the messages needed to prove that identity to B. Later, C contacts B and replays them, and B accepts C as A.
  • 40. Authentication Header
    – Next header (8 bits): identifies the type of header immediately following this header.
    – Payload length (8 bits): the length of the Authentication Header in 32-bit words, minus 2.
    – Reserved (16 bits): for future use.
    – Security Parameter Index (SPI) (32 bits): identifies a security association.
    – Sequence number (32 bits): a monotonically increasing counter value, used by the receiver to detect replayed packets.
    – Authentication data (variable): a variable-length field that contains the Integrity Check Value (ICV), or MAC, for this packet.
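The following added Python example (not from the slides) ties slides 37 to 40 together: it builds an AH-protected IPv4 packet in transport mode, looks up the SA on the receiver by (SPI, destination address, protocol), verifies an HMAC-SHA-1-96 ICV over the packet with the mutable IPv4 fields zeroed, and keeps a 64-packet anti-replay window so that a captured packet replayed later is rejected. The addresses, SPI, key and payloads are constructed; the IPv4 checksum is left at zero because it is a mutable field that AH does not cover, and the code is an illustration of the header format rather than a complete IPsec implementation.

```python
"""AH (RFC 4302 format) build, verify and anti-replay window, transport mode.
Added example, not code from the slides; SA, key, addresses and payloads are
constructed. ICV = HMAC-SHA-1 truncated to 96 bits (HMAC-SHA-1-96)."""
import hashlib
import hmac
import struct

AH_PROTO = 51       # IP protocol number of AH
WINDOW = 64         # anti-replay window size (RFC minimum is 32)
ICV_LEN = 12        # 96 bits


def build_ah(spi, seq, next_header):
    """Fixed AH part plus a zero ICV. Payload Len = length in 32-bit words minus 2."""
    total_words = (12 + ICV_LEN) // 4
    return struct.pack("!BBHII", next_header, total_words - 2, 0, spi, seq) + b"\0" * ICV_LEN


def ipv4_header(src, dst, proto, total_len, ttl=64):
    """Minimal 20-byte IPv4 header; checksum left zero (mutable, not covered by AH)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                       ttl, proto, 0, src, dst)


def _authenticated_view(ip_hdr, ah, payload):
    """Zero the mutable IPv4 fields (TOS, flags/offset, TTL, checksum) and the ICV."""
    ip = bytearray(ip_hdr)
    ip[1] = 0
    ip[6:8] = b"\0\0"
    ip[8] = 0
    ip[10:12] = b"\0\0"
    return bytes(ip) + ah[:12] + b"\0" * (len(ah) - 12) + payload


def icv(key, ip_hdr, ah, payload):
    return hmac.new(key, _authenticated_view(ip_hdr, ah, payload), hashlib.sha1).digest()[:ICV_LEN]


def protect(sa, seq, src, dst, payload, next_header=6):
    """Sender: wrap a transport segment (next_header=6 is TCP) in AH."""
    ah = build_ah(sa["spi"], seq, next_header)
    ip = ipv4_header(src, dst, AH_PROTO, 20 + len(ah) + len(payload))
    return ip + ah[:12] + icv(sa["key"], ip, ah, payload) + payload


class Receiver:
    def __init__(self, sad):
        self.sad = sad          # security association database: (spi, dst, "AH") -> SA
        self.state = {}         # per SA: (highest sequence seen, window bitmap)

    def receive(self, packet):
        ip, rest = packet[:20], packet[20:]
        dst = ip[16:20]
        _nh, plen, _res, spi, seq = struct.unpack("!BBHII", rest[:12])
        ah_len = (plen + 2) * 4
        ah, payload = rest[:ah_len], rest[ah_len:]
        sa = self.sad.get((spi, dst, "AH"))          # SA lookup by the three parameters
        if sa is None:
            return "no SA"
        top, bitmap = self.state.get((spi, dst), (0, 0))
        if seq == 0 or seq + WINDOW <= top:           # left of the window
            return "replay/too old"
        if seq <= top and bitmap & (1 << (top - seq)):  # already accepted
            return "replay"
        if not hmac.compare_digest(ah[12:], icv(sa["key"], ip, ah, payload)):
            return "bad ICV"                          # window is updated only after ICV check
        if seq > top:
            bitmap = (bitmap << (seq - top)) & ((1 << WINDOW) - 1)
            top = seq
        bitmap |= 1 << (top - seq)
        self.state[(spi, dst)] = (top, bitmap)
        return "ok"


def demo():
    key = b"constructed-ah-key-not-for-real-use"
    spi, src, dst = 0x1000, bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9])
    sa = {"spi": spi, "key": key}
    rx = Receiver({(spi, dst, "AH"): sa})
    p1 = protect(sa, 1, src, dst, b"GET / HTTP/1.0\r\n")
    p2 = protect(sa, 2, src, dst, b"Host: example\r\n")
    p3 = protect(sa, 3, src, dst, b"Accept: */*\r\n")
    tampered = p3[:-5] + b"X" + p3[-4:]          # one payload byte changed in flight
    return [rx.receive(p1), rx.receive(p2), rx.receive(p1), rx.receive(tampered), rx.receive(p3)]
```

The order of checks matters: the cheap sequence-number test runs before the MAC so a flood of replays costs little, but the window is only advanced after the ICV verifies, so a forged packet with a high sequence number cannot push genuine packets out of the window.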
  • 41. End-to-End vs End-to-Intermediate Authentication (figure)
  • 42. Encapsulating Security Payload
    – ESP provides confidentiality services.
    – ESP provides confidentiality of message contents.
    – ESP provides limited traffic-flow confidentiality.
  • 43. Encapsulating Security Payload
    – Designed to provide confidentiality and, optionally, integrity protection.
    – The ESP header is inserted after the IP header; the SPI and sequence number in it are sent in the clear so that the receiver can locate the SA.
    – Everything after the ESP header (the original payload plus the ESP trailer) is encrypted; the authentication data, if present, follows the encrypted portion and is not itself encrypted.
  • 44. Encryption and Authentication Algorithms
    – Encryption:
      – Three-key triple DES
      – RC5
      – IDEA
      – Three-key triple IDEA
      – CAST
      – Blowfish
    – Authentication:
      – HMAC-MD5-96
      – HMAC-SHA-1-96
    – This is the list from the original IPSec RFCs. Current IPSec deployments use AES (e.g. AES-GCM, which provides encryption and authentication in one algorithm), and MD5-based authentication is no longer recommended.
  • 45. TCP/IP Example (figure)
  • 47. Congratulations for selecting papers in National Conference, Pune
  • 48. IPv4 Header (figure)
  • 49. IPv4 Header
    – Internet Protocol version 4 (IPv4) is the fourth version in the development of the Internet Protocol (IP) and the first version of the protocol to be widely deployed.
    – It is one of the core protocols of standards-based internetworking methods of the Internet, and routes most traffic in the Internet.
    – IPv4 is a connectionless protocol for use on packet-switched networks.
    – A connectionless protocol describes communication between two network end points in which a message is sent from one end point to the other without a prior arrangement.
    – The sending device transmits data to the other end before checking whether the device on the other end is ready to receive it.
  • 50. IPv4 Header Fields
    – Version: IP version (4 for IPv4, 6 for IPv6).
    – HLen: header length, in 32-bit words.
    – TOS: type of service (priority information).
    – Length: packet length in bytes, including the header.
    – The header format can change with versions: the first four bits identify the version, and the IPv6 header is very different (see later).
    – The 16-bit Length field limits packets to 65,535 bytes; in practice, data is broken into much smaller packets for network performance reasons.
    Header layout (each row is one 32-bit word, bit offsets 0–31):
      word 0: Version (4) | HLen (4) | TOS (8) | Length (16)
      word 1: Identifier (16) | Flags (3) | Fragment Offset (13)
      word 2: TTL (8) | Protocol (8) | Header Checksum (16)
      word 3: Source Address (32)
      word 4: Destination Address (32)
      word 5 onwards: Options (if any), then Data
  • 51. IPv4 Header Fields
    – Identifier, Flags, Fragment Offset: used primarily for fragmentation.
    – Time to Live (TTL): must be decremented at each router; packets with TTL = 0 are thrown away, which ensures that packets eventually exit the network.
    – Protocol: demultiplexing to higher-layer protocols (ICMP = 1, TCP = 6, UDP = 17, ...).
    – Header checksum: ensures some degree of header integrity, but is relatively weak (only 16 bits, and a simple one's-complement sum), so it catches transmission errors, not deliberate modification.
    – Options: e.g. source routing, record route; they cause performance issues at routers and are poorly supported or not supported at all.
  • 52. IPv4 Header Fields
    – Source Address: 32-bit IP address of the sender.
    – Destination Address: 32-bit IP address of the destination.
  • 53. Why IPv6?
    – Deficiencies of IPv4:
      – Address space exhaustion
      – New types of service to integrate: multicast, quality of service, security, mobility (MIPv6)
      – Header and format limitations
  • 54. Advantages of IPv6 over IPv4
    – Larger address space
    – Better header format
    – New options
    – Allowance for extension
    – Support for resource allocation
    – Support for more security
    – Support for mobility
  • 55. IPv6 Header
    – Avoids checksum redundancy: the IPv6 header carries no checksum; integrity is left to the link and transport layers.
    – Fragmentation is done end-to-end: only the sending host fragments, never the routers along the path.
  • 56. The following list describes the function of each IPv6 header field.
    – Version: 4-bit Internet Protocol version number = 6.
    – Traffic Class: 8-bit traffic class field.
    – Flow Label: 20-bit field.
    – Payload Length: 16-bit unsigned integer, the length in octets of the rest of the packet following the IPv6 header.
    – Next Header: 8-bit selector. Identifies the type of header that immediately follows the IPv6 header. Uses the same values as the IPv4 Protocol field.
    – Hop Limit: 8-bit unsigned integer. Decremented by one by each node that forwards the packet; the packet is discarded if Hop Limit is decremented to zero.
    – Source Address: 128 bits. The address of the initial sender of the packet.
    – Destination Address: 128 bits. The address of the intended recipient of the packet. The intended recipient is not necessarily the final recipient if an optional Routing header is present.
    (Video: OSI 7-layer model)
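An added Python example (not from the slides) that builds and parses the IPv4 and IPv6 fixed headers described on slides 50 to 56, computes and checks the IPv4 header checksum, and performs the router's TTL decrement. All packets are constructed; the `checksum_ok` result on a packet whose source and destination words have been swapped shows concretely why the 16-bit one's-complement checksum is a weak integrity check (a sum does not care about word order), and why IPv6 dropped the field altogether.

```python
"""IPv4/IPv6 fixed-header build, parse, IPv4 checksum and TTL handling.
Added example, not code from the slides; all packets are constructed."""
import struct

IPV4_FMT = "!BBHHHBBH4s4s"      # 20 bytes: ver/hlen, tos, len, id, flags/off, ttl, proto, csum, src, dst
IPV6_FMT = "!IHBB16s16s"        # 40 bytes: ver/class/flow, payload len, next hdr, hop limit, src, dst


def ipv4_checksum(header):
    """16-bit one's-complement sum of the header words (checksum field zeroed)."""
    if len(header) % 2:
        header += b"\0"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload, ttl=64, ident=1):
    hdr = struct.pack(IPV4_FMT, 0x45, 0, 20 + len(payload), ident, 0, ttl, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def parse_ipv4(packet):
    vhl, tos, total, ident, ff, ttl, proto, csum, src, dst = struct.unpack(IPV4_FMT, packet[:20])
    version, hlen = vhl >> 4, (vhl & 0xF) * 4
    if version != 4 or hlen < 20 or hlen > len(packet) or total > len(packet) or total < hlen:
        raise ValueError("malformed IPv4 header")
    header = packet[:hlen]
    return {
        "version": version, "hlen": hlen, "total_len": total, "tos": tos, "id": ident,
        "flags": ff >> 13, "frag_offset": ff & 0x1FFF, "ttl": ttl, "protocol": proto,
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "checksum_ok": ipv4_checksum(header[:10] + b"\0\0" + header[12:]) == csum,
        "options": header[20:hlen], "payload": packet[hlen:total],
    }


def forward(packet):
    """Router step: decrement TTL, discard at zero, recompute the header checksum."""
    info = parse_ipv4(packet)
    if info["ttl"] <= 1:
        raise ValueError("TTL expired: packet discarded")
    hdr = bytearray(packet[:info["hlen"]])
    hdr[8] -= 1
    hdr[10:12] = b"\0\0"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + packet[info["hlen"]:]


def build_ipv6(src, dst, next_header, payload, hop_limit=64, traffic_class=0, flow=0):
    first = (6 << 28) | ((traffic_class & 0xFF) << 20) | (flow & 0xFFFFF)
    return struct.pack(IPV6_FMT, first, len(payload), next_header, hop_limit, src, dst) + payload


def parse_ipv6(packet):
    first, plen, nh, hop, src, dst = struct.unpack(IPV6_FMT, packet[:40])
    version = first >> 28
    if version != 6 or 40 + plen > len(packet):
        raise ValueError("malformed IPv6 header")
    return {
        "version": version, "traffic_class": (first >> 20) & 0xFF, "flow_label": first & 0xFFFFF,
        "payload_len": plen, "next_header": nh, "hop_limit": hop,
        "src": src.hex(), "dst": dst.hex(), "payload": packet[40:40 + plen],
    }
```

Because the IPv6 header has no checksum, TCP and UDP over IPv6 must include a pseudo-header with the addresses in their own checksums; that is the "redundancy" slide 55 refers to.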
  • 57. Video Lectures
    – Complete working of the Internet
    – OSI model with packets, IPs, firewalls, etc.
  • 58. Web Security
  • 59. Outline
    – Web Security Considerations
    – Secure Socket Layer (SSL) and Transport Layer Security (TLS)
    – Secure Electronic Transaction (SET)
    – Recommended Reading and Web Sites
  • 60. Web Security Considerations
    – The Web is very visible.
    – Although Web servers are easy to configure and manage, the underlying software is complex and may hide many security flaws.
    – A subverted Web server can be used as a launching pad into the rest of the organization's systems.
    – Users are not aware of the risks.
  • 61. Security facilities in the TCP/IP protocol stack (figure)
  • 62. SSL and TLS
    – SSL was originated by Netscape.
    – The TLS working group was formed within the IETF.
    – The first version of TLS can be viewed as SSLv3.1.
  • 63. SSL Architecture (figure)
  • 64. SSL Record Protocol Operation (figure)
  • 65. SSL Record Format (figure)
  • 66. SSL Record Protocol Payload (figure)
  • 67. Handshake Protocol
    – The most complex part of SSL.
    – Allows the server and client to authenticate each other.
    – Negotiates the encryption algorithm, MAC algorithm and cryptographic keys.
    – Used before any application data are transmitted.
  • 68. Handshake Protocol Action (figure)
  • 69. Transport Layer Security
    – The same record format as the SSL record format.
    – Defined in RFC 2246 (TLS 1.0).
    – Similar to SSLv3.
    – Differences in the:
      – version number
      – message authentication code
      – pseudorandom function
      – alert codes
      – cipher suites
      – client certificate types
      – certificate_verify and finished messages
      – cryptographic computations
      – padding
    – Note: SSLv3, TLS 1.0 and TLS 1.1 have since been deprecated (RFC 7568 and RFC 8996); current deployments should use TLS 1.2 (RFC 5246) or TLS 1.3 (RFC 8446).
  • 70. Secure Electronic Transactions
    – An open encryption and security specification.
    – Protects credit card transactions on the Internet.
    – Companies involved: MasterCard, Visa, IBM, Microsoft, Netscape, RSA, Terisa and Verisign.
    – Not a payment system.
    – A set of security protocols and formats.
  • 71. SET Services
    – Provides a secure communication channel among all parties in a transaction.
    – Provides trust by the use of X.509v3 digital certificates.
    – Ensures privacy: information is made available only to the parties that need it, when and where they need it.
  • 72. SET Overview
    – Key features of SET:
      – Confidentiality of information
      – Integrity of data
      – Cardholder account authentication
      – Merchant authentication
  • 73. SET Participants (figure)
  • 74. Sequence of Events for Transactions
    1. The customer opens an account.
    2. The customer receives a certificate.
    3. Merchants have their own certificates.
    4. The customer places an order.
    5. The merchant is verified.
    6. The order and payment are sent.
    7. The merchant requests payment authorization.
    8. The merchant confirms the order.
    9. The merchant provides the goods or service.
    10. The merchant requests payment.
  • 75. Dual Signature
    DS = E_KRc[ H( H(PI) || H(OI) ) ]
    where PI is the payment information, OI is the order information, H is a hash function (SHA-1 in SET), || is concatenation and E_KRc is encryption (signing) with the customer's private key KRc. The merchant receives OI together with H(PI), the bank receives PI together with H(OI), and each can verify the dual signature without seeing the other's data; neither can substitute a different OI or PI without breaking the signature.
  • 76. Payment Processing – Cardholder sends purchase request (figure)
  • 77. Payment Processing – Merchant verifies customer purchase request (figure)
  • 78. Payment Processing
    – Payment authorization:
      – Authorization request
      – Authorization response
    – Payment capture:
      – Capture request
      – Capture response
  • 79. Recommended Reading and Web Sites
    – Drew, G. Using SET for Secure Electronic Commerce. Prentice Hall, 1999.
    – Garfinkel, S., and Spafford, G. Web Security & Commerce. O'Reilly and Associates, 1997.
    – MasterCard SET site
    – Visa Electronic Commerce site
    – SETCo (documents and glossary of terms)