Post on 05-Jan-2016
McGraw-Hill ©The McGraw-Hill Companies, Inc., 2000
Chapter 14
Network Security:Firewalls
andVPNs
McGraw-Hill ©The McGraw-Hill Companies, Inc., 2000
List and distinguish between the four conditions of security.List and distinguish between the four conditions of security.
Understand how privacy can be achieved through encryption/Understand how privacy can be achieved through encryption/decryption.decryption.
Understand the digital signature concept and how it can beUnderstand the digital signature concept and how it can beused to provide authentication, integrity, and nonrepudiation.used to provide authentication, integrity, and nonrepudiation.
Understanding firewalls and their use in isolating an Understanding firewalls and their use in isolating an organization from intruders. organization from intruders.
After reading this chapter, the reader should After reading this chapter, the reader should be able to:be able to:
OOBJECTIVESBJECTIVES
McGraw-Hill ©The McGraw-Hill Companies, Inc., 2000
OOBJECTIVES (continued)BJECTIVES (continued)
Understand the different access control methods. Understand the different access control methods.
Be familiar with VPN technology and how it provides privacy.Be familiar with VPN technology and how it provides privacy.
McGraw-Hill ©The McGraw-Hill Companies, Inc., 2000
INTRODUCTIONINTRODUCTIONINTRODUCTIONINTRODUCTION14.114.1
McGraw-Hill ©The McGraw-Hill Companies, Inc., 2000
Figure 14-1
Aspects of security
McGraw-Hill ©The McGraw-Hill Companies, Inc., 2000
PRIVACYPRIVACYPRIVACYPRIVACY14.214.2
McGraw-Hill ©The McGraw-Hill Companies, Inc., 2000
Figure 14-2
Secret-key encryption
McGraw-Hill ©The McGraw-Hill Companies, Inc., 2000
In secret-key encryption, the same keyIn secret-key encryption, the same keyis used by the sender (for encryption)is used by the sender (for encryption)
and the receiver (for decryption). and the receiver (for decryption). The key is shared.The key is shared.
Note:Note:
McGraw-Hill ©The McGraw-Hill Companies, Inc., 2000
Business Focus:Business Focus: DESDES
One common method of secret-key encryption is the data encryption standard (DES). DES was designed by IBM and adopted by the U.S. government as the standard encryption method for nonmilitary and nonclassified use. The algorithm manipulates a 64-bit plaintext with a 56-bit key. The text is put through 19 different and very complex procedures to create a 64-bit ciphertext.
McGraw-Hill ©The McGraw-Hill Companies, Inc., 2000
Figure 14-3
Public-key encryption
McGraw-Hill ©The McGraw-Hill Companies, Inc., 2000
Technical Focus:Technical Focus: RSARSA
One popular public-key encryption technique is called RSA . The technique uses number theory and the fact that it is easy to create two large numbers and multiply them, but difficult to find the original numbers when the product is given. The public key is made of two large numbers (n and e). The private key ismade of two numbers (n and d). The encryption algorithm is
C P e mod n
The receiver uses the same procedure but with the private key numbers as shown:
C P d mod n
McGraw-Hill ©The McGraw-Hill Companies, Inc., 2000
DIGITALDIGITALSIGNATURESIGNATURE
DIGITALDIGITALSIGNATURESIGNATURE
14.314.3
McGraw-Hill ©The McGraw-Hill Companies, Inc., 2000
Figure 14-4 Signing the whole document
McGraw-Hill ©The McGraw-Hill Companies, Inc., 2000
Digital signature cannot be achievedDigital signature cannot be achievedusing secret-key encryption.using secret-key encryption.
Note:Note:
McGraw-Hill ©The McGraw-Hill Companies, Inc., 2000
Digital signature does not provide Digital signature does not provide privacy. If there is a need for privacy, privacy. If there is a need for privacy, another layer of encryption/decryption another layer of encryption/decryption
must be applied. must be applied.
Note:Note:
McGraw-Hill ©The McGraw-Hill Companies, Inc., 2000
Figure 14-5
Signing the digest
McGraw-Hill ©The McGraw-Hill Companies, Inc., 2000
Figure 14-6
Sender site
McGraw-Hill ©The McGraw-Hill Companies, Inc., 2000
Figure 14-7
Receiver site
McGraw-Hill ©The McGraw-Hill Companies, Inc., 2000
SECURITY SECURITY IN THEIN THE
INTERNETINTERNET
SECURITY SECURITY IN THEIN THE
INTERNETINTERNET
14.414.4
McGraw-Hill ©The McGraw-Hill Companies, Inc., 2000
Technical Focus:Technical Focus: Pretty Good Privacy (PGP)Pretty Good Privacy (PGP)
Pretty Good Privacy (PGP), invented by Phil Zimmermann, is an example of a security scheme designed to provide all four aspects of security (privacy, integrity, authentication, and nonrepudiation) in the sending of email. PGP uses digital signature to provide integrity, authentication, and non-repudiation. It uses a combination of secret-key and public-key encryption to provide privacy. Specifically, it uses one hash function, one secret key, and two private-public key pairs.
McGraw-Hill ©The McGraw-Hill Companies, Inc., 2000
Technical Focus:Technical Focus: AH and ESPAH and ESP
IPSec uses two protocols: authentication header (AH) and encapsulating security payload (ESP) to achieve security. The authentication header (AH) protocol is designed to provideintegrity. The method involves a digital signature using a hashing function. The message digest created by applying the hashing function is included in a header (AH header), and inserted between the IP header and transport-layer data and header. The AH protocol does not provide privacy, only integrity and message authentication (digital signature). IPSec defines another protocol that provides privacy as well as a combination of integrity and message authentication. This protocol is called encapsulating security payload (ESP).
McGraw-Hill ©The McGraw-Hill Companies, Inc., 2000
FIREWALLSFIREWALLSFIREWALLSFIREWALLS
14.514.5
McGraw-Hill ©The McGraw-Hill Companies, Inc., 2000
Figure 14-8
Firewall
McGraw-Hill ©The McGraw-Hill Companies, Inc., 2000
A proxy firewall filters at the A proxy firewall filters at the application layer. application layer.
Note:Note:
McGraw-Hill ©The McGraw-Hill Companies, Inc., 2000
VIRTUALVIRTUALPRIVATEPRIVATE
NETWORKSNETWORKS
VIRTUALVIRTUALPRIVATEPRIVATE
NETWORKSNETWORKS
14.614.6
McGraw-Hill ©The McGraw-Hill Companies, Inc., 2000
Figure 14-9
Private network
McGraw-Hill ©The McGraw-Hill Companies, Inc., 2000
Figure 14-10
Hybrid network
McGraw-Hill ©The McGraw-Hill Companies, Inc., 2000
Figure 14-11
Virtual private network
McGraw-Hill ©The McGraw-Hill Companies, Inc., 2000
ACCESSACCESSCONTROLCONTROLACCESSACCESS
CONTROLCONTROL
14.414.4
McGraw-Hill ©The McGraw-Hill Companies, Inc., 2000
Figure 14-12
Access control methods