
International Journal of Scientific Research Engineering & Technology (IJSRET)

Volume 1 Issue 1, pp 001-007, March 2012, www.ijsret.org, ISSN 2278-0882

Network Security
Satya Prakash, Faculty of MCA Department, TERI, Ghazipur (India); Aradhana Jyotsana, Faculty of Physics Department, Allahabad University (India)

ABSTRACT
Our goal here is to give you the terminology, the words that your customers are going to want to know and be able to converse with. The Internet is a wonderful tool, but security is very important for it. Meteoric growth like that of Cisco, from nowhere to a multi-billion dollar company in a decade, would not be possible without leveraging the tools available with the Internet and intranet. But without well-defined security, the Internet can be a dangerous place. The good news is that the tools are available to make the Internet a safe place for your business. Some people think that only large sites are hacked. In reality, even small company sites are hacked. There is a false impression among many small company owners: "Hey, who would want to break into my company? I'm nobody. I'm not a big corporation like IBM or the Pentagon, so why would somebody want to break into my company?" The reality is that even small companies are broken into very, very often.

Keywords: Username/Password, PAP and CHAP Authentication, AAA server, RADIUS Server, TACACS Server, Kerberos, Caller ID, Public Key, Digital Signatures, NAT.

I. INTRODUCTION
Why network security? There are three primary reasons to explore network security. One is policy vulnerabilities. Is the security policy that you created one that is appropriate for your organization? Another is configuration vulnerabilities. When you took that security policy, did you configure it into the tools that you have appropriately? Are there Access Control Lists that allow in people who should not really have access into your corporation? Last are technology vulnerabilities. This is where somebody actually exploits a hole that they know about in a firewall, a server, etc. There are people who are willing and eager to take advantage of these vulnerabilities.

II. SECURITY THREATS
These are some of the different things that we need to protect against.

Loss of privacy: Without encryption, every message sent may be read by an unauthorized party. This is probably the largest inhibitor of business-to-business communications today.

Impersonation: You must also be careful to protect your identity on the Internet. Many security systems today rely on IP addresses to uniquely identify users. Unfortunately, this system is quite easy to fool and has led to numerous break-ins.

Denial of service: You must ensure that your systems are available. Over the last several years, attackers have found deficiencies in the TCP/IP protocol suite that allow them to arbitrarily cause computer systems to crash.

Loss of integrity: Even for data that is kept confidential, one must still take measures to ensure data integrity; encryption by itself does not prevent modification. For example, if you were able to securely identify yourself to your bank using digital certificates, you would still want to ensure that the transaction itself is not modified in some way, such as by changing the amount of the deposit.

Objectives for security need to balance the risks of providing access with the need to protect network resources. Creating a security policy involves evaluating the risks, defining what is valuable, and determining whom you can trust. The security policy

plays three roles to help you specify what must be done to secure company assets. It specifies what is being protected and why, and who is responsible for that protection. It provides grounds for interpreting and resolving conflicts in implementation, without listing specific threats, machines, or individuals. A well-designed policy does not change much over time. It addresses scalability issues: employees expect access, but an enterprise requires security. It is important to plan with scalability and the deployment of layered technologies in mind. Security policies that inhibit productivity may be too restrictive.

Fig 1: Security Threats

III. SECURITY TECHNOLOGIES
Security technology typically falls into one of three categories. Identity links user authentication and authorization to the network infrastructure; it verifies the identity of those requesting access and prescribes what users are allowed to do. Integrity provides data confidentiality through firewalls, management control, routing, privacy and encryption, and access control. Active audit provides data on network activities and assists network administrators in accounting for network usage, discovering unauthorized activities, and scanning the network for security vulnerabilities.

IV. IDENTITY TECHNOLOGIES
Let's start by looking at some identity technologies. Again, identity is the recognition of each individual user, and the mapping of their identity, location and time to policy: the authorization of their network services and of what they can do on the network. Why is identity important? With IP addresses no longer being static (because of the exhaustion of the address space) and with solutions such as NAT and DHCP, people are no longer tied to addresses. Ideally, we should be able to gain appropriate access based on who we are. Identity can be determined by a number of technologies (user name and password, token card, digital certificate), and each can be configured for a policy setting that indicates the degree of trust. Administrators can also configure access by time of day; identity authorizations can include a time metric for future time-based access capability. The key to centralized identity and security policy management is the combination of all key authentication mechanisms, from SecurID and DES dial cards to MS Login, and their internetworking with one common identity repository. To be truly centralized and configured only once, the identity mechanism must also be media independent: equally applicable to dial-in users and campus users, for example. Let's look at some of these technologies.

A. Username/Password
For basic security, user IDs and passwords can be used to authenticate remote users. First, a remote user dials into the network access server. The NAS, or network access server, negotiates data link setup with the user using PPP. As part of this negotiation, the user must send a password to the NAS. This is usually handled by either the PAP or the CHAP protocol. Next, the NAS forwards the user's password to an AAA server to verify that it is legitimate. The protocol used between the NAS and the AAA server is most likely either TACACS+ or RADIUS; these protocols are covered in more detail below. When the AAA server gets the user ID and password, it checks its database of legitimate users and looks for a match. If a match is found, the AAA server sends the NAS a call accept message. If not, the AAA server sends the NAS a call reject message. If the call is accepted, the user is connected to the campus network.

Fig 2: Username/Password

B. PAP and CHAP Authentication
Now let's back up for a minute and explain a little more about the process of dial-in connections. Many of you have probably heard of PPP (Point-to-Point Protocol) before. PPP is used primarily on dial-in connections, since it provides a standard mechanism for passing authentication information such as a password from a remote user to the NAS. Two protocols are supported to carry the authentication information: PAP (Password Authentication Protocol) and CHAP (Challenge Handshake Authentication Protocol). These protocols are well documented in IETF RFCs (PAP in RFC 1334, CHAP in RFC 1994) and widely implemented in vendor products.

PAP provides a simple password protocol. The user ID and password are sent at the beginning of the call, and then validated by the access server against a central PAP database. The PAP password database is encrypted, but the password is sent in clear text across the public network. An AAA server may be used to hold the password database. The problem with PAP is that it is subject to sniffing and replay attacks: an attacker who intercepts the exchange can resubmit the captured credentials and pose as the legitimate user.

CHAP provides an improved authentication protocol. The access server sends a random challenge, and the remote access device (such as a router) must answer with a one-way hash (MD5) computed over the challenge and the shared secret. The password itself never crosses the link, and a captured response is useless against any other challenge. The initial CHAP authentication is performed during login; the network administrator can specify the rate of subsequent re-authentication. These repeated challenges limit the time of exposure of any single attack. Both sides can use the challenge/response mechanism supported by CHAP to authenticate the device at the other end.

Fig 3: PAP and CHAP Authentication
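The following is an added example, not code from the paper, contrasting the two PPP authentication protocols just described. The PAP side simply carries the password; the CHAP side computes the RFC 1994 response MD5(ID || secret || challenge), so a response sniffed from one round is rejected in the next. The user name, secret, password database and challenge sizes are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed test data (not from the paper): the user name and the shared
# secret held by both the remote user and the AAA database.
USER = b"alice"
SECRET = b"dialup-secret"


# --- PAP (RFC 1334): the password itself is carried in the Authenticate-Request.
def pap_request(user: bytes, password: bytes) -> bytes:
    """What a PAP peer puts on the wire: the clear-text password."""
    return user + b"\x00" + password


def pap_verify(payload: bytes, db: dict) -> bool:
    """Access server side: compare the received password with the database."""
    user, _, password = payload.partition(b"\x00")
    return db.get(user) == password


# --- CHAP (RFC 1994): only MD5(ID || secret || challenge) is carried.
def chap_challenge() -> bytes:
    """Authenticator picks a fresh, unpredictable challenge for every round."""
    return os.urandom(16)


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Peer side: the response is bound to this challenge and this ID byte."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier: int, challenge: bytes, response: bytes,
                secret: bytes) -> bool:
    """Authenticator side: recompute the hash from its own copy of the secret."""
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def demo() -> tuple:
    """Replay a sniffed PAP login and a sniffed CHAP response against the NAS.

    Returns (pap_replay_accepted, chap_first_round_ok, chap_replay_accepted).
    """
    db = {USER: b"pass123"}

    # PAP: whatever the sniffer captured can be resubmitted verbatim.
    sniffed = pap_request(USER, b"pass123")
    pap_replay_accepted = pap_verify(sniffed, db)

    # CHAP: the captured response answers one challenge only.
    c1 = chap_challenge()
    r1 = chap_response(1, SECRET, c1)             # legitimate peer answers
    chap_first_round_ok = chap_verify(1, c1, r1, SECRET)

    c2 = chap_challenge()                         # next (re-)authentication
    chap_replay_accepted = chap_verify(2, c2, r1, SECRET)  # sniffer replays r1

    return pap_replay_accepted, chap_first_round_ok, chap_replay_accepted


if __name__ == "__main__":
    print(demo())   # (True, True, False)
```

Note that CHAP still requires the authenticator to hold the secret in a recoverable form, which is why the AAA database behind it must be protected; the example only shows what changes on the wire.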
C. One-Time Password
For a more restrictive security policy, a one-time password would be used. One-time passwords combine something a person knows (like a PIN or password) with something a person possesses (like a token card). A one-time password is more secure than a simple password since it changes every time the user tries to log in and can only be used once; therefore, it is safe against sniffing and replay attacks.

There are three commonly used ways to create one-time passwords. Token cards are the most common way. The two most common token cards are the SecurID card by Security Dynamics and the DES Gold card by Enigma Logic. In one, the user enters a PIN into the card and the card displays the one-time password, which the user types in at their terminal. In the other, the user appends a PIN to the random number displayed on the token card, and enters this new password at their terminal. Soft tokens are the same as token cards except that the user does not have to carry around a physical card: software runs on the user's PC that performs the same function as the token card, and the user need only enter a PIN. S/Key is a PC application that presents a dialog box to the user upon login, into which the user must enter the correct combination of six key words.

The process used to send the one-time password to the NAS is virtually the same as that used for the password example described above. When the NAS receives the one-time password, it forwards it to the AAA server using either the TACACS+ or the RADIUS protocol. When the AAA server receives the one-time password, it forwards it to a token server for authentication. The accept or reject message flows back to the NAS through the AAA server.
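As an added example (not part of the paper), the S/Key scheme just mentioned is the simplest one-time password to show in code: the client derives a hash chain from a secret passphrase and a seed, the server keeps only the last accepted link of the chain, and each login must present the previous link, which the server can check with one hash but nobody can compute forward from a sniffed value. RFC 1760 uses MD4 folded to 64 bits and encodes the result as six short words; this example substitutes SHA-256 and leaves the word encoding out, and the passphrase, seed and counter are constructed values.

```python
import hashlib
import hmac


def _h(x: bytes) -> bytes:
    """One step of the chain. RFC 1760 uses MD4 folded to 64 bits; SHA-256 is
    substituted here (an assumption of this example, not the paper's)."""
    return hashlib.sha256(x).digest()


def skey_chain(secret: str, seed: str, count: int) -> bytes:
    """Compute h^count(seed || secret). The client runs this for each login;
    only the client ever knows `secret`."""
    x = hashlib.sha256((seed + secret).encode()).digest()
    for _ in range(count):
        x = _h(x)
    return x


class SkeyServer:
    """Stores only the last accepted value h^n and the counter n, never the secret."""

    def __init__(self, secret: str, seed: str, n: int):
        self.seed = seed
        self.n = n
        # Provisioning step: the secret is used once here and then discarded.
        self.stored = skey_chain(secret, seed, n)

    def challenge(self) -> tuple:
        """The login prompt: the client must supply h^(n-1) for this seed."""
        return self.n - 1, self.seed

    def verify(self, otp: bytes) -> bool:
        """Accept iff h(otp) equals the stored value, then move the chain back
        one step so the same otp can never be accepted again."""
        if self.n <= 0:                           # chain exhausted: re-initialise
            return False
        if not hmac.compare_digest(_h(otp), self.stored):
            return False
        self.stored = otp
        self.n -= 1
        return True


def demo() -> tuple:
    """Returns (first_login_ok, replay_of_same_otp_ok, next_login_ok)."""
    secret, seed = "correct horse battery", "ab12345"    # constructed values
    server = SkeyServer(secret, seed, n=100)

    count, seed_from_prompt = server.challenge()           # asks for h^99
    otp = skey_chain(secret, seed_from_prompt, count)      # client-side computation
    first_login_ok = server.verify(otp)

    replay_ok = server.verify(otp)                         # sniffer replays h^99

    count, seed_from_prompt = server.challenge()           # now asks for h^98
    next_login_ok = server.verify(skey_chain(secret, seed_from_prompt, count))
    return first_login_ok, replay_ok, next_login_ok


if __name__ == "__main__":
    print(demo())   # (True, False, True)
```

The replay fails because the server has already moved its stored value to h^99, so the resubmitted h^99 no longer hashes to what is stored; an eavesdropper who saw h^99 would need a preimage of it to obtain h^98.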

Fig 4: One-Time Password

D. Authentication, Authorization, and Accounting (AAA)
We have mentioned AAA servers. What does this mean? AAA stands for authentication, authorization, and accounting. Authentication provides exact end-user verification: I need to know exactly who this person is, and how they prove it to me. Authorization is the second step: now that I know who you are, what can you do? I need to assign IP addresses, provide routes, and block access to certain resources. All the things I can do to a local user, I should be able to control for a remote user. Accounting is the last step: I need to create an accurate record of the transactions of this user. How long were they connected? How much data did they FTP? What was the cause of their disconnection? This allows me not only to bill my customers accurately, but also to understand my user base. An AAA server provides a centralized security database that offers per-user access control. It supports services such as TACACS+ and RADIUS, which we will discuss in a minute, as well as services such as:

Per-user access lists: load a per-user access list after authentication.
Per-user static routes.
Lock and Key.
Auto command: links the user to a profile so that preferences take effect, which improves efficiency and provides limits on access and use.

Fig 5: AAA Services

E. RADIUS Server
RADIUS is an access server authentication and accounting protocol that has gained wide support. The RADIUS authentication server maintains user authentication and network access information. RADIUS clients run on access servers and send authentication requests to the RADIUS authentication server. Client and server share a secret that is never sent over the network; it is used to hide the user's password in the request and to authenticate the server's reply.
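The exchange between the NAS (RADIUS client) and the RADIUS server, as an added example that is not part of the paper: the NAS builds an Access-Request carrying User-Name and a User-Password hidden with the shared secret as RFC 2865 section 5.2 specifies, the server recovers the password, decides, and returns an Access-Accept or Access-Reject whose Response Authenticator (RFC 2865 section 3) the NAS checks before trusting it. The shared secret, user database, NAS address and port are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

# RFC 2865 packet codes and the attribute types used here.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5


def _attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length counts the two header bytes."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 sec. 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block); the first 'previous block' is the
    Request Authenticator. This is obfuscation keyed by the secret, not
    strong encryption."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side of the same transformation."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(c ^ k for c, k in zip(block, pad)), block
    return out.rstrip(b"\x00")


def build_access_request(identifier, user, password, secret, nas_ip, nas_port):
    """NAS side: Code(1) Identifier Length Request-Authenticator Attributes."""
    request_auth = os.urandom(16)
    attrs = (_attr(USER_NAME, user)
             + _attr(USER_PASSWORD, hide_password(password, secret, request_auth))
             + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + _attr(NAS_PORT, struct.pack("!I", nas_port)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_auth + attrs


def parse_packet(pkt: bytes):
    """Split a packet into (code, identifier, authenticator, {type: value})."""
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    attrs, i = {}, 20
    while i + 2 <= min(length, len(pkt)):
        attr_type, attr_len = pkt[i], pkt[i + 1]
        if attr_len < 2:                 # malformed attribute: stop parsing
            break
        attrs[attr_type] = pkt[i + 2:i + attr_len]
        i += attr_len
    return code, identifier, pkt[4:20], attrs


def server_respond(request: bytes, secret: bytes, db: dict) -> bytes:
    """RADIUS server: recover the password, check it, and sign the reply with
    Response-Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    _, identifier, request_auth, attrs = parse_packet(request)
    password = reveal_password(attrs[USER_PASSWORD], secret, request_auth)
    code = ACCESS_ACCEPT if db.get(attrs[USER_NAME]) == password else ACCESS_REJECT
    reply_attrs = b""
    header = struct.pack("!BBH", code, identifier, 20 + len(reply_attrs))
    response_auth = hashlib.md5(header + request_auth + reply_attrs + secret).digest()
    return header + response_auth + reply_attrs


def client_check_response(response: bytes, request: bytes, secret: bytes):
    """NAS side: accept a reply only if the identifier matches the outstanding
    request and the Response-Authenticator proves knowledge of the secret.
    Returns the reply code, or None if the reply is forged or mismatched."""
    code, identifier, response_auth, _ = parse_packet(response)
    _, req_identifier, request_auth, _ = parse_packet(request)
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    if identifier != req_identifier or not hmac.compare_digest(expected, response_auth):
        return None
    return code


def demo() -> tuple:
    """Constructed exchange; returns (code_for_good_password, code_for_bad_password)."""
    secret = b"nas-and-server-shared-secret"
    db = {b"alice": b"Wonderland!"}
    good = build_access_request(7, b"alice", b"Wonderland!", secret, "10.0.0.5", 12)
    bad = build_access_request(8, b"alice", b"guess", secret, "10.0.0.5", 12)
    return (client_check_response(server_respond(good, secret, db), good, secret),
            client_check_response(server_respond(bad, secret, db), bad, secret))
```

The check in client_check_response is what stops a forged Access-Accept injected on the wire from being honoured: without the secret, nobody can produce a valid Response Authenticator. Because the password hiding is MD5-based and the transport is plain UDP, RADIUS traffic still belongs on a protected management path between NAS and server.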

F. TACACS Server
With TACACS authentication, when a user requests to log in to a terminal server or a router, the device asks for a user login name and password. The device then sends a request for validation to the TACACS server named in its configuration. The server validates the login and password pair against a TACACS password file. If the name and the password are validated, the login is successful. There are three flavors of TACACS: the original TACACS, extended TACACS (XTACACS), and TACACS+. TACACS+ is a separate protocol rather than an extension of the original: it provides more information when a user logs in, handles authentication, authorization and accounting as separate functions, and protects the body of each packet with a shared secret, thus allowing more control than the original TACACS.


G. Lock and Key Security
Lock and Key challenges users to respond to a login and password prompt before loading a unique access list into the local or remote router. In this example, Lock and Key security allows only authorized users to access services beyond the firewall at the corporate site.

Fig 6: Lock and Key Security

H. Caller ID
Caller ID is another security mechanism for dial-in access. It allows routers to look at the ISDN number of a calling device and compare it with a list of known callers. If the number is not in the list, the call is rejected, and no charges are incurred by the calling party.

Fig 7: Caller ID

I. Kerberos
Kerberos is another technology. It is one that has been broken into historically; however, it provides a good level of security. With Kerberos, you are issued a ticket that has a specific lifetime allocated to it. Once a ticket is issued to me, possession of that ticket plus my login itself ensures that I have access to that system. The tickets, or credentials, are issued by a trusted Kerberos server to a principal it has authenticated under a specific ID.

Fig 8: User Authentication with Kerberos

J. Public Key
A public key works in conjunction with something called a private key. This is technology that was actually developed back in the 1970s. The private key is something that you keep to yourself; it may exist on your PC or as a piece of code that you have. The public key is something that you publish to the outside world. The two keys are mathematically linked: what one key transforms, only the other can undo. Data encrypted with your public key can be read only with your private key, which gives confidentiality. Conversely, if you take your document and send it out with a value computed over it using your private key, anyone who receives the document can use your public key to confirm that the document is in fact the one you sent and that it came from you. So the key pair, private plus public, uniquely identifies its owner.


Fig 9: How Public Key Works

K. Digital Signatures
With digital signatures, what we do is take the original document and run it through a hash function to produce a short, unique fingerprint of it, the hash. The hash is then transformed with the sender's private key; the result is the digital signature, a small unique value derived from the document. That signature is sent along with the document. The recipient computes the hash of the document they received and uses the sender's public key to check it against the signature. If the two agree, then we have ensured both that the user who sent the document is who we think it is and that the document itself is truthful, in fact the document we thought was sent out. In this way, we know that the document has not been altered. Note that a signature gives integrity and proof of origin, not confidentiality: the document remains readable by anyone unless it is separately encrypted.

Fig 10: Digital Signatures
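The hash-then-sign procedure of the Public Key and Digital Signatures sections, as an added example that is not code from the paper. It uses textbook RSA over small, freshly generated primes so that it runs offline with only the standard library: the signer hashes the document with SHA-256 and raises the hash to the private exponent, and the verifier raises the signature to the public exponent and compares. The key size, the sample deposit document and the absence of any padding scheme are assumptions made for the example; real signatures use far larger keys and a padding scheme such as PSS.

```python
import hashlib
import random


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    """Random prime with the top bit set, so p*q exceeds the 256-bit hash."""
    while True:
        candidate = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def _modinv(a: int, m: int) -> int:
    """Extended Euclid: a^-1 mod m, or ValueError if gcd(a, m) != 1."""
    r0, r1, s0, s1 = a, m, 1, 0
    while r1:
        q = r0 // r1
        r0, r1, s0, s1 = r1, r0 - q * r1, s1, s0 - q * s1
    if r0 != 1:
        raise ValueError("not invertible")
    return s0 % m


def keygen(bits: int = 512) -> tuple:
    """Returns (public_key, private_key) as ((n, e), (n, d)).
    512-bit keys are far too small for real use; chosen for speed here."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and phi % e:              # e is prime, so this means gcd(e, phi) == 1
            return (n, e), (n, _modinv(e, phi))


def _digest_int(document: bytes) -> int:
    """The 'hash' of the paper: SHA-256 of the document, read as an integer."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big")


def sign(document: bytes, private_key: tuple) -> int:
    """Hash the document, then apply the private exponent to the hash."""
    n, d = private_key
    return pow(_digest_int(document), d, n)


def verify(document: bytes, signature: int, public_key: tuple) -> bool:
    """Anyone holding the public key recovers the signed hash and compares it
    with a fresh hash of the document they actually received."""
    n, e = public_key
    return pow(signature, e, n) == _digest_int(document)


def demo() -> tuple:
    """Returns (genuine_verifies, tampered_verifies, wrong_signer_verifies)."""
    pub, priv = keygen()
    other_pub, _ = keygen()
    deposit = b"Deposit 100.00 to account 12345"      # constructed document
    sig = sign(deposit, priv)
    return (verify(deposit, sig, pub),
            verify(b"Deposit 1000.00 to account 12345", sig, pub),   # amount changed
            verify(deposit, sig, other_pub))                         # forged origin
```

The second and third results are the bank example from the Security Threats section: changing the amount changes the hash, and a signature made under someone else's key does not verify under the claimed sender's public key. Nothing here hides the deposit text itself.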

L. Network Address Translation (NAT)
Let's explore another methodology of making sure that your system is safe. This is different from the other ones we have been touching on. Network Address Translation means security through obscurity. By not advertising my internal IP addresses to the outside world, I make it much harder for anybody to come in and pretend that they are me, or pretend that they are somebody trusted by me. The way it works is that your device, which might be a firewall or a router, has a pool of IP addresses that you want to use towards the outside world. So whatever the address is on the inside, it is never seen; it is always changed when it gets to your perimeter device. Through Network Address Translation we can therefore provide increased security. In addition to Network Address Translation, there is another technology you will hear about called port address translation. With port address translation, the device issuing the IP address to the outside world (be it a router or a firewall) puts all its requests out along one single IP address. It does this by sending the different requests from different port numbers, keeping track of that information, and changing the port number back when the reply returns. The reason you might want to implement port address translation is if you have difficulty getting enough IP addresses for all of the users on your network. There can be some limitations. For example, many multimedia applications require multiple ports on a single IP address, so it may not be appropriate for every installation.

Fig 11: Network Address Translation
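As an added example (not code from the paper), here is the translation logic of a perimeter device in both forms just described: a NAT pool that gives each inside host its own outside address, and PAT that multiplexes every inside host onto one outside address by rewriting source ports. The inbound path shows the security effect the section claims: only replies to a mapping an inside host opened are forwarded, so inside addresses are never exposed and unsolicited connection attempts are dropped; it also shows why an application expecting a second inbound port fails. The addresses are constructed from the RFC 5737 documentation ranges.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Nat:
    """Basic NAT: each inside host gets its own address from a pool of outside
    addresses; ports are left unchanged (one-to-one translation)."""

    def __init__(self, pool: list):
        self.free = list(pool)
        self.out_map = {}      # inside_ip -> outside_ip
        self.in_map = {}       # outside_ip -> inside_ip

    def outbound(self, pkt: Packet):
        if pkt.src_ip not in self.out_map:
            if not self.free:
                return None                       # pool exhausted: packet dropped
            outside = self.free.pop(0)
            self.out_map[pkt.src_ip], self.in_map[outside] = outside, pkt.src_ip
        return replace(pkt, src_ip=self.out_map[pkt.src_ip])

    def inbound(self, pkt: Packet):
        inside = self.in_map.get(pkt.dst_ip)
        return None if inside is None else replace(pkt, dst_ip=inside)


class Pat:
    """Port Address Translation: all inside hosts share ONE outside address and
    are told apart by the source port the translator assigns."""

    def __init__(self, outside_ip: str, first_port: int = 1024):
        self.outside_ip, self.next_port = outside_ip, first_port
        self.out_map = {}      # (inside_ip, inside_port) -> outside_port
        self.in_map = {}       # outside_port -> (inside_ip, inside_port)

    def outbound(self, pkt: Packet) -> Packet:
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.out_map:
            port, self.next_port = self.next_port, self.next_port + 1
            self.out_map[key], self.in_map[port] = port, key
        return replace(pkt, src_ip=self.outside_ip, src_port=self.out_map[key])

    def inbound(self, pkt: Packet):
        """Only replies to a port that an inside host opened are forwarded;
        anything else is dropped (returns None), so inside addresses and
        unsolicited connection attempts never reach the campus."""
        if pkt.dst_ip != self.outside_ip:
            return None
        key = self.in_map.get(pkt.dst_port)
        if key is None:
            return None
        return replace(pkt, dst_ip=key[0], dst_port=key[1])


def demo() -> tuple:
    """Two inside hosts, both using source port 5000, reach the same web server
    through one public address. Returns
    (outside_ports_seen_by_server, reply_delivered_to, unsolicited_dropped)."""
    pat = Pat("203.0.113.10")                     # constructed addresses
    a = pat.outbound(Packet("192.168.1.10", 5000, "198.51.100.7", 80))
    b = pat.outbound(Packet("192.168.1.11", 5000, "198.51.100.7", 80))

    reply_to_b = pat.inbound(Packet("198.51.100.7", 80, "203.0.113.10", b.src_port))
    # A scanner (or a multimedia peer expecting a second inbound port) hits a
    # port with no mapping and is dropped.
    probe = pat.inbound(Packet("198.51.100.99", 4444, "203.0.113.10", 23))
    return ((a.src_port, b.src_port),
            (reply_to_b.dst_ip, reply_to_b.dst_port),
            probe is None)


if __name__ == "__main__":
    print(demo())   # ((1024, 1025), ('192.168.1.11', 5000), True)
```

A real translator also ages mappings out and tracks the protocol (TCP state, ICMP identifiers), which is omitted here; the part that matters for the section's point is that the inbound table is only ever populated by outbound traffic.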

V. CONCLUSION
Information security is very often described as a very complicated, very technology-driven environment.

I hope that you agree that, even though (new) technologies are an important part, security is much more. It is about people, policy, management and control, just as in any of our businesses. Technology solutions are enablers that facilitate the task and should leave you time and money to spend on the non-technology related issues. The biggest error Internet security managers have made in the past is buying a firewall and feeling secure: a single point product cannot secure such an important and multifaceted environment as your business!

