Professional Documents
Culture Documents
Postgraduate Diploma in Strategic Business IT Computer Networking and Management Computer Networking and Management !une "##$ Da%id Tan Aik C&uan "'()(#
Student declaration
I &a%e read and understood NCC Education+s polic on Academic Dis&onest and Plagiarism2 I can con-irm t&e -ollowing details: Student ID03egistration num*er: Name: Centre Name: Module Name: Module 6eader:
"'()(#
Da%id Tan Aik C&uan 3a--les Education Corp2 4Singapore5 Computer Networking and Management I%an
Num*er o- words: '788# I con-irm t&at t&is is m own work and t&at I &a%e not plagiari9ed an part o- it2 I &a%e also noted t&e assessment criteria and pass mark -or assignments2 Due date: Student Signature: Su*mitted Date:
ii
iii
8282 Introduction
T&is task descri*es t&e internet in-rastructure at .pus IT Ser%ices PTE27 6td2 4.pus57 an IT ser%ice compan in Singapore2 T&is section descri*es t&e ser%ers7 operating s stems7 and &ardware maintained in t&e compan : and &ow t&e in-rastructure connects to t&e outside world7 including securit measures adopted to make t&e entire s stem -ree -rom malicious attacks2 .pus pro%ides its clients wit& t&e -ollowing ser%ices:
!atabase
NF$AST$"CT"$E TO TS CL ENTS.
%ro&ess'met(odolog)
Outsour&ing
clients2
Fle+i, T SE$# CES is a telep&one and onsite ser%ice support plan o--ered
to clients to assist t&em in maintaining IT &ardware and so-tware on a need;to; acti%ate *asis2
.P<S ,lexi;IT Ser%ices is a token;*ased7 multi;usage ser%ice plan w&ere clients can call -or &elp in answering suc& =uestions as: > ?ow;to+s on desktops7 ser%er and network7 > @irus eradication and protection7 > Tec&nical and usage =uestions7 > .perating s stems =uestions7 and > Isolating pro*lems related to computer &ardware7 perip&erals7 local area network media0connection and so-tware
!e.i&es used in t(e Opus s)stem T&e .pus s stem is composed o- a CCS C)AB# #8 core switc&7 a CCS C"$A# #8 edge switc& and a @6AN "8# ITE agent2 T&e Cisco Catal st )AB# #8 core switc& is a -ixed;con-iguration access la er switc& -or *ranc&;o--ice en%ironments7 com*ining *ot& 8#08##08### and PoE con-igurations -or IP telep&on 7 wireless access7 %ideo sur%eillance7 *uilding management s stems7 and remote %ideo2 Customers are a*le to deplo network;wide intelligent ser%ices suc& as ad%anced =ualit oser%ice 41oS57 rate limiting7 access control lists 4AC6s57 multicast management7 and &ig&; per-ormance IP routing2 T&e Cisco Catal st "$A# #8 edge switc&7 on t&e ot&er &and7 pro%ides -ast et&ernet and giga*it et&ernet connecti%it 2 T&is &as two sets o- so-tware and con-iguration t&at allows small7 mid;si9ed7 and enterprise *ranc& o--ices7 and industrial en%ironments to select t&e rig&t com*ination -or t&e network edge2 It uses t&e Standard Image 4SI5 So-tware -or *asic data7 %ideo and %oice ser%ices2 T&e En&anced Image 4EI5 So-tware is used -or rate limiting and securit -iltering2 T&e Cisco Cluster Management Suite 4CMS5 So-tware7 allows users to simultaneousl con-igure and trou*les&oot multiple desktop switc&es using a standard we* *rowser2
nternet,enabled &lient appli&ations a.ailable at Opus T&ree Internet;ena*led client applications t&at is o--ered * .pus include &elpdesk7 call centre and on;site support ser%ice2
% addressing logi& for t(e networked ma&(ines T&e IP addressing logic used in t&e .pus s stem -ollows su*netting to allow t&e creation omultiple logical networks t&at exist wit&in t&e Class A network2 T&is approac& ena*les .pus to use more t&an one network in t&e s stem2 T&e s stem also uses Classless Interdomain 3outing 4CID35 to impro%e address space utili9ation and routing scala*ilit in t&e Internet2
82 3egulator Compliance To pre%ent data securit *reac&es7 .pus conducts periodic gap anal ses o- t&e current status o- securit measures in place and compares t&em to *est practices2 T&en7 impro%ements are designed and implemented2 "2 Network A%aila*ilit and Per-ormance .pus continuousl optimi9es network per-ormance t&roug& continuing polic re-inements and s stem design impro%ements7 and using products t&at *lock *andwidt&;&ugging tra--ic2 )2 Attack Pre%ention Internet attacks suc& as unaut&ori9ed access7 alteration or t&e-t o- data7 worm and %irus in-iltrations7 and denial;o-;ser%ice attacks continuousl plague t&e s stem Also common are unaut&ori9ed grade c&anges7 data tampering7 persistent pro*lems wit& critical s stems and t&e-t o- sensiti%e in-ormation2 .pus &as implemented measures to stops t&ese attacks2 T&ese measures include use o- %irus protection so-tware7 and periodic c&anges in passwords2 Et&ical &acking is also conducted periodicall to identi- weak areas in t&e s stem and ena*le t&e design and implementation o- remedial measures2 (2 Securit .pus uses a met&odolog to anal 9e and prioriti9e risks2 T&is met&odolog allows t&e sc&eduling o- implementation o- securit measures in order o- importance2 .pus &as adopted t&e -ollowing measures to minimi9e t&e risk o- attacks: Met&od oattack 82 Network packet sni--ers 3isk Can get critical s stem in-ormation7 suc& as user account in-ormation and passwords2 /&en an attacker /a s o- minimi9ing risk <se o- trusted networks /&en setting up t&e -irewall ser%er7 .pus &as identi-ied t&e t pe o- networks t&at are attac&ed to t&e -irewall ser%er t&roug& network adapter cards2 T&e trusted networks co%er t&e -irewall ser%er and
o*tains t&e correct account in-ormation7 an attacker gains access to a s stem;le%el user account7 w&ic& t&e attacker uses to create a new account t&at can *e used at an time as a *ack door to get into a network and its resources2
all networks a-ter it2 @irtual pri%ate networks 4@PNs5 &owe%er7 are also considered as trusted networks2 T&e packets t&at start on a @PN are considered to -rom t&e internal perimeter network2 ,or communications t&at originate on a @PN7 securit mec&anisms allow t&e -irewall ser%er to aut&enticate t&e origin7 data integrit 7 and ot&er securit measures en-orced on trusted networks2 <ntrusted Networks <ntrusted networks are networks t&at are known to *e outside .pus+ securit perimeter2 /&en setting up t&e .pus -irewall ser%er7 we identi-ied t&e untrusted networks -rom w&ic& t&at -irewall can accept re=uests2 <nknown Networks <nknown networks are unknown to t&e -irewall *ecause we cannot tell t&e -irewall ser%er t&at t&e network is a trusted or an untrusted network2 T&e -irewall t&ere-ore applies its set securit polic 2 Esta*lis&ing a Securit Perimeter A critical part o- .pus+ o%erall securit solution is a network firewall7 w&ic& monitors tra--ic crossing network perimeters and imposes restrictions according to securit polic 2 Perimeter routers are -ound at t&e network *oundar 7 suc& as *etween pri%ate networks7 intranets7 extranets7 or t&e Internet2 ,irewalls separate internal and external networks2 T&e .pus network securit polic -ocuses on controlling t&e network tra--ic and usage2 It identi-ies its resources and t&reats7 de-ines use and responsi*ilities7 and executes actions w&en t&e securit polic is %iolated2
Perimeter Networks .pus &as designated t&e networks o- computers t&at are to *e protected and de-ined t&e network securit mec&anisms t&at protect t&em2 T&us t&e -irewall ser%er ser%es as t&e gatewa -or communications *etween trusted networks and untrusted and unknown networks2 T&e -ollowing measures &a%e *een done: Filtering at t(e $outer ; Implementing ingress and egress -iltering on routers2 An access control list *locks unwanted pri%ate IP addresses2 T&e -ilter &as *een designed not to accept addresses -rom wit&in t&e network .n t&e upstream inter-ace7 source addresses outside t&e network are restricted t&ere* pre%enting someone on .pus network -rom sending spoo-ed tra--ic to t&e Internet2 En&r)ption and Aut(enti&ation C <se oencr ption and aut&entication reduces spoo-ing2 T&is is done in a secure c&annel2 4Matt&ew Tanase, March 11, 2003) .pus &as adopted t&e -ollowing measures to minimi9e t&e risk o- password attacks: "se of passp(rases Passp&rases are somet&ing t&at one alwa s remem*er7 eit&er a =uote7 -a%orite sentence or a com*ination o- *ot& num*ers and special c&aracters2 Bot& passwords and passp&rases are logged t&roug& t&e use o- a ke logger2 "se of biometri&s T&e *iometric s stems applied co%er -ingerprint s stem and %oice recognition2 4Danc&o Danc&e%0 !anuar '7 "##A5
"2 IP spoo-ing
Can pro%ide access to user accounts and passwords2 An attacker can t&en emulate one internal user to send e; mail messages to *usiness partners t&at appear to &a%e originated -rom someone wit&in our organi9ation2
)2 Password attacks
Can pro%ide access to accounts t&at can *e used to modi- critical network -iles and ser%ices2 An example is an attacker modi- ing t&e routing ta*les -or our network2 B doing so7 t&e attacker ensures t&at all network packets are routed to &is computer *e-ore t&e are transmitted to t&eir -inal destination2
T&ese attacks make a ser%ice una%aila*le -or normal use7 w&ic& is accomplis&ed * ex&austing some resource limitation on t&e network or wit&in an operating s stem or application2
T&e moti%ation -or DoS attacks is not to *reak into a s stem2 Instead7 it is to den t&e use o- t&e s stem to ot&ers w&o need its ser%ices2 DoS attacks do t&e -ollowing: ; Cras& t&e s stem2 ; Den communication2 ; Bring t&e s stem down or &a%e it operate at a reduced speed2 ; ?ang t&e s stem2 %rote&tion measures against atta&ks Amplifier Configuration. T&e routers are con-igured so t&at it does not -orward directed *roadcasts onto networks2 All *roadcast are disa*led on all routers2 T&is ensures t&at emplo ees on t&e internal network wonDt *e a*le to launc& attacks2 A -irewall gi%es additional securit 2 Configuration of ser.er operating s)stems2 Ser%ers are con-igured so t&at t&e will not respond to a directed *roadcast re=uest2 Network &onne&ti.it) atta&ks T&ese attacks o%erload t&e %ictim so t&at its TCP0IP stack is not a*le to &andle an -urt&er connections7 and processing =ueues are completel -ull wit& nonsense malicious packets2 6egitimate connections are t&us denied2 To protect t&e network against connecti%it attacks7 t&e -ollowing &as *een done: ; Decreased t&e TCP Connection Timeout on t&e .pus ser%er2 ; <sed a -irewall at t&e perimeter w&ic& works as an intermediar in -orwarding t&e connections to t&e ser%er2 4A*&is&ek Sing&7 CISSP Decem*er 8(7 "##A5
'. -utline two e3amples of network faults which might 'e detected using network management technologies.
"282 Introduction
T&ere are tec&nologies and tools a%aila*le -or network management -unctions2 T&ere is7 &owe%er7 no single solution a%aila*le to address all t&e -ollowing network management areas: 82 network de%ice and application -ault management7 "2 network de%ice and application con-iguration management7 )2 network utili9ation and accounting management7 (2 network per-ormance management7 and A2 securit management2 4Networkdictionar 2com7 Network Management Tec&nologies7 accessed April "#7 "##$5 &ttp:00www2networkdictionar 2com0networking0NetworkManagementTec&nologies2p&p T&is task descri*es t&e %arious network management -unctions7 and examples o- network -aults w&ic& mig&t *e detected * network management tec&nologies2
"2"2 ,unctions
T&e -ollowing are t&e -unctions o- a managing entit 7 a managed de%ice7 a managed o*Gect7 a management in-ormation *ase 4MI@57 and a network management protocol2 82 Managing entit A network managing entit re-ers to t&e &ardware t&at monitors t&e operation o- networked s stems2 T&is entit 7 usuall a ser%er7 keeps t&e network 4and t&e ser%ices t&at t&e network pro%ides5 operating smoot&l 2 It also monitors t&e network to spot pro*lems ideall
*e-ore users are a--ected2 4A2 Clemm7 A27 Network Management ,undamentals7 CiscoPress7 "##B5 "2 Managed de%ice A managed de%ice is a network node t&at contains an simple network protocol 4SNMP5 agent and t&at resides on a managed network2 Managed de%ices gat&er and sa%e in-ormation and make t&is a%aila*le to network management s stems 4NMSs5 using SNMP2 Managed de%ices7 sometimes called network elements7 can *e an t pe o- de%ice suc& as routers7 access ser%ers7 switc&es7 *ridges7 &u*s7 IP telep&ones7 computer &osts7 and printers 4/ikepedia7 Simple Network management Protocol7 accessed April "#7 "##$52 Centrali9ed management s stems running on ser%ers gat&er in-ormation -rom managed de%ices and store t&ese in-ormation in a data*ase called management in-ormation *ase2 T&e data*ase can *e accessed to pro%ide statistics on t&e per-ormance o- t&e network2 Earlier %ersions o- SNMP agents &ad to *e polled -or in-ormation7 increasing tra--ic * Gust getting tra--ic -low in-ormation2 Because o- t&is7 SMNP" was de%eloped to allow t&e management o- de%ices across networks t&at did not run TCP0IP7 to automaticall report alarms and pro%ide securit -or its transmissions2 SNMP" o--ers management s stem aut&entication7 encr ption o- management in-ormation and t&e a*ilit to allow more t&an one agent per de%ice2 Because it is more secure7 de%ices can *e monitored and con-igured remotel 2
Protocol
SNMP
Disad%antages Too muc& network tra--ic due to polling Supports onl TCP0IP
SNMP"
Ad%antages
Disad%antages No securit -eatures No remote con-iguration Not supported * standards Manu-acturers are o--ering t&eir own solutions
Easier to implement t&an SNMP" due to t&e remo%al o- securit -eatures ?as t&e securit o- SNMP"
SNMP)
)2 Managed o*Gect In a network7 a managed o*Gect is an a*stract representation o- network resources t&at are managed2 A managed o*Gect represents a p& sical entit 7 a network ser%ice7 or an a*straction o- a resource t&at exists independentl o- its use in management 4/ikipedia7 managed .*Gect7 accessed April "#7 "##$52 (2 Management in-ormation *ase A management in-ormation *ase 4MIB5 is t&e data*ase used to manage t&e de%ices in a network2 It is a collection o- o*Gects in a data*ase used to manage entities suc& as routers and switc&es2 Data*ases are &ierarc&ical 4tree;structured5 and entries are addressed t&roug& o*Gect identi-iers2 SNMP uses MIBs2 Components controlled * t&e management console need an SNMP agent ; a so-tware module t&at can communicate wit& t&e SNMP manager2 Examples o- MIB o*Gects include:
output =ueue lengt&7 w&ic& &as t&e name i-.ut16en7 Address Translation ta*le 4like A3P ta*les5 called atTa*le 4/ikipedia7 Management In-ormation Base7 accessed April "#7 "##$5
A2 Network management protocol T&e Internet Protocol Suite7 also known as TCP0IP is t&e set o- communications protocols used -or t&e Internet and ot&er similar networks2 T&e Internet Protocol ma *e %iewed as a set o- la ers2 Eac& la er sol%es pro*lems in t&e transmission o- data7 and pro%ides ser%es t&e upper la er protocols *ased on using ser%ices -rom some lower la ers2 <pper la er protocols are logicall closer to t&e user and deal wit& more a*stract data7 rel ing on lower la er protocols to translate data into -orms t&at can e%entuall *e p& sicall transmitted2 In general7 an application uses a set o- protocols to send its data down t&e la ers7 *eing -urt&er encapsulated at eac& le%el 4/ikipedia7 Internet Protocol Suite7 accessed April "#7 "##$52 Figures /.- and /./ are examples s&owing two Internet &ost computers communicating across local network *oundaries constituted * t&eir internetworking gatewa s 4routers52
,igure "282 TCP0IP stack on two &osts connected %ia two routers and t&e la ers used at eac& &op
,igure "2"2 Encapsulation o- application data mo%ing t&roug& t&e protocol stack2
"2 Securit -aults Access to t&e s stem * unaut&ori9ed persons7 can damage t&e content and t&e s stem2 Some content ma not &a%e %alue *ut ma contain sensiti%e in-ormation t&at must *e
protected against t&e-t2 6ocked doors and network -irewalls ma not *e ade=uate to keep out an intruder2 T&e securit o- a s stem and content is dependent upon two t&ings: 485 t&e p& sical securit o- t&e s stem &ardware and storage and 4"5 t&e %irtual securit o- our network2
%()si&al se&urit)2 All critical media storage and &ardware components s&ould *e &oused in a room t&at &as *een dedicated to t&at purpose2 .nl persons directl in%ol%ed wit& t&e operation o- t&e s stem s&ould &a%e access2 Additional permissions suc& as card ke readers7 com*ination locks7 alarm s stems7 and closed circuit %ideo depend on t&e %alue o- our data and our o%erall securit strateg 2
Network se&urit)2 Network securit considers t&e -ollowing aspects: , Aut(enti&ation2 Persons re=uesting access must &a%e t&eir credentials %eri-ied2 T&is process usuall in%ol%es logging a name and password2 , Aut(ori2ation2 A-ter identit &as *een esta*lis&ed7 it must meet certain criteria *e-ore t&e re=uestor can gain access to t&e restricted content2 , %ermissions2 Eac& permitted user will &a%e a speci-ic set o- permissions w&ic& allow per-orming certain -unctions and ma pro&i*it t&e user -rom per-orming ot&ers2 , Firewalls2 ,irewalls pre%ent access to speci-ic7 closel ;monitored ports2 T&e -irewall can also pre%ent t&e t pe o- in-ormation t&at can pass t&roug& t&e ports2 ,irewalls are used to separate a proprietar network -rom t&e Internet7 *ut t&e can also *e used to pro%ide strict securit wit&in a network 4Microso-t Tec&net7 /indows Media Ser%ices Deplo ment Fuide52
)282 Introduction
T&is task discusses &ow long it takes to deri%e an AES ke using ke space searc&2 It also s&ows t&e ad%antages and disad%antages o- pu*lic ke and pri%ate ke cr ptograp& 7 t&e se=uence o- operations to compute and t&en %eri- t&e digital signature and t&e message aut&entication code o- a long message2
In contrast7 s mmetric ke algorit&ms use a single secret ke s&ared * sender and recei%er -or *ot& encr ption and decr ption2 To use s mmetric encr ption7 t&e sender and recei%er must s&are a secret ke in ad%ance2 82 Description T&e two main *ranc&es o- pu*lic ke cr ptograp& are:
Pu*lic ke encr ption I a message encr pted wit& a recipientDs pu*lic ke cannot *e decr pted * an one except a possessor o- t&e matc&ing pri%ate ke 2 T&is is used -or secrec 2
Digital signatures I a message signed wit& a senderDs pri%ate ke can *e %eri-ied * an one w&o knows t&e senderDs pu*lic ke 7 pro%ing t&at t&e sender &ad access to t&e pri%ate ke and t&e message was not tampered2
Pu*lic;ke encr ption can *e likened to a locked mail*ox wit& a mail slot2 T&e mail slot is accessi*le to all: its location 4t&e street address5 is t&e pu*lic ke 2 An one w&o knows t&e address can go to t&e gate and drop a message t&roug& t&e slot2 ?owe%er7 onl t&e person w&o &as a correct ke can open t&e mail*ox and read t&e message2 Digital signatures can *e likened to t&e sealing o- an en%elope wit& a personal wax seal2 T&e message can *e accessed * an one7 *ut t&e seal pro%es its aut&enticit 2 A pro*lem o- t&e use o- pu*lic;ke cr ptograp& is con-idence or proo- t&at a pu*lic ke is correct7 *elongs to t&e person or entit claimed7 and &as not *een tampered or replaced * a t&ird part 2 T&e approac& to t&is pro*lem is to use a pu*lic;ke in-rastructure 4PEI57 w&ere one or more t&ird parties7 known as certi-icate aut&orities7 certi- owners&ip o- ke pairs2 Anot&er approac&7 is t&e Jwe* o- trustJ met&od to ensure aut&enticit o- ke pairs2 All known pu*lic ke tec&ni=ues are more computationall intensi%e t&an t&eir secret;ke counterparts7 *ut can *e made -ast enoug& -or a wide %ariet o- applications2 ,or digital signatures7 t&e sender &as&es t&e message and t&en signs t&e resulting J&as& %alueJ2 To %eri- t&e signature7 t&e recipient computes t&e &as& o- t&e message7 and compares t&is &as& %alue wit& t&e signed &as& %alue to pro%e it was not tampered2
10
"2 Securit T&e application o- a pu*lic ke encr ption s stem is con-identialit : a message w&ic& a sender encr pts using t&e recipientDs pu*lic ke can *e decr pted onl * t&e recipientDs paired pri%ate ke 2 To aut&enticate7 and maintain con-identialit 7 t&e sender -irst signs t&e message using &is pri%ate ke 7 t&en encr pts t&e message and signature using t&e recipientDs pu*lic ke 2 )2 /eaknesses Among s mmetric ke encr ption algorit&ms7 onl t&e one;time pad can *e pro%en to *e secure against an attacker7 no matter &ow muc& computing power is a%aila*le2 <n-ortunatel 7 all pu*lic;ke sc&emes are suscepti*le to *rute -orce ke searc& attack2 T&ese insecurities can *e a%oided * c&oosing large ke si9es so t&at it will takes a long time to *reak t&e code2 Anot&er securit %ulnera*ilit in using as mmetric ke s is t&e possi*ilit o- a man in t&e middle attack7 w&ere communication o- pu*lic ke s is intercepted * a t&ird part and modi-ied to pro%ide di--erent pu*lic ke s instead2 T&is attack ma appear to *e di--icult to implement in practice7 *ut itDs not impossi*le w&en using insecure media suc& as pu*lic networks or wireless communications2 .ne wa to pre%ent suc& attacks is to use o- a certi-icate aut&orit 7 a trusted t&ird part responsi*le -or %eri- ing t&e identit o- a user o- t&e s stem and issuing a tamper resistant and non;spoo-a*le digital certi-icate -or participants 4/ikipedia7 Pu*lic Ee Cr ptograp& 57
11
82 An attacker can c&ange *ot& t&e original message and t&e computed message digest2 T&ere-ore7 t&e recei%er &as no wa o- knowing i- t&e original message and t&e message digest &a%e not *een c&anged2 "2 A message digest does not pro%e t&at t&e message was sent * t&e sender and not * some*od else2 So7 i- a *ank recei%es an instruction to trans-er <SD87### -rom Account A to Account B7 t&e *ank &as no wa o- knowing i- t&is instruction is genuine2 Two issues need to *e addressed: message integrit and non;repudiation2 To sol%e t&e weakness o- a &as&7 digital signatures can *e used to guarantee t&e %alidit omessage integrit and non;repudiation using t&e computation process s&own in Figure 1.*elow2 ,igure )282 Message digest computation process
/e know t&at t&e main pro*lem in t&is sc&eme is t&at t&e attacker can easil alter t&e original message and rerun t&e same message digest algorit&m on t&e altered message2 T&is can lead to a modi-ied message digest7 t&us making it di--icult to catc& t&e attacker2 To pre%ent ot&ers -rom modi- ing messages7 we can encr pt t&e message digest7 as s&own in Figure 1./ *elow2 ,igure )2"2 Message Digest Encr ption
T&e -igure a*o%e indicates t&at t&e message digest must *e encr pted *e-ore it is sent to t&e recei%er2 T&e recei%er would reGect t&e message i- a message digest recei%ed is not encr pted2 T&e diagram s&ows t&at:
12
a2 A genuine sender is a*le to per-orm t&is encr ption operation7 and a genuine recei%er is a*le to %eri- t&is encr ption: and *2 It would *e di--icult -or an attacker to encr pt2 /&ile an attacker would still *e a*le to compute t&e message digest7 &e must not *e a*le to encr pt t&e message digest2 T&e use o- pu*lic ke cr ptograp& 7 also called as as mmetric ke cr ptograp& 7 is used -or t&is purpose2 T&e idea is -or t&e sender and onl t&e sender knows a pri%ate ke 7 w&ic& can *e used to encr pt t&e message digest to produce t&e output as s&own in t&e earlier diagram2 T&e recei%er and no one else knows t&e sender+s pu*lic ke and use it to decr pt t&e message digest success-ull 2 T&us: a2 T&e sender would encr pt t&e message digest wit& a pri%ate ke 2 T&e sender must keep t&e pri%ate ke secret2 *2 T&e output is called as t&e digital signature -or t&is particular message2 c2 T&e sender sends t&e message and t&e digital signature to t&e recei%er2 d2 T&e recei%er %eri-ies t&e digital signature using t&e sender+s pu*lic ke 7 w&ic& is pu*licl known2 T&is s&ould gi%e t&e recei%er a message digest7 sa MD;82 e2 T&e recei%er also computes a new message digest on t&e original message7 sa MD;"2 I- MD;8 K MD;"7 we ac&ie%e *ot& message integrit 4message &as not *een tampered wit&7 *ecause t&e attacker does not know t&e sender+s pri%ate ke 5 and non;repudiation 4t&e message is pro%en to *e sent * t&e sender7 since onl &e knows t&e pri%ate ke corresponding to t&is pu*lic ke 5 4Indict&reads2com7 /&at are digital signatures5 Figure 1.1 s&ows t&is2
13
T&e -ollowing is a sample program in !a%a7 w&ic& per-orms and %eri-ies digital signatures2
00 Compute and @eri- a Digital Signature00 /ritten * Atul Ea&ate import Ga%a2securit 2L: pu*lic class DigitalSignatureExample M pu*lic static -inal String str K JT&is is t&e message to *e digitall signed2 J: pu*lic static %oid main4StringNO args5 t&rows ExceptionM 00 Fenerate a 3SA ke pair S stem2out2println 4JAttempting to generate a ke pair 222J5: Ee PairFenerator kpg K Ee PairFenerator2getInstance 4J3SAJ5: kpg2initiali9e 48#"(5: Ee Pair kp K kpg2genEe Pair 45: S stem2out2println 4JEe pair generated success-ull 222J5: 00 Sign data * te NO *a K str2getB tes4J<T,HJ5: Signature sig K Signature2getInstance 4JMDAwit&3SAJ5: sig2initSign 4kp2getPri%ate455: sig2update 4*a5: * te NO signedData K sig2sign 45: 00 Displa plain text and signature S stem2out2println 4J.riginal plain text was : J P str5: S stem2out2println 4JSignature is : J P new String 4signedData55: S stem2out2println 4JKKK Now tr ing to %eri- signature KKKJ5:
14
00 Now %eri- t&e signature sig2init@eri- 4kp2getPu*lic455: sig2update 4*a5: *oolean isSign.k K sig2%eri- 4signedData5: S stem2out2println 4JSignature %eri-ication results are: J P isSign.k5: QQ 4Atul Ea&ate7 !ul 887 "##'52
15
In t&is example7 a sender runs a message t&roug& a MAC algorit&m to produce a MAC data tag2 T&e message and t&e MAC tag are t&en sent to t&e recei%er2 T&e recei%er t&en opens t&e message portion o- t&e transmission t&roug& t&e same MAC algorit&m using t&e same ke 7 producing a second MAC data tag2 T&e recei%er t&en compares t&e -irst MAC tag recei%ed to t&e second MAC tag2 I- t&e are identical7 t&e recei%er can assume t&at t&e message &as integrit 7 and t&e message was not altered2 )2B2 Comparison o- digital signatures and message aut&entication codes A digital signature is generated using t&e pri%ate ke o- a ke pair7 w&ic& is as)mmetri& en&r)ption2 Since t&is pri%ate ke is onl known to its &older7 a digital signature pro%es t&at a document was in -act signed t&at &older2 T&us7 digital signatures pro%ide non;repudiation properties2 Message aut&entication codes 4MAC5 %alues7 on t&e ot&er &and7 are generated and %eri-ied using t&e same secret ke 2 T&is means t&at t&e sender and recei%er o- a message must agree on ke s *e-ore initiating communications7 as in t&e case wit& s mmetric encr ption2
16
Compared to digital signatures7 MACs do not pro%ide t&e propert o- non;repudiation o--ered * digital signatures2 An user w&o can %eri- a MAC is also capa*le o- generating MACs -or ot&er messages 4/ikipedia7 Message Aut&entication Code7 accessed April "#7 "##$52
17
(282 Introduction
T&is task discusses TCP congestion control and -ocuses on t&ree algorit&ms7 namel TCP Ta&oe7 3eno and @egas2
82 Additi%e increase7 multiplicati%e decrease Eac& time a packet drop occurs7 window si9e is slas&ed in &al-2 A multiplicati%e decrease is executed2 Congestion is a%oided using multiplicati%e decrease2
18
/&en no losses are o*ser%ed7 window si9e is increased graduall 2 An additi%e increase is executed2 T&e algorit&m -or additi%e increase and multiplicati%e de crease can *e descri*ed as -ollows: Increment congestion window * one packet per 3TT 4linear increase5 Di%ide congestion window * two w&ene%er a timeout occurs 4multiplicati%e decrease5 In practice7 increment a little -or eac& ACE2 Increment K 4MSSLMSS5 Congestion /indow Congestion /indow PK Increment
"2 Slow Start T&e purpose o- a slow start is to determine t&e a%aila*le capacit =uickl 2 To do t&is7 ; ; ; ; Estimate an optimistic congestion window using congestion t&res&old Congestion window starts wit& 8 packet ,or eac& 3TT7 congestion window is dou*led 4increment * 8 packet -or eac& ACE5 /&en congestion t&res&old is crossed7 additi%e increase is used2
19
Slow start is used w&en: ,irst starting a connection7 and Connection goes dead waiting -or timeout
)2 ,ast retransmit /&en coarse;grain TCP timeouts lead to idle periods7 a -ast retransmit per-orms t&e -ollowing: Send an ACE on e%er packet reception Send duplicate o- last ack w&en a packet is recei%ed out o- order <se duplicate ACEs to trigger retransmission2
In using -ast reco%er in TCP 3eno7 slow start p&ase is skipped2 Instead7 t&e last success-ul congestion window is directl &al%ed2
20
C.NFESTI.N A@.IDANCE To a%oid congestion t&e TCP strateg controls congestion once it &appens: and repeatedl increase load in an e--ort to -ind t&e point at w&ic& congestion occurs7 and t&en *ack o--2 An alternati%e strateg -or congestion a%oidance is to predict w&en congestion is a*out to &appen7 t&en reduce rate *e-ore packets start *eing discarded TCP @EFAS TCP @egas adopts congestion a%oidance instead o- congestion control2 It predicts and a%oids congestions e%en *e-ore t&e occur2
21
TCP Ta&oe and 3eno7 on t&e ot&er &and7 adopt congestion control2 It controls congestion a-ter it occurs2 To predict congestion7 TCP @egas permits t&e source to watc& -or some sign t&at t&e router+s =ueue is *uilding up w&ic& could lead to congestion2 In TCP @egas7 congestion can &appen w&en t&e 3TT grows and t&e sending rate -lattens2
Packet accumulation in t&e network can *e in-erred * monitoring 3TT and sending rate as s&own grap&icall *elow:
22
Two %ariations are o--ered * TCP Ta&oe and 3eno2 To a%oid congestion collapse7 TCP Ta&oe and TCP 3eno maintain a congestion window7 limiting t&e total num*er o- unacknowledged packets t&at ma *e in transit end;to;end2 T&is is somew&at similar to TCP+s sliding window used -or -low control2 TCP uses slow start to increase t&e congestion window a-ter a connection is initiali9ed and a-ter a timeout2 It starts wit& a window two times t&e maximum segment si9e 4MSS52 Alt&oug& t&e initial rate is low7 t&e rate o- increase is rapid: -or e%er packet acknowledged7 t&e congestion window increases * 8 MSS so t&at -or e%er round trip time 43TT57 t&e congestion window is dou*led2 /&en t&e congestion window exceeds a t&res&old ssthresh t&e algorit&m per-orms congestion a%oidance 4!aco*son7 @an7 8$$A52 Congestion A%oidance and Control7 ACM SIFC.MM Computer Communication 3e%iew "A 485: 8A'C8H'2 Doi:8#288(A0"#A(('2"#A(B"52 In some implementations7 t&e initial sst&res& is large7 and so t&e -irst slow start usuall ends a-ter a loss2 ?owe%er7 sst&res& is updated at t&e end o- eac& slow start7 and a--ects su*se=uent slow starts triggered * timeouts2 In congestion a%oidance7 t&e congestion window is additi%el increased * one MSS e%er round trip time2 /&en a packet is lost7 duplicate ACEs will *e recei%ed2 T&e *e&a%ior o- Ta&oe and 3eno di--er in &ow t&e detect and react to packet loss2 In TCP Ta&oe7 loss is detected w&en a timeout expires *e-ore an ACE is recei%ed2 Ta&oe t&en reduces t&e congestion window to 8 MSS7 and reset to slow;start2 .n t&e ot&er &and7 in TCP 3eno7 i- t&ree duplicate ACEs are recei%ed 4i2e27 t&ree ACEs acknowledging t&e same packet7 w&ic& are not pigg *acked on data7 and do not c&ange t&e recei%erDs ad%ertised window57 3eno will &al%e t&e congestion window7 per-orm a J-ast retransmitJ7 and enter a p&ase called Slow Start2 I- an ACE times out7 slow start is used in t&e same manner as wit& Ta&oe2 In -ast reco%er 2 4TCP 3eno onl 5 TCP 3eno retransmits t&e missing packet t&at was signaled * ) duplicate ACEs7 and waits -or an acknowledgment o- t&e entire transmit window *e-ore returning to congestion a%oidance2 I- not acknowledged7 TCP 3eno experiences a timeout and enters a slow;start state2
23
In a timeout7 *ot& algorit&ms reduce t&e congestion window to 8 MSS2 TCP @egas <ntil t&e mid;8$$#s7 all TCPs set timeouts and measured round;trip dela s *ased upon t&e last transmitted packet in t&e transmit *u--er2 6arr Peterson and 6awrence Brakmo introduced TCP @egas w&ere timeouts were set and round;trip dela s were measured -or e%er packet in t&e transmit *u--er2 Also7 TCP @egas uses additi%e increases and additi%e decreases in t&e congestion window2
24
A282 Introduction
/e* cac&ing is storing we* documents suc& as ?TM6 pages and images in order to reduce *andwidt& usage7 ser%er load7 and percei%ed lag2 It increases processing speed * storing copies o- documents passing t&roug& t&e cac&e and making t&ese stored documents a%aila*le w&en su*se=uent re=uests -or t&e same documents are made wit&out &a%ing to again access t&e source2 T&is task descri*es t&e -unctions o- an ?TTP prox 7 reasons -or t&eir increased use7 and explains w& t&e use o- data*ase;dri%en d namic content reduces t&e e--ecti%eness o- ?TTP proxies 4/ikipedia7 /e* Cac&e7 accessed April "#7 "##$52
25
26
27
B2 3E,E3ENCES
A*&is&ek Sing&7 CISSP7 Decem*er 8(7 "##A7 Dem sti- ing Denial;.-;Ser%ice Attacks7 Part 8 &ttp:00www2securit -ocus2com0in-ocus08HA) Atul Ea&ate7 !ul 887 "##'7 /&at are Digital SignaturesS Compute and @eri- a Digital Signature <sing !a%a7 &ttp:00www2indict&reads2com08(H#0w&at;are;digital;signatures;compute;and;%eri- ;a;digital; signature;using;Ga%a0 Clemm7 A27 Network Management ,undamentals7 CiscoPress7 "##B &ttp:00en2wikipedia2org0wiki0SimpleTNetworkTManagementTProtocol Danc&o Danc&e%0 !anuar '7 "##A0 Passwords ; Common Attacks and Possi*le Solutions &ttp:00www2windowsecurit 2com0articles0Passwords;Attacks;Solutions2&tml ,ielding7 et al27 Internet 3,C "B8B7 section 82(7 &ttp:00en2wikipedia2org0wiki0?TTP !aco*son7 @an78$$A7 Congestion A%oidance and Control7 ACM SIFC.MM Computer Communication 3e%iew "A 485: 8A'C8H'2 doi:8#288(A0"#A(('2"#A(B"2 &ttp:00ee2l*l2go%0papers0conga%oid2pd-2 Microso-t Tec&net7 /indows Media Ser%ices Deplo ment Fuide7 &ttp:00tec&net2microso-t2com0en;us0li*rar 0cc'"B#)"2aspx Tanase, Matt&ew , IP Spoofing: An Introduction, March 11, 2003 &ttp:00www2securit -ocus2com0in-ocus08B'( &ttp:00www2iss2net0Industr 0educationalTinstitutions0index2&tml &ttp:00*urks2*ton2ac2uk0*urks0pcin-o0&ardware0et&ernet0managed2&tm Networkdictionar 2com7 Network Management Tec&nologies7 &ttp:00www2networkdictionar 2com0networking0NetworkManagementTec&nologies2p&p
28
/ikipedia7 Brute ,orce Attac&7 &ttp:00en2wikipedia2org0wiki0BruteT-orceTattack /ikipedia7 Internet Protocol Suite7 &ttp:00en2wikipedia2org0wiki0InternetTprotocolTsuite /ikipedia7 Managed .*Gects &ttp:00en2wikipedia2org0wiki0ManagedTo*Gect /ikipedia7 Management In-ormation Base7 &ttp:00en2wikipedia2org0wiki0ManagementTIn-ormationTBase /ikipedia7 Network Management7 &ttp:00en2wikipedia2org0wiki0NetworkTmanagement /ikipedia7 Pu*lic Ee Cr ptograp& &ttp:00en2wikipedia2org0wiki0Pu*lic;ke Tcr ptograp& /ikipedia7 Simple Network Management Protocol7 &ttp:00en2wikipedia2org0wiki0SimpleTNetworkTManagementTProtocol /ikipedia7 Management In-ormation Base7 &ttp:00en2wikipedia2org0wiki0ManagementTIn-ormationTBase &ttp:00tec&net2microso-t2com0en;us0li*rar 0cc'"B#)"2aspx /ikipedia7 Message Aut&entication Code &ttp:00en2wikipedia2org0wiki0MessageTaut&enticationTcode /ikipedia7 TCP Congestion A%oidance Algorit&m+ &ttp:00en2wikipedia2org0wiki0TCPTcongestionTa%oidanceTalgorit&m /ikipedia7 /e* Cac&e7 &ttp:00en2wikipedia2org0wiki0/e*Tcac&e &ttp:00www2sta in%isi*le2com0prox Tenc clopedia0&ttpTprox Tser%ers2&tml
29
&ttp:00www2killersites2com0articles0articlesTdata*aseDri%enSites2&tm
'2 BIB6I.F3AP?R
,red B Sc&neider7 ?as&es and Message Digests7 Cornell <ni%ersit ,all7 Ee%in: Sall ,lo d 4!ul 8$$B57 Simulation;*ased Comparisons o- Ta&oe7 3eno and SACE TCPJ 4PostScript57 Computer Communications 3e%iew7 -tp:00-tp2ee2l*l2go%0papers0sacks2ps2U2 !aco*son7 @an 48$$A57 Congestion A%oidance and Control7 ACM SIFC.MM Computer Communication 3e%iew "A 485: 8A'C8H'2 doi:8#288(A0"#A(('2"#A(B"7 &ttp:00ee2l*l2go%0papers0conga%oid2pd-2 Ari 6uotonen7 /e* Prox Ser%ers 4Prentice ?all7 8$$'57 ISBN #;8);BH#B8";#2 Duane /essels7 /e* Cac&ing 4.D3eill and Associates7 "##857 ISBN 8;ABA$";A)B;V2 3a*ino%ic&7 Mic&ael and Spatsc&ak7 .li%er7 /e* Cac&ing and 3eplication 4Addison /esle 7 "##857 ISBN #;"#8;B8A'#;)2
30