
Award: Postgraduate Diploma in Strategic Business IT
Module Title: Computer Networking and Management
Assignment Title: Computer Networking and Management
Examination Cycle: June 2009
Candidate Name: David Tan Aik Chuan
NCC Education Candidate No: 74340
Submission Date:

Marker's comments: Moderator's comments: Mark: Moderated Mark: Final Mark:

Statement and Confirmation of Own Work

Programme/Qualification name:

Student declaration
I have read and understood NCC Education's policy on Academic Dishonesty and Plagiarism. I can confirm the following details:
Student ID/Registration number: 74340
Name: David Tan Aik Chuan
Centre Name: Raffles Education Corp. (Singapore)
Module Name: Computer Networking and Management
Module Leader: Ivan
Number of words: 7,110
I confirm that this is my own work and that I have not plagiarized any part of it. I have also noted the assessment criteria and pass mark for assignments.
Due date: Student Signature: Submitted Date:


TASK 1. THE INTERNET INFRASTRUCTURE AT OPUS IT SERVICES PTE., LTD.


a. Undertake an investigation of an Internet infrastructure in your workplace or college. Produce a report of your findings, including appropriate screen dumps, with reference to the following:
i. Networking server and client operating system environment
ii. Hardware, NIC, HUBS/SWITCHES and other network appliances
iii. THREE internet enabled client applications available at the organisation
b. For the networked server and clients investigated in a) above, report in detail with a specially created diagram using MS-Visio or any Open source diagramming software, the following:
i. Connectivity to the outside world (LAN, WAN, VPN, ADSL, WIFI etc.)
ii. IP addressing logic for the networked machines
c. Define the hardware/software components compulsorily required for maximum security in a typical internet setup. Investigate the components available/not available from a real scenario and produce an executive report with your comments and recommendations.

1.1. Introduction
This task describes the internet infrastructure at Opus IT Services PTE., Ltd. (Opus), an IT service company in Singapore. This section describes the servers, operating systems and hardware maintained by the company, how the infrastructure connects to the outside world, and the security measures adopted to protect the system against malicious attacks. Opus provides its clients with the following services:

Database: solutions covering database infrastructure for its clients.

Process/methodology: a service that advises clients to ensure that their processes adhere to standard and consistent processes.

Outsourcing: a helpdesk, call centre and on-site support service provided to clients.

Flexi-IT Services: a telephone and onsite service support plan offered to clients to assist them in maintaining IT hardware and software on a need-to-activate basis. OPUS Flexi-IT Services is a token-based, multi-usage service plan where clients can call for help in answering such questions as:
- How-to's on desktops, servers and the network,
- Virus eradication and protection,
- Technical and usage questions,
- Operating system questions, and
- Isolating problems related to computer hardware, peripherals, local area network media/connections and software.

1.2. The internet infrastructure at Opus IT Services

To be able to provide all its services, Opus maintains servers that are reserved for satisfying the computing needs of its clients. Attached to these servers are devices that are specifically configured to perform the services offered by Opus. The networking server and client operating system environment is shown graphically in Figure 1.1 below.

Figure 1.1. Networking server and client operating system environment

Devices used in the Opus system. The Opus system is composed of a CCS C3560 01 core switch, a CCS C2950 01 edge switch and a VLAN 210 ITE agent. The Cisco Catalyst 3560 core switch is a fixed-configuration access-layer switch for branch-office environments, combining 10/100/1000 and PoE configurations for IP telephony, wireless access, video surveillance, building management systems and remote video. Customers are able to deploy network-wide intelligent services such as advanced quality of service (QoS), rate limiting, access control lists (ACLs), multicast management and high-performance IP routing. The Cisco Catalyst 2950 edge switch, on the other hand, provides Fast Ethernet and Gigabit Ethernet connectivity. It is available with two sets of software and configuration, which allows small, mid-sized and enterprise branch offices, and industrial environments, to select the right combination for the network edge: the Standard Image (SI) software for basic data, video and voice services, and the Enhanced Image (EI) software, which adds rate limiting and security filtering. The Cisco Cluster Management Suite (CMS) software allows users to configure and troubleshoot multiple desktop switches simultaneously using a standard web browser.

Internet-enabled client applications available at Opus. The three Internet-enabled client applications offered by Opus are the helpdesk, the call centre and the on-site support service.

1.3. Connectivity Approach

The Opus system connects to the outside world through its LANs and gateways, shown graphically in Figure 1.2.

Figure 1.2. Connectivity of the Opus system

IP addressing logic for the networked machines. The IP addressing logic used in the Opus system is based on subnetting, which allows the creation of multiple logical networks within the single Class A network assigned to the company. This approach enables Opus to run more than one network in the system. The system also uses Classless Inter-Domain Routing (CIDR) notation for these subnets, which improves address space utilization and, on the Internet, routing scalability.

1.4. Required security systems in a typical internet setup

The internet setup at Opus complies with the following conditions required for computer security:

1. Regulatory Compliance. To prevent data security breaches, Opus conducts periodic gap analyses of the current status of the security measures in place and compares them to best practices. Improvements are then designed and implemented.

2. Network Availability and Performance. Opus continuously optimizes network performance through continuing policy refinements and system design improvements, and by using products that block bandwidth-hogging traffic.

3. Attack Prevention. Internet attacks such as unauthorized access, alteration or theft of data, worm and virus infiltrations, and denial-of-service attacks continuously plague the system. Also common are unauthorized grade changes, data tampering, persistent problems with critical systems and theft of sensitive information. Opus has implemented measures to stop these attacks, including the use of virus protection software and periodic changes of passwords. Ethical hacking is also conducted periodically to identify weak areas in the system and to enable the design and implementation of remedial measures.

4. Security. Opus uses a methodology to analyze and prioritize risks, which allows the implementation of security measures to be scheduled in order of importance. The methods of attack considered, the risk each poses, and the ways of minimizing that risk are as follows.

Methods of attack and their risks:

1. Network packet sniffers. A sniffer can capture critical system information such as user account information and passwords. Once an attacker obtains correct account information, he gains access to a system-level user account, which he can use to create a new account that serves at any time as a back door into the network and its resources.

2. IP spoofing. Can provide access to user accounts and passwords. An attacker can then impersonate an internal user to send e-mail messages to business partners that appear to have originated from someone within our organization.

3. Password attacks. Can provide access to accounts that can be used to modify critical network files and services. An example is an attacker modifying the routing tables for our network; by doing so, the attacker ensures that all network packets are routed to his computer before they are forwarded to their final destination.

4. Denial-of-service attacks. These attacks make a service unavailable for normal use, which is accomplished by exhausting some resource limit on the network or within an operating system or application. The motivation for DoS attacks is not to break into a system but to deny the use of the system to others who need its services. DoS attacks do the following:
- Crash the system.
- Deny communication.
- Bring the system down or have it operate at reduced speed.
- Hang the system.

Ways of minimizing risk:

Use of trusted networks. When setting up the firewall server, Opus identified the types of network attached to the firewall server through its network adapter cards. The trusted networks comprise the firewall server and all networks behind it. Virtual private networks (VPNs) are also treated as trusted networks: packets that originate on a VPN are considered to come from the internal perimeter network, and for communications that originate on a VPN the firewall server authenticates the origin and checks data integrity, along with the other security measures enforced on trusted networks.

Untrusted networks. Untrusted networks are networks that are known to be outside Opus' security perimeter. When setting up the Opus firewall server, we identified the untrusted networks from which the firewall may accept requests.

Unknown networks. Unknown networks are unknown to the firewall because we cannot tell the firewall server whether the network is trusted or untrusted. The firewall therefore applies its default security policy to them.

Establishing a security perimeter. A critical part of Opus' overall security solution is a network firewall, which monitors traffic crossing network perimeters and imposes restrictions according to the security policy. Perimeter routers sit at network boundaries, such as between private networks, intranets, extranets and the Internet; firewalls separate internal and external networks. The Opus network security policy focuses on controlling network traffic and usage. It identifies the resources and the threats to them, defines use and responsibilities, and specifies the actions to be taken when the policy is violated.

Perimeter networks. Opus has designated the networks of computers that are to be protected and defined the network security mechanisms that protect them. The firewall server thus serves as the gateway for communications between the trusted networks and the untrusted and unknown networks. The following measures have been put in place:

Filtering at the router. Ingress and egress filtering are implemented on the routers with access control lists. On the Internet-facing interface the filter does not accept packets whose source address is from within the Opus network or from private address ranges (ingress filtering), so an outsider cannot spoof an internal address. On the upstream interface, packets with source addresses outside the Opus network are blocked (egress filtering), which prevents someone on the Opus network from sending spoofed traffic to the Internet.

Encryption and authentication. Use of encryption and authentication over a secure channel reduces the effect of spoofing, since a spoofed source cannot complete the authentication. (Matthew Tanase, March 11, 2003)

Measures against password attacks. Opus has adopted the following measures to minimize the risk of password attacks: Use of passphrases: passphrases are something that one always remembers, either a quote, a favourite sentence, or a combination of both with numbers and special characters, and their length makes guessing attacks impractical. Note, however, that both passwords and passphrases can be captured by a keylogger, so passphrases alone do not protect against that threat. Use of biometrics: the biometric systems applied are a fingerprint system and voice recognition. (Dancho Danchev, January 7, 2005)

Protection measures against denial-of-service attacks. Amplifier configuration: the routers are configured so that they do not forward directed broadcasts onto their networks, and directed broadcasts are disabled on all routers. This ensures that hosts on the internal network cannot be used as amplifiers for attacks against others; the firewall provides additional protection. Configuration of server operating systems: servers are configured so that they do not respond to directed broadcast requests. Network connectivity attacks: these attacks overload the victim so that its TCP/IP stack cannot handle any further connections, and the processing queues are completely full of meaningless malicious packets, so legitimate connections are denied. To protect the network against connectivity attacks, the following has been done:
- Decreased the TCP connection timeout on the Opus servers, so half-open connections are released sooner.
- Used a firewall at the perimeter which acts as an intermediary in forwarding connections to the servers. (Abhishek Singh, CISSP, December 14, 2005)
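The address plan of section 1.3 and the ingress/egress filtering described above, as an added worked example in Python (not Opus' configuration and not part of the assignment): the "Class A network" is assumed to be the private 10.0.0.0/8 block carved into /24 site subnets, and the site count, the sample packets and the 203.0.113.0/24 "Internet" address are constructed for the demonstration.

```python
"""Subnet plan and ingress/egress filter decisions (added example, not Opus' configuration)."""
from itertools import islice
import ipaddress

# Assumption: the "Class A network" is the RFC 1918 block 10.0.0.0/8, carved
# with CIDR into /24 subnets, one per site. Four sites are constructed here.
SITE_BLOCK = ipaddress.ip_network("10.0.0.0/8")
INTERNAL_SUBNETS = list(islice(SITE_BLOCK.subnets(new_prefix=24), 4))
# -> 10.0.0.0/24, 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24

# Sources that have no business arriving from the Internet: RFC 1918 private
# space plus loopback, "this network" and link-local.
BOGONS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "0.0.0.0/8", "169.254.0.0/16",
)]


def is_internal(addr: str) -> bool:
    """True if addr belongs to one of our allocated site subnets."""
    a = ipaddress.ip_address(addr)
    return any(a in net for net in INTERNAL_SUBNETS)


def is_bogon(addr: str) -> bool:
    a = ipaddress.ip_address(addr)
    return any(a in net for net in BOGONS)


def filter_packet(iface: str, src: str, dst: str):
    """Access-list decision for one packet.

    iface is "upstream" (arriving from the Internet) or "inside" (arriving
    from the LAN). Returns ("permit" | "deny", reason).
    """
    if iface == "upstream":
        # Ingress filtering: nobody outside may claim one of our addresses.
        if is_internal(src):
            return "deny", "spoofed internal source from the Internet"
        if is_bogon(src):
            return "deny", "bogon source address"
        return "permit", ""
    if iface == "inside":
        # Egress filtering: only our own addresses may leave, so a
        # compromised host cannot send spoofed traffic to the Internet.
        if not is_internal(src):
            return "deny", "source outside our address plan (egress spoof)"
        return "permit", ""
    raise ValueError(f"unknown interface {iface!r}")


# Constructed sample traffic; 203.0.113.0/24 is the TEST-NET-3 documentation
# range and stands in for an Internet host.
SAMPLE_PACKETS = [
    ("upstream", "203.0.113.7", "10.0.1.25"),   # normal inbound
    ("upstream", "10.0.2.9", "10.0.1.25"),      # spoofed internal source
    ("upstream", "192.168.1.1", "10.0.1.25"),   # bogon source
    ("inside", "10.0.3.200", "203.0.113.7"),    # normal outbound
    ("inside", "172.16.5.5", "203.0.113.7"),    # spoofed outbound
]


def run_samples():
    """Return [(iface, src, dst, decision), ...] for the constructed packets."""
    return [(i, s, d, filter_packet(i, s, d)[0]) for i, s, d in SAMPLE_PACKETS]


if __name__ == "__main__":
    for subnet in INTERNAL_SUBNETS:
        print("site subnet", subnet, "usable hosts", subnet.num_addresses - 2)
    for row in run_samples():
        print(*row)
```

The two rules are deliberately asymmetric: the upstream check rejects anything that claims to be ours, the inside check rejects anything that does not, and together they give the anti-spoofing property the text describes.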

TASK 2. NETWORK MANAGEMENT TECHNOLOGIES


a. Explain the function of the following in the context of network management:
- a managing entity
- a managed device
- a managed object
- a management information base
- a network management protocol

b. Outline two examples of network faults which might be detected using network management technologies.

2.1. Introduction
There are many technologies and tools available for network management functions. There is, however, no single solution that addresses all of the following network management areas: 1. network device and application fault management, 2. network device and application configuration management, 3. network utilization and accounting management, 4. network performance management, and 5. security management. (Networkdictionary.com, Network Management Technologies, accessed April 20, 2009, http://www.networkdictionary.com/networking/NetworkManagementTechnologies.php) This task describes the various network management functions and gives examples of network faults which might be detected by network management technologies.

2.2. Functions
The following are the functions of a managing entity, a managed device, a managed object, a management information base (MIB) and a network management protocol.

1. Managing entity. A network managing entity is the application, usually running on a dedicated server (the network management station), that monitors and controls the operation of the networked systems. It keeps the network (and the services that the network provides) operating smoothly, and it monitors the network to spot problems, ideally before users are affected. (A. Clemm, Network Management Fundamentals, Cisco Press, 2006)

2. Managed device. A managed device is a network node that contains a Simple Network Management Protocol (SNMP) agent and resides on a managed network. Managed devices gather and save information and make it available to network management systems (NMSs) using SNMP. Managed devices, sometimes called network elements, can be any type of device, such as routers, access servers, switches, bridges, hubs, IP telephones, computer hosts and printers (Wikipedia, Simple Network Management Protocol, accessed April 20, 2009). The variables an agent exposes are defined by its management information base; the centralized management systems running on servers poll the agents for these values and store them in their own database, which can then be queried for statistics on the performance of the network. With the first version of SNMP, agents mostly had to be polled for information, so even collecting traffic-flow statistics generated management traffic of its own (only unsolicited traps were pushed by the agent). SNMPv2 was developed to add bulk retrieval and acknowledged notifications, to allow the management of devices across networks that did not run TCP/IP, and, in its original party-based form, to provide management system authentication, encryption of management information and the ability to have more than one agent per device. The security part of that proposal was never widely implemented: the SNMPv2 that was actually deployed (community-based SNMPv2c) kept the cleartext community string of SNMPv1, and authenticated, encrypted and remotely configurable management only arrived with SNMPv3, which is why devices that must be monitored and configured across untrusted networks should use SNMPv3.

Protocol               | Advantages                                                        | Disadvantages
SNMP (v1)              | Part of TCP/IP; already implemented                               | Too much network traffic due to polling; supports only TCP/IP; no security
SNMPv2                 | Supports other protocols; secure; allows remote configuration     | Never fully implemented
Updated SNMP (SNMPv2c) | Easier to implement than SNMPv2 due to the removal of security features | No security features; no remote configuration; not supported by standards; manufacturers are offering their own solutions
SNMPv3                 | Has the security SNMPv2 promised (authentication, encryption, remote configuration) |

In practice, therefore, the versions found on networks are SNMPv1 and SNMPv2c, both of which authenticate requests only by a community string sent in cleartext, and SNMPv3, which adds per-user authentication and encryption. Where SNMPv1/v2c must be used, the community strings should be treated as passwords and the management traffic confined to a management VLAN.

3. Managed object. In a network, a managed object is an abstract representation of a network resource that is managed. A managed object represents a physical entity, a network service, or an abstraction of a resource that exists independently of its use in management (Wikipedia, Managed Object, accessed April 20, 2009).

4. Management information base. A management information base (MIB) is the database used to manage the devices in a network. It is a collection of objects used to manage entities such as routers and switches. The database is hierarchical (tree-structured) and entries are addressed through object identifiers (OIDs). SNMP uses MIBs: every component controlled by the management console needs an SNMP agent, a software module that can communicate with the SNMP manager. Examples of MIB objects include the output queue length of an interface, which has the name ifOutQLen, and the address translation table (like an ARP table), called atTable (Wikipedia, Management Information Base, accessed April 20, 2009).

5. Network management protocol. The network management protocol runs between the managing entity and the agents on the managed devices: the manager uses it to read and set managed objects, and the agents use it to report events. On the Internet that protocol is SNMP, an application-layer protocol of the Internet Protocol Suite carried over UDP (port 161 for requests to agents, port 162 for traps to the manager). The Internet Protocol Suite, also known as TCP/IP, is the set of communications protocols used for the Internet and other similar networks. It may be viewed as a set of layers. Each layer solves problems in the transmission of data and provides services to the upper-layer protocols, using the services of the lower layers. Upper-layer protocols are logically closer to the user and deal with more abstract data, relying on lower-layer protocols to translate the data into forms that can eventually be physically transmitted. In general, an application uses a set of protocols to send its data down the layers, being further encapsulated at each level (Wikipedia, Internet Protocol Suite, accessed April 20, 2009). Figures 2.1 and 2.2 show two Internet hosts communicating across local network boundaries formed by their internetworking gateways (routers).

Figure 2.1. TCP/IP stack on two hosts connected via two routers, and the layers used at each hop

Figure 2.2. Encapsulation of application data moving through the protocol stack
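Added example, not part of the assignment and not vendor code: a minimal BER encoder and decoder for an SNMPv1 GetRequest, the packet a managing entity sends to an agent to read one MIB object. It shows how an object identifier such as sysDescr.0 (1.3.6.1.2.1.1.1.0) or ifOutQLen (1.3.6.1.2.1.2.2.1.21) is encoded on the wire and, by decoding the packet again, that the community string travels in cleartext, which is what the "no security" entries in the table above mean in practice. Only the Python standard library is used; the community string "public" and the request id are constructed values.

```python
"""SNMPv1 GetRequest on the wire (added example, not from the assignment)."""


def ber_length(n: int) -> bytes:
    """BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    """Tag-Length-Value triple."""
    return bytes([tag]) + ber_length(len(body)) + body


def encode_int(n: int) -> bytes:
    """ASN.1 INTEGER (non-negative only; the extra byte keeps the sign bit clear)."""
    if n < 0:
        raise ValueError("negative integers not needed here")
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))


def encode_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def build_get_request(community: str, oid: str, request_id: int) -> bytes:
    """SNMPv1 message: version 0, community string, GetRequest-PDU (tag 0xA0)."""
    varbind = tlv(0x30, encode_oid(oid) + tlv(0x05, b""))        # {name, NULL}
    pdu = tlv(0xA0, encode_int(request_id) + encode_int(0) + encode_int(0)
              + tlv(0x30, varbind))           # error-status, error-index, VarBindList
    return tlv(0x30, encode_int(0) + tlv(0x04, community.encode()) + pdu)


def parse_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body: bytes) -> str:
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def oid_roundtrip(dotted: str) -> str:
    return decode_oid(parse_tlv(encode_oid(dotted))[1])


def decode_get_request(packet: bytes):
    """Return (version, community, request_id, oid) from a raw SNMPv1 GetRequest.

    Nothing here needs a key: the community string is readable by any sniffer
    on the path, which is the whole security model of SNMPv1 and SNMPv2c.
    """
    tag, msg, _ = parse_tlv(packet)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, version, pos = parse_tlv(msg)
    _, community, pos = parse_tlv(msg, pos)
    tag, pdu, _ = parse_tlv(msg, pos)
    if tag != 0xA0:
        raise ValueError("not a GetRequest-PDU")
    _, request_id, pos = parse_tlv(pdu)
    _, _, pos = parse_tlv(pdu, pos)          # error-status
    _, _, pos = parse_tlv(pdu, pos)          # error-index
    _, varbind_list, _ = parse_tlv(pdu, pos)
    _, varbind, _ = parse_tlv(varbind_list)
    _, oid_body, _ = parse_tlv(varbind)
    return (int.from_bytes(version, "big"), community.decode(),
            int.from_bytes(request_id, "big"), decode_oid(oid_body))


SYS_DESCR_0 = "1.3.6.1.2.1.1.1.0"          # MIB-II system.sysDescr.0

if __name__ == "__main__":
    pkt = build_get_request("public", SYS_DESCR_0, 1)
    print(pkt.hex())
    print(decode_get_request(pkt))
    print("community visible in cleartext:", b"public" in pkt)
```

The 40-byte packet produced for sysDescr.0 is the classic textbook GetRequest; sending it to UDP port 161 of an agent configured with community "public" would return the device description, and anyone sniffing the segment would learn the community string from the same bytes.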

2.3. Examples of network faults detected by network management technologies

Faults can occur either at the source of the content, such as an encoder or a digital media library, or in the distribution of content to clients, such as faults in distribution servers or cache/proxy servers. To minimize the risk of faults, the system should be made redundant; if this is not done, the media distribution process is vulnerable to failure.

1. Downstream faults. Failure of one component, such as a distribution server, can prevent clients from receiving the content they requested. Using multiple servers to stream the same content, called clustering, reduces the risk of interrupted service. Clustering is a fault tolerance technique because reduced capacity or failure of any one server is unlikely to interrupt the whole system: if one server stops, its workload can be transferred to another server, as shown in Figure 2.3 below. A management system detects this kind of fault when the managed server stops answering polls or sends a trap, and availability monitoring of the cluster shows the remaining capacity.

Figure 2.3. Fault tolerance using clustering

2. Security faults. Access to the system by unauthorized persons can damage the content and the system. Some content may have little value in itself but may contain sensitive information that must be protected against theft. Locked doors and network firewalls alone may not be adequate to keep out an intruder. The security of a system and its content depends on two things: (1) the physical security of the system hardware and storage and (2) the virtual security of your network.

Physical security. All critical media storage and hardware components should be housed in a room dedicated to that purpose. Only persons directly involved with the operation of the system should have access. Additional protections such as card key readers, combination locks, alarm systems and closed-circuit video depend on the value of your data and your overall security strategy.

Network security. Network security considers the following aspects:
- Authentication. Persons requesting access must have their credentials verified. This process usually involves logging in with a name and password.
- Authorization. After identity has been established, it must meet certain criteria before the requestor can gain access to the restricted content.
- Permissions. Each permitted user has a specific set of permissions which allow certain functions and may prohibit the user from performing others.
- Firewalls. Firewalls block access to all but specific, closely-monitored ports, and can also restrict the type of information that passes through those ports. Firewalls are used to separate a proprietary network from the Internet, but they can also be used to enforce strict security within a network (Microsoft TechNet, Windows Media Services Deployment Guide).

TASK 3. INTERNET CONTROL TECHNIQUES


a. Assuming that you have access to N0,000 up-to-date PCs (the first digit is illegible in this copy) and stating any other reasonable assumptions you need to make, calculate how long it will take, on average, to derive an AES key using a key space search (sometimes referred to as a brute force attack).
b. Explain the comparative advantages and disadvantages of public key and private key cryptography. For each cryptography type: name and give outline information for ONE common cipher (excluding AES).
c. Describe the sequence of operations which must be undertaken to compute and then verify the digital signature of a long message.
d. Describe the sequence of operations which must be undertaken to compute and then verify the message authentication code (MAC) of a long message.
e. Compare and contrast digital signatures and MACs.

3.1. Introduction
This task discusses how long it takes to derive an AES key using a key space search. It also sets out the advantages and disadvantages of public key and private key cryptography, and the sequence of operations needed to compute and then verify the digital signature and the message authentication code of a long message.

3.2. Time to derive an AES key using key space search

The time it takes to break a 128-bit AES key by exhaustive search is about 10^13 years. To check all 2^128 (340,282,366,920,938,463,463,374,607,431,768,211,456) possible keys, a device that could check a billion billion keys (10^18) per second would need about 10^13 years to exhaust the key space (Wikipedia, Brute force attack, accessed April 20, 2009). For a uniformly random key the correct one is found, on average, after searching half the space, and adding machines only divides the time by the number of machines, so even tens of thousands of PCs leave the expected time astronomically large.
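The calculation the brief asks for, carried through as an added worked example in Python (not from the assignment): the key-search time for one device at 10^18 keys/s, which reproduces the figure quoted above, and the average-case time for a farm of PCs. The PC count (50,000) and the per-PC rate (10^9 key trials per second, generous for a single machine because every trial needs an AES key schedule plus a block decryption) are stated assumptions and are parameters of the function.

```python
"""Expected brute-force time for a 128-bit AES key (added worked example)."""
from fractions import Fraction

SECONDS_PER_YEAR = 365 * 24 * 60 * 60      # 31,536,000; leap years ignored


def years_to_search(key_bits: int, keys_per_second: int,
                    fraction_of_space: Fraction = Fraction(1, 2)) -> float:
    """Years needed to test `fraction_of_space` of a `key_bits` key space.

    With a uniformly random key the search succeeds, on average, half-way
    through the space, so the default is 1/2; pass Fraction(1) for the worst
    case (exhausting the whole space). Exact rational arithmetic avoids any
    float rounding on 2**128 until the final conversion.
    """
    keys = Fraction(2 ** key_bits) * fraction_of_space
    return float(keys / keys_per_second / SECONDS_PER_YEAR)


def wikipedia_figure() -> float:
    """The page's check: one device at 10^18 keys/s exhausting all 2^128 keys."""
    return years_to_search(128, 10 ** 18, Fraction(1))


def pc_farm_estimate(pcs: int = 50_000, keys_per_second_per_pc: int = 10 ** 9) -> float:
    """Average-case time for a farm of PCs working in parallel.

    Assumptions, not from the assignment: 50,000 PCs (change `pcs` to the
    figure in the brief) and 10^9 key trials per second per PC.
    """
    return years_to_search(128, pcs * keys_per_second_per_pc)


if __name__ == "__main__":
    print(f"one device, 10^18 keys/s, whole space: {wikipedia_figure():.2e} years")
    print(f"50,000 PCs at 10^9 keys/s, average:   {pc_farm_estimate():.2e} years")
```

With these assumptions the farm tests 5 x 10^13 keys per second and still needs on the order of 10^17 years for the average case, about ten million times the age of the universe, so the conclusion does not depend on the exact PC count or per-PC rate: any realistic figure changes the exponent by a unit or two, not the verdict.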

3.3. Comparative advantages and disadvantages of public key and private key cryptography

Public key cryptography uses asymmetric key algorithms: the key used to encrypt a message is not the same as the key used to decrypt it. Each user has two cryptographic keys, a public key and a private key. The private key is kept confidential, while the public key is publicly known. The recipient's public key is used to encrypt messages, which can then only be decrypted with the corresponding private key.

In contrast, symmetric (private key) algorithms use a single secret key shared by sender and receiver for both encryption and decryption. To use symmetric encryption, the sender and receiver must share the secret key in advance, which is the main practical difficulty: the key has to be distributed over some channel that is itself secure.

1. Description. The two main branches of public key cryptography are:

Public key encryption: a message encrypted with a recipient's public key cannot be decrypted by anyone except a possessor of the matching private key. This is used for secrecy.

Digital signatures: a message signed with a sender's private key can be verified by anyone who knows the sender's public key, proving that the sender had access to the private key and that the message was not tampered with.

Public-key encryption can be likened to a locked mailbox with a mail slot. The mail slot is accessible to all; its location (the street address) is the public key. Anyone who knows the address can go to the gate and drop a message through the slot. However, only the person who has the correct key can open the mailbox and read the message. Digital signatures can be likened to sealing an envelope with a personal wax seal. The message can be read by anyone, but the seal proves its authenticity. A problem with the use of public-key cryptography is obtaining confidence, or proof, that a public key is correct, belongs to the person or entity claimed, and has not been tampered with or replaced by a third party. The usual approach to this problem is a public-key infrastructure (PKI), in which one or more third parties, known as certificate authorities, certify ownership of key pairs. Another approach is the "web of trust" method of ensuring the authenticity of key pairs. All known public key techniques are more computationally intensive than their secret-key counterparts, but can be made fast enough for a wide variety of applications. For digital signatures, the sender hashes the message and then signs the resulting hash value. To verify the signature, the recipient computes the hash of the message and compares this hash value with the one recovered from the signature to prove the message was not tampered with.

2. Security. The main application of a public key encryption system is confidentiality: a message which a sender encrypts using the recipient's public key can be decrypted only with the recipient's paired private key. To authenticate as well as maintain confidentiality, the sender first signs the message using his private key, then encrypts the message and signature using the recipient's public key.

3. Weaknesses. Among symmetric key encryption algorithms, only the one-time pad can be proven secure against any attacker, no matter how much computing power is available. All public-key schemes, on the other hand, can in principle be broken by exhaustive key search or by solving the underlying mathematical problem (for RSA, factoring the modulus), so their security rests on choosing key sizes large enough that such an attack takes an impractically long time. Another security vulnerability in using asymmetric keys is the possibility of a man-in-the-middle attack, where the exchange of public keys is intercepted by a third party and modified to supply different public keys instead. This attack may appear difficult to carry out in practice, but it is not impossible when insecure media such as public networks or wireless communications are used. One way to prevent such attacks is to use a certificate authority, a trusted third party responsible for verifying the identity of a user of the system and issuing a tamper-resistant and non-spoofable digital certificate to participants (Wikipedia, Public Key Cryptography).

3.4. How to compute and verify digital signatures of long messages

It is important to understand the meaning of various terms before discussing how to compute and verify digital signatures. A message digest, or hash, is a fixed-size value computed from a message. The digest is always the same for the same message, and if the message is changed the digest changes too. Because of this, message digests can be used to check whether a message has been altered. However, there are issues:

1. An attacker can change both the original message and the computed message digest. The receiver therefore has no way of knowing whether the original message and its digest have been changed.
2. A message digest does not prove that the message was sent by the claimed sender and not by somebody else. So, if a bank receives an instruction to transfer USD1,000 from Account A to Account B, the bank has no way of knowing whether this instruction is genuine.

Two issues therefore need to be addressed: message integrity and non-repudiation. To overcome the weakness of a plain hash, digital signatures can be used to guarantee both, using the computation process shown in Figure 3.1 below.

Figure 3.1. Message digest computation process

The main problem in the plain-digest scheme is that the attacker can easily alter the original message and rerun the same message digest algorithm on the altered message, producing a digest that matches the modified message, so the receiver cannot catch the attacker. To prevent this, we can encrypt the message digest, as shown in Figure 3.2 below.

Figure 3.2. Message Digest Encryption

The figure above indicates that the message digest must be encrypted before it is sent to the receiver. The receiver rejects the message if the digest received is not encrypted. The diagram shows that:
a. a genuine sender is able to perform this encryption operation, and a genuine receiver is able to verify it; and
b. it must be difficult for an attacker to perform it: while an attacker can still compute the message digest, he must not be able to encrypt it.

Public key cryptography, also called asymmetric key cryptography, is used for this purpose. The idea is that the sender, and only the sender, knows a private key, which is used to encrypt (in the textbook RSA description; more generally, to sign) the message digest, producing the output shown in the earlier diagram. The receiver, like anyone else, knows the sender's public key and uses it to recover the message digest. Thus:
a. The sender encrypts the message digest with the private key, which must be kept secret. Because only the fixed-size digest is signed, the cost is the same for a long message as for a short one: one hash over the whole message plus one private-key operation.
b. The output is called the digital signature for this particular message.
c. The sender sends the message and the digital signature to the receiver.
d. The receiver verifies the digital signature using the sender's public key, which is publicly known. This gives the receiver a message digest, say MD-1.
e. The receiver also computes a new message digest on the received message, say MD-2. If MD-1 = MD-2, we achieve both message integrity (the message has not been tampered with, because an attacker who altered it could not re-sign the new digest without the sender's private key) and non-repudiation (the message is proven to have been sent by the sender, since only he knows the private key corresponding to this public key) (Indicthreads.com, What are digital signatures). Figure 3.3 shows this.

Figure 3.3. Digital Signature - Process at Sender's and Receiver's End

The following is a sample program in Java which computes and verifies a digital signature.

// Compute and Verify a Digital Signature
// Originally written by Atul Kahate. Cleaned up here: SHA256withRSA and a
// 2048-bit key replace the original MD5withRSA / 1024-bit choices, which are no
// longer considered secure, and the raw signature bytes are printed as Base64
// rather than forced through new String(), which corrupts them.
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Signature;
import java.util.Base64;

public class DigitalSignatureExample {
    public static final String str = "This is the message to be digitally signed.";

    public static void main(String[] args) throws Exception {
        // Generate an RSA key pair
        System.out.println("Attempting to generate a key pair ...");
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.genKeyPair();
        System.out.println("Key pair generated successfully...");

        // Sign data: the message is hashed with SHA-256 and only the digest is
        // signed with the private key, so a long message costs one hash plus one RSA operation
        byte[] ba = str.getBytes(StandardCharsets.UTF_8);
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(kp.getPrivate());
        sig.update(ba);
        byte[] signedData = sig.sign();

        // Display plain text and signature
        System.out.println("Original plain text was : " + str);
        System.out.println("Signature is : " + Base64.getEncoder().encodeToString(signedData));
        System.out.println("=== Now trying to verify signature ===");

        // Now verify the signature with the public key
        sig.initVerify(kp.getPublic());
        sig.update(ba);
        boolean isSignOk = sig.verify(signedData);
        System.out.println("Signature verification results are: " + isSignOk);

        // A tampered message must fail: MD-1, recovered from the signature,
        // no longer matches MD-2, recomputed over the altered bytes
        byte[] tampered = (str + " (altered)").getBytes(StandardCharsets.UTF_8);
        sig.initVerify(kp.getPublic());
        sig.update(tampered);
        System.out.println("Verification of a tampered message: " + sig.verify(signedData));
    }
}
(Atul Kahate, July 11, 2007)

)2A2 ?ow to compute and %eri- MACs o- long messages


In cr ptograp& 7 a message aut(enti&ation &ode 4MAC5 is a s&ort piece o- in-ormation used to aut&enticate a message2 A MAC algorit&m7 sometimes called a ke)ed (as( fun&tion7 accepts a secret ke and a message to *e aut&enticated7 and outputs a MAC7 or called a tag2 T&e MAC %alue ensures integrit and aut&enticit -or messages * allowing %eri-iers to detect an c&anges2 /&ile MACs are similar to &as& -unctions7 t&e &a%e di--erent securit re=uirements2 To *e secure7 a MAC -unction must *e a*le to resist plaintext attacks2 T&is means t&at e%en i- an attacker &as access to a secret ke and generates MACs -or messages7 &e cannot guess t&e MAC -or messages t&at &as not et *een asked2 MACs di--er -rom digital signatures7 as MAC %alues are generated and %eri-ied using t&e same secret ke 2 T&is implies t&at t&e sender and recei%er o- a message must &a%e ke s *e-ore initiating communications7 as in t&e case wit& s mmetric encr ption2 ,urt&ermore7 MACs cannot pro%ide non;repudiation o--ered * signatures2 An user w&o can %eri- a MAC can also generate MACs -or ot&er messages2 .n t&e ot&er &and7 a digital signature is generated using t&e pri%ate ke o- a ke pair7 w&ic& is as mmetric encr ption2 Since t&is pri%ate ke is onl accessi*le to its &older7 a digital signature pro%es t&at a document is in -act signed * t&at &older2 Because o- t&is7 digital signatures o--er non;repudiation 4/ikipedia7 Message Aut&entication Code7 accessed April "#2 "##$52 Example is s&own in Figure 1.3 *elow


Figure 1.3. Sending messages using a MAC algorithm

In this example, a sender runs a message through a MAC algorithm to produce a MAC data tag. The message and the MAC tag are then sent to the receiver. The receiver runs the message portion of the transmission through the same MAC algorithm using the same key, producing a second MAC data tag. The receiver then compares the first MAC tag received to the second MAC tag. If they are identical, the receiver can assume that the message has integrity, i.e. that it was not altered in transit.

3.6. Comparison of digital signatures and message authentication codes

A digital signature is generated using the private key of a key pair, which is asymmetric encryption. Since this private key is only known to its holder, a digital signature proves that a document was in fact signed by that holder. Thus, digital signatures provide non-repudiation. Message authentication code (MAC) values, on the other hand, are generated and verified using the same secret key. This means that the sender and receiver of a message must agree on keys before initiating communications, as in the case with symmetric encryption.


Compared to digital signatures, MACs do not provide non-repudiation. Any user who can verify a MAC is also capable of generating MACs for other messages (Wikipedia, Message Authentication Code, accessed April 20, 2009).
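Added example (not from the report or its sources) of what sections 3.5 and 3.6 describe, using Python's standard library: the tag is computed over a long message fed in chunks, the receiver recomputes it with the shared key and compares in constant time, a single flipped bit is detected, and, illustrating the non-repudiation point, whoever holds the key can produce a valid tag for a different message. The key and message are constructed for illustration.

```python
import hmac
import hashlib

# Constructed key and message for illustration (not from the report).
KEY = b"shared-secret-key-for-demo"
LONG_MESSAGE = b"Transfer 100 units to account 42. " * 4096   # about 136 KB

def compute_mac(key: bytes, message: bytes, chunk_size: int = 8192) -> bytes:
    """Sender side: HMAC-SHA256 tag over a message of any length.

    The message is fed to the HMAC object in chunks, so a long message
    (or a file being streamed) never has to be held in memory at once.
    """
    h = hmac.new(key, digestmod=hashlib.sha256)
    for offset in range(0, len(message), chunk_size):
        h.update(message[offset:offset + chunk_size])
    return h.digest()

def verify_mac(key: bytes, message: bytes, tag: bytes) -> bool:
    """Receiver side: recompute the tag with the shared key and compare.

    compare_digest runs in constant time, so the comparison does not leak
    how many leading bytes of a guessed tag were correct.
    """
    return hmac.compare_digest(compute_mac(key, message), tag)

def demo() -> dict:
    tag = compute_mac(KEY, LONG_MESSAGE)
    # Flip one bit deep inside the message to simulate tampering in transit.
    tampered = bytearray(LONG_MESSAGE)
    tampered[100_000] ^= 0x01
    # Anyone who can verify (i.e. holds the key) can also tag a new message,
    # which is why a MAC gives integrity and authenticity but not non-repudiation.
    new_message = b"Transfer 100000 units to account 13."
    new_tag = compute_mac(KEY, new_message)
    return {
        "tag_len": len(tag),                                  # 32 bytes for SHA-256
        "genuine_ok": verify_mac(KEY, LONG_MESSAGE, tag),
        "tampered_ok": verify_mac(KEY, bytes(tampered), tag),
        "wrong_key_ok": verify_mac(b"some-other-key", LONG_MESSAGE, tag),
        "chunked_equals_one_shot":
            tag == hmac.new(KEY, LONG_MESSAGE, hashlib.sha256).digest(),
        "key_holder_can_tag_new_message": verify_mac(KEY, new_message, new_tag),
    }
```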


TASK 4. TCP ALGORITHMS


In the context of TCP congestion control:
a. Explain the operation of the THREE elements which make up the TCP congestion control algorithm.
b. With the aid of diagrams where appropriate, compare and contrast the Tahoe, Reno and Vegas TCP algorithms.

4.1. Introduction

This task discusses TCP congestion control and focuses on three algorithms, namely TCP Tahoe, Reno and Vegas.

4.2. Operation of the elements of a TCP congestion control algorithm


Early TCPs had a major weakness: their inability to relate data flow rates to congestion in the network. The issues then were how to detect congestion, and how to make the flow rate relate to the congestion level. To address these issues, Van Jacobson, former Cisco Chief Technical Officer, introduced TCP Tahoe in 1988-1989. Van Jacobson focused on congestion control as a means of addressing the problem of congestion in networks. There are three elements of congestion control in TCP Tahoe. These are:
- Additive increase, multiplicative decrease
- Slow start
- Fast retransmit.

1. Additive increase, multiplicative decrease

Each time a packet drop occurs, the window size is slashed in half: a multiplicative decrease is executed. Congestion is avoided using multiplicative decrease.


When no losses are observed, the window size is increased gradually: an additive increase is executed. The algorithm for additive increase and multiplicative decrease can be described as follows:
- Increment the congestion window by one packet per RTT (linear increase)
- Divide the congestion window by two whenever a timeout occurs (multiplicative decrease)

In practice, the window is incremented a little for each ACK:

    Increment = (MSS * MSS) / CongestionWindow
    CongestionWindow += Increment

2. Slow Start

The purpose of slow start is to determine the available capacity quickly. To do this:
- Estimate an optimistic congestion window using the congestion threshold
- The congestion window starts with 1 packet
- For each RTT, the congestion window is doubled (increment by 1 packet for each ACK)
- When the congestion threshold is crossed, additive increase is used.


Slow start is used when:
- first starting a connection, and
- the connection goes dead waiting for a timeout.

3. Fast retransmit

When coarse-grain TCP timeouts lead to idle periods, fast retransmit performs the following:
- Send an ACK on every packet reception
- Send a duplicate of the last ACK when a packet is received out of order
- Use duplicate ACKs to trigger retransmission.

When fast recovery is used in TCP Reno, the slow start phase is skipped. Instead, the last successful congestion window is directly halved.


4.3. Comparison of various TCP algorithms


TCPs either control congestion or avoid congestion. As discussed above, TCP Tahoe uses congestion control as its approach. In contrast, two other TCP types, TCP Reno and TCP Vegas, use congestion avoidance as their approach. TCP Reno and its derivatives today use congestion avoidance as follows:
- Try to avoid forcing the source to go to slow start
- The source goes to slow start initially and upon timeouts
- The source cuts the congestion window in half upon a fast retransmit
- Single packet drops can be caught by the fast retransmit / fast recovery algorithm
- Multiple consecutive packet drops will force the source into slow start.

CONGESTION AVOIDANCE

The standard TCP strategy controls congestion once it happens: it repeatedly increases the load in an effort to find the point at which congestion occurs, and then backs off. An alternative strategy, congestion avoidance, is to predict when congestion is about to happen and then reduce the rate before packets start being discarded.

TCP VEGAS

TCP Vegas adopts congestion avoidance instead of congestion control. It predicts and avoids congestion even before it occurs.


TCP Tahoe and Reno, on the other hand, adopt congestion control: they control congestion after it occurs. To predict congestion, TCP Vegas lets the source watch for some sign that a router's queue is building up, which could lead to congestion. In TCP Vegas, congestion is expected when the RTT grows and the sending rate flattens.

Packet accumulation in the network can be inferred by monitoring the RTT and the sending rate, as shown graphically below:


TCP Tahoe and Reno offer two variations of the same approach. To avoid congestion collapse, TCP Tahoe and TCP Reno maintain a congestion window, limiting the total number of unacknowledged packets that may be in transit end-to-end. This is somewhat similar to TCP's sliding window used for flow control. TCP uses slow start to increase the congestion window after a connection is initialized and after a timeout. It starts with a window of two times the maximum segment size (MSS). Although the initial rate is low, the rate of increase is rapid: for every packet acknowledged, the congestion window increases by 1 MSS, so that for every round trip time (RTT) the congestion window is doubled. When the congestion window exceeds a threshold, ssthresh, the algorithm performs congestion avoidance (Jacobson, Van, 1995, Congestion Avoidance and Control, ACM SIGCOMM Computer Communication Review 25 (1): 157–187, doi:10.1145/205447.205462). In some implementations, the initial ssthresh is large, and so the first slow start usually ends after a loss. However, ssthresh is updated at the end of each slow start, and affects subsequent slow starts triggered by timeouts.

In congestion avoidance, the congestion window is additively increased by one MSS every round trip time. When a packet is lost, duplicate ACKs will be received. The behaviour of Tahoe and Reno differs in how they detect and react to packet loss. In TCP Tahoe, loss is detected when a timeout expires before an ACK is received. Tahoe then reduces the congestion window to 1 MSS and resets to slow start. In TCP Reno, on the other hand, if three duplicate ACKs are received (i.e., three ACKs acknowledging the same packet, which are not piggybacked on data and do not change the receiver's advertised window), Reno will halve the congestion window, perform a "fast retransmit", and enter a phase called fast recovery. If an ACK times out, slow start is used in the same manner as with Tahoe.

In fast recovery (TCP Reno only), TCP Reno retransmits the missing packet that was signalled by 3 duplicate ACKs, and waits for an acknowledgment of the entire transmit window before returning to congestion avoidance. If it is not acknowledged, TCP Reno experiences a timeout and enters a slow-start state.


On a timeout, both algorithms reduce the congestion window to 1 MSS.

TCP VEGAS

Until the mid-1990s, all TCPs set timeouts and measured round-trip delays based upon the last transmitted packet in the transmit buffer. Larry Peterson and Lawrence Brakmo introduced TCP Vegas, where timeouts are set and round-trip delays are measured for every packet in the transmit buffer. Also, TCP Vegas uses additive increases and additive decreases in the congestion window.
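Added example (not from the report) that turns the three Tahoe elements of section 4.2 and the Tahoe/Reno comparison of section 4.3 into a small congestion-window simulator in Python: slow start up to ssthresh, additive increase beyond it, and the different reactions of Tahoe and Reno to three duplicate ACKs and to a timeout, with a text plot standing in for the diagram. The event trace is constructed; Vegas is not modelled, since its RTT-based prediction needs delay measurements the trace does not carry.

```python
# Simplified cwnd model; the window is counted in segments (MSS = 1).
# The event trace below is constructed for illustration.
SAMPLE_TRACE = ["rtt"] * 4 + ["dupack3"] + ["rtt"] * 3 + ["timeout"] + ["rtt"] * 2

def simulate(variant: str, events: list, ssthresh: int = 8) -> list:
    """Return the congestion window (in segments) after each event.

    Events: 'rtt'     one round trip in which every segment was ACKed
            'dupack3' three duplicate ACKs, i.e. a single lost segment
            'timeout' the retransmission timer expired
    Slow start doubles cwnd every RTT until ssthresh is reached, then
    congestion avoidance adds one segment per RTT (additive increase).
    Any loss halves ssthresh (multiplicative decrease). Tahoe restarts
    cwnd at 1 for every loss; Reno, on three duplicate ACKs, performs
    fast retransmit and fast recovery and resumes from the halved window.
    """
    if variant not in ("tahoe", "reno"):
        raise ValueError("variant must be 'tahoe' or 'reno'")
    cwnd, history = 1, []
    for event in events:
        if event == "rtt":
            if cwnd < ssthresh:
                cwnd = min(cwnd * 2, ssthresh)   # slow start: +1 segment per ACK
            else:
                cwnd += 1                        # avoidance: MSS*MSS/cwnd per ACK
        elif event == "dupack3":
            ssthresh = max(cwnd // 2, 2)
            cwnd = 1 if variant == "tahoe" else ssthresh
        elif event == "timeout":
            ssthresh = max(cwnd // 2, 2)
            cwnd = 1                             # both variants return to slow start
        else:
            raise ValueError(f"unknown event {event!r}")
        history.append(cwnd)
    return history

def compare(events: list = SAMPLE_TRACE) -> dict:
    """Run both variants over the same trace and total the segments sent."""
    out = {v: simulate(v, events) for v in ("tahoe", "reno")}
    out["segments_sent"] = {v: sum(out[v]) for v in ("tahoe", "reno")}
    return out

def ascii_plot(history: list) -> str:
    """Text bar chart of cwnd over time, one row per event."""
    return "\n".join(f"{i:2d} {'#' * cwnd}" for i, cwnd in enumerate(history, 1))

if __name__ == "__main__":
    for variant in ("tahoe", "reno"):
        print(variant.upper())
        print(ascii_plot(simulate(variant, SAMPLE_TRACE)))
```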


TASK 5. THE WEB CACHE


a. Explain the function of an http proxy (also known as a web cache) and give an example.
b. Detail three reasons for the recent increase in the deployment of http proxies on the Internet.
c. Explain with examples why the increased application of database-driven dynamic web content reduces the effectiveness of http proxies.

5.1. Introduction

Web caching is the storing of web documents such as HTML pages and images in order to reduce bandwidth usage, server load, and perceived lag. It increases processing speed by storing copies of documents passing through the cache and making these stored documents available when subsequent requests for the same documents are made, without having to access the source again. This task describes the functions of an HTTP proxy and the reasons for their increased use, and explains why the use of database-driven dynamic content reduces the effectiveness of HTTP proxies (Wikipedia, Web Cache, accessed April 20, 2009).

5.2. Functions of an HTTP proxy


HTTP is a request/response standard between a client and a server. The client is the end user, while the server is the web site. The client making an HTTP request is called a user agent. The server which stores or creates resources such as HTML files and images is called the origin server. In between the user agent and the origin server are intermediaries, such as proxies, gateways, and tunnels (Fielding, et al., Internet RFC 2616, section 1.4, retrieved on January 21, 2009). When an HTTP client starts a request, it establishes a Transmission Control Protocol (TCP) connection to a port on a host (port 80 by default). An HTTP server listening on that port waits for the client to send a request message. When a request is received, the server sends back a status line, such as "HTTP/1.1 200 OK", and a message of its own: the requested resource, or an error message (Wikipedia, HTTP, accessed April 20, 2009).


5.3. Reasons for the increase in the use of HTTP proxies


HTTP proxy servers are popular because they are used by many browsers and download managers. The use of HTTP proxies has encouraged the development of many applications, such as those used in news media, finance organizations, and search organizations. An article on HTTP proxies at Stayinvisible.com describes HTTP proxies as allowing work on the Internet with the HTTP and FTP protocols. An HTTP proxy stores information downloaded from the Internet and then serves as the source when subsequent requests for it are made. Some of the abilities of HTTP proxies that encourage their use are as follows:

1. Anonymity of HTTP proxies

HTTP proxy servers have several anonymity levels. These are:
- Transparent level - these proxies are not anonymous. They let web servers know that a proxy server is used and show the IP address of the client. The task of such proxies is information caching and support of Internet access for several computers via a single connection.
- Anonymous level - these proxy servers let a remote computer or web server know that a proxy server is used, but do not reveal the IP address of the client.
- Distorting level - unlike transparent and anonymous proxies, distorting proxy servers transfer an IP address to the remote web server but show a randomly generated IP address.
- High anonymity level - they do not let web servers know that a proxy server is being used, nor the IP address of the client (http proxy servers, stayinvisible.com).

2. HTTP proxy chaining

HTTP proxies can be organized into a chain, and this improves anonymity on the Internet. If there is a corporate proxy and Internet access is possible only through it, you can build a chain based on the corporate proxy:
- If the corporate proxy is a SOCKS proxy, any chain can be made.
- If the corporate proxy is an HTTP proxy, you can create a chain using only HTTP and CGI proxies (Stayinvisible.com, HTTP Proxy Servers).

5.4. Effectiveness of HTTP proxies


The increased use of database-driven dynamic web content reduces the effectiveness of HTTP proxies. The reason for this is the transfer of the proxy's role from the client side to the web site where the information comes from. Because the database already holds the information, there is very little need for a proxy to reside on the client side. The increase in database-driven web sites in banking services, news organizations and similar sites has reduced the effectiveness of HTTP proxies on the client side because this function has moved from the client to the source site. This means that a web page grabs information from a database and inserts that information into the page each time it is loaded. If the information in the database changes, the web page also changes accordingly, without human intervention. This is seen on online banking sites where you log in and check your bank account balance. Your bank account information is stored in a database and has been connected to the web page with programming, thus enabling you to see your banking information (Killersites.com, accessed April 20, 2009).
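Added example (not from the report or its sources) showing the mechanism behind this section: a simplified shared-cache decision in the spirit of RFC 2616 section 13, replayed over constructed traffic in which a static image is cached and reused while database-generated pages (marked no-cache, or private/no-store with a Set-Cookie header, as a banking balance page would be) must be fetched from the origin on every load. The paths, headers and responses are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Response:
    status: int
    headers: dict          # header names in lower case
    body: bytes = b""

# Constructed origin responses for illustration (not from the report).
ORIGIN = {
    # static file: explicitly shareable and fresh for a day
    "/images/logo.png": Response(200, {"cache-control": "public, max-age=86400"}, b"<png>"),
    # database-driven page that changes with every load: must be revalidated
    "/news/latest": Response(200, {"cache-control": "no-cache"}, b"<html>latest</html>"),
    # per-user account page: private and tied to a session cookie
    "/account/balance": Response(200, {"cache-control": "private, no-store",
                                       "set-cookie": "session=abc"}, b"<html>balance</html>"),
}

def parse_cache_control(value: str) -> dict:
    """'public, max-age=86400' -> {'public': None, 'max-age': '86400'}"""
    directives = {}
    for item in value.split(","):
        name, _, arg = item.strip().lower().partition("=")
        if name:
            directives[name] = arg or None
    return directives

def is_cacheable(method: str, resp: Response) -> bool:
    """Simplified shared-cache decision in the spirit of RFC 2616 section 13."""
    if method != "GET" or resp.status != 200:
        return False
    cc = parse_cache_control(resp.headers.get("cache-control", ""))
    if set(cc) & {"no-store", "no-cache", "private"}:
        return False                       # dynamic or per-user content
    if "set-cookie" in resp.headers or resp.headers.get("vary") == "*":
        return False                       # response is bound to one client
    max_age = cc.get("max-age") or "0"
    return (max_age.isdigit() and int(max_age) > 0) or "expires" in resp.headers

def run_proxy(requests: list) -> dict:
    """Replay (method, path) requests through one shared cache and count hits."""
    cache, stats = {}, {"hits": 0, "misses": 0}
    for method, path in requests:
        if method == "GET" and path in cache:
            stats["hits"] += 1
            continue
        resp = ORIGIN[path]                # a real proxy forwards to the origin here
        stats["misses"] += 1
        if is_cacheable(method, resp):
            cache[path] = resp
    stats["hit_ratio"] = round(stats["hits"] / len(requests), 2)
    return stats

# Three users each load the logo, the news page and their own balance.
SAMPLE_REQUESTS = [("GET", p) for _ in range(3)
                   for p in ("/images/logo.png", "/news/latest", "/account/balance")]
```

Only the static logo produces cache hits: two of nine requests, so the proxy saves almost nothing once most of the traffic is per-user dynamic content.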


6. REFERENCES

Abhishek Singh, CISSP, December 14, 2005, Demystifying Denial-Of-Service Attacks, Part 1, http://www.securityfocus.com/infocus/1853
Atul Kahate, July 11, 2007, What are Digital Signatures? Compute and Verify a Digital Signature Using Java, http://www.indicthreads.com/1480/what-are-digital-signatures-compute-and-verify-a-digital-signature-using-java/
Clemm, A., Network Management Fundamentals, CiscoPress, 2006
http://en.wikipedia.org/wiki/Simple_Network_Management_Protocol
Dancho Danchev, January 7, 2005, Passwords - Common Attacks and Possible Solutions, http://www.windowsecurity.com/articles/Passwords-Attacks-Solutions.html
Fielding, et al., Internet RFC 2616, section 1.4, http://en.wikipedia.org/wiki/HTTP
Jacobson, Van, 1995, Congestion Avoidance and Control, ACM SIGCOMM Computer Communication Review 25 (1): 157–187, doi:10.1145/205447.205462, http://ee.lbl.gov/papers/congavoid.pdf
Microsoft Technet, Windows Media Services Deployment Guide, http://technet.microsoft.com/en-us/library/cc726032.aspx
Tanase, Matthew, IP Spoofing: An Introduction, March 11, 2003, http://www.securityfocus.com/infocus/1674
http://www.iss.net/Industry/educational_institutions/index.html
http://burks.bton.ac.uk/burks/pcinfo/hardware/ethernet/managed.htm
Networkdictionary.com, Network Management Technologies, http://www.networkdictionary.com/networking/NetworkManagementTechnologies.php
Wikipedia, Brute Force Attack, http://en.wikipedia.org/wiki/Brute_force_attack
Wikipedia, Internet Protocol Suite, http://en.wikipedia.org/wiki/Internet_protocol_suite
Wikipedia, Managed Objects, http://en.wikipedia.org/wiki/Managed_object
Wikipedia, Management Information Base, http://en.wikipedia.org/wiki/Management_Information_Base
Wikipedia, Network Management, http://en.wikipedia.org/wiki/Network_management
Wikipedia, Public Key Cryptography, http://en.wikipedia.org/wiki/Public-key_cryptography
Wikipedia, Simple Network Management Protocol, http://en.wikipedia.org/wiki/Simple_Network_Management_Protocol
Wikipedia, Message Authentication Code, http://en.wikipedia.org/wiki/Message_authentication_code
Wikipedia, TCP Congestion Avoidance Algorithm, http://en.wikipedia.org/wiki/TCP_congestion_avoidance_algorithm
Wikipedia, Web Cache, http://en.wikipedia.org/wiki/Web_cache
http://www.stayinvisible.com/proxy_encyclopedia/http_proxy_servers.html
http://www.killersites.com/articles/articles_databaseDrivenSites.htm

7. BIBLIOGRAPHY

Fred B. Schneider, Hashes and Message Digests, Cornell University
Fall, Kevin; Sally Floyd (July 1996), Simulation-based Comparisons of Tahoe, Reno and SACK TCP (PostScript), Computer Communications Review, ftp://ftp.ee.lbl.gov/papers/sacks.ps.Z
Jacobson, Van (1995), Congestion Avoidance and Control, ACM SIGCOMM Computer Communication Review 25 (1): 157–187, doi:10.1145/205447.205462, http://ee.lbl.gov/papers/congavoid.pdf
Ari Luotonen, Web Proxy Servers (Prentice Hall, 1997), ISBN 0-13-680612-0
Duane Wessels, Web Caching (O'Reilly and Associates, 2001), ISBN 1-56592-536-X
Rabinovich, Michael and Spatschak, Oliver, Web Caching and Replication (Addison Wesley, 2001), ISBN 0-201-61570-3

