
Questions?

1. What is a protocol? A protocol is the agreed set of rules that the end points of a telecommunication connection follow when they communicate.

2. What is TCP/IP?

TCP (Transmission Control Protocol) - the rules for exchanging messages with other Internet hosts at the packet level; it gives applications a reliable, ordered byte stream on top of IP

IP (Internet Protocol) - the rules for addressing and delivering datagrams between hosts at the Internet address level; delivery is best-effort, with no guarantee of arrival or order

Questions?

3. What is SMTP used for? Simple Mail Transfer Protocol is used to deliver messages from a client to its outgoing mail server and between mail servers

4. What are the two types of protocols that the incoming and outgoing mail servers use? POP (or IMAP) for incoming mail and SMTP for outgoing mail

5. What does the MIME standard provide? Multipurpose Internet Mail Extensions provide definitions for content types such as applications, images and other multimedia files, so that non-text content can be carried in mail messages

Questions?

6. What is IMAP? Internet Message Access Protocol. IMAP provides direct access to the messages that are stored on the server, whereas POP downloads them to the client

Image files

Web browsers accept two types of image files:

- .GIF - Graphics Interchange Format
- .JPG (or JPEG) - Joint Photographic Experts Group

Sound files

Three types of sound files are popular on the Web:

- .WAV
- .MID
- .MP3

(.AVI, often listed alongside them, is a video container format rather than a sound format)

Voice Over IP

Voice-over-IP (VoIP) is a method for sending voice data using the IP protocol

VoIP interfaces with the public switched telephone network (PSTN) and attempts to provide the same quality of service

Protocols used in VoIP are:

- RTP (Real-time Transport Protocol)
- RTCP (RTP Control Protocol)
- RSVP (Resource Reservation Protocol)

Video

The problems associated with network video are worse than for network audio: greater bandwidth is required and it is easy to visually spot problems with the video stream

The same set of protocols (as for audio) is used to manage the information

It is now affordable for any PC owner to purchase an inexpensive colour camera that connects to the parallel (printer) port or USB port and allows real-time capture of video

RTP carries real-time data (normally over UDP) with sequence numbers and timestamps, so the receiver can detect loss and play samples out in the right order; it does not retransmit, because a late packet is useless for live audio

RTCP monitors the VoIP session (loss, jitter, round-trip time) so that the endpoints can maintain the quality of service (QoS)

RSVP reserves network resources along the path for the duration of the connection

The voice processing and gateway/terminal operation are specified by the H.323 standard

Virtual Private Networks (VPN)

A virtual private network allows remote private LANs to communicate securely through an untrusted public network such as the Internet

[Figure: three Citibank private LANs (Washington D.C., New York, Boston) linked across the Internet by VPN tunnels]

VPNs

Using VPNs, only authorized members of the network are allowed access to the data

A VPN uses an IP tunneling protocol and security services that are transparent to the private network users

Using a VPN, a private LAN connected to the Internet can be connected to other LANs using a combination of tunneling, encryption and authentication

Tunneling means that data is transferred through the public network in an encapsulated form

All of the original data, including the addresses of the sender and destination, is enclosed within the outer packet

Packets that are protected by tunneling, encryption and authentication together offer the highest level of security; tunneling alone hides the inner addresses from the public network but does nothing to protect the content

VPNs

The IP Security (IPSec) standards provide a security protocol for tunneling as well as for data privacy, integrity and authentication, creating a truly secure VPN

IPSec is a set of protocols developed by the Internet Engineering Task Force (IETF) that adds security services to TCP/IP networking at the IP layer

IPSec offers a solution to data privacy, integrity and authentication that is network independent and application independent, and supports all IP services (e.g. HTTP, FTP)

Setting up a Web server

One of the most popular Web server programs is the Apache Server from the Apache Software Foundation

Two of the reasons why the Apache Server is the most popular are that it is free and fully featured

To download an Apache Server free of charge go to http://www.apache.org

After the Web server is installed, it is necessary to update the configuration file to provide a server name, e-mail contact and several other items
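As an added example (not from the original slides), here is the kind of httpd.conf fragment the previous paragraph refers to. The directive names are Apache's own; the host name, address and paths are placeholders. The second group of directives is not on the slide but is what a security engineer sets at the same time, so the server does not advertise its version or let the TRACE method and directory listings leak information:

```apache
# Added example httpd.conf fragment. Host name, contact address and paths are placeholders.
# Apache comments must sit on their own line, never after a directive.

# Name the server reports and uses for self-referential URLs
ServerName www.example.com:80
# E-mail contact shown on server-generated error pages
ServerAdmin webmaster@example.com
Listen 80
DocumentRoot "/var/www/html"

# Security-relevant defaults worth setting while the file is open:
# send only "Apache" in the Server header, not version, OS or module list
ServerTokens Prod
# no version footer on error pages and directory listings
ServerSignature Off
# disable the TRACE method
TraceEnable Off

<Directory "/var/www/html">
    # no automatic directory listings, no server-side includes
    Options -Indexes -Includes
    AllowOverride None
    Require all granted
</Directory>
```

`Require all granted` is the Apache 2.4 access-control syntax; on 2.2 the equivalent is `Order allow,deny` / `Allow from all`. Check the result with `apachectl configtest` before restarting.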

Hypertext Transfer Protocol

The protocol used for communication between a browser and a Web server, or between intermediate machines and Web servers, is known as HTTP

Characteristics of HTTP:

- Application level: HTTP operates at the application level. It assumes a reliable, connection-oriented transport protocol such as TCP but does not itself provide retransmission

- Request/response: once a transport session has been established, one side (usually a browser) must send an HTTP request, to which the other side responds

- Stateless: each HTTP request is self-contained; the server does not keep a history of previous requests or previous sessions

HTTP characteristics

- Bi-directional transfer: in most cases a browser requests a Web page and the server transfers a copy to the browser, but data also flows the other way, e.g. when a form is submitted

- Capability negotiation: HTTP allows browsers and servers to negotiate details such as the character set to be used during transfers

- Support for caching: to improve response time, a browser may cache a copy of each Web page it retrieves and reuse it while the copy is still fresh

- Support for intermediaries: HTTP allows a machine along the path between a browser and a server to act as a proxy server that caches Web pages and answers a browser's request from its cache

Internet Security and Firewall Design

Internet Firewall

A configuration of routers and networks placed between an organization's internal network and its connection to the external Internet to provide security

[Figure: the Internet on one side, the organization's net on the other, with the firewall between them protecting the organization]

Firewall

If an organization has multiple Internet connections, a firewall must be placed at each, and all the organization's firewalls must be configured to enforce the organization's security policy

A firewall must be secure. That is:

- All traffic entering the organization passes through the firewall
- All traffic leaving the organization passes through the firewall
- The firewall implements the security policy and rejects any traffic that does not adhere to the policy
- The firewall itself is immune to security attacks

Firewall

Firewalls are the most important security tool used to handle network connections between two organizations that do not trust each other

By limiting access to a small set of computers, a firewall can prevent outsiders from probing all computers in an organization with unwanted traffic

With a firewall a manager can restrict incoming packets to a small set of computers

It is less expensive to install a firewall than to make every computer system secure (though a firewall does not remove the need to secure the hosts it deliberately exposes)
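The policy described in the last few slides, "reject any traffic that does not adhere to the policy" and "restrict incoming packets to a small set of computers", comes down to a rule list with a default-deny entry at the end. The following is an added example (not code from the slides) of a stateless packet filter that evaluates such a list, first match wins; the addresses, rules and sample packets are constructed for illustration:

```python
"""Added example: a stateless packet filter enforcing a default-deny policy.
The rule set and the sample packets are constructed for illustration; they are
not from the original slides."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (Internet -> organization) or "out"
    proto: str       # "tcp", "udp", "icmp"
    src: str
    dst: str
    dport: int = 0   # destination port; 0 for protocols without ports


@dataclass(frozen=True)
class Rule:
    action: str      # "allow" or "deny"
    direction: str   # "in", "out" or "any"
    proto: str       # protocol name or "any"
    src: str         # CIDR the source address must fall in
    dst: str         # CIDR the destination address must fall in
    dports: tuple = ()   # empty tuple means any port

    def matches(self, p: Packet) -> bool:
        return (self.direction in ("any", p.direction)
                and self.proto in ("any", p.proto)
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and (not self.dports or p.dport in self.dports))


# Policy: outsiders may reach only the public web server (192.0.2.10) on 80/443;
# insiders (192.0.2.0/24) may browse and resolve names; everything else is dropped
# by the final catch-all rule. First matching rule wins.
POLICY = [
    Rule("allow", "in",  "tcp", "0.0.0.0/0",    "192.0.2.10/32", (80, 443)),
    Rule("allow", "out", "tcp", "192.0.2.0/24", "0.0.0.0/0",     (80, 443)),
    Rule("allow", "out", "udp", "192.0.2.0/24", "0.0.0.0/0",     (53,)),
    Rule("deny",  "any", "any", "0.0.0.0/0",    "0.0.0.0/0"),    # default deny
]


def decide(packet: Packet, rules=POLICY) -> str:
    """Return the action of the first matching rule; deny if nothing matches."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action
    return "deny"


SAMPLE = [  # constructed traffic, annotated with the expected verdict
    Packet("in",  "tcp", "198.51.100.7", "192.0.2.10", 443),    # to web server: allow
    Packet("in",  "tcp", "198.51.100.7", "192.0.2.20", 22),     # SSH to a workstation: deny
    Packet("in",  "tcp", "198.51.100.7", "192.0.2.10", 3306),   # DB port on web host: deny
    Packet("out", "tcp", "192.0.2.20",   "203.0.113.5", 443),   # insider browsing: allow
    Packet("out", "tcp", "192.0.2.20",   "203.0.113.5", 6667),  # outbound IRC: deny
]


def filter_all(packets=SAMPLE) -> list:
    return [decide(p) for p in packets]


if __name__ == "__main__":
    for p, verdict in zip(SAMPLE, filter_all()):
        print(f"{verdict:5} {p.direction:3} {p.proto} {p.src} -> {p.dst}:{p.dport}")
```

The rules here only look at addresses and ports, so they inherit the weakness the slides note later for source-address checks: a spoofed source address passes the "src" test. Real firewalls add connection tracking so that an inbound packet is accepted only as part of a session an insider opened.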

Internet Cookies

An Internet cookie is a message given to a Web browser by a Web server

The browser stores the message in its cookie store (historically a text file such as cookies.txt)

The saved message is sent back to the server each time the browser requests a page from the server (this allows the server to track the user's access to pages on the Web server)

Cookies that carry an expiry date are called persistent cookies because they stay in the browser for long periods of time; a cookie without one is a session cookie and is discarded when the browser closes

Having identified the client computer with a persistent name stored in the cookie file, server-side applications (such as CGI scripts) can be used to both store and retrieve information from the client side of the connection
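The HTTP characteristics slides and the cookie slide describe one mechanism: HTTP is stateless, so the only way a server can recognise a returning browser is the cookie the browser sends back. The following added example (not code from the slides) carries out that exchange on raw HTTP/1.1 messages without touching the network, so the wire format and the round trip of the cookie are visible. The host name, path and cookie name are constructed for the example:

```python
"""Added example: the HTTP request/response exchange from the slides, with the
server handing out a cookie and recognising it on the next request. No network
is used; messages are built and parsed as bytes. Names and values are constructed."""
import secrets


def parse_message(raw: bytes):
    """Split an HTTP/1.1 request or response into (start_line, headers, body).
    Header names are lower-cased because HTTP treats them case-insensitively."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def build_request(method: str, path: str, host: str, extra=None) -> bytes:
    """A minimal HTTP/1.1 request; Accept-Charset is the capability negotiation
    the slides mention. HTTP/1.1 makes the Host header mandatory."""
    headers = {"Host": host, "Accept-Charset": "utf-8", **(extra or {})}
    head = f"{method} {path} HTTP/1.1\r\n" + "".join(f"{k}: {v}\r\n" for k, v in headers.items())
    return head.encode("iso-8859-1") + b"\r\n"


def parse_cookie_header(value: str) -> dict:
    """'a=1; b=2' -> {'a': '1', 'b': '2'}"""
    pairs = (p.partition("=") for p in value.split(";") if p.strip())
    return {k.strip(): v.strip() for k, _, v in pairs}


class Server:
    """Stateless HTTP handling: every request is self-contained, and the only
    per-client state lives in this dict, keyed by the value of the 'sid' cookie."""

    def __init__(self):
        self.visits = {}

    def handle(self, raw_request: bytes) -> bytes:
        _start, headers, _body = parse_message(raw_request)
        if "host" not in headers:
            return self._response(400, "Bad Request", {}, b"missing Host header")
        sid = parse_cookie_header(headers.get("cookie", "")).get("sid")
        set_cookie = {}
        if sid not in self.visits:                 # new (or unknown/forged) client
            sid = secrets.token_hex(16)            # unguessable identifier, never a username
            self.visits[sid] = 0
            set_cookie = {"Set-Cookie": f"sid={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"}
        self.visits[sid] += 1
        return self._response(200, "OK", set_cookie, f"visit number {self.visits[sid]}".encode())

    @staticmethod
    def _response(code: int, reason: str, extra: dict, body: bytes) -> bytes:
        headers = {"Content-Type": "text/plain; charset=utf-8",
                   "Content-Length": str(len(body)), **extra}
        head = f"HTTP/1.1 {code} {reason}\r\n" + "".join(f"{k}: {v}\r\n" for k, v in headers.items())
        return head.encode("iso-8859-1") + b"\r\n" + body


def browse_twice(host: str = "www.example.com") -> list:
    """A browser fetches a page, stores the cookie it is given, and fetches again."""
    server, jar, results = Server(), {}, []
    for _ in range(2):
        extra = {"Cookie": "; ".join(f"{k}={v}" for k, v in jar.items())} if jar else None
        status, headers, body = parse_message(server.handle(build_request("GET", "/", host, extra)))
        if "set-cookie" in headers:                # keep only name=value, drop the attributes
            name, _, value = headers["set-cookie"].split(";")[0].partition("=")
            jar[name.strip()] = value.strip()
        results.append((status, body.decode()))
    return results


if __name__ == "__main__":
    for status, body in browse_twice():
        print(status, "|", body)
```

The `HttpOnly`, `Secure` and `SameSite` attributes are not on the slide; they are the attributes a practitioner adds today so that script cannot read the cookie, it is never sent over plain HTTP, and it is not attached to cross-site requests. Note also that the server treats an unknown cookie value as a new client rather than trusting whatever name the browser presents.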

Network Security Like the locks used to keep tangible property

secure, computers and data networks need provision to keep information secure

Security is required in every computer and protocol

There are two fundamental internet security mechanisms

- Perimeter security - Information Security

Security

Perimeter security allows an organization to determine the services and networks it will make available to outsiders and the extent to which outsiders can use internal resources

Information security encompasses many aspects of protection:

- Data integrity: a secure system must protect information from unauthorized change

- Data availability: the system must guarantee that outsiders cannot prevent legitimate access to data

- Privacy or confidentiality: the system must prevent outsiders from making copies of data as it passes across a network, or from understanding the contents of any copies they do obtain

- Authorization: although physical security often classifies people and resources into broad categories, security for information usually needs to be more restrictive

- Authentication: the system must allow two communicating entities to validate each other's identity

- Replay avoidance: to prevent outsiders from capturing copies of packets and using them later, the system must prevent a retained copy of a packet from being accepted

Encryption

Encryption ensures that your data cannot be read or used by any party while in transit

Your message is encrypted into an incomprehensible state before it leaves your computer

It stays in that state during its transmission over the Internet

It is not decrypted until the recipient receives it

Because public key cryptography is used, only the recipient can decipher the received message; no one else can

Public Key

The public key is available to others for use when encrypting information that will be sent to an individual, e.g. people can use a person's public key to encrypt information they want to send to that person. Similarly, people can use the person's public key to decrypt a message digest that the person encrypted with the matching private key, i.e. to verify that person's digital signature

Private Key

The private key is accessible only to the individual. The individual can use the private key to decrypt any messages encrypted with the public key. Similarly, the individual can use the private key to encrypt messages (or message digests), so that they can be decrypted with the corresponding public key

Exchanging keys secretly is no longer a concern, as it is with symmetric ciphers. I have my public key and private key. I send my public key to anyone on the Internet. With that public key, they encrypt their email. Since the email was encrypted with my public key, ONLY I can decrypt that email, with my private key. What remains is to be sure that a public key really belongs to the person it claims to (see the following slides on certificates)

If I want to encrypt my email to anyone else on the Internet, I need their public key

Each individual involved needs their own public/private key combination

How do you verify someone's public key?

How do you TRUST that the user is really who he says he is?

- You use a digital certificate. A digital certificate is a digital document that attests to the identity and key ownership of an individual, a computer system or an organization

e.g. a user's certificate verifies that the user owns a particular public key

Certificates are issued by certificate authorities. These authorities are responsible for verifying the identity and key ownership of the individual before issuing the certificate

e.g. http://www.verisign.com

Authentication

This is digital verification of who you are, much in the same way your driver's license proves your identity

Using standard email, there is no way to verify who the sender is. With digital signatures and certificates, you digitally encode verifiable proof of your identity into the mail

Integrity

This is the verification that the data you sent has not been altered

When information travels across the Internet, it is routed through various gateways (way stations)

It is possible for people to capture, alter, then resend the message

With a digital signature, your email cannot be altered without the recipient noticing; the certificate ties the signing key to you, and the signature is what detects the change

Creating Digital Signatures

When you email someone, your public/private key combination creates the digital signature. Format:

- The sender uses a message-digest (hash) algorithm to generate a short version (message digest) of the message that can be encrypted
- The sender uses their private key to encrypt the message digest
- The sender transmits the message and the encrypted message digest to the recipient
- Upon receiving the message, the recipient decrypts the message digest with the sender's public key
- The recipient applies the same hash function to the message to generate a fresh message digest
- The recipient compares the decrypted message digest against the newly generated message digest
- If the message digests are identical, the recipient knows the message is from the holder of the private key
- If the digests differ, the recipient knows that the message is from someone else or that the message was modified during transmission

The encrypted message digest serves as a digital signature for the message

The signature verifies the identity of the sender and the contents of the message

If the message was modified during transmission, the hash function will generate a different message digest when applied after the transmission
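The public/private key slides and the signature procedure above can be walked through with textbook RSA. The following added example (not code from the slides) does exactly that: hash the message, "encrypt" the digest with the private key, "decrypt" it with the public key and compare, plus the confidentiality direction (encrypt with the public key, decrypt with the private key). The key is deliberately tiny so every value is visible; the primes, exponent and sample message are constructed. Real systems use 2048-bit or larger keys with padding (RSA-PSS for signatures, OAEP for encryption) from a vetted library, never arithmetic like this:

```python
"""Added example: the digital-signature procedure from the slides carried out
with a toy textbook-RSA key. NOT secure: tiny modulus, no padding. The key
parameters and the sample message are constructed for the example."""
import hashlib

# --- toy key pair: two small primes chosen for illustration ---
P, Q = 1_000_003, 1_000_033
N = P * Q                              # public modulus (~40 bits; real keys are >= 2048)
E = 65_537                             # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent: E^-1 mod phi(N)
PUBLIC_KEY, PRIVATE_KEY = (N, E), (N, D)


def digest(message: bytes) -> int:
    """Message digest as an integer. Reduced mod N only because the toy modulus
    is far smaller than a SHA-256 output; a real scheme pads instead."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message: bytes, private_key) -> int:
    """Sender: encrypt the digest with the private key; the result is the signature."""
    n, d = private_key
    return pow(digest(message), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Recipient: decrypt the signature with the public key and compare it with a
    freshly computed digest of the received message."""
    n, e = public_key
    return pow(signature, e, n) == digest(message)


def encrypt(m: int, public_key) -> int:
    """Confidentiality direction: anyone holding the public key can encrypt ..."""
    n, e = public_key
    return pow(m, e, n)


def decrypt(c: int, private_key) -> int:
    """... and only the holder of the private key can decrypt."""
    n, d = private_key
    return pow(c, d, n)


def demo() -> dict:
    message = b"Transfer 100 to account 42"        # constructed sample message
    sig = sign(message, PRIVATE_KEY)
    tampered = b"Transfer 900 to account 42"       # altered in transit
    return {
        "genuine_verifies": verify(message, sig, PUBLIC_KEY),
        "tampered_verifies": verify(tampered, sig, PUBLIC_KEY),
        "forged_sig_verifies": verify(message, sig + 1, PUBLIC_KEY),
        "round_trip": decrypt(encrypt(12_345, PUBLIC_KEY), PRIVATE_KEY),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two things the code makes concrete: verification only proves the message came from whoever holds the private key matching `PUBLIC_KEY`, which is why the certificate slides matter (the recipient must have the genuine public key), and integrity comes from the hash comparison, not from the key arithmetic alone.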

Proxy Server

A server that sits between a client application, such as a Web browser, and a real server

It intercepts all requests to the real server to see if it can fulfil them itself. If not, it forwards the request to the real server

Proxy servers have two main purposes:

- Improve performance
- Filter requests

Improve Performance

Proxy servers can improve performance for groups of users. A proxy server saves the results of all requests for a certain amount of time

Consider, for example, users X and Y who access the WWW through a proxy server. First, user X requests a certain Web page, page 1. Some time later user Y requests the same page. Instead of forwarding the request to the Web server where page 1 resides, the proxy server returns its stored copy of page 1

Since the proxy server is on the same network as the user, this is a much faster operation

Real proxy servers support hundreds or thousands of users. Major online services such as Compuserve and America Online employ arrays of proxy servers

Filter Requests

Companies can use proxy servers to prevent their employees from accessing a specific set of Web sites. A proxy server can be used to limit access to such undesirable sites

A proxy server is a WWW server that acts as the sole Web server for your entire domain, or for whatever clients you place behind the firewall: a logical block between your clients and the rest of the Internet

The proxy server usually sits on your firewall and intercepts all Web requests coming from clients within the firewall

If the requested URL is on the proxy's control list, the message "URL is not accessible" will appear instead of the page
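Both purposes of a proxy, caching and filtering, fit in a few dozen lines. The following added example (not code from the slides) replays the X/Y scenario above and the control-list check. The origin servers are simulated by a dictionary so the example runs offline; the URLs, page contents and blocked host are constructed:

```python
"""Added example: a forwarding proxy that serves repeated requests from its cache
and refuses URLs whose host is on a control list. The origin fetch is simulated
by a dictionary so the example runs offline; URLs and contents are constructed."""
import time
from urllib.parse import urlsplit

ORIGIN = {  # stands in for the real Web servers
    "http://www.example.com/page1": "contents of page 1",
    "http://www.example.com/page2": "contents of page 2",
}


class Proxy:
    def __init__(self, blocked_hosts, ttl_seconds=300, fetch=ORIGIN.get, clock=time.time):
        self.blocked = {h.lower() for h in blocked_hosts}   # the "control list"
        self.ttl = ttl_seconds                                # how long a copy is kept
        self.fetch = fetch                                    # origin fetch (injectable for tests)
        self.clock = clock                                    # time source (injectable for tests)
        self.cache = {}                                       # url -> (body, time stored)
        self.origin_fetches = 0

    def request(self, url: str) -> str:
        host = (urlsplit(url).hostname or "").lower()
        # Filter before caching, so a blocked page can never be served from the cache.
        if host in self.blocked or any(host.endswith("." + b) for b in self.blocked):
            return "URL is not accessible"
        entry = self.cache.get(url)
        if entry and self.clock() - entry[1] < self.ttl:
            return entry[0]                                   # cache hit: no trip to the origin
        body = self.fetch(url)
        self.origin_fetches += 1
        if body is None:
            return "404 Not Found"                            # do not cache failures
        self.cache[url] = (body, self.clock())
        return body


def demo():
    now = [1_000.0]                                           # controllable clock for the example
    proxy = Proxy(blocked_hosts=["undesirable.example"], ttl_seconds=60, clock=lambda: now[0])
    results = [
        proxy.request("http://www.example.com/page1"),        # user X: fetched from the origin
        proxy.request("http://www.example.com/page1"),        # user Y: served from the cache
        proxy.request("http://www.undesirable.example/"),     # on the control list
        proxy.request("http://games.undesirable.example/x"),  # subdomains are blocked too
    ]
    now[0] += 120                                             # cached copy expires
    results.append(proxy.request("http://www.example.com/page1"))  # fetched again
    return results, proxy.origin_fetches


if __name__ == "__main__":
    print(demo())
```

Matching on the parsed host name rather than on a substring of the URL matters: a blocklist that looked for `"undesirable.example" in url` would also be defeated by `http://www.example.com/?x=undesirable.example`, and a list that checked only exact hosts would be bypassed by any subdomain. For HTTPS traffic a proxy sees only the host (via CONNECT), not the path, unless it terminates TLS itself.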

Internet Security

Internet security is difficult because datagrams travelling from source to destination often pass across many intermediate networks and through routers that are not owned or controlled by either the sender or the recipient

Source authentication requires the server to examine the source IP address on each incoming datagram and accept requests only from computers on an authorized list

Source authentication is weak because it can be broken easily: an attacker can forge (spoof) the source address in the datagrams it sends, and nothing in IP itself verifies that field

Secure Sockets

The Secure Sockets Layer (SSL) technology was originally developed by Netscape; its standardised successor is TLS (Transport Layer Security)

When a client uses SSL to contact a server, the SSL protocol allows each side to authenticate itself to the other (in practice usually only the server presents a certificate)

The two sides then negotiate to select an encryption algorithm that they both support

Finally, SSL allows the two sides to establish an encrypted connection (i.e. a connection that uses the chosen encryption algorithm to provide privacy and integrity for the data)

Monitoring and Logging

Monitoring is the most important aspect of a firewall. Unless a firewall reports incidents, a manager may be unaware of problems

Monitoring can be active or passive

In active monitoring, a firewall notifies a manager whenever an incident occurs

The chief advantage of active monitoring is speed: a manager finds out about a potential problem immediately

But the main disadvantage is that active monitoring produces so much information that it is difficult for the manager to focus on major issues

Monitoring

In passive monitoring, a firewall logs a record of each incident in a file on disk

Passive monitoring usually records information about normal traffic as well as datagrams that are filtered

A chief advantage of passive monitoring arises from its record of events: a manager can consult the log to observe trends and, when a security problem occurs, review the history of events that led to the problem
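The two monitoring styles can be run over the same firewall log. The following added example (not code from the slides) parses constructed syslog-like firewall lines, produces the passive summary a manager would read later (denies per source, hosts each source probed), and raises an active alert as soon as one source trips a threshold within a time window. Alerting once per offending source rather than once per packet is how the "too much information" disadvantage of active monitoring is kept in check. The log format, addresses and threshold are constructed:

```python
"""Added example: passive and active monitoring over firewall log lines.
The log lines are constructed in a simple syslog-like format; the field layout
is an assumption of this example, not a real firewall's format."""
import re
from collections import Counter, defaultdict
from datetime import datetime

LOG = """\
2024-05-01T10:00:01 fw1 ALLOW tcp 192.0.2.20 -> 203.0.113.5:443
2024-05-01T10:00:02 fw1 DENY tcp 198.51.100.7 -> 192.0.2.20:22
2024-05-01T10:00:02 fw1 DENY tcp 198.51.100.7 -> 192.0.2.21:22
2024-05-01T10:00:03 fw1 DENY tcp 198.51.100.7 -> 192.0.2.22:22
2024-05-01T10:00:03 fw1 ALLOW tcp 198.51.100.9 -> 192.0.2.10:80
2024-05-01T10:00:04 fw1 DENY tcp 198.51.100.7 -> 192.0.2.23:22
2024-05-01T10:00:05 fw1 DENY udp 203.0.113.77 -> 192.0.2.10:161
2024-05-01T10:00:40 fw1 DENY tcp 198.51.100.7 -> 192.0.2.24:22
"""

LINE = re.compile(r"^(\S+) (\S+) (ALLOW|DENY) (\w+) (\S+) -> (\S+):(\d+)$")


def parse(text: str):
    """Yield one dict per well-formed line; malformed lines are skipped, not fatal."""
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, host, action, proto, src, dst, port = m.groups()
        yield {"ts": datetime.fromisoformat(ts), "host": host, "action": action,
               "proto": proto, "src": src, "dst": dst, "dport": int(port)}


def passive_summary(events):
    """What a manager reviews afterwards: denies per source, and which hosts each
    source tried to reach (a spread of targets on one port reads as a scan)."""
    denies, targets = Counter(), defaultdict(set)
    for e in events:
        if e["action"] == "DENY":
            denies[e["src"]] += 1
            targets[e["src"]].add(e["dst"])
    return denies, {s: sorted(t) for s, t in targets.items()}


def active_alerts(events, threshold=3, window_seconds=10):
    """Notify as soon as one source accumulates `threshold` denies within
    `window_seconds`. One alert per offending source, not one per packet."""
    recent, alerted, alerts = defaultdict(list), set(), []
    for e in events:                                   # events are in time order
        if e["action"] != "DENY" or e["src"] in alerted:
            continue
        hits = [t for t in recent[e["src"]] if (e["ts"] - t).total_seconds() <= window_seconds]
        hits.append(e["ts"])
        recent[e["src"]] = hits
        if len(hits) >= threshold:
            alerted.add(e["src"])
            alerts.append(f"{e['ts'].isoformat()} {e['src']} hit {len(hits)} denied "
                          f"connections in {window_seconds}s (possible scan)")
    return alerts


if __name__ == "__main__":
    events = list(parse(LOG))
    print(passive_summary(events))
    print(active_alerts(events))
```

In the sample, 198.51.100.7 is reported once, at 10:00:03 when its third denied SSH attempt within ten seconds arrives; its later attempts add to the passive counts but produce no further notifications. 203.0.113.77 appears only in the passive summary.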

Internet Architecture

How are networks interconnected to form an internetwork?

Physically, two networks can only be connected by a computer that attaches to both of them

A physical attachment does not provide the interconnection we have in mind, however, because such a connection does not guarantee that the computer will cooperate with other machines that wish to communicate

Computers that interconnect two networks and pass packets from one to the other are called internet gateways or internet routers

[Figure: router R attached to both Net 1 and Net 2]

Router R connects to both network 1 and network 2

Each network can be a LAN or a WAN, and each may have many computers attached to it

Interconnection through IP routers

In an actual internet that includes many networks and routers, each router needs to know about the topology of the internet beyond the networks to which it connects

[Figure: router R1 connects Net 1 and Net 2; router R2 connects Net 2 and Net 3]

R1 must transfer from network 1 to network 2 all packets destined for computers on either network 2 or network 3

Routers used with TCP/IP Internets are usually small computers

They often have little disk storage and modest main memories

If packet forwarding is based on networks, the amount of information that a router needs to keep is proportional to the number of networks in the Internet, not the number of computers
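The last point, that a router's table grows with the number of networks rather than the number of computers, is what a forwarding table keyed by network prefix gives you. The following added example (not code from the slides) builds R1's table for the figure above (Net 1 and Net 2 attached directly, Net 3 reached through R2) and forwards by longest-prefix match; the addresses and interface names are constructed:

```python
"""Added example: a router's forwarding table keyed by network prefix, with
longest-prefix-match lookup. Topology follows the slides' figure (R1 joins
Net 1 and Net 2, R2 joins Net 2 and Net 3); addresses are constructed."""
import ipaddress

# Forwarding table of R1. Entries: (destination network, next hop or "direct", interface).
# Three networks, three entries, regardless of how many hosts each network holds.
R1_TABLE = [
    (ipaddress.ip_network("10.1.0.0/16"), "direct",   "eth0"),   # Net 1, attached
    (ipaddress.ip_network("10.2.0.0/16"), "direct",   "eth1"),   # Net 2, attached
    (ipaddress.ip_network("10.3.0.0/16"), "10.2.0.2", "eth1"),   # Net 3, via R2 on Net 2
    (ipaddress.ip_network("0.0.0.0/0"),   "10.2.0.2", "eth1"),   # default route
]


def lookup(table, dst: str):
    """Longest-prefix match: the most specific network containing dst wins.
    Returns (network, next_hop, interface), or None when nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, next_hop, iface in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return best


def forward(table, dst: str) -> str:
    """Describe how the router handles a datagram addressed to dst."""
    best = lookup(table, dst)
    if best is None:
        return "drop: no route"
    net, next_hop, iface = best
    if next_hop == "direct":
        return f"deliver directly on {iface} (network {net})"
    return f"forward via {next_hop} on {iface} (network {net})"


if __name__ == "__main__":
    for dst in ("10.1.0.7", "10.2.0.9", "10.3.4.5", "192.0.2.1"):
        print(f"{dst:>12} -> {forward(R1_TABLE, dst)}")
```

Removing the default route (the last entry) makes the router drop anything outside the three networks, which is the behaviour you want on an internal router that should never originate traffic toward unknown destinations.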

The User's View

A user views an internet as a single, virtual network to which all machines connect, despite their physical connections

Since application programs that communicate over the Internet do not know the details of the underlying connections, they can be run without change on any computer

Because the details of each machine's physical network connections are hidden in the Internet software, only the Internet software needs to change when new physical connections are added or existing connections are removed

A second advantage of having communication at the network level is users do not have to understand, remember, or specify how networks connect or what traffic they carry

Application programs can be written that communicate independent of underlying physical connectivity

Network managers are free to change interior parts of the underlying internet architecture without changing application software in most computers attached to the Internet