Page 151 - DCAP516_COMPUTER_SECURITY
Unit 12: Network Security Controls
12.4 Network Security Controls
In the last unit you read about various threats to networks, such as viruses, bombs,
phishing attacks, etc. In this unit we briefly discuss various types of network security
controls, such as firewalls, virtual private networks, encrypted e-mail, etc.
1. Encryption: Encryption is probably the most important and versatile tool for a network
security expert. We have seen in earlier units that encryption is powerful for providing
privacy, authenticity, integrity, and limited access to data. Because networks often involve
even greater risks, they often secure data with encryption, perhaps in combination with
other controls.
In network applications, encryption can be applied either between two hosts (called link
encryption) or between two applications (called end-to-end encryption). We consider
each below. With either form of encryption, key distribution is always a problem.
Encryption keys must be delivered to the sender and receiver in a secure manner. In this
section, we also investigate techniques for safe key distribution in networks. Finally, we
study a cryptographic facility for a network computing environment.
2. Virtual Private Networks: Link encryption can be used to give a network’s users the sense
that they are on a private network, even when it is part of a public network. For this
reason, the approach is called a virtual private network (or VPN).
Notes: Typically, physical security and administrative security are strong enough to protect
transmission inside the perimeter of a network. Thus, the greatest exposure for a user is
between the user’s workstation or client and the perimeter of the host network or server.
A firewall is an access control device that sits between two networks or two network
segments. It filters all traffic between the protected or “inside” network and a less
trustworthy or “outside” network or segment. (We examine firewalls in detail later in this
unit.)
Many firewalls can be used to implement a VPN. When a user first establishes
communication with the firewall, the user can request a VPN session with the firewall.
The user’s client and the firewall negotiate a session encryption key, and the firewall and
the client subsequently use that key to encrypt all traffic between the two. In this way,
access to the larger network is restricted to those given special access by the VPN. In other
words, it feels to the user that the network is private, even though it is not. With the VPN, we
say that the communication passes through an encrypted tunnel, or simply a tunnel.
3. PKI and Certificates: A public key infrastructure, or PKI, is a process created to enable
users to implement public key cryptography, usually in a large (and frequently, distributed)
setting. PKI offers each user a set of services, related to identification and access control, as
follows:
(i) create certificates associating a user’s identity with a (public) cryptographic key
(ii) give out certificates from its database
(iii) sign certificates, adding its credibility to the authenticity of the certificate
(iv) confirm (or deny) that a certificate is valid
(v) invalidate certificates for users who are no longer allowed access or whose private
key has been exposed
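As an added worked example (not from the textbook), the five services above implemented as a small certificate authority in Ruby using its standard OpenSSL binding; the CA name, the RSA key size, the 24-hour validity period and the in-memory revocation list are assumptions made for the example:

```ruby
require 'openssl'

# Minimal certificate authority for the five PKI services listed above
# (constructed example, not a real CA product).
class CA
  attr_reader :cert

  def initialize
    @key = OpenSSL::PKey::RSA.new(2048)          # the CA's own key pair
    @revoked = {}                                 # serial => true once invalidated (service v)
    @cert = issue(1, 'Example Root CA', @key.public_key, ca: true)
    @store = OpenSSL::X509::Store.new
    @store.add_cert(@cert)                        # relying parties trust only this root
  end

  # Services i-iii: create a certificate binding name to pub_key, and sign it with
  # the CA's private key. Until the CA has its own certificate, the result is a
  # self-signed root.
  def issue(serial, name, pub_key, ca: false)
    c = OpenSSL::X509::Certificate.new
    c.version = 2                                 # X.509 v3
    c.serial = serial
    c.subject = OpenSSL::X509::Name.parse("/CN=#{name}")
    c.issuer = @cert ? @cert.subject : c.subject
    c.public_key = pub_key
    c.not_before = Time.now - 3600
    c.not_after = Time.now + 86_400
    ef = OpenSSL::X509::ExtensionFactory.new(@cert || c, c)
    if ca
      c.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
      c.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true))
    else
      c.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
    end
    c.sign(@key, OpenSSL::Digest.new('SHA256'))
  end

  # Service v: invalidate a certificate whose owner lost access or whose private
  # key was exposed.
  def revoke(c)
    @revoked[c.serial.to_i] = true
  end

  # Service iv: confirm the certificate chains to this CA, is inside its validity
  # period and has not been revoked.
  def valid?(c)
    !@revoked[c.serial.to_i] && @store.verify(c)
  end
end
```

A certificate issued by a different CA, even one using the same name, fails `valid?` because its signature does not verify against the trusted root.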
LOVELY PROFESSIONAL UNIVERSITY 145