Monday, December 14, 2009

Network Security

It is possible to divide network security into two general classes:
1) Methods used to protect data as it transits a network
2) Methods which control which packets may transit the network

Both drastically affect the traffic going to and from a site, but their aims are quite different.

1) Transit Security:
A public network does nothing of its own to keep data confidential or intact while it transits; any protection has to be added by the endpoints. A number of methods are available to encrypt traffic between sites. Two general approaches are as follows:

Virtual Private Networks:
A VPN constructs a private network by using one TCP/IP network to carry the lower layers of a second TCP/IP stack. Normally IP traffic is sent in encapsulated form across various kinds of physical network: each system that attaches to a physical network implements a standard for sending IP packets over that link (Ethernet and point-to-point links being the most common), and once an IP packet is received it is handed to the higher layers of the TCP/IP stack for processing.

When a virtual private network is built, the lowest layers of its TCP/IP stack are implemented on top of an existing TCP/IP connection rather than on a physical link. There are a variety of ways to achieve this, trading abstraction against efficiency. The security benefit is only a single step further away: because the VPN gives the designer complete control over what serves as its link layer, it is entirely within the designer's power to encrypt that link. Once that is done, all traffic of any type carried over the VPN is encrypted, whether or not the application at the top of the stack encrypts anything itself. The primary benefits of VPNs are that they offer private address space and that the encryption or translation overhead can be done on dedicated systems, reducing the load placed on production machines. The limit is equally clear: the protection covers only the path between the two tunnel endpoints, so traffic is in the clear on the networks on either side of them.
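As an added example (not code from the original post), the following Python builds the encapsulation the paragraph describes: an inner IPv4 packet carrying private addresses is wrapped in an outer IPv4 header addressed to the far tunnel endpoint (protocol number 4, IP-in-IP), and every inner packet is protected with an HMAC-SHA256 tag under a key the two endpoints share, standing in for "securing the link" of the virtual network. The endpoint addresses (198.51.100.1 and 203.0.113.7), the key TUNNEL_KEY, the function names and the inner packet are all constructed for this example. Only integrity is shown, because the standard library has no cipher; a real tunnel such as IPsec ESP would also encrypt the inner packet.

```python
"""IP-in-IP tunnel encapsulation with an integrity tag on every inner packet.
Added example for this page, not code from the original post. Addresses,
the shared key and the inner packet are constructed for the demonstration."""
import hashlib
import hmac
import socket
import struct

IPPROTO_IPIP = 4      # outer protocol number used by IP-in-IP tunnels
IPPROTO_UDP = 17
TAG_LEN = 32          # HMAC-SHA256 tag appended to each inner packet
TUNNEL_KEY = b"constructed-key-shared-by-both-tunnel-endpoints"  # assumption


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum, as used for the IPv4 header checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Return a 20-byte IPv4 header (no options, no fragmentation) plus payload."""
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    # The checksum field (bytes 10-11) is computed with itself set to zero.
    header = header[:10] + struct.pack("!H", checksum(header)) + header[12:]
    return header + payload


def parse_ipv4(packet: bytes):
    """Verify the header checksum and return (src, dst, proto, payload)."""
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    # A correct header sums to zero once its own checksum field is included.
    if ver_ihl >> 4 != 4 or ihl < 20 or checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header")
    return socket.inet_ntoa(src), socket.inet_ntoa(dst), proto, packet[ihl:total_len]


def tunnel_encapsulate(inner: bytes, tun_src: str, tun_dst: str,
                       key: bytes = TUNNEL_KEY) -> bytes:
    """Wrap an inner IP packet for transit between two tunnel endpoints.

    The outer header carries only the endpoints' public addresses; the inner
    packet (with its private addresses) rides as opaque payload, followed by
    a tag the far endpoint checks before forwarding it onto the private net.
    """
    tag = hmac.new(key, inner, hashlib.sha256).digest()
    return build_ipv4(tun_src, tun_dst, IPPROTO_IPIP, inner + tag)


def tunnel_decapsulate(outer: bytes, key: bytes = TUNNEL_KEY) -> bytes:
    """Strip the outer header, check the tag, and return the inner packet.

    Any modification of the carried packet in transit fails the check,
    whatever protocol or application the inner packet belongs to.
    """
    _, _, proto, payload = parse_ipv4(outer)
    if proto != IPPROTO_IPIP or len(payload) < 20 + TAG_LEN:
        raise ValueError("not a tunnel packet")
    inner, tag = payload[:-TAG_LEN], payload[-TAG_LEN:]
    expected = hmac.new(key, inner, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("tunnel integrity check failed")
    return inner


if __name__ == "__main__":
    # Constructed inner packet: a UDP datagram between two private hosts.
    inner_pkt = build_ipv4("10.1.0.5", "10.2.0.9", IPPROTO_UDP, b"hello")
    outer_pkt = tunnel_encapsulate(inner_pkt, "198.51.100.1", "203.0.113.7")
    print("outer header:", parse_ipv4(outer_pkt)[:3])
    print("round trip ok:", tunnel_decapsulate(outer_pkt) == inner_pkt)
    damaged = bytearray(outer_pkt)
    damaged[-TAG_LEN - 1] ^= 0x01          # flip a bit in the inner payload
    try:
        tunnel_decapsulate(bytes(damaged))
    except ValueError as err:
        print("tampered packet rejected:", err)
```

Two things the code makes visible that the prose only states: the inner addresses never appear in the outer header, which is how the site keeps its private address space across the public network; and the check is performed only at the tunnel endpoints, so the tag says nothing about what happened to the packet before it entered the tunnel or after it leaves.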

Packet Level Encryption:
Another approach is to encrypt traffic at a higher layer in the TCP/IP stack. A number of methods exist for the secure authentication and encryption of telnet and rlogin sessions; these are examples of encryption at the highest layer of the stack, the application layer. The benefits of encrypting at this layer are that the processing overhead of a VPN is avoided, other applications on the host are unaffected, and it is much easier to build a client program that supports application layer encryption than to build a VPN. The cost is that each application that needs protection has to be changed, and whatever it does not encrypt (the packet headers in particular) stays visible on the wire.
Both methods have performance impacts on the hosts that implement them and on the networks that connect those hosts. Even the simplest encapsulation or transformation of a packet costs CPU time and consumes additional network capacity. Encryption is CPU-intensive, and encrypted packets need to be padded (to a cipher's block size, or to a uniform length) to guarantee the robustness of some algorithms, which adds bytes to every packet. Both methods also have effects in other areas that need to be considered before choosing which is best for a particular case.

2) Traffic Regulation
The most common form of network security on the Internet is traffic regulation. If packets that would do something malicious to a remote host never reach it, the remote host remains unaffected. Traffic regulation acts as a screen between hosts and remote sites. It happens in three basic places: routers, firewalls and hosts. Each offers a similar service at a different point in the network.

a) Router traffic regulation:
Any traffic regulation that takes place on a router or terminal server is based on packet characteristics (addresses, protocol, ports, flags). This does not include application gateways but does include address translation.
b) Firewall traffic regulation:
Traffic regulation or filtering performed by application gateways, which understand the protocol being relayed and can apply policy to its content rather than only to packet headers.
c) Host traffic regulation:
Traffic regulation performed at the destination of the packet. Hosts play a smaller role in traffic regulation since the advent of filtering routers and firewalls, although a host-level filter remains the last line of defence if the border is bypassed.

Filters and access lists
Regulating the flow of packets between two sites is a fairly simple concept on the surface. For any router or firewall, it is not difficult simply to decide not to forward any packets from a particular site. A few basic techniques are:

i) Restricting access in but not out:
All packets are addressed to a destination UDP or TCP port. Packets from remote hosts will attempt to reach one of the well-known ports, which are listened on by applications that offer services such as mail transfer and delivery, Usenet news, time, the Domain Name Service and various login protocols. It is not difficult for a modern router or firewall to permit only these types of packets through, and only to the specific machine that offers a given service; attempts to send any other type of packet in are refused. This protects the internal hosts but still permits all packets to get out.

ii) the problem of returning packets :

Remote users should not be able to log in to your systems unless they authenticate securely, for example with S/Key one-time passwords or an encrypted login protocol, whereas internal users are free to telnet or ftp to remote sites. The policy is therefore to restrict inbound connections to a few packet types while permitting any outgoing connection. The difficulty is that interactive protocols, once a connection is established, need return packets that arrive at a port number chosen for that particular connection, which no static rule can name in advance.

Modern routers and firewalls support the ability to dynamically open a small window for these packets: a return packet is admitted only if an internal host has recently sent a packet to that external host and port. This permits connections that are initiated internally to complete while denying external connection attempts unless they are explicitly wanted. A filter that merely inspects the TCP ACK bit (the "established" keyword of classic router access lists) is a weaker, stateless approximation of this and does nothing for UDP.

iii) Dynamic route filters :

A more recent technique offers the ability to dynamically add an entire set of route filters for a remote site when a particular set of circumstances occurs. Using these techniques, a router can automatically detect suspicious activity and deny a machine or an entire site access for a short time. In many cases this will stop an automated attack on a site, though the trigger has to be chosen with care, since an attacker who can spoof the source address of a third party can use the same mechanism to get that third party cut off.
Filters and access lists can be applied on all three types of systems, although they are most common on routers.
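The three techniques above, as an added Python example that is not part of the original post: a border filter decides each packet of a constructed log against (i) a static access list of service ports, (ii) a 30-second return window keyed on the outbound 5-tuple, and (iii) a dynamic block that triggers when one source is denied five times within ten seconds and that overrides even the static permits. The site prefix 192.0.2.0/24, the service hosts, the thresholds, the class and function names and the packets themselves are assumptions made for the example.

```python
"""Traffic regulation at a site border: access list, return window, dynamic block.
Added example for this page, not code from the original post; the site prefix,
service hosts, thresholds and packet log are all constructed."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")   # assumption: our site

# (i) static access list: inbound traffic reaches a well-known service port
# only on the internal host that actually offers that service.
INBOUND_SERVICES = {
    ("192.0.2.25", "tcp", 25): "smtp",
    ("192.0.2.53", "udp", 53): "dns",
}
RETURN_WINDOW = 30.0    # (ii) seconds a reply may follow the outbound packet
DENY_THRESHOLD = 5      # (iii) denials from one source within DENY_INTERVAL...
DENY_INTERVAL = 10.0    # ...seconds put that source on the dynamic block list
BLOCK_DURATION = 300.0  # seconds the dynamic block stays in place


@dataclass(frozen=True)
class Packet:
    t: float        # arrival time in seconds
    src: str
    sport: int
    dst: str
    dport: int
    proto: str      # "tcp" or "udp"


class BorderFilter:
    def __init__(self):
        self.outbound = {}                # outbound 5-tuple -> time last seen
        self.denials = defaultdict(list)  # source -> times it was denied
        self.blocked = {}                 # source -> time its block expires

    def decide(self, p: Packet):
        """Return (verdict, reason) for one packet and update dynamic state."""
        src_in = ipaddress.ip_address(p.src) in INTERNAL_NET
        dst_in = ipaddress.ip_address(p.dst) in INTERNAL_NET

        # (iii) a dynamically blocked source loses even its static permits.
        expires = self.blocked.get(p.src)
        if expires is not None:
            if p.t < expires:
                return ("deny", "dynamically blocked")
            del self.blocked[p.src]

        if src_in and not dst_in:
            # (ii) remember the outbound 5-tuple so its reply can be let in.
            self.outbound[(p.src, p.sport, p.dst, p.dport, p.proto)] = p.t
            return ("permit", "outbound")

        if dst_in and not src_in:
            service = INBOUND_SERVICES.get((p.dst, p.proto, p.dport))
            if service is not None:
                return ("permit", "service " + service)
            # A reply reverses the tuple: its source port is the port we sent to.
            sent = self.outbound.get((p.dst, p.dport, p.src, p.sport, p.proto))
            if sent is not None and p.t - sent <= RETURN_WINDOW:
                return ("permit", "return traffic")
            return ("deny", self._note_denial(p))
        return ("deny", "not a transit packet for this site")

    def _note_denial(self, p: Packet) -> str:
        recent = [t for t in self.denials[p.src] if p.t - t <= DENY_INTERVAL]
        recent.append(p.t)
        self.denials[p.src] = recent
        if len(recent) >= DENY_THRESHOLD:
            self.blocked[p.src] = p.t + BLOCK_DURATION
            self.denials[p.src] = []
            return "no matching rule; source now blocked"
        return "no matching rule"


def run(packets):
    """Filter a packet log in arrival order; returns one (verdict, reason) each."""
    f = BorderFilter()
    return [f.decide(p) for p in packets]


# Constructed log: a web session, a mail delivery, a port scan that trips the
# dynamic block, and a reply that arrives after its window has closed.
SAMPLE_LOG = [
    Packet(0.0, "192.0.2.10", 40000, "198.51.100.5", 80, "tcp"),
    Packet(0.2, "198.51.100.5", 80, "192.0.2.10", 40000, "tcp"),
    Packet(1.0, "203.0.113.9", 3456, "192.0.2.25", 25, "tcp"),
    Packet(2.0, "203.0.113.9", 3457, "192.0.2.10", 23, "tcp"),
    Packet(3.0, "203.0.113.9", 3458, "192.0.2.10", 21, "tcp"),
    Packet(4.0, "203.0.113.9", 3459, "192.0.2.10", 22, "tcp"),
    Packet(5.0, "203.0.113.9", 3460, "192.0.2.10", 110, "tcp"),
    Packet(6.0, "203.0.113.9", 3461, "192.0.2.10", 143, "tcp"),
    Packet(8.0, "203.0.113.9", 3462, "192.0.2.25", 25, "tcp"),
    Packet(40.0, "198.51.100.5", 80, "192.0.2.10", 40000, "tcp"),
]

if __name__ == "__main__":
    for pkt, (verdict, reason) in zip(SAMPLE_LOG, run(SAMPLE_LOG)):
        print(f"t={pkt.t:5.1f} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} "
              f"{verdict} ({reason})")
```

Reading the verdicts in order shows the interplay: the scanner's first probe of port 23 is simply dropped, its fifth probe within ten seconds puts it on the block list, and its subsequent delivery attempt to the mail host is refused even though SMTP to that host is statically permitted; the web server's late reply at t=40 is dropped because the window opened at t=0 has closed. The window keys on the full 5-tuple rather than only on the external host, so a reply is accepted only for the exact port pair the internal host used.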

Conclusion
There are two types of network security, transit security and traffic regulation, which when combined help guarantee that the right information is securely transported to the right place. It should also be clear that the hosts which receive the information must process it properly, and this raises the entire question of host security: a wide area that varies tremendously from system to system. With the growth in business use of the Internet, network security is rapidly becoming vital to its development. Security will become an integral part of our day-to-day use of the Internet and other networks.

Internet

The Internet is a global system of interconnected computer networks that use the standard Internet Protocol Suite (TCP/IP) to serve billions of users worldwide. It is a network of networks that consists of millions of private and public, academic, business, and government networks of local to global scope that are linked by a broad array of electronic and optical networking technologies. The Internet carries a vast array of information resources and services, most notably the inter-linked hypertext documents of the World Wide Web (WWW) and the infrastructure to support electronic mail.

Most traditional communications media, such as telephone and television services, are being reshaped or redefined using the technologies of the Internet, giving rise to services such as Voice over Internet Protocol (VoIP) and IPTV. Newspaper publishing has been reshaped into Web sites, blogging, and web feeds. The Internet has enabled or accelerated the creation of new forms of human interaction through instant messaging, Internet forums, and social networking sites.

The Internet has no centralized governance in either technological implementation or policies for access and usage; each constituent network sets its own standards. Only the overreaching definitions of the two principal name spaces in the Internet, the Internet Protocol address space and the Domain Name System, are directed by a maintainer organization, the Internet Corporation for Assigned Names and Numbers (ICANN). The technical underpinning and standardization of the core protocols (IPv4 and IPv6) is an activity of the Internet Engineering Task Force (IETF), a non-profit organization of loosely-affiliated international participants that anyone may associate with by contributing technical expertise.

Network topology

The network topology defines the way in which computers, printers, and other devices are connected, physically and logically. A network topology describes the layout of the wire and devices as well as the paths used by data transmissions.

Network topology has two types:

Physical
Logical
Commonly used topologies include:

Bus
Star
Tree (hierarchical)
Linear
Ring
Mesh
partially connected
fully connected (sometimes known as fully redundant)
The network topologies mentioned above are only a general representation of the kinds of topologies used in computer network and are considered basic topologies.

Networking is commonly described in terms of the OSI (Open Systems Interconnection) reference model for communications. The OSI model consists of seven layers, each with its own function: Application, Presentation, Session, Transport, Network, Data Link and Physical. The upper layers (Application, Presentation, Session) concentrate on the application, while the lower layers (Transport, Network, Data Link and Physical) focus on moving data from origin to destination. The Application layer (layer 7) defines the interface that communications software and applications use to communicate with other computers. Layer 6, the Presentation layer, defines data formats such as text, JPEG, GIF and binary; displaying a picture received in an e-mail is an example of its work. Layer 5, the Session layer, establishes how to start, control and end connections or conversations.

The Transport layer (layer 4) includes protocols that provide functions in areas such as error recovery, segmentation and reassembly. The Network layer's (layer 3) primary job is the end-to-end delivery of packets; to do this it relies on logical addressing so that both origin and destination can be identified. IP running on a router, for example, examines the destination address, compares it with the IP routing table, fragments the packet into smaller pieces if the outgoing link requires it, and forwards it toward the correct receiver. Layer 2, the Data Link layer, sets the standards for delivering frames across a single link or medium. Layer 1, the Physical layer, deals with the physical characteristics of transmission, such as the network card and the cable type.

Networking methods

One way to categorize computer networks is by their geographic scope, although many real-world networks interconnect Local Area Networks (LAN) via Wide Area Networks (WAN) and wireless networks (WWAN). These three (broad) types are:

Local area network (LAN)

A local area network is a network that spans a relatively small space and provides services to a small number of people.

A peer-to-peer or client-server method of networking may be used. In a peer-to-peer network each client shares its resources with the other workstations in the network; examples are small office networks where resource use is minimal, and home networks. In a client-server network every client is connected to a server, and the servers may be used in different capacities. These can be classified into two types:

1. Single-service servers
2. Multi-service servers

A single-service server performs one task, such as acting as a file server, while a multi-service server can not only act as a file server and print server but also perform computations and use them to provide information to clients (a Web or intranet server, for example). Computers may be connected in many different ways, including Ethernet cables, wireless networks, or other types of wiring such as power lines or phone lines.

The ITU-T G.hn standard is an example of a technology that provides high-speed (up to 1 Gbit/s) local area networking over existing home wiring (power lines, phone lines and coaxial cables).

Wide area network (WAN)

A wide area network is a network in which a wide variety of resources are deployed across a large geographic area, nationally or internationally. An example is a multinational business that uses a WAN to interconnect its offices in different countries. The largest and best example of a WAN is the Internet, a network composed of many smaller networks and considered the largest network in the world. The PSTN (Public Switched Telephone Network) is also an extremely large network that is converging on Internet technologies, although not necessarily through the public Internet.

A wide area network involves communication through a range of different technologies. These include point-to-point links using Point-to-Point Protocol (PPP) and High-Level Data Link Control (HDLC), Frame Relay, ATM (Asynchronous Transfer Mode) and SONET (Synchronous Optical Network). The WAN technologies differ in the kind of switching they perform and in the speed at which data is sent and received.

Metropolitan area network (MAN)

A metropolitan area network is a network that is too large for even the largest of LANs but is not on the scale of a WAN. It interconnects two or more LANs over a specific geographic area (usually a city) so as to extend the network and the flow of communications. The LANs in question are usually connected via "backbone" lines.

For more information on WANs, see Frame Relay, ATM and Sonet.

Wireless networks (WLAN, WWAN)

A wireless network is basically the same as a LAN or a WAN but there are no wires between hosts and servers. The data is transferred over sets of radio transceivers. These types of networks are beneficial when it is too costly or inconvenient to run the necessary cables. For more information, see Wireless LAN and Wireless wide area network. The media access protocols for LANs come from the IEEE.

The most common IEEE 802.11 WLANs cover, depending on antennas, ranges from hundreds of meters to a few kilometers. For larger areas, either communications satellites of various types, cellular radio, or wireless local loop all have advantages and disadvantages. Depending on the type of mobility needed, the relevant standards may come from the IETF or the ITU.

Computer networking

Computer networking is the engineering discipline concerned with communication between computer systems or devices. Networking, routers, routing protocols, and networking over the public Internet have their specifications defined in documents called RFCs. Computer networking is sometimes considered a sub-discipline of telecommunications, computer science, information technology and/or computer engineering, and computer networks rely heavily upon the academic and practical application of these disciplines. By scope of administration there are three types of network: the Internet, intranets and extranets. A computer network is any set of computers or devices connected to each other with the ability to exchange data. Examples of different networks are:


Local area network (LAN), which is usually a small network constrained to a small geographic area. An example of a LAN would be a computer network within a building.

Metropolitan area network (MAN), which is used for a medium-sized area, for example a city or a state.

Wide area network (WAN) that is usually a larger network that covers a large geographic area.

Wireless LANs and WANs (WLAN & WWAN) are the wireless equivalent of the LAN and WAN.

All networks are interconnected to allow communication over a variety of different kinds of media, including twisted-pair copper wire cable, coaxial cable, optical fiber, power lines and various wireless technologies. The devices can be separated by a few meters or by nearly unlimited distances (e.g. via the interconnections of the Internet).


Views of networks
Users and network administrators often have different views of their networks. Often, users who share printers and some servers form a workgroup, which usually means they are in the same geographic location and on the same LAN. A community of interest is less tied to a local area and should be thought of as a set of arbitrarily located users who share a set of servers and possibly also communicate via peer-to-peer technologies.

Network administrators see networks from both physical and logical perspectives. The physical perspective involves geographic locations, physical cabling, and the network elements (e.g. routers, bridges and application layer gateways) that interconnect the physical media. Logical networks, called subnets in the TCP/IP architecture, map onto one or more physical media. For example, a common practice on a campus of buildings is to make a set of LAN cables in each building appear to be a common subnet, using virtual LAN (VLAN) technology.

Both users and administrators will be aware, to varying extents, of the trust and scope characteristics of a network. Again using TCP/IP architectural terminology, an intranet is a community of interest under private administration usually by an enterprise, and is only accessible by authorized users (e.g. employees). Intranets do not have to be connected to the Internet, but generally have a limited connection. An extranet is an extension of an intranet that allows secure communications to users outside of the intranet (e.g. business partners, customers).

Informally, the Internet is the set of users, enterprises,and content providers that are interconnected by Internet Service Providers (ISP). From an engineering standpoint, the Internet is the set of subnets, and aggregates of subnets, which share the registered IP address space and exchange information about the reachability of those IP addresses using the Border Gateway Protocol. Typically, the human-readable names of servers are translated to IP addresses, transparently to users, via the directory function of the Domain Name System (DNS).

Over the Internet, there can be business-to-business (B2B), business-to-consumer (B2C) and consumer-to-consumer (C2C) communications. Especially when money or sensitive information is exchanged, the communications are apt to be secured by some form of communications security mechanism. Intranets and extranets can be securely superimposed onto the Internet, without any access by general Internet users, using secure Virtual Private Network (VPN) technology.

When a network is used for multiplayer gaming, one computer commonly acts as the server while the others connect to it as clients and play through it.