Module 5: Network Security and Applications (20MCA13)

Module 5a: Network Security

Syllabus: Network Security and Applications: Cryptographic Building Blocks, Key Predistribution, Firewalls, Traditional Applications, Infrastructure Services.
Text book: Chapter 8.1, 8.2, 8.5; Chapter 9.1, 9.3

Computer networks are typically a shared resource used by many applications representing different interests. The Internet is particularly widely shared, being used by competing businesses, mutually antagonistic governments, and opportunistic criminals. Unless security measures are taken, a network conversation or a distributed application may be compromised by an adversary.

Consider some threats to secure use of, for example, the World Wide Web. Suppose you are a customer using a credit card to order an item from a website. An obvious threat is that an adversary would eavesdrop on your network communication, reading your messages to obtain your credit card information. How might that eavesdropping be accomplished? It is trivial on a broadcast network such as an Ethernet, where any node can be configured to receive all the message traffic on that network. Wireless communication can be monitored without any physical connection. More elaborate approaches include wiretapping and planting spy software on any of the chain of nodes involved. Only in the most extreme cases (e.g., national security) are serious measures taken to prevent such monitoring, and the Internet is not one of those cases.

The remedy is to encrypt the messages so as to prevent an adversary from understanding the message contents. A protocol that does so is said to provide confidentiality. Taking the concept a step farther, concealing the quantity or destination of communication is called traffic confidentiality, because merely knowing how much communication is going where can be useful to an adversary in some situations. Traffic patterns can also be used to establish a covert channel.
• A covert channel is a means of communication which transfers information in a way unintended by the designers of the communication facility.
• The channel is used to transfer information in a way that violates a security policy.
• For example, an employee may wish to communicate information to an outsider through a secured channel while evading detection by the management.

Dr. Rama Satish KV, RNSIT, Bangalore. For updates visit: https://sites.google.com/view/satishkvr/

Even with confidentiality there still remain threats for the website customer. An adversary who can't read the contents of your encrypted message might still be able to change a few bits in it, resulting in a valid order for, say, a completely different item or perhaps 1000 units of the item. A protocol that detects such message tampering provides data integrity. The adversary could alternatively transmit an extra copy of your message in a replay attack; to the website it would look as though you had simply ordered the same item again. A protocol that detects replays is said to provide originality. The adversary could also delay one of your messages so that it arrives later than intended; a protocol that detects such delaying tactics is said to provide timeliness. Data integrity, originality, and timeliness are considered aspects of the more general property of integrity.

Another threat to the customer is unknowingly being directed to a false website. This can result from a Domain Name System (DNS) attack, in which false information is entered in a DNS server or the name service cache of the customer's computer. This leads to translating a correct URL into an incorrect IP address, the address of a false website. A protocol that ensures that you really are talking to whom you think you're talking is said to provide authentication. Authentication entails integrity, since it is meaningless to say that a message came from a certain participant if it is no longer the same message.

The owner of the website can be attacked as well. Some websites have been defaced; the files that make up the website content have been remotely accessed and modified without authorization.
That is an issue of access control: enforcing the rules regarding who is allowed to do what. Websites have also been subject to denial of service (DoS) attacks, during which would-be customers are unable to access the website because it is being overwhelmed by bogus requests. Ensuring a degree of access is called availability.

In addition to these issues, the Internet has notably been used as a means for deploying malicious code that exploits vulnerabilities in end systems. Worms, pieces of self-replicating code that spread over networks, have been known for several decades and continue to cause problems, as do their relatives, viruses, which are spread by the transmission of infected files. Infected machines can then be arranged into botnets, which can be used to inflict further harm, such as launching DoS attacks.

There are many tools today for securing networked systems, ranging from various forms of cryptography to specialized devices such as firewalls. This chapter will provide an introduction to these tools with a particular focus on the use of cryptographic methods to improve network security. Improving the security of networks continues to be a field of rapid change and considerable research effort.

Definition: Cryptography is associated with the process of converting ordinary plain text into unintelligible text and vice-versa. It is a method of storing and transmitting data in a particular form so that only those for whom it is intended can read and process it. Cryptography not only protects data from theft or alteration, but can also be used for user authentication.

5.1 SYMMETRIC-KEY ENCRYPTION

Encryption transforms a message in such a way that it becomes unintelligible to any party that does not have the secret of how to reverse the transformation.
The sender applies an encryption function to the original plaintext message, resulting in a ciphertext message that is sent over the network, as shown in Figure 5.1. The receiver applies a secret decryption function, the inverse of the encryption function, to recover the original plaintext. The ciphertext transmitted across the network is unintelligible to any eavesdropper, assuming the eavesdropper doesn't know the decryption function. The transformation represented by an encryption function and its corresponding decryption function is called a cipher.

[Figure 5.1: Secret-key encryption and decryption: plaintext, encrypt, ciphertext sent over the network, decrypt, plaintext]

The encryption and decryption functions should be parameterized by a key, and furthermore the functions should be considered public knowledge; only the key need be secret. Thus, the ciphertext produced for a given plaintext message depends on both the encryption function and the key.

5.1.2 SYMMETRIC-KEY CIPHERS

In a symmetric-key cipher, both participants in a communication share the same key. In other words, if a message is encrypted using a particular key, the same key is required for decrypting the message. If the cipher illustrated in Figure 5.1 were a symmetric-key cipher, then the encryption and decryption keys would be identical. Symmetric-key ciphers are also known as secret-key ciphers since the shared key must be known only to the participants.

Most ciphers are block ciphers; they are defined to take as input a plaintext block of a certain fixed size, typically 64 to 128 bits. Using a block cipher to encrypt each block independently is known as electronic codebook (ECB) mode encryption. ECB has the weakness that a given plaintext block value will always result in the same ciphertext block.

[Figure 5.2: Cipher block chaining (CBC): plaintext block 1 is XORed with the initialization vector, each later plaintext block with the previous ciphertext block, before encryption]
Hence, recurring block values in the plaintext are recognizable as such in the ciphertext, making it much easier for a cryptanalyst to break the cipher. To prevent this, block ciphers are always augmented to make the ciphertext for a block vary depending on context. Ways in which a block cipher may be augmented are called modes of operation. A common mode of operation is cipher block chaining (CBC), in which each plaintext block is XORed with the previous block's ciphertext before being encrypted. The result is that each block's ciphertext depends in part on the preceding blocks (i.e., on its context). Since the first plaintext block has no preceding block, it is XORed with a random number. That random number, called an initialization vector (IV), is included with the series of ciphertext blocks so that the first ciphertext block can be decrypted. This mode is illustrated in Figure 5.2. Note that CBC provides confidentiality only; it does not by itself detect tampering with the ciphertext or the IV, so in practice it is paired with an integrity mechanism.

Data Encryption Standard (DES)

The U.S. National Institute of Standards and Technology (NIST) has issued standards for a series of symmetric-key ciphers. The first was the Data Encryption Standard (DES). DES keys have 56 independent bits (although they have 64 bits in total; the last bit of every byte is a parity bit), which is now too small given current processor speeds. On average, you would have to search half of the space of 2^56 possible keys to find the right one. That may sound like a lot, but such a search is highly parallelizable, so it's possible to throw as many computers at the task as you can get your hands on, and these days it's easy to lay your hands on thousands of computers.
By the late 1990s, it was already possible to recover a DES key after a few hours. Consequently, NIST updated the DES standard in 1999 to indicate that DES should only be used for legacy systems. NIST also standardized the cipher Triple DES (3DES), which leverages the cryptanalysis resistance of DES while in effect increasing the key size. A 3DES key has 168 (= 3 × 56) independent bits, and is used as three DES keys. Although 3DES solves DES's key-length problem, it inherits some other shortcomings: software implementations of DES/3DES are slow, and the 64-bit block is small by modern standards. NIST has since deprecated 3DES as well.

3DES is being superseded by the Advanced Encryption Standard (AES) issued by NIST in 2001. AES supports key lengths of 128, 192, or 256 bits, and the block length is 128 bits. AES permits fast implementations in both software and hardware. It doesn't require much memory, which makes it suitable for small mobile devices. AES has some mathematically proven security properties and, as of the time of writing, has not suffered from any significant successful attacks.

5.1.3 PUBLIC-KEY CIPHERS

An alternative to symmetric-key ciphers is asymmetric, or public-key, ciphers. Instead of a single key shared by two participants, a public-key cipher uses a pair of related keys, one for encryption and a different one for decryption. The pair of keys is "owned" by just one participant. The owner keeps the decryption key secret so that only the owner can decrypt messages; that key is called the private key. The owner makes the encryption key public, so that anyone can encrypt messages for the owner; that key is called the public key.

An important additional property of public-key ciphers is that the private "decryption" key can be used with the encryption algorithm to encrypt messages so that they can only be decrypted using the public "encryption" key.
This property clearly wouldn't be useful for confidentiality since anyone with the public key could decrypt such a message. This property is, however, useful for authentication since it tells the receiver of such a message that it could only have been created by the owner of the keys. This is illustrated in Figure 8.4. It should be clear from the figure that anyone with the public key can decrypt the encrypted message, and, assuming that the result of the decryption matches the expected result, it can be concluded that the private key must have been used to perform the encryption.

[Figure 8.4: Authentication using public keys: the owner encrypts with the private key; anyone holding the public key can decrypt and check the result]

Table 5.1: Differences between symmetric-key cipher and asymmetric-key cipher

    Basis for comparison | Symmetric encryption                                  | Asymmetric encryption
    Basic                | uses a single key for both encryption and decryption  | uses different keys for encryption (public key) and decryption (private key)
    Performance          | fast in execution                                     | slow in execution due to the high computational burden
    Algorithms           | DES, 3DES, AES, and RC4                               | Diffie-Hellman, RSA
    Purpose              | often used for bulk data transmission                 | often used for securely exchanging secret keys
    Topology             | owner and user can encrypt as well as decrypt         | anyone can encrypt but only the owner can decrypt

Of the symmetric algorithms listed, DES and RC4 are broken and should not be used in new systems.

5.2 FIREWALL

A firewall is a system that typically sits at some point of connectivity between a site it protects and the rest of the network, as illustrated in Figure 5.5. It is usually implemented as an "appliance" or part of a router, although a "personal firewall" may be implemented on an end user machine.
Firewall-based security depends on the firewall being the only connectivity to the site from outside; there should be no way to bypass the firewall via other gateways, wireless connections, or dial-up connections.

[Figure 5.5: A firewall sits between the site it protects and the rest of the Internet]

One way to think of a firewall is that by default it blocks traffic unless that traffic is specifically allowed to pass through. For example, it might filter out all incoming messages except those addressed to a particular set of IP addresses or to particular TCP port numbers.

A firewall divides a network into a more-trusted zone internal to the firewall and a less-trusted zone external to the firewall. This is useful if you do not want external users to access a particular host or service within your site. Much of the complexity comes from the fact that you want to allow different kinds of access to different external users, ranging from the general public, to business partners, to remotely located members of your organization. A firewall may also impose restrictions on outgoing traffic to prevent certain attacks and to limit losses if an adversary succeeds in getting access inside the firewall.

Firewalls may be used to create multiple zones of trust, such as a hierarchy of increasingly trusted zones. A common arrangement involves three zones of trust: the internal network, the DMZ ("demilitarized zone"), and the rest of the Internet. The DMZ is used to hold services such as DNS and email servers that need to be accessible to the outside. Both the internal network and the outside world can access the DMZ, but hosts in the DMZ cannot access the internal network; therefore, an adversary who succeeds in compromising a host in the exposed DMZ still cannot access the internal network. The DMZ can be periodically restored to a clean state.

Firewalls filter based on IP, TCP, and UDP information, among other things.
They are configured with a table of addresses that characterize the packets they will, and will not, forward. By addresses, we mean more than just the destination's IP address, although that is one possibility. Generally, each entry in the table is a 4-tuple: it gives the IP address and TCP (or UDP) port number for both the source and destination.

For example, a firewall might be configured to filter out (not forward) all packets that match the following description:

    (192.12.13.14, 1234, 128.7.6.5, 80)

This pattern says to discard all packets from port 1234 on host 192.12.13.14 addressed to port 80 on host 128.7.6.5. (Port 80 is the well-known TCP port for HTTP.) Of course, it's often not practical to name every source host whose packets you want to filter, so the patterns can include wildcards. For example,

    (*, *, 128.7.6.5, 80)

says to filter out all packets addressed to port 80 on 128.7.6.5, regardless of what source host or port sent the packet.

Stateless firewalls are designed to protect networks based on static information such as source and destination. Whereas stateful firewalls filter packets based on the full context of a given network connection, stateless firewalls filter packets based on the individual packets themselves. A stateful firewall is a firewall that monitors the full state of active network connections. This means that stateful firewalls are constantly analyzing the complete context of traffic and data packets seeking entry to a network, rather than discrete traffic and data packets in isolation. Once a certain kind of traffic has been approved by a stateful firewall, it is added to a state table and can travel more freely into the protected network. Traffic and data packets that don't successfully complete the required handshake will be blocked.
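To make the 4-tuple rules and the stateless/stateful distinction concrete, here is an added Python example written for these notes (not from the textbook or from any firewall product). It encodes the two patterns above as rules with "*" wildcards, adds a hypothetical third rule admitting mail to 128.7.6.5 on port 25, and contrasts a stateless decision function with a minimal stateful one that records outbound connections opened from inside the site (assumed here to be the 128.7.0.0/16 block) and admits inbound packets only when they answer one. The packets, including the 203.0.113.10 web server, are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False   # True on the TCP segment that opens a connection

def _matches(pattern, value) -> bool:
    # "*" is a wildcard for any field of the 4-tuple.
    return pattern == "*" or pattern == value

def stateless_decision(rules, pkt: Packet, default: str = "allow") -> str:
    """Stateless filter: each packet is judged on its own 4-tuple
    (src_ip, src_port, dst_ip, dst_port); the first matching rule wins."""
    for (src_ip, src_port, dst_ip, dst_port), action in rules:
        if (_matches(src_ip, pkt.src_ip) and _matches(src_port, pkt.src_port)
                and _matches(dst_ip, pkt.dst_ip) and _matches(dst_port, pkt.dst_port)):
            return action
    return default

class StatefulFirewall:
    """Stateful filter: inbound packets are allowed only if they answer a
    connection that a host inside the protected network opened first."""

    def __init__(self, inside_prefix: str):
        self.inside_prefix = inside_prefix   # e.g. "128.7." for the site's address block
        self.table = set()                   # (inside_ip, inside_port, outside_ip, outside_port)

    def _inside(self, ip: str) -> bool:
        return ip.startswith(self.inside_prefix)

    def decide(self, pkt: Packet) -> str:
        if self._inside(pkt.src_ip) and not self._inside(pkt.dst_ip):
            if pkt.syn:   # record the connection the inside client is opening
                self.table.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return "allow"
        # Inbound: allow only if it is a reply to a recorded connection.
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return "allow" if key in self.table else "deny"

# The two patterns from the text, plus a hypothetical rule letting mail reach 128.7.6.5.
RULES = [
    (("192.12.13.14", 1234, "128.7.6.5", 80), "deny"),
    (("*", "*", "128.7.6.5", 80), "deny"),
    (("*", "*", "128.7.6.5", 25), "allow"),
]

# Constructed packets; 203.0.113.10 is a documentation address standing in for a web server.
CLIENT_SYN = Packet("128.7.6.200", 51000, "203.0.113.10", 80, syn=True)
REPLY = Packet("203.0.113.10", 80, "128.7.6.200", 51000)
UNSOLICITED = Packet("203.0.113.10", 80, "128.7.6.200", 51001)   # no client asked for this

def stateless_demo() -> list:
    return [stateless_decision(RULES, p) for p in (
        Packet("192.12.13.14", 1234, "128.7.6.5", 80),
        Packet("10.0.0.9", 40000, "128.7.6.5", 80),
        Packet("10.0.0.9", 40000, "128.7.6.5", 25),
    )]

def stateless_cannot_tell() -> tuple:
    # With no rule naming the client's ephemeral port, a stateless filter
    # treats the genuine reply and the unsolicited packet identically.
    return (stateless_decision(RULES, REPLY), stateless_decision(RULES, UNSOLICITED))

def stateful_demo() -> tuple:
    fw = StatefulFirewall("128.7.")
    return (fw.decide(CLIENT_SYN), fw.decide(REPLY), fw.decide(UNSOLICITED))
```

stateless_demo() returns ["deny", "deny", "allow"]; stateless_cannot_tell() returns ("allow", "allow"), since the reply and the unsolicited packet look alike to a per-packet filter; stateful_demo() returns ("allow", "allow", "deny"). A production stateful firewall also tracks the rest of the TCP handshake and expires idle entries; this table only records the opening SYN, which is exactly the memory an attacker exhausts in a SYN flood.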
By taking multiple factors into consideration before adding a type of connection to an approved list, such as the stage a TCP connection has reached, stateful firewalls are able to observe traffic streams in their entirety. However, this method of protection does come with a few vulnerabilities. For example, stateful firewalls can fall prey to DDoS attacks, because tracking every half-open connection costs memory and compute, and a flood of connection attempts can exhaust the state table.

Many client/server applications dynamically assign a port to the client. If a client inside a firewall initiates access to an external server, the server's response would be addressed to the dynamically assigned port. This poses a problem: how can a firewall be configured to allow an arbitrary server's response packet but disallow a similar packet for which there was no client request? This is not possible with a stateless firewall, which evaluates each packet in isolation. It requires a stateful firewall, which keeps track of the state of each connection. An incoming packet addressed to a dynamically assigned port would then be allowed only if it is a valid response in the current state of a connection on that port.

Modern firewalls also understand and filter based on many specific application-level protocols such as HTTP, Telnet, or FTP. They use information specific to that protocol, such as URLs in the case of HTTP, to decide whether to discard a message.

5.2.1 STRENGTHS AND WEAKNESSES OF FIREWALLS

While a firewall is an integral part of an organization's security architecture and plays a vital role in protection of assets, it has strengths and weaknesses too.

The strengths of a firewall:
• Helping to enforce the security and safety policies of an organization.
• Restricting access to specified services. Access can even be granted selectively based on authentication functionality.
• Their singularity of purpose, which means that companies need not make any compromises between usability and security.
• Their appraisal capacity, which results in an organization getting to know and monitor all the traffic that passes through its network.
• Being a notification system which can alert the people concerned about specific events.

The weaknesses of a firewall:
• An inability to fend off attacks from within the system that it is meant to protect. This could take the form of people granting unauthorized access to other users within the network, or social engineering assaults, or even an authorized user intent on malafide use of the network.
• It can only stop intrusions in the traffic that actually passes through it.
• It cannot circumvent poorly structured security policies or bad administrative practices. For instance, if a company has a very loosely knit policy on security and over-permissive rules, then a firewall cannot protect the data or the network.
• As long as a communication or transaction has been permitted, a firewall has no ability to protect the system against it. For instance, if a firewall has been built to allow emails to come through, it cannot detect a virus or a Trojan within that email.

Module 5b: Applications

This part of the chapter explores some of the most popular network applications available today. The best way to build effective networked applications is to understand the building blocks that a network can provide and how those blocks can interact with each other. Thus, for example, a particular networked application might need to make use of a reliable transport protocol, authentication and privacy mechanisms, and resource allocation capabilities of the underlying network. We proceed by examining a variety of familiar, and not so familiar, network applications.
These range from exchanging email and surfing the Web, to integrating applications across businesses, to multimedia applications like vic and vat, to managing a set of network elements, to emerging peer-to-peer and content distribution networks. This list is by no means exhaustive, but it does serve to illustrate many of the key principles of designing and building applications. Applications need to pick and choose the appropriate building blocks that are available at other layers, either inside the network or in the host protocol stacks, and then augment those underlying services to provide the precise communication service required by the application.

5.3 TRADITIONAL APPLICATIONS

We begin our discussion of applications by focusing on two of the most popular: the World Wide Web and email. Broadly speaking, both of these applications use the request/reply paradigm: users send requests to servers, which then respond accordingly. We refer to these as "traditional" applications because they typify the sort of applications that have existed since the early days of computer networks. This section looks at two very widely used, standardized application protocols:
• Simple Mail Transfer Protocol (SMTP) is used to exchange electronic mail.
• HyperText Transfer Protocol (HTTP) is used to communicate between web browsers and web servers.
We'll also look at how custom application protocols are defined in the Web Services architecture.

5.3.1 ELECTRONIC MAIL (SMTP, MIME, IMAP)

Email is one of the oldest network applications. Electronic mail, most commonly referred to as email, is a method of exchanging digital messages from an author to one or more recipients. Email operates across the Internet or other computer networks. It has three major components:
1. User agents
2. Mail servers
3. Protocols: SMTP, MIME, IMAP, RFC 822

User agent ("mail reader"):
• Composing, editing, and reading mail messages, e.g., Eudora, Outlook, elm, Mozilla Thunderbird.
• Outgoing and incoming messages are stored on the server.

Mail servers:
• The mailbox contains incoming messages for the user.
• A message queue holds outgoing (to be sent) mail messages.
• The SMTP protocol runs between mail servers to send email messages: the client is the sending mail server, the server is the receiving mail server.

SMTP [RFC 2821]:
• Uses TCP to reliably transfer an email message from client to server, on port 25.
• Direct transfer: sending server to receiving server.
• Messages must be in 7-bit ASCII.

[Figure: Mail architecture: user agent, message transfer agent, message transfer agent, user agent; 1: mail submission, 2: message transfer, 3: final delivery]

• The user agent is a program that provides a graphical interface, or sometimes a text- and command-based interface, that lets users interact with the email system.
• It includes a means to compose messages and replies to messages, display incoming messages, and organize messages by filing, searching, and discarding them.
• The act of sending new messages into the mail system for delivery is called mail submission.
• The message transfer agents are typically system processes. They run in the background on mail server machines and are intended to be always available. Their job is to automatically move email through the system from the originator to the recipient with SMTP (Simple Mail Transfer Protocol). This is the message transfer step.
• Message transfer agents also implement mailing lists, in which an identical copy of a message is delivered to everyone on a list of email addresses.
• Other advanced features are carbon copies, blind carbon copies, high-priority email, secret (i.e., encrypted) email, alternative recipients if the primary one is not currently available, and the ability for assistants to read and answer their bosses' email.
• Linking user agents and message transfer agents are the concepts of mailboxes and a standard format for email messages. Mailboxes store the email that is received for a user. They are maintained by mail servers. User agents simply present users with a view of the contents of their mailboxes.
• To do this, the user agents send the mail servers commands to manipulate the mailboxes, inspecting their contents, deleting messages, and so on. The retrieval of mail is the final delivery.

As noted above, it is important (1) to distinguish the user interface (i.e., your mail reader) from the underlying message transfer protocols (such as SMTP or IMAP), and (2) to distinguish between this transfer protocol and a companion protocol (RFC 822 and MIME) that defines the format of the messages being exchanged. We start by looking at the message format.

[Figure: Components of email: message format (RFC 822, MIME); message transfer (SMTP); mail reader (IMAP, POP)]

Message format

By 1977, the Arpanet employed several informal standards for the text messages (mail) sent among its host computers. The result of the effort to unify them was Request for Comments (RFC) 822. RFC 822 defines messages to have two parts: a header and a body. Both parts are represented in ASCII text. Originally, the body was assumed to be simple text. This is still the case, although RFC 822 has been augmented by MIME to allow the message body to carry all sorts of data. The header fields contain information about the message, such as the sender, the recipient, and the subject. The message header is a series of CRLF-terminated lines.
If a message body is included, it is separated from the header fields by an empty line (CRLF). The following example illustrates a message in the RFC 822 message format:

    From: [email protected]
    To: [email protected]
    Subject: An RFC 822 formatted message
    Date: Sat, 01 Jun 2019 19:45:19 -0400

    This is the plain text body of the message. Note the blank line between the header information and the body of the message.

RFC 822 was extended in 1993 to allow email messages to carry many different types of data: audio, video, images, PDF documents, and so on. MIME consists of three basic pieces. The first piece is a collection of header lines that augment the original set defined by RFC 822. These header lines describe, in various ways, the data being carried in the message body. They include MIME-Version: (the version of MIME being used), Content-Description: (a human-readable description of what's in the message), Content-Type: (the type of data contained in the message), and Content-Transfer-Encoding: (how the data in the message body is encoded).

The second piece is definitions for a set of content types and subtypes. For example, MIME defines image types, denoted image/gif and image/jpeg, each with the obvious meaning; similarly text/plain and text/richtext. MIME defines an application type, where the subtypes correspond to the output of different application programs (e.g., application/postscript and application/msword). MIME also defines a multipart type that says how a message carrying more than one data type is structured. The third piece is a way to encode the various data types so that they can be shipped in an ASCII email message.

Example:

    MIME-Version: 1.0
    Content-Type: multipart/mixed; boundary="-------417CA6E2DE4ABCAFBC5"
    From: Alice Smith
    To: [email protected]
    Subject: promised material
    Date: Mon, 07 Sep 1998 19:45:19 -0400

    ---------417CA6E2DE4ABCAFBC5
    Content-Type: text/plain; charset=us-ascii
    Content-Transfer-Encoding: 7bit

    Bob,
    Here's the jpeg image and draft report I promised.
    --Alice

    ---------417CA6E2DE4ABCAFBC5
    Content-Type: image/jpeg
    Content-Transfer-Encoding: base64

    ... unreadable encoding of a jpeg figure
    ---------417CA6E2DE4ABCAFBC5
    Content-Type: application/postscript; name="draft.ps"
    Content-Transfer-Encoding: 7bit

    ... readable encoding of a PostScript document
    ---------417CA6E2DE4ABCAFBC5--

Message Transfer

For many years, the majority of email was moved from host to host using only SMTP. While SMTP continues to play a central role, it is now just one email protocol of several, Internet Message Access Protocol (IMAP) and Post Office Protocol (POP) being two other important protocols for retrieving mail messages.

[Figure: Mail transfer from Alice's user agent via SMTP across the LAN/WAN to the recipient's mail server]

To place SMTP in the right context, we need to identify the key players. First, users interact with a mail reader when they compose, file, search, and read their email. Countless mail readers are available, just like there are many web browsers to choose from. Second, there is a mail daemon (or process) running on each host that holds a mailbox. You can think of this process, also called a message transfer agent (MTA), as playing the role of a post office: users (or their mail readers) give the daemon messages they want to send to other users, the daemon uses SMTP running over TCP to transmit the message to a daemon running on another machine, and the daemon puts incoming messages into the user's mailbox (where that user's mail reader can later find them). While it is certainly possible that the MTA on a sender's machine establishes an SMTP/TCP connection to the MTA on the recipient's mail server, in many cases the mail traverses one or more mail gateways on its route from the sender's host to the receiver's host.
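The message above can be built and parsed with Python's standard email package, which is what the added example below does (written for these notes, not taken from the textbook). It composes the same three parts, checks that the result is pure 7-bit ASCII as SMTP requires, lists each part's Content-Type and Content-Transfer-Encoding, and decodes an attachment back to its original bytes. The addresses and the JPEG and PostScript payloads are constructed stand-ins, and the library generates its own boundary string rather than the one shown above.

```python
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Constructed sample payloads (not real files). The JPEG stand-in contains
# bytes above 0x7F, so it cannot travel as 7-bit ASCII without encoding.
JPEG = b"\xff\xd8\xff\xe0" + bytes(range(256))
POSTSCRIPT = b"%!PS-Adobe-3.0\n/Helvetica findfont 12 scalefont setfont\nshowpage\n"

def build_message(jpeg: bytes, postscript: bytes) -> bytes:
    # Compose the multipart/mixed message: a text part and two attachments.
    msg = EmailMessage()
    msg["From"] = "Alice Smith <alice@example.com>"   # constructed addresses
    msg["To"] = "bob@example.com"
    msg["Subject"] = "promised material"
    msg["Date"] = "Mon, 07 Sep 1998 19:45:19 -0400"
    msg.set_content("Bob,\nHere's the jpeg image and draft report I promised.\n--Alice\n")
    # Binary data defaults to base64; the ASCII PostScript is sent as 7bit, as in the text.
    msg.add_attachment(jpeg, maintype="image", subtype="jpeg", filename="figure.jpg")
    msg.add_attachment(postscript, maintype="application", subtype="postscript",
                       filename="draft.ps", cte="7bit")
    return msg.as_bytes()

def is_seven_bit_clean(raw: bytes) -> bool:
    # SMTP carries 7-bit ASCII; Content-Transfer-Encoding is what makes binary fit.
    return all(b < 0x80 for b in raw)

def summarize(raw: bytes) -> tuple:
    """Return (subject, boundary, [(content type, transfer encoding, filename), ...])."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    parts = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue   # the container itself; its boundary separates the parts
        parts.append((part.get_content_type(),
                      str(part["Content-Transfer-Encoding"]).lower(),
                      part.get_filename()))
    return str(msg["Subject"]), msg.get_boundary(), parts

def attachment_bytes(raw: bytes, filename: str) -> bytes:
    # Decode one attachment (base64 or 7bit) back to the bytes the sender attached.
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    for part in msg.iter_attachments():
        if part.get_filename() == filename:
            return part.get_content()
    raise KeyError(filename)
```

summarize(build_message(JPEG, POSTSCRIPT)) lists text/plain as 7bit, image/jpeg as base64 and application/postscript as 7bit, and attachment_bytes() returns the original JPEG bytes after base64 decoding. Note that the parser trusts the headers; a receiving MTA or mail reader should treat Content-Type and filename as attacker-controlled and not use them to decide how an attachment is executed.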
[Figure 5.5: Sequence of mail gateways used to forward an email message: sender's MTA, SMTP/TCP, mail gateway, SMTP/TCP, receiver's MTA]

Mail Reader

The final step is for the user to actually retrieve his or her messages from the mailbox, read them, reply to them, and possibly save a copy for future reference. IMAP is similar to SMTP in many ways. It is a client/server protocol running over TCP, where the client (running on the user's desktop machine) issues commands in the form of CRLF-terminated ASCII text lines and the mail server (running on the machine that maintains the user's mailbox) responds in kind. The exchange begins with the client authenticating him- or herself and identifying the mailbox he or she wants to access. This can be represented by the simple state transition diagram shown in Figure 5.6.

[Figure 5.6: IMAP state transition diagram]
Transitions in the diagram:
(1) Connection without preauthentication (OK greeting)
(2) Preauthenticated connection (PREAUTH greeting)
(3) Rejected connection (BYE greeting)
(4) Successful LOGIN or AUTHENTICATE command
(5) Successful SELECT or EXAMINE command
(6) CLOSE command, or failed SELECT or EXAMINE command
(7) LOGOUT command, server shutdown, or connection closed

5.3.2 WORLD WIDE WEB (HTTP)

The World Wide Web has been enormously successful and has made the Internet accessible to a great many people. The original goal of the Web was to find a way to organize and retrieve information, drawing on ideas about hypertext (interlinked documents) that had been around since at least the 1960s. The core idea of hypertext is that one document can link to another document, and the protocol (HTTP) and document language (HTML) were designed to meet that goal. The Hypertext Transfer Protocol (HTTP) is an application-level protocol for distributed, collaborative, hypermedia information systems. It has been the foundation for data communication on the World Wide Web since 1990.
When you ask your browser to view a page, your browser (the client) fetches the page from the server using HTTP running over TCP. Like SMTP, HTTP is a text-oriented protocol. At its core, HTTP is a request/response protocol, where every message has the general form

START_LINE
MESSAGE_HEADER
MESSAGE_BODY

HTTP Request Structure from Client

A simple request message from a client computer consists of the following components:

Operation   Description
OPTIONS     Request information about available options
GET         Retrieve document identified in URL
HEAD        Retrieve metainformation about document identified in URL
POST        Give information (e.g., annotation) to server
PUT         Store document under specified URL
DELETE      Delete specified URL
TRACE       Loopback request message
CONNECT     For use by proxies

• A request line to get a required resource; for example the request GET /content/page1.html is requesting a resource called /content/page1.html from the server.
• Headers (Example: Accept-Language: EN).
• An empty line.
• A message body, which is optional.

All the lines should end with a carriage return and line feed. The empty line should contain only a carriage return and line feed, without any spaces.

Example: Suppose you want to open a page "home.html" from the site "yoursite.com". Below is how the request from the client browser should look to get the "home.html" page from "yoursite.com".

HTTP Request Structure
GET /home.html HTTP/1.1
Host: www.yoursite.com

HTTP Response Structure from Web Server

A simple response from the server contains the following components:

• HTTP Status Code (for example HTTP/1.1 301 Moved Permanently means the requested resource was permanently moved and is redirecting to some other resource).
• Headers (Example: Content-Type: html).
• An empty line.
• A message body, which is optional.

Code   Type            Example reasons
1xx    Informational   request received, continuing process
2xx    Success         action successfully received, understood, and accepted
3xx    Redirection     further action must be taken to complete the request
4xx    Client Error    request contains bad syntax or cannot be fulfilled
5xx    Server Error    server failed to fulfill an apparently valid request

All the lines in the server response should end with a carriage return and line feed. Similar to the request, the empty line in a response should also contain only a carriage return and line feed, without any spaces.

HTTP Response Structure
HTTP/1.1 200 OK
Date: Sun, 28 Jul 2013 15:37:37 GMT
Server: Apache
Last-Modified: Sun, 7 Jul 2013 06:13:43 GMT
Transfer-Encoding: chunked
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

Webpage Content

Chunked transfer encoding is a method in which the server responds with data in chunks; it is used in place of the Content-Length header. The communication is stopped when a zero-length chunk is received. This method is used in HTTP version 1.1.

Uniform Resource Identifiers

The URLs that HTTP uses as addresses are one type of Uniform Resource Identifier (URI). A URI is a character string that identifies a resource, where a resource can be anything that has identity, such as a document, an image, or a service. The format of URIs allows various more specialized kinds of resource identifiers to be incorporated into the URI space of identifiers.
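The framing rules just stated (every line ends in CRLF, the empty line closes the header block, a body is delimited either by Content-Length or by chunks ending in a zero-size chunk) are what a server or proxy must enforce to know where one message ends and the next begins. The following is an added example, not code from the notes: a strict parser for the request shown above, a function that decides how the body is framed and refuses a message that carries both Content-Length and Transfer-Encoding (two parsers in the path could otherwise disagree about the message boundary), and a decoder for a chunked body. The sample request and chunked body are constructed.

```python
"""Strict HTTP/1.1 message framing, added as an example (not the notes' own code).
parse_request() applies the CRLF rules stated in the notes, framing() decides the
body length, decode_chunked() consumes a chunked body up to the zero-size chunk.
Sample messages are constructed."""
CRLF = b"\r\n"
HEX_DIGITS = b"0123456789abcdefABCDEF"


def parse_request(raw: bytes):
    """Return (method, target, version, headers, body) or raise ValueError."""
    head, sep, body = raw.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("header block not terminated by an empty CRLF line")
    lines = head.split(CRLF)
    if any(b"\n" in line or b"\r" in line for line in lines):
        raise ValueError("bare CR or LF inside header block")   # parsers disagree on these
    parts = lines[0].decode("ascii").split(" ")
    if len(parts) != 3 or parts[2] not in ("HTTP/1.0", "HTTP/1.1"):
        raise ValueError("malformed request line")
    method, target, version = parts
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.decode("latin-1").partition(":")
        if not colon or not name or name != name.rstrip():
            raise ValueError(f"malformed header line {line!r}")   # e.g. space before colon
        key = name.lower()
        if key in headers and key in ("content-length", "transfer-encoding", "host"):
            raise ValueError(f"duplicate {key} header")
        headers[key] = value.strip()
    if version == "HTTP/1.1" and "host" not in headers:
        raise ValueError("HTTP/1.1 request without Host")
    return method, target, version, headers, body


def framing(headers):
    """Body length after the empty line: an int, or the string 'chunked'.
    Content-Length together with Transfer-Encoding is refused outright."""
    has_cl, has_te = "content-length" in headers, "transfer-encoding" in headers
    if has_cl and has_te:
        raise ValueError("both Content-Length and Transfer-Encoding present")
    if has_te:
        if headers["transfer-encoding"].lower() != "chunked":
            raise ValueError("unsupported transfer coding")
        return "chunked"
    if has_cl:
        cl = headers["content-length"]
        if not (cl.isascii() and cl.isdigit()):
            raise ValueError("Content-Length is not a non-negative integer")
        return int(cl)
    return 0


def decode_chunked(data: bytes) -> bytes:
    """Decode 'hex-size CRLF chunk CRLF ... 0 CRLF CRLF' into the body bytes."""
    out, pos = bytearray(), 0
    while True:
        end = data.find(CRLF, pos)
        if end < 0:
            raise ValueError("truncated chunk-size line")
        size_field = data[pos:end].split(b";")[0].strip()    # drop any chunk extension
        if not size_field or any(c not in HEX_DIGITS for c in size_field):
            raise ValueError(f"bad chunk size {size_field!r}")
        size, pos = int(size_field, 16), end + 2
        if size == 0:                                        # zero-length chunk ends the body
            if data[pos:pos + 2] != CRLF:
                raise ValueError("missing CRLF after last chunk")   # trailers not modelled
            return bytes(out)
        chunk = data[pos:pos + size]
        if len(chunk) < size or data[pos + size:pos + size + 2] != CRLF:
            raise ValueError("chunk shorter than declared or not CRLF-terminated")
        out += chunk
        pos += size + 2


def is_rejected(func, *args) -> bool:
    """True if the parser refuses the input (used for the negative cases)."""
    try:
        func(*args)
    except ValueError:
        return True
    return False


# Constructed samples: the request from the notes, plus a chunked response body.
SAMPLE_REQUEST = (b"GET /home.html HTTP/1.1\r\nHost: www.yoursite.com\r\n"
                  b"Accept-Language: EN\r\n\r\n")
SAMPLE_CHUNKED = b"6\r\n<html>\r\n2\r\nOK\r\n7\r\n</html>\r\n0\r\n\r\n"

if __name__ == "__main__":
    print(parse_request(SAMPLE_REQUEST)[:4])
    print(decode_chunked(SAMPLE_CHUNKED))
    print(is_rejected(framing, {"content-length": "5", "transfer-encoding": "chunked"}))
```

A lenient parser that accepted bare LF line endings or picked one of two conflicting length headers would still "work" on well-formed traffic; the strictness only matters when a client in front of a proxy is trying to make the two disagree.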
The first part of a URI is a scheme that names a particular way of identifying a certain kind of resource, such as mailto for email addresses or file for file names. The second part of a URI, separated from the first part by a colon, is the scheme-specific part. It is a resource identifier consistent with the scheme in the first part, as in the URIs mailto:[email protected] and file:///C:/foo.html.

TCP Connections

The original version of HTTP (1.0) established a separate TCP connection for each data item retrieved from the server. It's not too hard to see how this was a very inefficient mechanism: connection setup and teardown messages had to be exchanged between the client and server even if all the client wanted to do was verify that it had the most recent copy of a page. Thus, retrieving a page that included some text and a dozen icons or other small graphics would result in 13 separate TCP connections being established and closed.

Figure 5.7 shows the sequence of events for fetching a page that has just a single embedded object. Colored lines indicate TCP messages, while black lines indicate the HTTP requests and responses. You can see two round trip times are spent setting up TCP connections while another two (at least) are spent getting the page and image. As well as the latency impact, there is also processing cost on the server to handle the extra TCP connection establishment and termination.

FIGURE 5.7 HTTP 1.0 behavior.

To overcome this situation, HTTP version 1.1 introduced persistent connections: the client and server can exchange multiple request/response messages over the same TCP connection. Persistent connections have many advantages. First, they obviously eliminate the connection setup overhead, thereby reducing the load on the server, the load on the network caused by the additional TCP packets, and the delay perceived by the user.
Second, because a client can send multiple request messages down a single TCP connection, TCP's congestion window mechanism is able to operate more efficiently. This is because it's not necessary to go through the slow start phase for each page. Figure 5.8 shows the transaction from Figure 5.7 using a persistent connection in the case where the connection is already open.

FIGURE 5.8 HTTP 1.1 behavior with persistent connections.

5.4 DNS (DOMAIN NAME SYSTEM)

• The "Domain Name System" is the mechanism by which Internet software translates names to attributes such as addresses and vice versa.
• An Internet service that translates domain names into IP addresses. Because domain names are alphabetic, they're easier to remember. The Internet, however, is really based on IP addresses. Every time you use a domain name, therefore, a DNS service must translate the name into the corresponding IP address.

There are 3 components:

• Name Space: Specifications for a structured name space and data associated with the names.
• Resolvers: Client programs that extract information from Name Servers.
• Name Servers: Server programs which hold information about the structure and the names.

DNS Name Space: The name space is the structure of the DNS database.

• Each node has a label: the root node has a null label, written as "".
• The DNS namespace is divided into non-overlapping zones. One possible way to divide the name space is shown below. Each circled zone contains some part of the tree.

[Figure: part of the DNS name space (generic and country top-level domains) divided into zones]

DNS Resolvers: A DNS resolver is a server that uses the DNS protocol to query for information from DNS servers. DNS resolvers communicate with either remote DNS servers or the DNS server program running on the local computer.

[Figure: Example of a resolver looking up a remote name in 10 steps.]
Step 1 shows the query that is sent to the local name server. The query contains the domain name sought, the type (A), and the class (IN). The next step is to start at the top of the name hierarchy by asking one of the root name servers. These name servers have information about each top-level domain. This is shown as step 2.

To contact a root server, each name server must have information about one or more root name servers. This information is normally present in a system configuration file that is loaded into the DNS cache when the DNS server is started. It is simply a list of NS records for the root and the corresponding A records. There are 13 root DNS servers, unimaginatively called a.root-servers.net through m.root-servers.net. Each root server could logically be a single computer.

The root name server is unlikely to know the address of a machine at UW, and probably does not know the name server for UW either. But it must know the name server for the edu domain, in which cs.washington.edu is located. It returns the name and IP address for that part of the answer in step 3.

The local name server then continues its quest. It sends the entire query to the edu name server (a.edu-servers.net). That name server returns the name server for UW. This is shown in steps 4 and 5. Closer now, the local name server sends the query to the UW name server (step 6). If the domain name being sought was in the English department, the answer would be found, as the UW zone includes the English department. But the Computer Science department has chosen to run its own name server. The query returns the name and IP address of the UW Computer Science name server (step 7). Finally, the local name server queries the UW Computer Science name server (step 8).
This server is authoritative for the domain cs.washington.edu, so it must have the answer. It returns the final answer (step 9), which the local name server forwards as a response to flits.cs.vu.nl (step 10). The name has been resolved.

There are three technical points to discuss about this long scenario. First, two different query mechanisms are at work. When the host flits.cs.vu.nl sends its query to the local name server, that name server handles the resolution on behalf of flits until it has the desired answer to return. It does not return partial answers. They might be helpful, but they are not what the query was seeking. This mechanism is called a recursive query.

DNS Name Servers

• Name servers store information about the name space in units called "zones".
• The name servers that load a complete zone are said to "have authority for" or "be authoritative for" the zone.
• Usually, more than one name server is authoritative for the same zone. This ensures redundancy and spreads the load.
• Also, a single name server may be authoritative for many zones.

[Figure: part of the DNS name space divided into zones (which are circled).]

5.5 SIMPLE NETWORK MANAGEMENT PROTOCOL (SNMP)

Simple Network Management Protocol (SNMP) is an application-layer protocol used to manage and monitor network devices and their functions. SNMP provides a common language for network devices to relay management information within single- and multivendor environments in a local area network (LAN) or wide area network (WAN). The most recent iteration of SNMP, version 3, includes security enhancements that authenticate and encrypt SNMP messages as well as protect packets during transit.
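The ten-step lookup walked through in Section 5.4 above (recursive query from the stub, iterative queries from the local name server to the root, edu, UW and CS servers) can be modelled in a few dozen lines. The following is an added example, not the notes' own code: the four authoritative servers hold constructed zone data, the local name server follows referrals until it has a complete answer (it never returns a partial one), caches the result, limits the number of referrals it will follow, and accepts a referral only for a zone below the one the answering server is authoritative for, so that no server on the path can redirect the lookup to a name outside its authority. Server names follow the text; the addresses are RFC 5737 documentation addresses, not those of the real servers.

```python
"""Toy model of the ten-step DNS lookup in Section 5.4, added as an example (not the
notes' own code). Zone data is constructed; addresses are documentation addresses."""

# Each authoritative server: the zone it is authoritative for and its records.
# An 'NS' record plus the matching 'A' glue delegates a child zone to another server.
SERVERS = {
    "198.51.100.1": {"zone": "", "records": {                     # a root server
        "edu": [("NS", "a.edu-servers.net")],
        "a.edu-servers.net": [("A", "198.51.100.2")]}},
    "198.51.100.2": {"zone": "edu", "records": {                  # a.edu-servers.net
        "washington.edu": [("NS", "ns.washington.edu")],
        "ns.washington.edu": [("A", "198.51.100.3")]}},
    "198.51.100.3": {"zone": "washington.edu", "records": {       # UW name server
        "english.washington.edu": [("A", "192.0.2.10")],          # English is inside the UW zone
        "cs.washington.edu": [("NS", "ns.cs.washington.edu")],    # CS runs its own server
        "ns.cs.washington.edu": [("A", "198.51.100.4")]}},
    "198.51.100.4": {"zone": "cs.washington.edu", "records": {    # CS name server
        "robot.cs.washington.edu": [("A", "192.0.2.40")]}},
}
ROOT_HINT = ("a.root-servers.net", "198.51.100.1")   # from the resolver's hints file


def is_subdomain(name, zone):
    return zone == "" or name == zone or name.endswith("." + zone)


def authoritative_query(server_ip, qname, qtype="A"):
    """One server's reply: ('answer', ip), ('referral', zone, ns, ns_ip), ('nxdomain',)
    or ('refused',) when the name is outside the zone it is authoritative for."""
    server = SERVERS[server_ip]
    if not is_subdomain(qname, server["zone"]):
        return ("refused",)
    for rtype, value in server["records"].get(qname, []):
        if rtype == qtype:
            return ("answer", value)
    labels = qname.split(".")                  # longest suffix first: find a delegation
    for i in range(len(labels)):
        zone = ".".join(labels[i:])
        for rtype, ns in server["records"].get(zone, []):
            if rtype == "NS":
                glue = [v for t, v in server["records"].get(ns, []) if t == "A"]
                return ("referral", zone, ns, glue[0] if glue else None)
    return ("nxdomain",)


class LocalNameServer:
    """Serves recursive queries from stubs by iterating through the hierarchy."""
    MAX_REFERRALS = 10      # hop limit so a looping delegation cannot spin forever

    def __init__(self):
        self.cache = {}

    def resolve(self, qname):
        """Return (ip, queries): the final answer and the (server, reply kind) sequence."""
        queries = []
        if qname in self.cache:
            return self.cache[qname], queries
        server_ip, current_zone = ROOT_HINT[1], ""
        for _ in range(self.MAX_REFERRALS):
            reply = authoritative_query(server_ip, qname)
            queries.append((server_ip, reply[0]))
            if reply[0] == "answer":
                self.cache[qname] = reply[1]
                return reply[1], queries
            if reply[0] != "referral":
                raise LookupError(f"{qname}: {reply[0]} from {server_ip}")
            _, zone, _, ns_ip = reply
            # Bailiwick check: accept only a delegation strictly below the zone the
            # answering server is authoritative for; anything else could be a hijack.
            if ns_ip is None or zone == current_zone or not is_subdomain(zone, current_zone):
                raise LookupError(f"bad referral to {zone!r} from {server_ip}")
            server_ip, current_zone = ns_ip, zone
        raise LookupError("too many referrals")


def lookup_fails(resolver, qname) -> bool:
    try:
        resolver.resolve(qname)
    except LookupError:
        return True
    return False


if __name__ == "__main__":
    local = LocalNameServer()
    print(local.resolve("robot.cs.washington.edu"))   # four queries: root, edu, UW, CS
    print(local.resolve("robot.cs.washington.edu"))   # served from cache, no queries
    print(local.resolve("english.washington.edu"))    # answered by the UW server itself
```

The query list for robot.cs.washington.edu is exactly the right-hand side of the ten-step figure: a referral from each of the root, edu and UW servers, then an answer from the CS server, while the English department name is answered one hop earlier because it lies inside the UW zone.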
SNMP is supported on an extensive range of hardware, from conventional network equipment like routers, switches and wireless access points to endpoints like printers, scanners and Internet of Things (IoT) devices. In addition to hardware, SNMP can be used to monitor services such as Dynamic Host Configuration Protocol (DHCP). Software agents on these devices and services communicate with a network management system (NMS), also referred to as an SNMP manager, via SNMP to relay status information and configuration changes.

5.5.1 COMPONENTS OF SNMP

There are four main components in an SNMP-managed network:

1. SNMP agent: This program runs on the hardware or service being monitored, collecting data about various metrics like bandwidth use or disk space. When queried by the SNMP manager, the agent sends this information back to the management system. An agent may also proactively notify the NMS if an error occurs. Most devices come with an SNMP agent preinstalled; it typically just needs to be turned on and configured.
2. SNMP-managed devices and resources: These are the nodes on which an agent runs.
3. SNMP manager (aka NMS): This software platform functions as a centralized console to which agents feed information. It will actively request that agents send updates via SNMP at regular intervals. What a network manager can do with that information depends heavily on how feature-rich the NMS is. There are several free SNMP managers available, but they are typically limited in their capabilities or the number of nodes they can support. At the other end of the spectrum, enterprise-grade platforms offer advanced features for more complex networks, with some products supporting up to tens of thousands of nodes.
4. Management information base (MIB): This database is a text file (.mib) that itemizes and describes all objects used by a particular device that can be queried or controlled using SNMP. This database must be loaded into the NMS so that it can identify and monitor the status of these properties. Each MIB item is assigned an object identifier (OID).

5.5.2 HOW SNMP WORKS?

SNMP performs a multitude of functions, relying on a blend of push and pull communications between network devices and the management system. It can issue read or write commands, such as resetting a password or changing a configuration setting. It can report back how much bandwidth, CPU and memory are in use, with some SNMP managers automatically sending the administrator an email or text message alert if a predefined threshold is exceeded.

In most cases, SNMP functions in a synchronous model, with communication initiated by the SNMP manager and the agent sending a response. These commands and messages, typically transported over User Datagram Protocol (UDP) or Transmission Control Protocol/Internet Protocol (TCP/IP), are known as protocol data units (PDUs):

• GET: Generated by the SNMP manager and sent to an agent to obtain the value of a variable, identified by its OID, in an MIB.
• RESPONSE: Sent by the agent to the SNMP manager, issued in reply to a GET request. Contains the values of the requested variables.
• GETNEXT: Sent by the SNMP manager to the agent to retrieve the value of the next OID in the MIB's hierarchy.
• GETBULK: Sent by the SNMP manager to the agent to obtain large tables of data by performing multiple GETNEXT commands.
• SET: Sent by the SNMP manager to the agent to issue configurations or commands.
• TRAP: An asynchronous alert sent by the agent to the SNMP manager to indicate a significant event, such as an error or failure, has occurred.

1. What are the security threats in Internetworks?
2. Define Cryptography, Ciphertext.
3. With a neat diagram, discuss the working of symmetric-key encryption using CBC.
4. Write a short note on Data Encryption Standard (DES).
5. Bring out the relation between public-key ciphers and authenticators.
6. Write the difference between symmetric key cipher and asymmetric key cipher.
7. Elaborate the functions of a firewall. What is a stateful and a stateless firewall?
8. Narrate the strengths and weaknesses of firewalls.
9. Describe the working components of email.
10. Write the HTTP request and HTTP response message structure.
11. Indicate the improvement of HTTP 1.1 over HTTP 1.0.
12. Explain the working of DNS.
13. Write a short note on Simple Network Management Protocol.
14. Discuss the importance of each component in SNMP.
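The SNMP PDUs listed in Section 5.5.2 above, modelled as an added example (not the notes' own code and not a real SNMP implementation): an agent holds a small MIB keyed by OID and answers GET, GETNEXT, GETBULK and SET with RESPONSE PDUs, while a manager polls it, raises an alert when a polled value exceeds a threshold, and receives a TRAP the agent sends when an interface is administratively taken down. Two details carry most of the learning: OIDs must be ordered component by component as integers (a string sort would put ...10.x before ...7.x and break every GETNEXT walk), and a SET is checked against the MIB's read-only objects before anything is written, so a batch that touches one read-only object changes nothing at all. The OIDs under 1.3.6.1.2.1 (mib-2) are real standard identifiers; the values, thresholds and the dict-shaped PDUs are constructed for this model.

```python
"""In-memory model of SNMP GET/GETNEXT/GETBULK/SET/RESPONSE/TRAP, added as an example
(not the notes' own code, not a real SNMP stack). OIDs are standard mib-2 ones; the
values are constructed and dicts stand in for the BER-encoded PDUs."""

SYS_DESCR = "1.3.6.1.2.1.1.1.0"          # read-only
SYS_NAME = "1.3.6.1.2.1.1.5.0"           # read-write
IF_ADMIN_STATUS = "1.3.6.1.2.1.2.2.1.7"  # .ifIndex, read-write: up(1) / down(2)
IF_IN_OCTETS = "1.3.6.1.2.1.2.2.1.10"    # .ifIndex, read-only counter

SAMPLE_MIB = {                            # constructed values
    SYS_DESCR: "example router", SYS_NAME: "rtr1",
    IF_ADMIN_STATUS + ".9": 1, IF_ADMIN_STATUS + ".10": 1,
    IF_IN_OCTETS + ".9": 123456, IF_IN_OCTETS + ".10": 9876543,
}


def oid_key(oid):
    """Order OIDs numerically per component: ...7.9 < ...10.9, although '10' < '7' as text."""
    return tuple(int(part) for part in oid.split("."))


class Agent:
    def __init__(self, mib, writable, trap_sink):
        self.mib = mib                    # {oid: value}
        self.writable = set(writable)     # objects whose MIB MAX-ACCESS allows SET
        self.trap_sink = trap_sink        # manager callback receiving TRAP PDUs

    def _next(self, oid):
        for candidate in sorted(self.mib, key=oid_key):
            if oid_key(candidate) > oid_key(oid):
                return candidate
        return None

    def handle(self, pdu):
        """Answer one manager PDU with a RESPONSE PDU."""
        kind = pdu["type"]
        if kind == "GET":
            return {"type": "RESPONSE", "varbinds":
                    [(oid, self.mib.get(oid, "noSuchObject")) for oid in pdu["oids"]]}
        if kind == "GETNEXT":
            out = []
            for oid in pdu["oids"]:
                nxt = self._next(oid)
                out.append((nxt, self.mib[nxt]) if nxt else (oid, "endOfMibView"))
            return {"type": "RESPONSE", "varbinds": out}
        if kind == "GETBULK":             # up to max-repetitions GETNEXTs in one PDU
            out, oid = [], pdu["oids"][0]
            for _ in range(pdu["max_repetitions"]):
                oid = self._next(oid)
                if oid is None:
                    break
                out.append((oid, self.mib[oid]))
            return {"type": "RESPONSE", "varbinds": out}
        if kind == "SET":                 # all-or-nothing: validate everything first
            for oid, _ in pdu["varbinds"]:
                if oid not in self.mib:
                    return {"type": "RESPONSE", "error": "noSuchName", "varbinds": []}
                if oid not in self.writable:
                    return {"type": "RESPONSE", "error": "notWritable", "varbinds": []}
            for oid, value in pdu["varbinds"]:
                self.mib[oid] = value
                if oid.startswith(IF_ADMIN_STATUS + ".") and value == 2:
                    self.trap_sink({"type": "TRAP", "event": "linkDown",
                                    "varbinds": [(oid, value)]})
            return {"type": "RESPONSE", "varbinds": list(pdu["varbinds"])}
        return {"type": "RESPONSE", "error": "genErr", "varbinds": []}


class Manager:
    def __init__(self, thresholds):
        self.thresholds = thresholds      # {oid: limit}: alert when a polled value exceeds it
        self.traps, self.alerts = [], []

    def receive_trap(self, trap):         # asynchronous push from the agent
        self.traps.append(trap)

    def poll(self, agent):
        """Periodic pull: GET each thresholded OID and record values over the limit."""
        reply = agent.handle({"type": "GET", "oids": list(self.thresholds)})
        for oid, value in reply["varbinds"]:
            if isinstance(value, int) and value > self.thresholds[oid]:
                self.alerts.append((oid, value))
        return reply["varbinds"]

    @staticmethod
    def walk(agent, subtree):
        """GETNEXT walk over one subtree, stopping when the next OID leaves it."""
        rows, oid = [], subtree
        while True:
            (oid, value), = agent.handle({"type": "GETNEXT", "oids": [oid]})["varbinds"]
            if value == "endOfMibView" or not oid.startswith(subtree + "."):
                return rows
            rows.append((oid, value))


def build_pair():
    """Constructed manager/agent pair: ifInOctets.10 is thresholded at 1,000,000 octets."""
    manager = Manager(thresholds={IF_IN_OCTETS + ".10": 1_000_000})
    agent = Agent(dict(SAMPLE_MIB),
                  writable=[SYS_NAME, IF_ADMIN_STATUS + ".9", IF_ADMIN_STATUS + ".10"],
                  trap_sink=manager.receive_trap)
    return manager, agent


if __name__ == "__main__":
    manager, agent = build_pair()
    print(Manager.walk(agent, IF_IN_OCTETS))
    print(agent.handle({"type": "SET", "varbinds": [(SYS_DESCR, "x")]}))
    print(agent.handle({"type": "SET", "varbinds": [(IF_ADMIN_STATUS + ".9", 2)]}), manager.traps)
    print(manager.poll(agent), manager.alerts)
```

In a real deployment the SET path is the one that deserves the most care: which objects are writable is decided by the MIB and the agent's access configuration, and with SNMPv3 the request is also authenticated before it is evaluated.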
