while they are there (authorize), and what actions they performed while accessing the
network (accounting).
Authentication - a way to control who can access a network; it is usually established
using username and password combinations.
Cryptography
Cryptography is a method used for secure communication. The sender converts the plain
text to cipher text (a secure code) and sends it to the receiver; when it is received by
the authorized receiver, the cipher text is converted back to plain text by using a key.
Cryptography provides:
1. Confidentiality / Privacy:- Ensuring that no one can read the message except the
intended receiver.
2. Integrity:- Assuring the receiver that the received message has not been altered.
3. Authentication:- The process of proving one's identity.
4. Non-repudiation:- A mechanism to prove that the sender really sent this message.
Types of cryptography:
i) Symmetric cryptography
ii) Asymmetric cryptography
iii) Hash
Types of symmetric cipher:
i) Stream cipher
ii) Block cipher
Stream ciphers operate on a single bit at a time and implement some form of feedback
mechanism so that the key is constantly changing.
A block cipher operates on one block of data at a time using the same key on each
block.
Asymmetric Cryptography:- In asymmetric cryptography two keys are used, one for
encryption and another for decryption. In this method the sender uses the public key to
encrypt the plain text and sends the cipher text to the receiver. The receiver then
applies the private key to decrypt the message and recover the plain text. Asymmetric
cryptography is also known as private cryptography.
RSA and DSA (Digital Signature Algorithm) are examples of asymmetric cryptography.
Hash Function:- A hash function is an algorithm that takes a string of any length as
input and produces a fixed-length string as output. Hash functions are used in
cryptography for authentication and integrity of data: if the data changes, the hash
value also changes.
MD5 (Message Digest) and SHA (Secure Hash Algorithm) are examples of hash functions.
Kerberos provides user-to-server authentication. The Kerberos server has two main
functions, known as the Authentication Server (AS) and the Ticket-Granting Server (TGS).
The current version of this protocol is Kerberos V5.
VPN
A VPN is a private network that is created via tunneling over a public network, such as
Internet. Instead of using a dedicated physical connection, a VPN uses virtual
connections routed through the Internet from the organization to the remote site. The
logical connections can be made at either Layer 2 or Layer 3 of the OSI model.
Types of VPN:
i) Site-to-site
ii) Remote-access
A site-to-site VPN is created when devices on both sides of the VPN connection are
aware of the VPN configuration in advance. Frame Relay, ATM, GRE, and MPLS VPNs
are examples of site-to-site VPNs.
A remote-access VPN is created when VPN information is not statically set up, and it is
used for dynamically changing information.
SSL VPN is a technology that provides remote-access connectivity from almost any
Internet-enabled location using a web browser and SSL encryption. It does not require a
software client to be preinstalled on the endpoint host.
SSL VPN provides three modes of remote access on Cisco IOS routers: clientless, thin
client, and full client.
GRE (Generic Routing Encapsulation) is a tunneling protocol that creates a virtual point-to-
point link between remote devices over an IP network. GRE supports multiprotocol tunneling.
It encapsulates the entire original IP packet with a standard IP header and a GRE header.
The advantage of GRE is that it can be used to tunnel non-IP traffic over an IP
network. GRE supports multicast and broadcast traffic over the tunnel link; therefore,
routing protocols are supported over GRE. GRE does not provide encryption.
IPsec is an IETF standard that defines how a VPN can be configured using the IP
addressing protocol. It is a framework that establishes the rules for secure
communications.
IPsec uses either AH or ESP for encapsulating packets and IKE protocol to establish
the key exchange process.
The IPsec framework consists of:
i) IPsec protocol
iii) Confidentiality
iv) Integrity
v) Authentication
vi) Secure key exchange
ii) ESP (Encapsulating Security Payload) – is used for packet encapsulation when
confidentiality and authentication are required. It provides confidentiality by performing
encryption on the IP packet. It uses IP protocol 50.
HMAC (Hashed Message Authentication Code) is a data integrity algorithm that guarantees
the integrity of the message using a hash value. At the local device, a hash algorithm is
used to produce a hash value. The message is then sent over the network together with the
hash value. At the remote device, the hash value is recalculated and compared to the sent
hash value. If the transmitted hash matches the recalculated hash, the message integrity is
verified.
ii) SHA – stands for "secure hash algorithm". It uses a 160-bit secret key.
The variable-length message and the 160-bit shared secret key are combined and
run through the SHA hash algorithm. The output is a 160-bit hash.
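The two paragraphs above describe integrity checking with a hash and with a keyed hash (HMAC). The following added example (not part of the original notes) shows the practical difference: an unkeyed hash only catches accidental corruption, because whoever alters the message can recompute the hash, while an HMAC tag cannot be recomputed without the shared secret. The message, the secret and the altered value are constructed for this example; SHA-1 is used because the notes describe a 160-bit output.

```python
import hashlib
import hmac

# Constructed sample message and shared secret (placeholders for this example).
MESSAGE = b"set interface Gi0/1 ip 192.0.2.10 255.255.255.0"
SHARED_SECRET = b"example-shared-secret-change-me"
ALTERED = MESSAGE.replace(b"192.0.2.10", b"192.0.2.11")  # one address changed


def plain_hash(message: bytes) -> str:
    """Unkeyed SHA-1 digest (160 bits), as in the notes' plain-hash description."""
    return hashlib.sha1(message).hexdigest()


def plain_hash_verify(message: bytes, sent_hash: str) -> bool:
    """Remote end: recompute the hash and compare it with the one that was sent.
    compare_digest avoids leaking the comparison result through timing."""
    return hmac.compare_digest(plain_hash(message), sent_hash)


def keyed_hash(message: bytes, key: bytes) -> str:
    """HMAC-SHA1: message and shared secret are combined and run through SHA-1."""
    return hmac.new(key, message, hashlib.sha1).hexdigest()


def keyed_hash_verify(message: bytes, key: bytes, sent_tag: str) -> bool:
    return hmac.compare_digest(keyed_hash(message, key), sent_tag)


def genuine_message_accepted() -> bool:
    """Both schemes accept an unmodified message."""
    return (plain_hash_verify(MESSAGE, plain_hash(MESSAGE))
            and keyed_hash_verify(MESSAGE, SHARED_SECRET, keyed_hash(MESSAGE, SHARED_SECRET)))


def corruption_detected_by_plain_hash() -> bool:
    """A message changed in transit no longer matches the hash that was sent."""
    return not plain_hash_verify(ALTERED, plain_hash(MESSAGE))


def recomputed_plain_hash_accepted() -> bool:
    """Weakness of an unkeyed hash: if the hash is recomputed over the altered
    message, the receiver has no way to tell it apart from a genuine one."""
    return plain_hash_verify(ALTERED, plain_hash(ALTERED))


def recomputed_tag_without_key_rejected() -> bool:
    """HMAC closes that gap: a tag computed without the shared secret
    (modelled here with a different key) fails verification."""
    tag_without_secret = keyed_hash(ALTERED, b"not-the-shared-secret")
    return not keyed_hash_verify(ALTERED, SHARED_SECRET, tag_without_secret)


if __name__ == "__main__":
    print("genuine accepted:", genuine_message_accepted())
    print("corruption detected (plain hash):", corruption_detected_by_plain_hash())
    print("recomputed plain hash accepted:", recomputed_plain_hash_accepted())
    print("tag without key rejected (HMAC):", recomputed_tag_without_key_rejected())
```

The last two functions are the point: the integrity guarantee the notes attribute to HMAC comes from the shared secret, not from the hash alone.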
i) PSKs (Pre-shared Keys) – a pre-shared secret key value is entered into each
peer manually and is used to authenticate the peer. Pre-shared keys are easy to
configure manually but do not scale well.
ii) RSA is one of the most common asymmetric algorithms and is based on a
public key and a private key. In RSA the local device derives a hash and
encrypts it with its private key. The encrypted hash is attached to the message
and forwarded to the remote end. At the remote end, the encrypted hash is
decrypted using the public key of the local end. If the decrypted hash matches
the recomputed hash, the signature is genuine.
Zone-based Firewall:- In a zone-based policy firewall, interfaces are assigned to zones and
then an inspection policy is applied to traffic moving between the zones.
Digital signatures provide the same functionality as handwritten signatures, with many more
facilities. They are based on a hash function and a public-key algorithm. They are used to
authenticate a user by using the private key of the user and the signature. RSA or
DSA (Digital Signature Algorithm) are used to perform digital signing.
PKI stands for public key infrastructure; it is a service framework that is needed to
support large-scale public key-based technologies. It is an important authentication solution
for VPNs.
Certificate – a document that binds together the name of an entity and its public
key and has been signed by the certificate authority (CA).
Certificate authority (CA) – a trusted third-party entity that signs the public keys of
entities in a PKI-based system and issues certificates.
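The RSA signature description (hash, encrypt with the private key, decrypt with the public key and compare) and the certificate and CA definitions above fit together in one worked example. The following code is added here and is not from the notes: it implements textbook RSA over freshly generated primes (no padding, educational only, not a substitute for a vetted library), signs a hash with a private key, verifies it with the matching public key, and then has a CA key pair sign the binding of a name to a peer's public key, which is what a certificate is. The subject names and message are constructed for the example.

```python
import hashlib
import random

# Educational textbook RSA: no padding, small keys relative to real deployments.


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    """Random odd candidate with the top bit set, retried until probably prime."""
    while True:
        candidate = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def generate_keypair(bits: int = 512):
    """Return (public_key, private_key), each an (exponent, modulus) pair.
    The modulus exceeds 2**256 so a SHA-256 digest fits in one RSA block."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:  # e is prime, so this means gcd(e, phi) == 1
            break
    d = pow(e, -1, phi)
    return (e, p * q), (d, p * q)


def digest_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(data: bytes, private_key) -> int:
    """Local end: derive a hash and 'encrypt' it with the private key."""
    d, n = private_key
    return pow(digest_int(data), d, n)


def verify(data: bytes, signature: int, public_key) -> bool:
    """Remote end: 'decrypt' with the public key and compare to the recomputed hash."""
    e, n = public_key
    return pow(signature, e, n) == digest_int(data)


def certificate_bytes(subject: str, public_key) -> bytes:
    """Canonical encoding of the name-to-public-key binding that the CA signs."""
    e, n = public_key
    return f"{subject}|{e}|{n}".encode()


def issue_certificate(ca_private_key, subject: str, subject_public_key) -> dict:
    tbs = certificate_bytes(subject, subject_public_key)
    return {"subject": subject, "public_key": subject_public_key,
            "ca_signature": sign(tbs, ca_private_key)}


def verify_certificate(cert: dict, ca_public_key) -> bool:
    tbs = certificate_bytes(cert["subject"], cert["public_key"])
    return verify(tbs, cert["ca_signature"], ca_public_key)


def demo() -> dict:
    ca_pub, ca_priv = generate_keypair()
    peer_pub, peer_priv = generate_keypair()
    cert = issue_certificate(ca_priv, "vpn-peer.example", peer_pub)  # constructed name
    message = b"constructed peer message"
    sig = sign(message, peer_priv)
    renamed = dict(cert, subject="other-peer.example")  # name changed, signature kept
    return {"cert_valid": verify_certificate(cert, ca_pub),
            "renamed_cert_valid": verify_certificate(renamed, ca_pub),
            "message_valid": verify(message, sig, peer_pub),
            "tampered_message_valid": verify(message + b"x", sig, peer_pub)}


if __name__ == "__main__":
    print(demo())
```

Changing either the subject name or the public key in the certificate invalidates the CA signature, which is why a peer can trust a public key it has never seen before as long as it trusts the CA.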
The port number is a 16-bit binary number in TCP. Port numbers are divided
into three ranges. Each application or service is represented at Layer 4 by a port
number. Port numbers are in the range 0-65535.
Types of Port No
Dynamic Ports
The port numbers from 49152 – 65535 are dynamic. They can be used frequently;
normally they are used temporarily by client processes.
TCP/IP Model:
TCP/IP was created by the Department of Defense in 1970. It is also called the DoD Model.
In TCP/IP there are 4 layers:
1. Application Layer
2. Transport Layer
3. Internet Layer
4. Network Access Layer
TCP/IP Protocols
TCP/IP stands for Transmission Control Protocol/Internet Protocol; it is the most commonly
used network protocol stack. Almost every network supports TCP/IP because it enables
different types of computer workstations to communicate.
TCP/IP performs these functions:
Enables two network devices to establish a point-to-point connection and exchange
data. This is done by using an IP address.
Allows devices to communicate over a LAN or over the Internet.
Sends data from one LAN to another. This means it is a routable protocol.
TCP vs UDP:
TCP                    UDP
Sequenced              Unsequenced
Reliable               Unreliable
Acknowledgement        No Acknowledgement
Port 6                 Port 17
FTP vs TFTP:
FTP is known as File Transfer Protocol; TFTP is known as Trivial File Transfer Protocol.
FTP uses TCP ports 20 and 21; TFTP uses UDP port 69.
FTP provides authentication by using a user name and password; TFTP does not provide authentication.
FTP uses windowing during file transfer; TFTP does not use windowing.
HTTP vs HTTPS:
HTTP is known as Hypertext Transfer Protocol and it is used for communication on the Internet.
HTTPS stands for Hypertext Transfer Protocol Secure; it is a combination of the Hypertext
Transfer Protocol with the SSL/TLS protocol to provide encrypted communication and secure
identification of a network web server.
SFTP is known as SSH File Transfer protocol that provides file access, file transfer,
and file management functionality over any reliable data stream.
The OSI Reference Model (Open System Interconnection) describes how information is
transferred from one networking component to another. It also provides a guideline to
vendors for the implementation of new networking standards and technologies. It is most
often used as a teaching and troubleshooting tool. It was developed by the International
Organization for Standardization (ISO).
There are 7 layers in the OSI reference model. The function of the upper three
1. Application Layer:- is the 7th layer of the OSI Reference Model and provides an interface
(such as CLI and SDM) between communication software and any applications that need
to communicate outside the computer on which the application resides. It also defines the
process for user authentication. FTP for file transfer, HTTP for web browsing, and POP3 and
SMTP for e-mail are examples of Application Layer protocols.
2. Presentation Layer:- is the 6th layer of the OSI Reference Model and is responsible for
defining how various forms of information are transferred and presented to the user in the
required format. It also provides encryption, decryption and data compression. ASCII,
JPEG and MIDI are the main examples of Presentation Layer formats.
3. Session Layer:- is the 5th layer of the OSI Reference Model and establishes, manages, and
terminates sessions between two communicating hosts. It organizes communication between
two hosts by offering three different modes:
Simplex
Half Duplex
Full Duplex
4. Transport Layer:- is the 4th layer of the OSI Reference Model and manages end-to-end
communication between two hosts and error correction. It also assigns port numbers.
The Transport Layer provides 5 main services:
c. Multiplexing
d. Segmentation
e. Flow control.
TCP and UDP are the main examples of transport layer protocol.
5. Network Layer:- is the 3rd layer of the OSI Reference Model and determines three main
features: routing, logical addressing and path determination. Routers work at this layer.
TCP/IP, IP, IPX and AppleTalk are examples of network layer protocols. Ping,
traceroute and ARP are common tools used to troubleshoot network layer issues.
6. Data Link Layer:- is the 2nd layer of the OSI Reference Model and defines the media's
frame type and transmission method. It provides the physical (MAC) or hardware address.
The data link layer is also responsible for taking bits (binary 1s or 0s) from the physical
layer and reassembling them into frames. It also performs error detection by using the FCS
and discards bad frames. Ethernet, HDLC, PPP, ATM and Frame Relay are examples of
Data Link Layer protocols. Switches, bridges, modems and NICs work at the Data Link Layer.
Logical Link Control (LLC) 802.2 Sub Layer defines how to multiplex multiple network layer
protocols in the data link layer frame. LLC is performed in software.
Media Access Control (MAC) 802.3 Sub Layer defines how information is transmitted in an
Ethernet environment, and defines the framing, MAC addressing, and mechanics as to
how Ethernet works. MAC is performed in hardware.
7. Physical Layer:- is the 1st or bottom-most layer of the OSI Reference Model and
defines the physical characteristics of the transmission medium, including wire (UTP and fiber)
and connectors (RJ-45, DB-9). It also provides Encryption, Compression and
Conversion. Ethernet IEEE 802.3 and RJ-45 are the main examples of the physical layer.
Hubs and repeaters work at the physical layer.
IEEE 802.2: General standard for the data link layer in the OSI Reference Model.
The IEEE divides this layer into two sublayers -- the logical link control (LLC)
layer and the media access control (MAC) layer.
IEEE 802.3: Defines the MAC layer for bus networks that use CSMA/CD. This is
the basis of the Ethernet standard.
IEEE 802.4: Defines the MAC layer for bus networks that use a token-passing
mechanism (token bus networks).
TCP three-way handshake
1. The client sends a SYN segment to the server indicating that the source wants to
establish a reliable session.
2. In response, the server replies with a SYN-ACK segment indicating that the session can be
established.
3. Finally, the client sends an ACK back to the server indicating that the session is now
established.
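As an added illustration of the three steps above (example code written for this page, not from the notes), the following simulation carries both endpoints through the exchange with the flags, sequence numbers and acknowledgment numbers each segment has to carry. The state names follow TCP's CLOSED, LISTEN, SYN_SENT, SYN_RECEIVED and ESTABLISHED states; the endpoint names and the notion of an "unexpected segment" error are this example's own. It also shows the check each side performs: a reply is only accepted if it acknowledges exactly the sequence number the receiver sent plus one, which is what lets an endpoint discard a reply that was not derived from its own segment.

```python
import random
from dataclasses import dataclass


@dataclass
class Segment:
    """The parts of a TCP header that matter for the handshake."""
    syn: bool = False
    ack: bool = False
    seq: int = 0       # sequence number
    ack_num: int = 0   # acknowledgment number (next byte expected from the peer)

    def flags(self) -> str:
        names = [name for name, on in (("SYN", self.syn), ("ACK", self.ack)) if on]
        return "+".join(names) if names else "-"


class Endpoint:
    def __init__(self, name: str, state: str):
        self.name = name
        self.state = state
        self.isn = random.randrange(1, 2 ** 32)  # initial sequence number
        self.peer_seq = None

    def unexpected(self, seg: Segment) -> ValueError:
        return ValueError(f"{self.name}: unexpected {seg.flags()} in state {self.state}")


class Client(Endpoint):
    def __init__(self):
        super().__init__("client", "CLOSED")

    def send_syn(self) -> Segment:
        # Step 1: SYN carrying the client's ISN.
        self.state = "SYN_SENT"
        return Segment(syn=True, seq=self.isn)

    def receive_syn_ack(self, seg: Segment) -> Segment:
        # Step 2 check: SYN+ACK that acknowledges exactly ISN+1, else discard.
        if self.state != "SYN_SENT" or not (seg.syn and seg.ack) or seg.ack_num != self.isn + 1:
            raise self.unexpected(seg)
        self.peer_seq = seg.seq
        self.state = "ESTABLISHED"
        # Step 3: ACK of the server's ISN.
        return Segment(ack=True, seq=self.isn + 1, ack_num=seg.seq + 1)


class Server(Endpoint):
    def __init__(self):
        super().__init__("server", "LISTEN")

    def receive_syn(self, seg: Segment) -> Segment:
        if self.state != "LISTEN" or not seg.syn or seg.ack:
            raise self.unexpected(seg)
        self.peer_seq = seg.seq
        self.state = "SYN_RECEIVED"
        # Step 2: SYN+ACK with the server's own ISN, acknowledging the client's.
        return Segment(syn=True, ack=True, seq=self.isn, ack_num=seg.seq + 1)

    def receive_ack(self, seg: Segment) -> None:
        if self.state != "SYN_RECEIVED" or not seg.ack or seg.syn or seg.ack_num != self.isn + 1:
            raise self.unexpected(seg)
        self.state = "ESTABLISHED"


def three_way_handshake():
    """Run the exchange; return the trace and both endpoints' final states."""
    client, server = Client(), Server()
    trace = []
    syn = client.send_syn()
    trace.append(("client->server", syn.flags()))
    syn_ack = server.receive_syn(syn)
    trace.append(("server->client", syn_ack.flags()))
    ack = client.receive_syn_ack(syn_ack)
    trace.append(("client->server", ack.flags()))
    server.receive_ack(ack)
    return trace, client.state, server.state


def mismatched_syn_ack_rejected() -> bool:
    """A SYN+ACK whose acknowledgment number is not ISN+1 leaves the client in SYN_SENT."""
    client, server = Client(), Server()
    syn_ack = server.receive_syn(client.send_syn())
    syn_ack.ack_num += 1  # constructed mismatch: does not acknowledge the client's ISN
    try:
        client.receive_syn_ack(syn_ack)
    except ValueError:
        return client.state == "SYN_SENT"
    return False


if __name__ == "__main__":
    print(three_way_handshake())
    print("mismatched SYN+ACK rejected:", mismatched_syn_ack_rejected())
```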
Flow control
Flow control is used to ensure that networking devices don't send too much information
to the destination; otherwise, due to overflow, some information can be dropped.
The transport layer can use two basic flow control methods:
2. Ready/not ready signals - When the destination receives more traffic than it can handle,
it can send a not-ready signal to the source indicating that the source should stop
transmitting data. When the destination becomes free, it can send a ready signal
indicating that the source can resume sending data.
Data Encapsulation:
As application data is passed down the protocol stack on its way to be transmitted
across the network media, various protocols add information to it at each level. This is
commonly known as the encapsulation process.