v TRANSPORT LAYER SECURITY

TLS is a successor to Secure Sockets Layer protocol. TLS provides secure communications on the Internet for such things as e-mail, Internet faxing, and other data transfers. There are slight differences between SSL 3.0 and TLS 1.0, but the protocol remains significantly the same. It is good idea to keep in mind that TLS resides on the Application Layer of the OSI model. This will save you a lot of frustrations while debugging and troubleshooting encryption troubles connected to TLS.

v TLS Features

TLS is a generic application layer security protocol that runs over reliable transport. It provides a secure channel to application protocol clients. This channel has three primary security features:

1. Authentication of the server.

2. Confidentiality of the communication channel.

3. Message integrity of the communication channel.

Optionally TLS can also provide authentication of the client. In general, TLS authentication uses public key based digital signatures backed by certificates. Thus, the server authenticates either by decrypting a secret encrypted under his public key or by signing an ephemeral public key.

The client authenticates by signing a random challenge. Server certificates typically contain the server's domain name. Client certificates can contain arbitrary identities.

Ø The Handshake Protocols

The TLS Handshake Protocol allows the server and client to authenticate each other and to negotiate an encryption algorithm and cryptographic keys before data is exchanged. In a typical scenario, only the server is authenticated and its identity is ensured while the client remains unauthenticated. The mutual authentication of the servers requires public key deployment to clients.

· Provide security parameters to the record layer.

· A Client sends a ClientHello message specifying the highest TLS protocol version it supports, a random number, a list of suggested cipher suites and compression methods.

· The Server responds with a ServerHello, containing the chosen protocol version, a random number, cipher, and compression method from the choices offered by the client.

· The Server sends its Certificate (depending on the selected cipher, this may be omitted by the Server).

· The server may request a certificate from the client, so that the connection can be mutually authenticated, using a Certificate Request.

· The Server sends a ServerHelloDone message, indicating it is done with handshake negotiation.

· The Client responds with a ClientKeyExchange which may contain a PreMasterSecret, public key, or nothing. (Again, this depends on the selected cipher).

The Handshake protocol provides a number of security functions. Such as Authentication, Encryption, Hash Algorithms

· Authentication

A certificate is a digital form of identification that is usually issued by a certification authority (CA) and contains identification information, a validity period, a public key, a serial number, and the digital signature of the issuer. For authentication purposes, the Handshake Protocol uses an X.509 certificate to provide strong evidence to a second party that helps prove the identity of the party that holds the certificate and the corresponding private key.

· Encryption

There are two main types of encryption: symmetric key (also known as Private Key) and asymmetric key (also known as public key. TLS/SSL uses symmetric key for bulk encryption and public key for authentication and key exchange.

· Hash Algorithms

A hash is a one-way mapping of values to a smaller set of representative values, so that the size of the resulting hash is smaller than the original message and the hash is unique to the original data. A hash is similar to a fingerprint: a fingerprint is unique to the individual and is much smaller than the original person. Hashing is used to establish data integrity during transport. Two common hash algorithms are Message Digest5 (MD5) produce 128-bit hash value and Standard Hash Algorithm1 (SHA-1) produce 160-bit value.

Ø The Change Cipher Spec

The Change Cipher Spec Protocol signals a transition of the cipher suite to be used on the connection between the client and server. This protocol is composed of a single message which is encrypted and compressed with the current cipher suite. This message consists of a single byte with the value1. Message after this will be encrypted and compressed using the new cipher suite.

Ø The Alert

The Alert Protocol includes event-driven alert messages that can be sent from either party. the session is either ended or the recipient is given the choice of whether or not to end the session. Schannel SSP will only generate these alert messages at the request of the application.

Ø The Record Layer/Protocol

The TLS record protocol is a simple framing layer with record format as shown below:

struct {

ContentType type;

ProtocolVersion version;

uint16 length;

opaque payload[length];

} TLSRecord;

As with TLS, data is carried in records. In both protocols, records can only be processed when the entire record is available.

The Record Layer might have four functions:

· It fragments the data coming from the application into manageable blocks (and reassemble incoming data to pass up to the application). Schannel SSP does not support fragmentation at the Record Layer.

· It compresses the data and decompresses incoming data. Schannel SSP does not support compression at the Record Layer.

· It applies a Message Authentication Code (MAC), or hash/digest, to the data and uses the MAC to verify incoming data.

· It encrypts the hashed data and decrypts incoming data.

Ø Application Protocol

TLS runs on application protocol such as HTTP, FTP, SMTP, NNTP, and XMPP and above a reliable transport protocol, TCP for example. While it can add security to any protocol that uses reliable connections (such as TCP), it is most commonly used with HTTP to form HTTPS. HTTPS is used to secure World Wide Web pages for applications such as electronic commerce and asset management. These applications use public key certificates to verify the identity of endpoints.

Ø TSL/ SSL Security

· The client may use the CA's public key to validate the CA's digital signature on the server certificate. If the digital signature can be verified, the client accepts the server certificate as a valid certificate issued by a trusted CA.

· The client verifies that the issuing Certificate Authority (CA) is on its list of trusted Cas.

· The client checks the server's certificate validity period. The authentication process stops if the current date and time fall outside of the validity period.

v IPSec

IPSec acts at the network layer, protecting and authenticating IP packets between participating IPSec devices (peers), such as PIX Firewalls, Cisco routers, Cisco VPN 3000 Concentrators, Cisco VPN Clients, and other IPSec-compliant products. IPSec is not bound to any specific encryption or authentication algorithms, keying technology, or security algorithms. IPSec is a framework of open standards. Because it isn't bound to specific algorithms, IPSec allows newer and better algorithms to be implemented without patching the existing IPSec standards. IPSec provides data confidentiality, data integrity, and data origin authentication between participating peers at the IP layer. IPSec is used to secure a path between a pair of gateways, a pair of hosts, or a gateway and a host. Some of the standard algorithms are as follows:

Ø Data Encryption Standard (DES) algorithm—Used to encrypt and decrypt packet data.

Ø 3DES algorithm—effectively doubles encryption strength over 56-bit DES.

Ø Advanced Encryption Standard (AES)—a newer cipher algorithm designed to replace DES. Has a variable key length between 128 and 256 bits. Cisco is the first industry vendor to implement AES on all its VPN-capable platforms.

Ø Message Digest 5 (MD5) algorithm—Used to authenticate packet data.

Ø Secure Hash Algorithm 1 (SHA-1)—Used to authenticate packet data.

Ø Diffie-Hellman (DH)—a public-key cryptography protocol that allows two parties to establish a shared secret key used by encryption and hash algorithms (for example, DES and MD5) over an insecure communications channel.

IPSec security services provide four critical functions:

Ø Confidentiality (encryption)—the sender can encrypt the packets before transmitting them across a network. By doing so, no one can eavesdrop on the communication. If intercepted, the communications cannot be read.

Ø Data integrity—the receiver can verify that the data was transmitted through the Internet without being changed or altered in any way.

Ø Origin authentication—the receiver can authenticate the packet's source, guaranteeing and certifying the source of the information.

Ø Anti-replay protection—Anti-replay protection verifies that each packet is unique, not duplicated. IPSec packets are protected by comparing the sequence number of the received packets and a sliding window on the destination host, or security gateway. Late and duplicate packets are dropped.

v How IPSec works

The goal of IPSec is to protect the desired data with the needed security services. IPSec's operation can be broken into five primary steps:

Ø Define interesting traffic—Traffic is deemed interesting when the VPN device recognizes that the traffic you want to send needs to be protected.

Ø IKE Phase 1—This basic set of security services protects all subsequent communications between the peers. IKE Phase 1 sets up a secure communications channel between peers.

Ø IKE Phase 2—IKE negotiates IPSec security association (SA) parameters and sets up matching IPSec SAs in the peers. These security parameters are used to protect data and messages exchanged between endpoints.

Ø Data transfer—Data is transferred between IPSec peers based on the IPSec parameters and keys stored in the SA database.

Ø IPSec tunnel termination—IPSec SAs terminate through deletion or by timing out.

TASK 1(b)

IPSec's advantage over TLS:

It has more plasticity on choosing the Authentication mechanisms (like the Pre Shared Key), and therefore makes it hard for the attacker to do man in the middle.TLS is based only on Public key and with tools, it's possible to do man in the Middle breaking TLS. Going one step down the OSI stack, IP Security (IPSec) guarantees the data privacy and integrity of IP packets, regardless of how the application used the sockets. This means any application, as long as it uses IP to send data, will benefit from the underlying secure IP network. Nothing has to be rewritten or modified; it even is possible that users won't be aware their data is being processed through encrypting devices. This solution is the most transparent one for end users and the one most likely to be adopted in the future in the widest range of situations. The main drawback of IPSsec lies in its intrinsic infrastructural complexity, which demands several components to work properly. IPSec deployment must be planned and carried out by network administrators, and it is less likely to be adopted directly by end users.

TLS's advantage over IPSec:

The advantage of TLS over generic application-level security mechanisms is the application no longer has the burden of encrypting user data. Using a special socket and API, the communication is secured. The problem with TLS is an application wishing to exploit its functionality must be written explicitly in order to do so (see Resources). Existing applications, which constitute the majority of data producers on the Internet, cannot take advantage of the encryption facilities provided by TLS without being rewritten. Think of the common applications we use everyday: mail clients, web browsers on sites without HTTPS, IRC channels, peer-to-peer file sharing systems and so on. Also, most network services (such as mail relays, DNS servers, routing protocols) currently run over plain sockets, exchanging vital information as clear text and only seldomly adopting application-level counter-measures (mostly integrity checks, such as MD5 sums).

v IGMP

IGMP is a protocol used by IP hosts, and adjacent multicast network devices to identify their memberships. If they are part of the same multicast group they communicate with each other. ICMP communicates 1 to 1....IGMP communicates 1 to many.

v Establish Multicast group

We describe a distributed architecture for managing multicast addresses in the global Internet. A multicast address space partitioning scheme is proposed, based on the Unicast host address and a per-host address management entity. By noting that port numbers are an integral part of end-to-end multicast addressing we present a single, unified solution to the two problems of dynamic multicast address management and port resolution. We then present a framework for the evaluation of multicast address management schemes, and use it to compare our design with three approaches, as well as a random allocation strategy. The criteria used for the evaluation are blocking probability and consistency, address acquisition delay, the load on address management entities, robustness against failures, and processing and communications overhead. With the distributed scheme the probability of blocking for address acquisition is reduced by several orders of magnitude, to insignificant levels, while consistency is maintained. At the same time, the address acquisition delay is reduced to a minimum by serving the request within the host itself. It is also shown that the scheme generates much less control traffic, is more robust against failures, and puts much less load on address management entities as compared with the other three schemes. The random allocation strategy is shown to be attractive primarily due to its simplicity, although it does have several drawbacks stemming from its lack of consistency (addresses may be allocated more than once)

The "Routing and Remote Access" administrative tool is used to enable routing on a Windows 2000 server that is multihomed (has more than one network card). Windows 2000 professional cannot be a router. The "Routing and Remote Access" administrative tool or the "route" command line utility can be used to con a static router and add a routing table. A routing table is required for static routing. Dynamic routing does not require a routing table since the table is built by software. Dynamic routing does require additional protocols to be installed on the computer. When using the "Routing and Remote Access" tool, the following information is entered:

* Interface - Specify the network card that the route applies to which is where the packets will come from.

* Destination - Specify the network address that the packets are going to such as 192.168.1.0.

* Network Mask - The subnet mask of the destination network.

* Gateway - The IP address of the network card on the network that is cond to forward the packets such as 192.168.1.1.

* Metric - The number of routers that packets must pass through to reach the intended network. If there are more than 1, the Gateway address will not match the network address of the destination network.

Ø Dynamic Routing

Windows 2000 Server supports Network Address Translation (NAT) and DHCP relay agent. Three Windows 2000 supported Dynamic routing protocols are:

* Routing Information Protocol (RIP) version 2 for IP

* Open Shortest Path First (OSPF)

* Internet Group Management Protocol (IGMP) version 2 with router or proxy support.

The "Routing and Remote Access" tool is used to install, con, and monitor these protocols and routing functions. After any of these dynamic routing protocols are installed, they must be cond to use one or more routing interfaces.

v Protocol Independent Multicast (PIM):

This document describes an architecture for efficiently routing to multicast groups that may span wide-area (and inter-domain) internets. We refer to the approach as Protocol Independent Multicast (PIM) because it is not dependent on any particular unicast routing protocol.

The most significant innovation in this architecture is the efficient support of sparse, wide area groups. This sparse mode (SM) of operation complements the traditional { dense-mode} approach to multicast routing for campus networks, as developed by Deering [2][3] and implemented previously in MOSPF and DVMRP [4][5]. These

traditional dense mode multicast schemes were intended for use within regions where a group is widely represented or bandwidth is universally plentiful. However, when group members, and senders to those group members, are distributed sparsely across a wide area, these schemes are not efficient; data packets (in the case of DVMRP) or membership report information (in the case of MOSPF) are occasionally sent over many links that do not lead to receivers or senders, respectively. The purpose of this work is to develop a multicast routing architecture that efficiently establishes distribution trees even when some or all members are sparsely distributed. Efficiency is evaluated in terms of the state, control message, and data packet overhead required across the entire network in order to deliver data packets to the members of the group.

Ø The Protocol Independent Multicast (PIM) architecture:

· maintains the traditional IP multicast service model of receiver-initiated membership;

· can be cond to adapt to different multicast group and network characteristics;

· is not dependent on a specific unicast routing protocol;

· uses soft-state mechanisms to adapt to underlying network conditions and group dynamics.

The robustness, flexibility, and scaling properties of this architecture make it well suited to large heterogeneous inter-networks.

This document describes an architecture for efficiently routing to multicast groups that may span wide-area (and inter-domain) internets. We refer to the approach as Protocol Independent Multicast (PIM) because it is not dependent on any particular unicast routing protocol. The most significant innovation in this architecture is the efficient support of sparse, wide area groups. This sparse mode (SM) of operation complements the traditional { dense-mode} approach to multicast routing for campus networks, as developed by Deering [2][3] and implemented previously in MOSPF and DVMRP [4][5]. These traditional dense mode multicast schemes were intended for use within regions where a group is widely represented or bandwidth is universally plentiful. However, when group members, and senders to those group members, are distributed sparsely across a wide area, these schemes are not efficient; data packets (in the case of DVMRP) or membership report information (in the case of MOSPF) are occasionally sent over many links that do not lead to receivers or senders, respectively. The purpose of this work is to develop a multicast routing architecture that efficiently establishes distribution trees even when some or all members are sparsely distributed. Efficiency is evaluated in terms of the state, control message, and data packet overhead required across the entire network in order to deliver data packets to the members of the group.

A user of an internet- connected pc, Adam; send an email message to another internet connected pc user beryl.

1. Outlinethe function of four internet host that would normally be involved be involved in this task.

..................................................................................

: 1. Adam's Computer :

:2. Server of Adam's Internet Service Provider :

: 3. Server of Beryl's Internet Service Provider:

:4. Beryl's Computer :

..................................................................................

This program allows you to build and deal with a large mailing list, and to create modified messages from predefined templates while sending. It let's you define multiple independent SMTP server connections and will utilize the latest in multithreading technology, to send emails to you as fast as it is possible. You can use all the standard message formats like plain text, HTML or even create a rich content message in the Microsoft Outlook Express and export it into the program. The interface of the program is very simple and easy to learn - nearly all functions can be performed using hotkeys on the keyboard.

E-mail is a growing source of an enterprise's records and needs to be treated as any written memo, letter or report has been treated. The information in e-mail has the potential to add to the enterprise's knowledge assets, from interactions with the users or customers in the enterprise to interactions with colleagues overseas.

2. List the internet protocol which would be used in this task.

Internet Protocol (IP) is packet-based protocol that allows dissimilar hosts to connect to each other for the purpose of delivering data across the resulting networks. Applications combine IP with a higher- level protocol called

Transport Control Protocol (TCP), which establishes a virtual connection between a destination and a source. IP by itself is something like the postal system. It allows you to address a package and drop it in the system, but there's no direct link between you and the recipient.

..................................................................................

: 1. HTTP :

:2. IMAP(Version 4):

: 3.SMTP :

:4.POP (Version 3) :

..................................................................................

Ø HTTP

(Hyper-Text Transfer Protocol) is the underlying protocol used by the World Wide Web. HTTP defines how messages are formatted and transmitted, and what actions Web servers and browsers should take in response to various commands. HTTP/1.0, as defined by RFC 1945 [6], improved the protocol by allowing messages to be in the format of MIME-like messages, containing meta information about the data transferred and modifiers on the request/response semantics.

Ø IMAP4

(Internet Message Access Protocol) A mail protocol that provides management of received messages on a remote server. The user can review headers, create or delete folders/mailboxes and messages, and search contents remotely without downloading. It includes more functions than the similar POP protocol.

Ø POP3

(Post Office Protocol 3) is the most recent version of a standard protocol for receiving e-mail. POP3 is a client/server protocol in which e-mail is received and held for you by your Internet server. Periodically, you (or your client e-mail receiver) check your mail-box on the server and download any mail, probably using POP3. This standard protocol is built into most

popular e-mail products, such as Eudora and Outlook Express. It's also built into the Netscape and Microsoft Internet Explorer browsers. POP3 is designed to delete mail on the server as soon as the user has downloaded it. However, some implementations allow users or an administrator to specify that mail be saved for some period of time. POP can be thought of as a "store-and-forward" service.

Ø SMTP

(Simple Mail Transfer Protocol) is a TCP/IP protocol used in sending and receiving e-mail. However, since it is limited in its ability to queue messages at the receiving end, it is usually used with one of two other protocols, POP3 or IMAP, that let the user save messages in a server mailbox and download them periodically from the server. In other words, users typically use a program that uses SMTP for sending e-mail and either POP3 or IMAP for receiving e-mail. On Unix-based systems, send mail is the most widely-used SMTP server for e-mail. A commercial package, Send mail, includes a POP3 server. Microsoft Exchange includes an SMTP server and can also be set up to include POP3 support. SMTP usually is implemented to operate over Internet port 25. An alternative to SMTP that is widely used in Europe is X.400. Many mail servers now support Extended Simple Mail Transfer Protocol (ESMTP), which allows multimedia files to be delivered as e-mail.

3. Taking the case that the message include the text "please find attached abstract and 1." as well as in MS-Word format and an attachment in jpeg, list format of the send mail messages.

.................................................................

: 1. MIME :

.................................................................

Ø MIME

(Multi-Purpose Internet Mail Extensions) is an extension of the original Internet e-mail protocol that lets people use the protocol to exchange

different kinds of data files on the Internet: audio, video, images, application programs, and other kinds, as well as the ASCII text handled in the original protocol, the Simple Mail Transport Protocol (SMTP). In 1991, Nathan Borenstein of Bellcore proposed to the IETF that SMTP be extended so that Internet (but mainly Web) clients and servers could recognize and handle other kinds of data than ASCII text. As a result, new file types were added to "mail" as a supported Internet Protocol file type.

Servers insert the MIME header at the beginning of any Web transmission. Clients use this header to select an appropriate "player" application for the type of data the header indicates. Some of these players are built into the Web client or browser (for example, all browsers come with GIF and JPEG image players as well as the ability to handle HTML files).

4. How would received message differ the sent messages?

The email address that receives messages sent from users who click �reply� in their email clients. Can differ from the �from�address which can be an automated or unmonitored email address used only to send messages to a distribution list. �Reply-to� should always be a monitored address.

v IPv4: Internet Protocol (Version 4)

The Internet Protocol (IP) is a network-layer (Layer 3) protocol in the OSI model that contains addressing information and some control information to enable packets being routed in network. IP is the primary network-layer protocol in the TCP/IP protocol suite. Along with the Transmission Control Protocol (TCP), IP represents the heart of the Internet protocols. IP is equally well suited for both LAN and WAN communications.

IP (Internet Protocol) has two primary responsibilities: providing connectionless, best-effort delivery of datagrams through a network; and providing fragmentation and reassembly of datagrams to support data links with different maximum-transmission unit (MTU) sizes. The IP addressing scheme is integral to the process of routing IP datagram's through an internetwork. Each IP address has specific components and follows a basic format. These IP addresses can be subdivided and used to create addresses for sub networks. Each computer (known as host) on a TCP/IP network is assigned a unique logical address (32-bit in IPv4) that is divided into two main parts: the network number and the host number. The network number identifies a network and must be assigned by the Internet Network Information Center (InterNIC) if the network is to be part of the Internet. An Internet Service Provider (ISP) can obtain blocks of network addresses from the InterNIC and can itself assign address space as necessary. The host number identifies a host on a network and is assigned by the local network administrator.

v IPv6 (IPng): Internet Protocol version 6

IPv6 is the new version of Internet Protocol (IP) based on IPv4, a network-layer (Layer 3) protocol that contains addressing information and some control information enabling packets to be routed in the network. There are two basic IP versions: IPv4 and IPv6. IPv6 is also called next generation IP or IPng. IPv4 and IPv6 are de-multiplexed at the media layer. For example, IPv6 packets are carried over Ethernet with the content type 86DD (hexadecimal) instead of IPv4's 0800. The IPv4 is described in separate documents.

IPv6 increases the IP address size from 32 bits to 128 bits, to support more levels of addressing hierarchy, a much greater number of addressable nodes, and simpler auto-configuration of addresses. IPv6 addresses are expressed in hexadecimal format (base 16) which allows not only numerals (0-9) but a few characters as well (a-f). A sample ipv6 address looks like: 3ffe: ffff: 100:f101:210:a4ff:fee3:9566. Scalability of multicast addresses is introduced. A new type of address called an any cast address is also defined, to send a packet to any one of a group of nodes. Two major improvements in IPv6 vs. v4:

* Improved support for extensions and options - IPv6 options are placed in separate headers that are located between the IPv6 header and the transport layer header. Changes in the way IP header options are encoded to allow more efficient forwarding, less stringent limits on the length of options, and greater flexibility for introducing new options in the future.

· Flow labeling capability - A new capability has been added to enable the labeling of packets belonging to particular traffic flows for which the sender requests special handling, such as non-default Quality of Service or real-time service.

v Comparison between IPv6 with IPv4

Data structure of IPv6 has modified as follows:

· Header length field found in IPv4 is removed in IPv6.

· Type of Service field found in IPv4 has been replaced with Priority field in IPv6.

· Time to live field found in IPv4 has been replaced with Hop Limit in IPv6.

· Total Length field has been replaced with Payload Length field

· Protocol field has been replaced with Next Header field

· Source Address and Destination Address has been increased from 32-bits to 128-bits.

v Major Similarities IPv6 with IPv4

Both protocols provide loopback addresses. IPv6 multicast achieves the same purpose that IPv4 broadcast does. Both allow the user to determine datagram size, and the maximum number of hops before termination. Both provide connectionless delivery service (datagrams routed independently). Both are best effort datagram delivery services.

v Major Differences between IPv6 with IPv4

Ø IPv6 host to IPv6 host routing via IPv4 network: Here, IPv6 over IPv4 tunneling is required to send a datagram. IPv6 packets are encapsulated within IPv4 packets, allowing travel over IPv4 routing infrastructures to reach an IPv6 host on the other side of the .IPv6 over IPv4 tunnel. The two different types of tunneling are automatic and cond. For a cond tunnel, the IPv6 to IPv4 mappings, at tunnel endpoints, have to be manually specified. Automatic tunneling eases tunneling, but nullifies the advantages of using the 128-bit address space.

Ø IPv6 host to IPv4 host and vice versa: The device that converts IPv6 packets to IPv4 packets (a dual IP stack/ dual stack router) allows a host to access both IPv4 and IPv6 resources for communication. A dual IP stack routes as well as converts between IPv4 and IPv6 datagrams

Ø ICMP: IPv6 enhances ICMP with ICMPv6. The messages are grouped as informational and error. An ICMPv6 message can contain much more information. The rules for message handling are stricter. ICMPv6 uses the Neighbor Discovery Protocol. New messages have been added also.

Ø Absence of ARP & RARP: Since IPv6 addresses are longer, they Encapsulate the hardware address along with the IP address in the IPv6 address. The 64 most significant bits identify a specific network interface. The suffix easily encodes the physical address.

Ø DNS: A major problem arises when obtaining the domain name of an IPv6 address over existing IPv4 DNS infrastructure. Current 32-bit name servers cannot handle name-resolution requests for 128-bit addresses. However, IETF designers have defined an IPv6 DNS standard, utilizing a DNS called "quad A" to map domain names for an IPv6 address.

The Major difference between IPv4 and IPng is the number of IP addresses. There are just over 4 billion IPv4 addresses. In contrast, there are over 16 billion-billion IPv6 addresses.

Subjects

IPv4

IPv6

IPv6 Advantages

Address Space

4 Billion Addresses

2^128

79 Octillion times the IPv4 address space

Configuration

Manual or use DHCP

Universal Plug and Play (UPnP) with or without DHCP

Lower Operation Expenses and reduce error

Broadcast / Multicast

Uses both

No broadcast and has different forms of multicast

Better bandwidth efficiency

Anycast support

Not part of the original protocol

Explicit support of anycast

Allows new applications in mobility, data center

Network Configuration

Mostly manual and labor intensive

Facilitate the re-numbering of hosts and routers

Lower operation expenses and facilitate migration

QoS support

ToS using DIFFServ

Flow classes and flow labels

More Granular control of QoS

Security

Uses IPsec for Data packet protection

IPSec becomes the key technology to protect data and control packets

Unified framework for security and more secure computing environment

Mobility

Uses Mobile IPv4

Mobile IPv6 provides fast handover, better router optimization and hierarchical mobility

Better efficiency and scalability; Work with latest 3G mobile technologies and beyond.

Internet Protocol Version 6 (IPv6), sometimes called the "next generation" IP protocol (IPng), is designed by the IETF to replace the current version Internet Protocol, IP Version 4 ("IPv4"), which is now more than twenty years old. Most of today's network uses IPv4 and it is beginning to have problems, for example, the growing shortage of IPv4 addresses.

IETF protocol designers have expended a substantial amount of effort to ensure that hosts and routers can be upgraded to IPv6 in a graceful, incremental manner. Transition mechanisms have been engineered to allow network administrators a large amount of flexibility in how and when they upgrade hosts and intermediate nodes. Consequently, IPv6 can be deployed in hosts first, in routers first, or, alternatively, in a limited number of adjacent or remote hosts and routers. Another assumption made by IPv6 transition designers is the likelihood that many upgraded hosts and routers will need to retain downward compatibility with IPv4 devices for an extended time period. It was also assumed that upgraded devices should have the option of retaining their IPv4 addressing.

v Key Features:

The IPv4 32-bit IP address space cannot accommodate users beyond 2020. 128-bit IPv6 makes the address space too large to be exhausted in the foreseeable future. IPv6 versatility allows for the accommodation of any reasonable address scheme, thus allowing network designers greater flexibility

for devices of the future. IPv6 utilizes three (not two) hierarchical addressing levels. The highest is for the globally known public topology, the next involving individual sites, and the third for individual N.I.C. addresses. The inflexibility in IPv4.s header options led to inefficiency. When sending datagrams, an empty header occupied substantial space. IPv6 allows the sender the freedom to select the required extension headers. IPv4 used DHCP to facilitate manual assignment of host addresses. IPv6 alleviates manual assignment problems, allowing new hosts to assign their own addresses. An ICMPv6 message determines if the address is unique. Auto-configuration allows renumbering of hosts. IPv6 allows hosts to be given new prefixes without manual reconfiguration, allowing numerous devices to dynamically attach to a network without incurring the associated administration costs.

v INTRUSION DETECTION SYSTEM

Intrusion detection systems do exactly as the name suggests: they detect possible intrusions. More specifically, IDS tools aim to detect computer attacks and/or computer misuse, and to alert the proper individuals upon detection. An IDS installed on a network provides much the same purpose as a burglar alarm system installed in a house. Through various methods, both detect when an intruder/attacker/burglar is present, and both subsequently issue some type of warning or alert.

Although IDSs may be used in conjunction with firewalls, which aim to regulate and control the flow of information into and out of a network, the two security tools should not be considered the same thing. Using the previous example, firewalls can be thought of as a fence or a security guard placed in front of a house. They protect a network and attempt to prevent intrusions,

while IDS tools detect whether or not the network is under attack or has, in fact, been breached. IDS tools thus form an integral part of a thorough and complete security system. They don't fully guarantee security, but when used with security policy, vulnerability assessments, data encryption, user authentication, access control, and firewalls, they can greatly enhance network safety.

Intrusion detection systems serve three essential security functions: they monitor, detect, and respond to unauthorized activity by company insiders and outsider intrusion. Intrusion detection systems use policies to define certain events that, if detected will issue an alert. In other words, if a particular event is considered to constitute a security incident, an alert will be issued if that event is detected. Certain intrusion detection systems have the capability of sending out alerts, so that the administrator of the IDS will receive a notification of a possible security incident in the form of a page, email, or SNMP trap. Many intrusion detection systems not only recognize a particular incident and issue an appropriate alert, they also respond automatically to the event. Such a response might include logging off a user, disabling a user account, and launching of scripts.

Ø Classification and Types, Techniques of intrusion detection systems

There are Four types of IDS

1. Host- Based IDS

2. Network- Based IDS

3. Hybrid Intrusion Detection System

4. Network Node Intrusion Detection System

1) Host-Based IDS (HIDS)

Host-based systems were the first type of IDS to be developed and implemented. These systems collect and analyze data that originate on a computer that hosts a service, such as a Web server. Once this data is aggregated for a given computer, it can either be analyzed locally or sent to a separate/central analysis machine. One example of a host-based system is programs that operate on a system and receive application or operating system audit logs. These programs are highly effective for detecting insider abuses. Residing on the trusted network systems themselves, they are close to the network's authenticated users. If one of these users attempts unauthorized activity, host-based systems usually detect and collect the most pertinent information in the quickest possible manner. In addition to detecting unauthorized insider activity, host-based systems are also effective at detecting unauthorized file modification.

On the down side, host-based systems can get unwieldy. With several thousand possible endpoints on a large network, collecting and aggregating separate specific computer information for each individual machine may prove inefficient and ineffective. In addition, if an intruder disables the data collection on any given computer, the IDS on that machine will be rendered useless because there is no backup.

Possible host-based IDS implementations include Windows NT/2000 Security Event Logs, RDMS audit sources, Enterprise Management systems audit data (such as Tivoli), and UNIX Syslog in their raw forms or in their secure forms such as Solaris' BSM; host-based commercial products include Real Secure, ITA, Squire, and Intercepts, to name a few.

1.1. Application-Based IDSs

Application-based IDSs are a special subset of host-based IDSs that analyze the events transpiring within a software application. The most common information sources used by application-based IDSs are the application's transaction log files. The ability to interface with the application directly, with significant domain or application-specific knowledge included in the analysis engine, allows application-based IDSs to detect suspicious behavior due to authorized users exceeding their authorization. This is because such problems are more likely to appear in the interaction between the user, the data, and the application.

2) Network-Based IDS (NIDS)

As opposed to monitoring the activities that take place on a particular network, Network-based intrusion detection analyzes data packets that travel over the actual network. These packets are examined and sometimes compared with empirical data to verify their nature: malicious or benign. Because they are responsible for monitoring a network, rather than a single host, Network-based intrusion detection systems (NIDS) tend to be more distributed than host-based IDS. Software, or appliance hardware in some cases, resides in one or more systems connected to a network, and is used to analyze data such as network packets. Instead of analyzing information that originates and resides on a computer, network-based IDS uses techniques like “packet-sniffing” to pull data from TCP/IP or other protocol packets traveling along the network. This surveillance of the connections between computers makes network-based IDS great at detecting access attempts from outside the trusted network. In general, network-based systems are best at detecting the following activities:

* Unauthorized outsider access: When an unauthorized user logs in successfully, or attempts to log in, they are best tracked with host-based IDS. However, detecting the unauthorized user before their log on attempt is best accomplished with network-based IDS.

* Bandwidth theft/denial of service: These attacks from outside the network single out network resources for abuse or overload. The packets that initiate/carry these attacks can best be noticed with use of network-based IDS.

Some possible downsides to network-based IDS include encrypted packet payloads and high-speed networks, both of which inhibit the effectiveness of packet interception and deter packet interpretation. Examples of network-based IDS include Shadow, Snort!, Dragon, NFR, Real Secure, and Net Prowler.

3) Hybrid Intrusion Detection Systems

We have examined the different mechanisms that different IDSs use to signal or trigger alarms on your network. We have also examined two locations that IDSs use to search for intrusive activity. Each of these approaches has benefits and drawbacks. By combining multiple techniques into a single hybrid system, however, it is possible to create an IDS that possesses the benefits of multiple approaches, while overcoming many of the drawbacks.

4) Network Node Intrusion Detection (NNIDS)

Basically, this new type (NNIDS) works like typical NIDS, i.e., you take packets from network traffic and analyze them. But it only concerns packets which are addressed to the network node (this is where the name comes from). Another difference between NNIDS and NIDS is that NIDS run in promiscuous mode while NNIDS does not run in promiscuous mode. As not every packet is analyzed the performance of the system will not suffer to much, such systems run very fast as a rule.

Ø IDS Techniques

There are four basic techniques used to detect intruders: anomaly detection, misuse detection (signature detection), target monitoring, and stealth probes.

1) Anomaly Detection

Designed to uncover abnormal patterns of behavior, the IDS establishes a baseline of normal usage patterns, and anything that widely deviates from it gets flagged as a possible intrusion. What is considered to be an anomaly can vary, but normally, any incident that occurs on frequency greater than or less than two standard deviations from the statistical norm raise an eyebrow? An example of this would be if a user logs on and off of a machine 20 times a day instead of the normal 1 or 2. Also, if a computer is used at 2:00 AM when normally no one outside of business hours should have access, this should raise some suspicions. At another level, anomaly detection can investigate user patterns, such as profiling the programs executed daily. If a user in the graphics department suddenly starts accessing accounting programs or compiling code, the system can properly alert its administrators.

2) Misuse Detection or Signature Detection

Commonly called signature detection, this method uses specifically known patterns of unauthorized behavior to predict and detect subsequent similar attempts. These specific patterns are called signatures. For host-based intrusion detection, one example of a signature is "three failed logins." For network intrusion detection, a signature can be as simple as a specific pattern that matches a portion of a network packet. For instance, packet content signatures and/or header content signatures can indicate unauthorized actions, such as improper FTP initiation. The occurrence of a signature might not signify an actual attempted unauthorized access (for example, it can be an honest mistake), but it is a good idea to take each alert seriously. Depending on the robustness and seriousness of a signature that is triggered, some alarm, response, or notification should be sent to the proper authorities.

3) Target Monitoring

These systems do not actively search for anomalies or misuse, but instead look for the modification of specified files. This is more of a corrective control, designed to uncover an unauthorized action after it occurs in order to reverse it. One way to check for the covert editing of files is by computing a cryptographic hash beforehand and comparing this to new hashes of the file at regular intervals. This type of system is the easiest to implement, because it does not require constant monitoring by the administrator. Integrity checksum hashes can be computed at whatever intervals you wish, and on either all files or just the mission/system critical files.

4) Stealth Probes

This technique attempts to detect any attackers that choose to carry out their mission over prolonged periods of time. Attackers, for example, will check for system vulnerabilities and open ports over a two-month period, and wait another two months to actually launch the attacks. Stealth probes collect a wide-variety of data throughout the system, checking for any methodical attacks over a long period of time. They take a wide-area sampling and attempt to discover any correlating attacks. In effect, this method combines anomaly detection and misuse detection in an attempt to uncover suspicious activity.

v IDS strength and Limitation (weaknesses)

Ø Strength of IDSs

Current intrusion detection product have some strength that one must be aware of before undertaking an IDS deployment.

· A strong IDS Security Policy is the HEART of commercial IDS.

· Provides worthwhile information about malicious network traffic.

· Can be programmed to minimize damage.

· A useful tool for ones Network Security Armory.

· Help identify the source of the incoming probes or attacks.

· Can collect forensic evidence, which could be used to identify intruders.

· Similar to a security "camera" or a "burglar alarm".

· Alert security personnel that someone is picking the "lock".

· Alerts security personal that a Network Invasion maybe in progress.

· When well cond, provides a certain "peace" of mind.

· Part of a Total Defense Strategy infrastructure.

Ø Limitations of IDSs

Current intrusion detection products have limitations that one must be aware of before undertaking an IDS deployment.

· Despite vendor claims, most IDSs do not scale well as enterprise-wide solutions. The problems include the lack of sufficient integration with other security tools and sophisticated network management systems, the inability of IDSs to assess and visualize enterprise-level threats, and the inability of organizations to investigate the large number of alarms generated by hundreds or thousands of IDS sensors.

· Many IDSs create a large number of false positives that waste administrators' time and may even initiate damaging automated responses.

· While almost all IDSs are marketed as “real time” systems, during heavy network or host activity, IDS may take several minutes before reporting and automatically responding to an attack.

· IDSs usually cannot detect newly published attacks or variants of existing attacks. This can be a serious problem as 30-40 new computer attacks are posted on the Web every month. An attacker may simply wait for a new attack to be posted and then quickly penetrate a target network.

· IDSs' automated responses are often ineffective against sophisticated attackers. They usually stop novice hackers but, improperly cond, can hurt a network by interrupting legitimate network traffic.

· IDSs must be monitored by skilled computer security personnel in order to achieve maximum benefits and to understand the significance of what the IDS detects.

· IDS maintenance and monitoring can use a substantial amount of personnel resources.

· Many IDSs are not failsafe; that is, they are not well protected from attack or subversion.

· Many IDSs do not have user interfaces that allow users to spot cooperative or coordinated attacks.

v Deploying an IDSs

The network intrusion detection systems are in the process of becoming a standard information security safeguard. Together with firewalls and vulnerability scanners, intrusion detection is one of the pillars of modern computer security. While the IDS field is still in motion, several classes of products have formed. Most IDS products loosely fall into network IDS (NIDS) and host IDS (HIDS).

Network IDS usually monitors the entire subnet for network attacks against machines connected to it, using a database of attack signatures or a set of algorithms to detect anomalies in network traffic (or both). Alerting and attacks analysis might be handled by a different machine that collects the information from several sensors, possibly correlating IDS alerts with other data.

It appears that stateful and protocol-aware signature-based network IDS is still the most widely deployed type of intrusion detection. Simplified management and the availability of inexpensive NIDS appliances together with dominance of network-based attacks are believed to be the primary reasons for that.

In this brief article we will review several important mistakes companies make while planning and deploying the IDS systems. In addition to the obvious mistake (0th, I guess :-)) of not evaluating and deploying the IDS technology at all, the issues we cover often decrease or even eliminate the added value the companies might otherwise derive from running an intrusion detection systems.

· Since we already covered the trivial case of "not using an IDS", we discuss is using it without giving it an ability to see all the network traffic. In other words, deploying the network IDS without sufficient infrastructure planning. Network IDS might be deployed on the network choke point (such as right inside or outside the firewall), on the appropriate internal network segment or in the DMZ to see important traffic. For the shared Ethernet-based networks IDS will see all the network traffic within the Ethernet collision domain or subnet and also

destined to and from the subnet, but no more. For the switched networks, there are several IDS deployment scenarios which utilize special switch capabilities such as port mirroring or spanning. Additionally, one might procure an IDS integrated with a switch, such as Cisco IDS blade.

· When the IDS are deployed appropriately, but nobody is looking at the alerts it generates. This one is actually much more common than it seems. It is well-known that IDS is a "detection" technology, and it never promised to be a "shoot-and-forget" means of thwarting attacks. While in some cases, the organization might get away with dropping the firewall in place and configuring the policy, such deployment scenario never works for the intrusion detection. If IDS alerts are reviewed only after a successful compromise, the system turns into an overpriced incident response helper tool - clearly not what the technology designers had in mind. It still helps, but isn't it better to learn about the attack from the IDS rather then from angry customers? Being the form of monitoring and network audit technology, IDS still (and likely always will, unless its intelligence improves by orders of magnitude) requires a skilled personnel to run.

· Network IDS is deployed, "sees" all the traffic and there is a moderately intelligent somebody reviewing the alert stream. No more mistakes? Far from it! What is a response policy for each event type? Does the person viewing the alerts know what is the best course of action needed for each event (if any)? How to tell normal events from anomalous and malicious? What events are typically "false positives" (alerts being triggered on benign activity) and "false alarms" (alerts being triggered on attacks that cannot harm the target systems) in the protected environment? How to gather the required context information to answer the above? Unless the above questions are answered in advance by means of a response process, it is likely that no intelligent action is being taken based on IDS alerts - a big mistake by itself.

· All the previous pitfalls are avoided and the NIDS is humming along nicely. However, the staff monitoring the IDS starts to get flooded with alerts. They know what to do for each alert, but how quickly they can take action after receiving the 10,000th alert on a given day? Unfortunately, current network IDS systems have to be tuned for the environment. While the detailed guide for IDS tuning is beyond the scope of this article, two general approaches are commonly used. One approach is to enable all possible IDS rules and spend several days flooded with alerts, analyzing them and reducing the rule set accordingly. This route is more appropriate for internal network IDS deployment. Another solution is to reduce the rule set to only watch the "risky" services. This works better in a highly secure DMZ setup where all machines are carefully audited and hardened.

· This is simply not accepting the inherent limitations of network IDS technology. While anomaly-based IDS systems might potentially detect an unknown attack, most signature based IDS will miss a new exploit if there is no rule written for it. IDS systems have to be frequently updated with vendor signature updates. Even if updates are applied on a timely schedule, the exploits which are unknown to the IDS vendor will likely not be caught by the signature-based system. Attackers may also try to blind or evade the NIDS using many tools available for download as well as, no doubt, a large collection of non-public tools. There is a constant battle between the IDS developers and those wishing to escape detection. IDS are becoming more sophisticated and able to see through the old evasion methods, but new approaches are created by attackers. Those deploying the network IDS technology should be aware of its limitations and practice "defense-in -depth" by deploying multiple and diverse security solutions.

References

1. The Wikipedia organization, Transport layer security, Viewed 23 June 2007, <http://en.wikipedia.org/wiki/Secure_Sockets_Layer>.

2. The Microsoft TechNet, United States, Viewed 27 June 2007, <http://technet2.microsoft.com/WindowsServer/en/library/c22a4d3d-6335-4b9b-b344-bbae041203b41033.mspx?mfr=true>.

3. The IETF organization, Dr.Taylor Independent T. wu Stanford University 13 June 2007, Viewed 25 June 2007, <http://www.ietf.org/internet-drafts/draft-ietf-tls-srp-14.txt>.

4. T J Hudson, and E A Young, SSL programmer Reference, Viewed 23 June 2007, <http://psych.psy.uq.oz.au/~ftp/Crypto/ssl.html#HDR0>.

5. The Network World, Security, Paul Szymanski network Administrator 22 Jan 2007, Viewed 23 June 2007, <http://www.networkworld.com/news/2007/011807-tls3.html>.

6. The Cisco Press, Ipsec, Andrew Mason 01 Oct 2004, viewed 25 June 2007, <http://www.ciscopress.com/articles/article.asp?p=341484&seqNum=6>.

7. The AT-TLS and CS IPSec, LIN OVERBY, Viewed 28 June 2007, <http://www-03.ibm.com/systems/z/security/pdf/Got_the_world_on_your_shoulders_Overby.pdf>.

8. The Isoc Organization, Design and Implementation of TLS and IPSec, Nagendra Modadugu and Eric Rescorla, Stanford University, Viewed 28 June 2007, <http://www.isoc.org/isoc/conferences/ndss/04/proceedings/Papers/Modadugu.pdf>.

9. The Linux Journal, The Security Protocol, Gianluca Insolvibile 08 Sep 2002, viewed by 01 July 2007, < http://www.linuxjournal.com/article/6117>.

10. The improving Network Availability, IPv4 & IPv6 (IPng), viewed by 10 July 2007, <http://freespace.virgin.net/fonaset.net/ipv.html>.

11. The Answers.com, IPv4, Viewed 10 July 2007, <http://www.answers.com/topic/ipv4?cat=technology>.

12. The TCP/IP Guide, The History of IP/ Standard/ Versions, Viewed 10 July 2007, <http://www.tcpipguide.com/free/t_IPHistoryStandardsVersionsandCloselyRelatedProtoco.htm>.

13. The Moldova.org/IT, IPv4, Viewed 10 July 2007, <http://it.moldova.org/pagini/eng/528/>

14. The American Registry of Internet Numbers, IPv4 and IPv6, viewed 10 July 2007, <http://www.arin.net/media/fact_sheets/IPv4_IPv6.pdf>.

15. The Network Dictionary, Protocols, Viewed 12 July 2007, <http://www.networkdictionary.com/protocols/ip.php>.

16. The Multi-party Authentication protocol, Ajit Ravidran, MSC distributed Multimedia System (2003/2004), Viewed 15 July 2007, <http://www.comp.leeds.ac.uk/mscproj/reports/0304/ravindran.pdf>.

17. The network Security and encryption, Internet security, Viewed 25 July 2007, <http://www.electronics.dit.ie/staff/mdavis/Section11_InternetSecurity.pdf>.

18. The McMaster University, S. Bilal Mehmood 04 April 2003, Viewed 30 July 2007, <http://www.cas.mcmaster.ca/~wmfarmer/SE-4C03-03/projects/papers/Proj_Final.pdf>.

19. The re-engineering protocol, Ramesh Naharathnam 04 April 2003, viewed 30 July 2007, <http://www.cas.mcmaster.ca/~wmfarmer/SE-4C03-03/projects/papers/IPv6.pdf>.

20. The Window security, Intrusion detection, Przemyslaw Kazienko & Piotr Dorosz 23 July 2004, Viewed 31 July 2004, <http://www.windowsecurity.com/articles/IDS-Part2-Classification-methods-techniques.html>.

21. The Cisco Press, Intrusion Detection System, Earl Carter 15 Feb 2002, Viewed 31 July 2007, <http://www.ciscopress.com/articles/article.asp?p=25334&seqNum=3>.

22. The Security Focus, Intrusion System Paul Innella 12 June 2001, Viewed 31 July 2007, <http://www.securityfocus.com/infocus/1520>.

23. The NIST Special Publication, Intrusion Detection system, Viewed 31 July 2007, <http://www.21cfrpart11.com/files/library/reg_guid_docs/nist_intrusiondetectionsys.pdf>.

24. The Birds-eye .net, HTTP Preethi Ramkumar, Viewed 31 July 2007, < http://www.birds-eye.net/definition/h/http-hyper_text_transfer_protocol.shtml>.

25. The Birds-eye.net, Internet Protocol Bruce Bahlmann, Viewed 31 July 2007, < http://www.birds-eye.net/definition/acronym.cgi?what+is+IP=Internet+Protocol&id=1160272098>.

26. The Cheap 56k, IMAP, Viewed 31 July 2007, < http://www.cheap56k.com/glossary/IMAP.html>.

27. The Tech web, IMAP4, Viewed 31 July 2007, < http://www.techweb.com/encyclopedia/defineterm.jhtml?term=IMAP%34>.

28. The Search Exchange, POP3, Viewed 31 July 2007, < http://searchexchange.techtarget.com/sDefinition/0,,sid43_gci212805,00.html>.

29. The search Web Services, MIME, Viewed 31 July 2007, < http://searchwebservices.techtarget.com/sDefinition/0,290660,sid26_gci212576,00.html>.

30. The IBM research Journal, MIME Message Format, Viewed 31 July 2007, < www.research.ibm.com/journal/sj/371/vonka3.gif>.

31. The Soap wicourt gov, Step tech over view send message Gif Format, viewed 31 July 2007, < http://soap.wicourts.gov/overview/StepTechOverview11.gif>.

32. The its 4 sms, Receive messages Images, Viewed 31 July 2007, < http://www.its4sms.com/images/email2sms-screen2.gif>.

33. The SANS institute, Intrusion detection strength, Viewed 2nd August 2007, <http://www.sans.org/resources/idfaq/ipe.php>.

34. The Nist Gov publication, Viewed 5 Aug 2007, <http://csrc.nist.gov/publications/nistbul/itl99-11.txt>.

35. The VPNC.org, Viewed 31 July 2007, <http://www.vpnc.org/ietf-ipsec/00.ipsec/msg02104.html>.

36. The Info sec writer Text Library, Viewed 5 Aug 2007, < http://www.infosecwriters.com/texts.php?op=display&id=117>.

37. The email experience organization, Viewed 14 August 2007, < http://www.emailexperience.org/resources/email-glossary/>.