
Suggested Answers Cryptography and Computer Security (MB361IT): July 2005

Section A : Basic Concepts (30 Marks)


This section consists of questions with serial number 1 - 30. Answer all questions. Each question carries one mark. Maximum time for answering Section A is 30 Minutes.

1. Various categories of attacks on the security of a system are
   I. Interception.
   II. Modification.
   III. Fabrication.
   IV. Interruption.
   (a) Both (I) and (II) above
   (b) Both (II) and (III) above
   (c) Both (I) and (III) above
   (d) Both (II) and (IV) above
   (e) All (I), (II), (III) and (IV) above.

2. Which of the following is a passive attack on the security of the system?
   (a) Traffic analysis
   (b) Replay
   (c) Masquerade
   (d) Modification of messages
   (e) Denial of service.

3. Which of the following security services prevents either sender or receiver from denying a transmitted message?
   (a) Authentication
   (b) Nonrepudiation
   (c) Availability
   (d) Access control
   (e) Integrity.

4. Which of the following is not an ingredient of a conventional encryption scheme?
   (a) Plaintext
   (b) Encryption algorithm
   (c) Primary key
   (d) Ciphertext
   (e) Decryption algorithm.

5. Which of the following is/are the requirements for secure use of conventional encryption?
   I. Strong encryption algorithm.
   II. Secure secret key.
   III. Secure primary key.
   (a) Only (I) above
   (b) Only (II) above
   (c) Only (III) above
   (d) Both (I) and (II) above
   (e) All (I), (II) and (III) above.

6. The process of attempting to discover the plaintext or key is known as
   (a) Encryption
   (b) Decryption
   (c) Cryptography
   (d) Cryptanalysis
   (e) Symmetric cryptography.

7. If both the sender and receiver use the same key for encryption it is known as
   (a) Asymmetric key encryption
   (b) Two-key encryption
   (c) Public key encryption
   (d) Primary key encryption
   (e) Single-key encryption.

8. The exact realization of a Feistel network depends on
   I. Block size.
   II. Key size.
   III. Number of rounds.
   (a) Only (I) above
   (b) Only (II) above
   (c) Only (III) above
   (d) Both (I) and (II) above
   (e) All (I), (II) and (III) above.

9. An encryption scheme is computationally secure if
   I. The cost of breaking the cipher exceeds the value of the encrypted information.
   II. The time required to break the cipher is less than the useful lifetime of the information.
   III. The time required to break the cipher exceeds the useful lifetime of the information.
   (a) Only (I) above
   (b) Only (II) above
   (c) Only (III) above
   (d) Both (I) and (III) above
   (e) All (I), (II) and (III) above.

10. Which of the following statements is/are true?
   I. Only relatively weak algorithms fail to withstand a ciphertext-only attack.
   II. It is very difficult to estimate the amount of effort required to cryptanalyze ciphertext successfully.
   III. A brute-force approach involves trying every possible key until an intelligible translation of the ciphertext into plaintext is obtained.
   (a) Only (I) above
   (b) Only (II) above
   (c) Only (III) above
   (d) Both (I) and (II) above
   (e) All (I), (II) and (III) above.

11. Which of the following attacks on encrypted messages is the easiest to defend against, because the opponent has the least amount of information to work with?
   (a) Ciphertext only
   (b) Known plaintext
   (c) Chosen plaintext
   (d) Chosen ciphertext
   (e) Chosen text.

12. Which of the following is/are advantages of the Triple Data Encryption Algorithm (TDEA)?
   I. It overcomes the vulnerability of the Data Encryption Algorithm (DEA) to brute-force attack.
   II. It is very resistant to cryptanalysis.
   III. The TDEA algorithm is relatively fast in software.
   (a) Only (I) above
   (b) Only (II) above
   (c) Only (III) above
   (d) Both (I) and (II) above
   (e) All (I), (II) and (III) above.

13. Which of the following conventional encryption algorithms has a key size of 56 bits?
   (a) DES
   (b) Triple DES
   (c) IDEA
   (d) Blowfish
   (e) RC5.

14. Which of the following ways is/are used for message authentication?
   I. Conventional encryption.
   II. Public-key encryption.
   III. Secret value.
   (a) Only (I) above
   (b) Only (II) above
   (c) Only (III) above
   (d) Both (I) and (II) above
   (e) All (I), (II) and (III) above.

15. Kerberos is an
   (a) Authentication service
   (b) Network protocol
   (c) Security protocol
   (d) File Transfer Protocol
   (e) None of the above.

16. Which of the following is/are the services provided by Pretty Good Privacy (PGP)?
   I. Authentication.
   II. Compression.
   III. Segmentation.
   (a) Only (I) above
   (b) Only (II) above
   (c) Only (III) above
   (d) Both (I) and (II) above
   (e) All (I), (II) and (III) above.

17. Which of the following header fields defined in MIME describes the data contained in the body with sufficient detail that the receiving user agent can pick an appropriate agent to represent the data to the user?
   (a) MIME-Version
   (b) Content-Type
   (c) Content-Transfer-Encoding
   (d) Content-ID
   (e) Content-Description.

18. Which of the following MIME transfer encodings is useful when the data consist largely of octets that correspond to printable ASCII characters?
   (a) 7bit
   (b) 8bit
   (c) binary
   (d) quoted-printable
   (e) base64.

19. Which of the following is/are the functions of S/MIME?
   I. Providing enveloped data.
   II. Providing signed data.
   III. Providing clear-signed data.
   (a) Only (I) above
   (b) Only (II) above
   (c) Only (III) above
   (d) Both (I) and (II) above
   (e) All (I), (II) and (III) above.

20. A security association is uniquely identified by
   I. Security Parameters Index (SPI).
   II. IP Destination Address.
   III. Security Protocol Identifier.
   (a) Only (I) above
   (b) Only (II) above
   (c) Only (III) above
   (d) Both (I) and (II) above
   (e) All (I), (II) and (III) above.

21. Which of the following services is not provided by IPSec?
   (a) Network control
   (b) Access control
   (c) Confidentiality
   (d) Data origin authentication
   (e) Connectionless integrity.

22. Which of the following is not an element of the Simple Network Management Protocol (SNMP)?
   (a) Management station
   (b) Management agent
   (c) Management information base
   (d) Network management protocol
   (e) Application protocol.

23. A masquerader is
   I. An individual who is not authorized to use the computer and who penetrates a system's access controls to exploit a legitimate user's account.
   II. A legitimate user who accesses data, programs, or resources for which such access is not authorized.
   III. An individual user who seizes supervisory control of the system and uses this control to evade auditing and access controls or to suppress the audit collection.
   (a) Only (I) above
   (b) Only (II) above
   (c) Only (III) above
   (d) Both (I) and (II) above
   (e) All (I), (II) and (III) above.

24. Which of the following is not a password selection strategy?
   (a) User education
   (b) Computer-generated passwords
   (c) Reactive password checking
   (d) Proactive password checking
   (e) Administrator password checking.

25. Which of the following is not an intrusion detection technique?
   (a) Rule-based anomaly detection
   (b) Rule-based penetration identification
   (c) Distributed intrusion detection
   (d) Native audit records
   (e) Proactive audit records.

26. Which of the following models is/are used for intrusion detection?
   I. Mean and standard deviation.
   II. Multivariate.
   III. Markov process.
   (a) Only (I) above
   (b) Only (II) above
   (c) Only (III) above
   (d) Both (I) and (II) above
   (e) All (I), (II) and (III) above.

27. Which of the following is not a phase in the life cycle of a virus?
   (a) Dormant phase
   (b) Propagation phase
   (c) Triggering phase
   (d) Execution phase
   (e) Counter phase.

28. Which of the following viruses hides itself from detection by antivirus software?
   (a) Parasitic virus
   (b) Memory-resident virus
   (c) Boot sector virus
   (d) Stealth virus
   (e) Polymorphic virus.

29. Which of the following is/are firewalls?
   I. Packet filters.
   II. Application-level gateways.
   III. Circuit-level gateways.
   (a) Only (I) above
   (b) Only (II) above
   (c) Only (III) above
   (d) Both (I) and (II) above
   (e) All (I), (II) and (III) above.

30. In which of the following attacks does the intruder use the IP fragmentation option to create extremely small fragments and force the TCP header information into a separate packet fragment?
   (a) Destination routing attacks
   (b) Network address spoofing
   (c) IP address spoofing
   (d) Source routing attacks
   (e) Tiny fragment attacks.

Section B : Caselets (50 Marks)


This section consists of questions with serial number 1 - 6. Answer all questions. Marks are indicated against each question. Detailed explanations should form part of your answer. Do not spend more than 110 - 120 minutes on Section B.

Caselet 1
Read the caselet carefully and answer the following questions.

1. What is a firewall? Explain the various types of firewalls used for network security. (10 marks)
2. What is the importance of the firewall to Linens n Things, and why does it want to manage the firewall on its own? (7 marks)
3. What features of the WatchGuard Firebox helped Linens n Things achieve network security, and why did the company choose WatchGuard for its firewalls? (8 marks)

Linens n Things, Inc. is one of the leading national large-format retailers of home textiles, housewares and home accessories. Headquartered in Clifton, NJ, and with 2003 sales of $2.4 billion, the company has 463 stores in 45 U.S. states and in five provinces across Canada. Linens n Things operates a private IP network to connect its regional stores to its headquarters, and then externally out to the Internet via a central firewall and T1 line. The company also has 400 mobile users who require access to the corporate network for vital applications such as email and inventory systems. Linens n Things has a wide range of suppliers who need access to devices secured on the network, for instance the environmental control systems in its warehouses that need constant monitoring.

The network is managed by a staff of two, led by Gary Stein, network manager. It is Stein's job to ensure each store, depot and warehouse across North America is constantly connected to external services such as banks, and that the company's supporting vendors and mobile users can access the information they need. Is Stein a firewall expert? No, he has never even had formal training, but with the solution he has selected, it is not a requirement.

Stein needs to provide all 400 of his mobile users with network access. Half of these are home users who need to view their email at night and over the weekend in order to deal with urgent correspondence. The other 200 are senior managers, buyers, merchants, district managers and store managers who need to communicate, but also need access to core systems to check inventory, assess store performance, check supplier contacts on a database or view the corporate intranet. The flow of information around this international retailer relies on Stein's network.

Prior to 2002, Linens n Things used an outsourced service provider to manage the firewall that provides the gateway onto the network. When the provider started to run into financial difficulties, Stein realized it was time to act. Given the complexity of the network topology, the number of suppliers and staff accessing the network, and the variety of applications being run, the Linens n Things firewall configuration is very dynamic. As a result, Stein decided to bring the firewall back in house: "I didn't want to wait two hours liaising with the provider to make changes to the firewall. Our configurations are constantly changing; suppliers need access to the network to troubleshoot. We keep the network locked down, so they need us to open ports to allow access, and it's normally pretty urgent. We couldn't afford the delay of involving a third party; I wanted to be able to control the firewall myself. And that meant the interface had to be straightforward."

Stein evaluated three firewall vendors: Check Point, Cisco, and WatchGuard. "We understood the basic concepts of firewall management, so we were looking for a vendor that made configuration changes easy," said Stein. "With WatchGuard, the administration was much more straightforward. Straight out of the box the Firebox covered 99% of our requirements, and we were able to fine tune the appliance very quickly using WatchGuard System Manager."

Stein installed two WatchGuard Firebox III 4500 appliances in a High Availability (HA) configuration to provide 24/7 access to the network. "I'm a very security-conscious person. I'm also careful when it comes to redundancy and so I wanted to make sure we had no single point of failure. We're looking to create a secure environment for our users. They leave the security to us, and I leave that to the Firebox," commented Stein.

More recently, Stein upgraded his Firebox III 4500 appliances, installing two WatchGuard Firebox X2500 integrated security appliances in the Clifton, NJ headquarters. The company also installed WatchGuard's SpamScreen anti-spam solution, as well as its WebBlocker service, which enables Stein to limit access to specific whitelisted URLs only. "The Firebox X offers greater throughput and enhanced High Availability capacity, especially at peak times. The fact that the Firebox X has up to six Ethernet ports means I can run multiple DMZs and still provide a dedicated port for the High Availability heartbeat. That's the type of redundancy you need when access is vital," Stein reasons. "In addition, as network traffic increases in line with the opening of new stores, it's good to know that the Firebox X line has model upgrade capability. If I purchase a Firebox X500, X700 or X1000 in the future, I can increase the horsepower by simply activating a license key on my existing appliance to increase performance, capacity or functionality."

The transition to the new Firebox X appliances was straightforward, since Stein was able to export his previous firewall configurations directly from the Firebox III appliances. He now plans to install the original Firebox III appliances at regional warehouses which aren't currently on the private network, making communication with them much faster and easier. At the other end of the scale, Stein has also recently purchased a WatchGuard Firebox SOHO 6tc in order to connect a new remote store via cable modem. Moving forward, he plans to bring more of Linens n Things' regional offices into the VPN to save on the cost of a dedicated leased line.

Each Firebox appliance also includes a renewable subscription to WatchGuard's LiveSecurity Service. This provides technical support, training, software updates and an information broadcast service to all active LiveSecurity subscribers. WatchGuard's LiveSecurity Rapid Response Team monitors Internet threats as they evolve, assesses them and then provides clear instructions to subscribers recommending appropriate actions to ensure continued security. In this way, WatchGuard serves as an expert security resource for Linens n Things. "The LiveSecurity alerts are extremely useful. They're clear, comprehensive, and above all short. I don't have time to read through reams of detail; I just want the facts in an easily understandable format. I subscribe to several newsfeeds and WatchGuard's LiveSecurity is easily one of the best."

Security is important to Linens n Things and especially to Stein. If there's a problem, it's his phone that rings. He's understandably cautious given the billions of dollars in transactions that go across his network each year. It's a mark of his confidence in WatchGuard's Firebox X then that he thinks little about security: "Probably the greatest compliment I could pay is that security doesn't take up a large part of my day. WatchGuard's Firebox X worked out of the box and is easy to manage. I have enough to worry about and thankfully, network access and security aren't on the list."

Caselet 2
Read the caselet carefully and answer the following questions:

4. What is Multiprotocol Label Switching (MPLS)? What are the benefits derived by Vertex by implementing the MPLS-IPSec based VPN solution? (10 marks)
5. What are the applications of IP Security (IPSec)? (7 marks)
6. What are the services provided by IPSec? (8 marks)

Vertex Inc. is a large Japan-based application service provider offering VPN services to a large number of customers. The company is planning to have Web-based advisory systems for the agents and clients in addition to the mainframe system in the Data Center. For this it needs an Internet Data Center (IDC) with a business continuity site. Along with this, the company needed a solution for seamless connectivity of its employees, agents and customers.

The Challenge

The challenge of the solution lies in running an IPSec VPN above the MPLS VPN client. There are multiple paths to the two main sites. The company wanted to re-route VPN traffic via another IPSec tunnel in case the primary link fails, and it wanted a smooth failover so that it would appear transparent to the end users and there would be no connection failure.

Multiprotocol Label Switching (MPLS) is a data-carrying mechanism, operating at a layer below protocols such as IP. It was designed to provide a unified data-carrying service for both circuit-based clients and packet-switching clients which provide a datagram service model. It can be used to carry many different kinds of traffic, including both voice telephone traffic and IP packets.

The Solution

Initially, all the branches of the company were connected using 64K Frame Relay links. The company needed to upgrade the bandwidth from 64K. Wipro offered an MPLS VPN based solution, as it is very cost-effective compared to leased or Frame Relay circuits. All that Vertex needed to do was to take only the local circuit to the service provider and share the service provider's gigabit backbone. Using multiprotocol BGP, the client routes are propagated to the other sites. In addition to this, multiple IPSec tunnels have been configured for encrypted communication among sites. The company headquarters, branches, Internet Data Center and the business continuity sites are connected via the MPLS VPN. All the mobile users are connected using Cisco VPN concentrators. The mobile users dial into the nearest ISP and connect via the Internet to access the intranet sites. The entire solution is based on Cisco products. The headquarters is connected to other offices in Singapore, Hong Kong, the UK etc. via another VPN based solution from Checkpoint.

The Business Benefits:
- Uncovered the existing security vulnerabilities on various systems
- Can compare vulnerabilities of each week with the previous week

Specific benefits from the solution implemented by Wipro:
- Very cost effective compared to a dedicated link solution
- Ensured quality of service
- IPSec based encryption to ensure data security
- High scalability
- Remote access for mobile users.

END OF SECTION B

Section C : Applied Theory (20 Marks)


This section consists of questions with serial number 7 - 8. Answer all questions. Marks are indicated against each question. Do not spend more than 25 - 30 minutes on Section C.

7. Pretty Good Privacy (PGP) provides confidentiality and authentication services that can be used for electronic mail and file storage applications. Discuss the various services provided by PGP. (10 marks)

8. The key management portion of IPSec involves the determination and distribution of secret keys. Discuss the features of the Oakley Key Determination Protocol. (10 marks)

END OF SECTION C END OF QUESTION PAPER

Suggested Answers Cryptography and Computer Security (MB361IT): July 2005


Section A : Basic Concepts
1. Answer : (e)
   Reason : The various categories of attacks on the security of a system are interception, modification, fabrication and interruption. So option (e) is the answer.

2. Answer : (a)
   Reason : Traffic analysis is a passive attack on the security of the system. All the other alternatives are active attacks. So option (a) is the correct answer.

3. Answer : (b)
   Reason : Nonrepudiation is the security service that prevents either sender or receiver from denying a transmitted message. So option (b) is the correct answer.

4. Answer : (c)
   Reason : The ingredients of a conventional encryption scheme are plaintext, secret key, ciphertext, encryption algorithm and decryption algorithm; there is no "primary key". So option (c) is the correct answer.

5. Answer : (d)
   Reason : The requirements for secure use of conventional encryption are a strong encryption algorithm and a secret key known only to sender and receiver. So option (d) is the correct answer.

6. Answer : (d)
   Reason : The process of attempting to discover the plaintext or key is known as cryptanalysis. So option (d) is the correct answer.

7. Answer : (e)
   Reason : If both the sender and receiver use the same key for encryption it is known as single-key (symmetric) encryption. So option (e) is the answer.

8. Answer : (e)
   Reason : The exact realization of a Feistel network depends on block size, key size and number of rounds. So option (e) is the answer.

9. Answer : (d)
   Reason : An encryption scheme is computationally secure if the cost of breaking the cipher exceeds the value of the encrypted information and the time required to break the cipher exceeds the useful lifetime of the information. So option (d) is the answer.

10. Answer : (e)
   Reason : All the statements are true. Only relatively weak algorithms fail to withstand a ciphertext-only attack. It is very difficult to estimate the amount of effort required to cryptanalyze ciphertext successfully. A brute-force approach involves trying every possible key until an intelligible translation of the ciphertext into plaintext is obtained. So option (e) is the answer.

11. Answer : (a)
   Reason : The ciphertext-only attack is the easiest to defend against because the opponent has the least amount of information to work with. So option (a) is the answer.

12. Answer : (d)
   Reason : The advantages of the Triple Data Encryption Algorithm (TDEA) are that it overcomes the vulnerability of the Data Encryption Algorithm (DEA) to brute-force attack and that it is very resistant to cryptanalysis. A drawback is that TDEA is relatively sluggish in software. So option (d) is the answer.

13. Answer : (a)
   Reason : The Data Encryption Standard (DES) has a key size of 56 bits. So option (a) is the answer.

14. Answer : (e)
   Reason : The three ways of message authentication are conventional encryption, public-key encryption and a secret value. So option (e) is the answer.

15. Answer : (a)
   Reason : Kerberos is an authentication service. So option (a) is the answer.

16. Answer : (e)
   Reason : The services provided by Pretty Good Privacy are authentication (digital signature), confidentiality (message encryption), compression, e-mail compatibility and segmentation. So option (e) is the answer.

17. Answer : (b)
   Reason : The Content-Type field in MIME describes the data contained in the body with sufficient detail that the receiving user agent can pick an appropriate agent to represent the data to the user. So option (b) is the answer.

18. Answer : (d)
   Reason : The quoted-printable transfer encoding is useful when the data consist largely of octets that correspond to printable ASCII characters. So option (d) is the answer.

19. Answer : (e)
   Reason : The functions of S/MIME are providing enveloped data, providing signed data and providing clear-signed data. So option (e) is the answer.

20. Answer : (e)
   Reason : A security association is uniquely identified by the combination of three parameters: the Security Parameters Index (SPI), the IP destination address and the security protocol identifier (AH or ESP). So option (e) is the answer.

21. Answer : (a)
   Reason : Except network control, all the other services, namely access control, connectionless integrity, data origin authentication and confidentiality, are provided by IPSec. So option (a) is the answer.

22. Answer : (e)
   Reason : Except application protocol, all the other alternatives, namely management station, management agent, management information base and network management protocol, are the elements of the Simple Network Management Protocol (SNMP). So option (e) is the answer.

23. Answer : (a)
   Reason : A masquerader is an individual who is not authorized to use the computer and who penetrates a system's access controls to exploit a legitimate user's account. So option (a) is the answer.
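The following added example (not code from the question paper) puts the answers to questions 17 and 18 together: it picks a Content-Transfer-Encoding by the heuristic RFC 2045 describes, leaving a 7-bit-clean body alone, sending a mostly-printable body as quoted-printable and falling back to base64 when non-printable octets dominate, then emits the Content-Type and Content-Transfer-Encoding headers. The sample bodies, the 998-octet line limit and the size comparison used to pick between the two encodings are constructed for the illustration.

```python
"""Choosing a MIME Content-Transfer-Encoding for a message body.

Added example for the answers to questions 17 and 18; it is not code from the
question paper. The heuristic follows RFC 2045: a body that is already 7-bit
clean needs no encoding, a body that is mostly printable ASCII is best sent as
quoted-printable, and arbitrary binary data is best sent as base64. The sample
bodies at the bottom are constructed for the illustration.
"""
import base64
import quopri
from typing import Tuple

MAX_7BIT_LINE = 998  # RFC 5322 maximum line length, excluding CRLF


def is_7bit_clean(body: bytes) -> bool:
    """True if every octet is 7-bit, no NUL appears and no line is over-long."""
    if any(octet == 0 or octet > 127 for octet in body):
        return False
    return all(len(line) <= MAX_7BIT_LINE for line in body.split(b"\n"))


def choose_transfer_encoding(body: bytes) -> Tuple[str, bytes]:
    """Return (Content-Transfer-Encoding value, encoded body)."""
    if is_7bit_clean(body):
        return "7bit", body
    qp = quopri.encodestring(body)   # 1 octet per printable octet, 3 per other octet
    b64 = base64.encodebytes(body)   # flat 4/3 expansion plus line breaks
    # quoted-printable wins while the body is mostly printable ASCII and stays
    # human-readable; base64 wins once non-printable octets dominate.
    if len(qp) <= len(b64):
        return "quoted-printable", qp
    return "base64", b64


def decode_transfer_encoding(encoding: str, data: bytes) -> bytes:
    """Inverse of choose_transfer_encoding, as a receiving user agent would do it."""
    if encoding == "7bit":
        return data
    if encoding == "quoted-printable":
        return quopri.decodestring(data)
    if encoding == "base64":
        return base64.decodebytes(data)
    raise ValueError(f"unsupported Content-Transfer-Encoding: {encoding}")


def build_part(content_type: str, body: bytes) -> bytes:
    """Assemble a minimal MIME body part carrying the two header fields from question 17."""
    encoding, encoded = choose_transfer_encoding(body)
    headers = (
        f"Content-Type: {content_type}\r\n"
        f"Content-Transfer-Encoding: {encoding}\r\n\r\n"
    ).encode("ascii")
    return headers + encoded


if __name__ == "__main__":
    # Constructed sample bodies.
    samples = {
        "ascii text": b"Meeting moved to 10:30.\r\n",
        "latin text": b"caf\xc3\xa9 au lait, s'il vous pla\xc3\xaet",
        "binary": bytes(range(256)),
    }
    for name, body in samples.items():
        encoding, encoded = choose_transfer_encoding(body)
        print(f"{name:>11}: {encoding:<16} {len(body)} -> {len(encoded)} octets")
```

Running it shows the trade-off behind question 18: the text with two accented characters grows by only four octets under quoted-printable and remains readable, while the 256-octet binary blob would roughly triple under quoted-printable and so is sent as base64.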
24. Answer : (e)
   Reason : Except (e), all the other alternatives, namely user education, computer-generated passwords, reactive password checking and proactive password checking, are password selection strategies. So option (e) is the answer.

25. Answer : (e)
   Reason : Except (e), all the other alternatives, namely rule-based anomaly detection, rule-based penetration identification, distributed intrusion detection and native audit records, are intrusion detection techniques. So option (e) is the answer.

26. Answer : (e)
   Reason : The models used for intrusion detection are mean and standard deviation, multivariate and Markov process. So option (e) is the answer.
27. Answer : (e)
   Reason : Except (e), all the other alternatives are phases in the life cycle of a virus: dormant, propagation, triggering and execution. So option (e) is the answer.

28. Answer : (d)
   Reason : A stealth virus hides itself from detection by antivirus software. So option (d) is the answer.

29. Answer : (e)
   Reason : All of them are types of firewalls, namely packet filters, application-level gateways and circuit-level gateways. So option (e) is the answer.

30. Answer : (e)
   Reason : In a tiny fragment attack, the intruder uses the IP fragmentation option to create extremely small fragments and force the TCP header information into a separate packet fragment. So option (e) is the answer.


Section B : Problems
1. Firewalls can be an effective means of protecting a local system or network of systems from network-based security threats while at the same time affording access to the outside world via wide area networks and the Internet. The three common types of firewalls are packet filters, application-level gateways and circuit-level gateways.

Packet-Filtering Router
A packet-filtering router applies a set of rules to each incoming IP packet and then forwards or discards the packet. The router is typically configured to filter packets going in both directions (from and to the internal network). Filtering rules are based on fields in the IP and transport (e.g. TCP or UDP) header, including source and destination IP address, the IP protocol field (which defines the transport protocol) and the TCP or UDP port number (which defines an application such as SNMP or TELNET). The packet filter is typically set up as a list of rules based on matches to fields in the IP or TCP header. If there is a match to one of the rules, that rule is invoked to determine whether to forward or discard the packet. If there is no match to any rule, then a default action is taken: either discard what is not expressly permitted, or forward what is not expressly prohibited. The first policy is the more conservative and the one a security-conscious administrator should start from.

Application-Level Gateway
An application-level gateway, also called a proxy server, acts as a relay of application-level traffic. The user contacts the gateway using a TCP/IP application, such as Telnet or FTP, and the gateway asks the user for the name of the remote host to be accessed. When the user responds and provides a valid user ID and authentication information, the gateway contacts the application on the remote host and relays TCP segments containing the application data between the two endpoints. If the gateway does not implement the proxy code for a specific application, the service is not supported and cannot be forwarded across the firewall. Further, the gateway can be configured to support only specific features of an application that the network administrator considers acceptable while denying all other features.

Application-level gateways tend to be more secure than packet filters. Rather than trying to deal with the numerous possible combinations that are to be allowed and forbidden at the TCP and IP level, the application-level gateway need only scrutinize a few allowable applications. In addition, it is easy to log and audit all incoming traffic at the application level. A prime disadvantage of this type of gateway is the additional processing overhead on each connection. In effect, there are two spliced connections between the end users, with the gateway at the splice point, and the gateway must examine and forward all traffic in both directions.

Circuit-Level Gateway
A third type of firewall is the circuit-level gateway. This can be a stand-alone system or it can be a specialized function performed by an application-level gateway for certain applications. A circuit-level gateway does not permit an end-to-end TCP connection; rather, the gateway sets up two TCP connections, one between itself and a TCP user on an inner host and one between itself and a TCP user on an outside host. Once the two connections are established, the gateway typically relays TCP segments from one connection to the other without examining the contents. The security function consists of determining which connections will be allowed. A typical use of circuit-level gateways is a situation in which the system administrator trusts the internal users. The gateway can be configured to support application-level or proxy service on inbound connections and circuit-level functions for outbound connections. In this configuration, the gateway incurs the processing overhead of examining incoming application data for forbidden functions but does not incur that overhead on outgoing data.
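The following added example, which is not part of the suggested answer and not code from any product named in the caselet, implements the packet-filtering router described above: an ordered rule list matched on source and destination address, protocol, destination port and whether the segment is a connection request (SYN without ACK), with first match deciding and a default action when nothing matches. It also implements the countermeasure to the tiny fragment attack of Section A, question 30, as RFC 1858 specifies it: an initial TCP fragment too short to carry the transport header, or any fragment at offset 1, is dropped before the rules are consulted. The rule fields, addresses, port numbers and sample packets are constructed for the illustration.

```python
"""Stateless packet filter with ordered rules, a default action and the
RFC 1858 tiny fragment check.

Added example for the packet-filtering router described in the answer above
and for the tiny fragment attack of Section A, question 30. Not code from the
question paper or from any product in the caselet; rule fields, addresses and
sample packets are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

TCP, UDP = 6, 17
# RFC 1858: an initial fragment must carry at least this many octets of the
# transport header. An 8-octet first fragment holds the TCP ports but not the
# flags byte (octet 13), so a filter that looks at SYN/ACK never sees them;
# 16 octets covers ports, sequence and acknowledgment numbers and the flags.
TMIN = 16


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None   # None if the ports are not in this fragment
    syn: Optional[bool] = None    # None if the TCP flags are not in this fragment
    ack: Optional[bool] = None
    frag_offset: int = 0          # in 8-octet units, as in the IP header
    more_fragments: bool = False  # the MF flag
    payload_len: int = 0          # octets following the IP header


@dataclass
class Rule:
    action: str                                # "permit" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[int] = None                # None matches any protocol
    dport: Optional[int] = None                # None matches any destination port
    connection_request: Optional[bool] = None  # True: only SYN set and ACK clear

    def matches(self, pkt: Packet) -> bool:
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.connection_request is not None:
            # A fragment that carries no flags can never look like a request,
            # which is exactly what the tiny fragment attack relies on.
            is_request = bool(pkt.syn) and not pkt.ack
            if is_request != self.connection_request:
                return False
        return True


def tiny_fragment_reason(pkt: Packet) -> Optional[str]:
    """Return why the packet looks like a tiny fragment attack, or None."""
    if pkt.proto != TCP:
        return None
    if pkt.frag_offset == 0 and pkt.more_fragments and pkt.payload_len < TMIN:
        return "initial fragment too short to hold the TCP header"
    if pkt.frag_offset == 1:
        # Offset 1 (8 octets) can only overwrite the flags of the first
        # fragment during reassembly on the end host (RFC 1858, section 4).
        return "fragment at offset 1 overlaps the TCP header"
    return None


def filter_packet(rules: List[Rule], pkt: Packet, default: str = "deny",
                  tiny_fragment_defense: bool = True) -> str:
    """First-match evaluation: the first matching rule decides, else the default."""
    if tiny_fragment_defense and tiny_fragment_reason(pkt):
        return "deny"
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# Constructed rule set: inbound SMTP to the mail relay is allowed, no other
# inbound TCP connection may be opened, replies to outbound connections pass.
RULES = [
    Rule("permit", dst="192.0.2.25/32", proto=TCP, dport=25),
    Rule("deny", proto=TCP, connection_request=True),
]

if __name__ == "__main__":
    smtp = Packet("198.51.100.7", "192.0.2.25", TCP, dport=25, syn=True, ack=False, payload_len=40)
    telnet = Packet("198.51.100.7", "192.0.2.25", TCP, dport=23, syn=True, ack=False, payload_len=40)
    # The attack: an 8-octet first fragment carries the ports but pushes the
    # SYN/ACK flags into the next fragment, so the deny rule cannot match.
    tiny = Packet("198.51.100.7", "192.0.2.25", TCP, dport=23, more_fragments=True, payload_len=8)
    for name, pkt in (("smtp", smtp), ("telnet", telnet), ("tiny fragment", tiny)):
        with_check = filter_packet(RULES, pkt, default="permit")
        without = filter_packet(RULES, pkt, default="permit", tiny_fragment_defense=False)
        print(f"{name:14} with check: {with_check:6} without check: {without}")
```

The demonstration deliberately runs with a default of "permit" so that the attack is visible: without the RFC 1858 check the tiny Telnet SYN fragment falls through every rule and is forwarded, and the end host reassembles a complete SYN to port 23. With the check it is dropped before the rules are consulted. A default of "deny" (the conservative policy named in the answer) would have stopped this particular fragment anyway, which is one more reason to start from it.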

2. The company has 463 stores in 45 U.S. states and in five provinces across Canada, and it has 400 mobile users who require access to the corporate network for vital applications such as email and inventory systems. Linens n Things has a wide range of suppliers who need access to devices secured on the network, for instance the environmental control systems in its warehouses that need constant monitoring. The firewall is the gateway onto this network: it has to ensure that each store, depot and warehouse across North America is constantly connected to external services such as banks, and that the company's supporting vendors and mobile users can access the information they need.

Prior to 2002, Linens n Things used an outsourced service provider to manage the firewall. When the provider started to run into financial difficulties, Stein realized it was time to act. Given the complexity of the network topology, the number of suppliers and staff accessing the network, and the variety of applications being run, the Linens n Things firewall configuration is very dynamic. As a result, Stein decided to bring the firewall back in house: "I didn't want to wait two hours liaising with the provider to make changes to the firewall. Our configurations are constantly changing; suppliers need access to the network to troubleshoot. We keep the network locked down, so they need us to open ports to allow access, and it's normally pretty urgent. We couldn't afford the delay of involving a third party; I wanted to be able to control the firewall myself. And that meant the interface had to be straightforward."

3. Stein evaluated Check Point, Cisco and WatchGuard and chose WatchGuard for ease of administration: "With WatchGuard, the administration was much more straightforward. Straight out of the box the Firebox covered 99% of our requirements, and we were able to fine tune the appliance very quickly using WatchGuard System Manager." Two Firebox III 4500 appliances were installed in a High Availability configuration so that there is no single point of failure, and later replaced by two Firebox X2500 integrated security appliances.

"The Firebox X offers greater throughput and enhanced High Availability capacity, especially at peak times. The fact that the Firebox X has up to six Ethernet ports means I can run multiple DMZs and still provide a dedicated port for the High Availability heartbeat. That's the type of redundancy you need when access is vital," Stein reasons. "In addition, as network traffic increases in line with the opening of new stores, it's good to know that the Firebox X line has model upgrade capability. If I purchase a Firebox X500, X700 or X1000 in the future, I can increase the horsepower by simply activating a license key on my existing appliance to increase performance, capacity or functionality."

The transition to the new Firebox X appliances was straightforward, since Stein was able to export his previous firewall configurations directly from the Firebox III appliances. He now plans to install the original Firebox III appliances at regional warehouses which aren't currently on the private network, making communication with them much faster and easier.

Each Firebox appliance also includes a renewable subscription to WatchGuard's LiveSecurity Service. This provides technical support, training, software updates and an information broadcast service to all active LiveSecurity subscribers. WatchGuard's LiveSecurity Rapid Response Team monitors Internet threats as they evolve, assesses them and then provides clear instructions to subscribers recommending appropriate actions to ensure continued security. In this way, WatchGuard serves as an expert security resource for Linens n Things. "The LiveSecurity alerts are extremely useful. They're clear, comprehensive, and above all short. I don't have time to read through reams of detail; I just want the facts in an easily understandable format. I subscribe to several newsfeeds and WatchGuard's LiveSecurity is easily one of the best."

If there's a problem, it's his phone that rings. He's understandably cautious given the billions of dollars in transactions that go across his network each year. It's a mark of his confidence in WatchGuard's Firebox X then that he thinks little about security: "Probably the greatest compliment I could pay is that security doesn't take up a large part of my day. WatchGuard's Firebox X worked out of the box and is easy to manage. I have enough to worry about and thankfully, network access and security aren't on the list."

4.

Multiprotocol Label Switching (MPLS) is a data-carrying mechanism, operating at a layer below protocols such as IP. It was designed to provide a unified data-carrying service for both circuit-based clients and packet-switching clients which provide a datagram service model. It can be used to carry many different kinds of traffic, including both voice telephone traffic and IP packets.

Benefits:
- Uncovered the existing security vulnerabilities on various systems
- Can compare vulnerabilities of each week with the previous week

Specific benefits from the solution implemented by Wipro:
- Very cost effective compared to a dedicated link solution
- Ensured quality of service
- IPSec based encryption to ensure data security
- High scalability
- Remote access for mobile users.

5.

Applications of IPSec

IPSec provides the capability to secure communications across a LAN, across private and public WANs and across the Internet. Examples of its use include the following:
- Secure branch office connectivity over the Internet: A company can build a secure virtual private network over the Internet or over a public WAN. This enables a business to rely heavily on the Internet and reduce its need for private networks, saving costs and network management overhead.
- Secure remote access over the Internet: An end user whose system is equipped with IP security protocols can make a local call to an Internet service provider (ISP) and gain secure access to a company network. This reduces the cost of toll charges for traveling employees and telecommuters.
- Establishing extranet and intranet connectivity with partners: IPSec can be used to secure communication with other organizations, ensuring authentication and confidentiality and providing a key exchange mechanism.
- Enhancing electronic commerce security: Even though some Web and electronic commerce applications have built-in security protocols, the use of IPSec enhances that security.

6.

IPSec Services

IPSec provides security services at the IP layer by enabling a system to select required security protocols, determine the algorithm(s) to use for the service(s) and put in place any cryptographic keys required to provide the requested services. Two protocols are used to provide security: an authentication protocol designated by the header of the protocol, Authentication Header (AH), and a combined encryption/authentication protocol designated by the format of the packet for that protocol, Encapsulating Security Payload (ESP). The services are as follows:
- Access control
- Connectionless integrity
- Data origin authentication
- Rejection of replayed packets (a form of partial sequence integrity)
- Confidentiality (encryption)
- Limited traffic flow confidentiality
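As an added illustration of the "rejection of replayed packets" service (this code is not part of the original answer), the sliding-window check that an IPSec receiver runs over the AH/ESP sequence number; the 64-entry window size, the class name and the packet arrival order are choices made for this example:

```python
WINDOW = 64  # window size chosen for this example (IPSec's default is 64)

class AntiReplayWindow:
    """Sliding window over the 32-bit ESP/AH sequence number field.
    Keeps the highest sequence number accepted and a bitmap of the
    WINDOW values below it; duplicates and stale packets are rejected.
    Only packets that already passed the integrity check may update it."""

    def __init__(self, size=WINDOW):
        self.size = size
        self.last = 0      # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence number (last - i) was seen

    def check(self, seq):
        """Return True and record seq if it is new and inside the window."""
        if seq == 0:
            return False   # 0 is never sent: the counter starts at 1
        if seq > self.last:                      # advances the window
            shift = seq - self.last
            self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1)
            self.bitmap |= 1
            self.last = seq
            return True
        diff = self.last - seq
        if diff >= self.size:
            return False   # older than the window: treated as a replay
        if self.bitmap & (1 << diff):
            return False   # already received: replay
        self.bitmap |= 1 << diff
        return True

def filter_packets(seqs, size=WINDOW):
    """Constructed driver: feed arriving sequence numbers through one
    window and return (accepted, rejected) in arrival order."""
    window = AntiReplayWindow(size)
    accepted, rejected = [], []
    for seq in seqs:
        (accepted if window.check(seq) else rejected).append(seq)
    return accepted, rejected

if __name__ == "__main__":
    # constructed arrivals: in order, reordered (4 after 5), a replay of 3,
    # a jump to 70, then 6 which now falls outside the 64-entry window
    print(filter_packets([1, 2, 3, 5, 4, 3, 70, 6, 71]))
```

Note that the window is "partial" sequence integrity: reordering within the window is tolerated, only duplicates and packets that fell behind the window are dropped.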

Section C: Applied Theory


7. Pretty Good Privacy (PGP) consists of five services: authentication, confidentiality, compression, e-mail compatibility and segmentation.

Summary of PGP Services

Function: Digital signature
Algorithms used: DSS/SHA or RSA/SHA
Description: A hash code of a message is created using SHA-1. This message digest is encrypted using DSS or RSA with the sender's private key and included with the message.

Function: Message encryption
Algorithms used: CAST or IDEA or three-key triple DES with Diffie-Hellman or RSA
Description: A message is encrypted using CAST-128 or IDEA or 3DES with a one-time session key generated by the sender. The session key is encrypted using Diffie-Hellman or RSA with the recipient's public key and included with the message.

Function: Compression
Algorithms used: ZIP
Description: A message may be compressed, for storage or transmission, using ZIP.

Function: E-mail compatibility
Algorithms used: Radix-64 conversion
Description: To provide transparency for email applications, an encrypted message may be converted to an ASCII string using radix-64 conversion.

Function: Segmentation
Algorithms used: -
Description: To accommodate maximum message size limitations, PGP performs segmentation and reassembly.
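The e-mail compatibility row above is the one service that can be shown end to end with the standard library, so here is an added example (not code from the original answer or from PGP itself) of PGP's radix-64 conversion: base64 folded into lines, followed by the 24-bit CRC that PGP appends so a corrupted armored message is detected before any decryption is attempted. The CRC-24 parameters are those OpenPGP specifies; the function names and the 76-column line length are this example's choices.

```python
import base64

CRC24_INIT = 0xB704CE   # OpenPGP armor CRC-24 initial value
CRC24_POLY = 0x1864CFB  # OpenPGP armor CRC-24 polynomial

def crc24(data: bytes) -> int:
    """CRC-24 over the binary message, as used by PGP ASCII armor."""
    crc = CRC24_INIT
    for octet in data:
        crc ^= octet << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF

def radix64_armor(data: bytes, line_len: int = 76) -> str:
    """Radix-64 conversion: base64 body folded at line_len, then a final
    line of '=' plus the base64 of the 3-byte CRC-24 of the binary data."""
    body = base64.b64encode(data).decode("ascii")
    lines = [body[i:i + line_len] for i in range(0, len(body), line_len)]
    check = base64.b64encode(crc24(data).to_bytes(3, "big")).decode("ascii")
    return "\n".join(lines) + "\n=" + check

def radix64_dearmor(text: str) -> bytes:
    """Reverse the conversion and verify the checksum; raise on mismatch
    so a damaged message is rejected rather than passed to decryption."""
    lines = text.strip().splitlines()
    check_line = lines.pop()
    if not check_line.startswith("="):
        raise ValueError("missing CRC-24 line")
    data = base64.b64decode("".join(lines))
    expected = int.from_bytes(base64.b64decode(check_line[1:]), "big")
    if crc24(data) != expected:
        raise ValueError("CRC-24 mismatch: armored message corrupted")
    return data

if __name__ == "__main__":
    # constructed sample: 200 arbitrary bytes standing in for an encrypted message
    sample = bytes(range(200))
    armored = radix64_armor(sample)
    print(armored)
    assert radix64_dearmor(armored) == sample
```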

8.

Oakley Key Determination Protocol: Oakley is a key exchange protocol based on the Diffie-Hellman algorithm but providing added security. Oakley is generic in that it does not dictate specific formats.

Features of Oakley

The Oakley algorithm is characterized by five important features:
1. It employs a mechanism known as cookies to thwart clogging attacks.
2. It enables the two parties to negotiate a group: this, in essence, specifies the global parameters of the Diffie-Hellman key exchange.
3. It uses nonces to ensure against replay attacks.
4. It enables the exchange of Diffie-Hellman public key values.
5. It authenticates the Diffie-Hellman exchange to thwart man-in-the-middle attacks.
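Features 1 to 4 can be seen together in a small simulation, added here as an example and not taken from the original answer or from any Oakley implementation: the responder issues a stateless cookie (a keyed hash of the two addresses and ports), refuses to do the Diffie-Hellman exponentiation until the initiator returns that cookie, and both sides bind fresh nonces into the derived key. The 127-bit toy group, the 8-byte cookie, the class and function names and the simplified key derivation are all assumptions of this example; authentication of the exchange (feature 5) is left out.

```python
import hashlib, hmac, os, secrets

# Toy Diffie-Hellman group for this demo only (real Oakley groups use a
# 768-bit or larger modulus): p is the Mersenne prime 2^127 - 1, g = 3.
P = (1 << 127) - 1
G = 3

class OakleyParty:
    """One side of a cookie-protected Diffie-Hellman exchange."""
    def __init__(self, addr, port):
        self.addr, self.port = addr, port
        self.secret = os.urandom(16)           # local secret for cookie generation
        self.nonce = secrets.token_bytes(16)   # fresh per exchange: defeats replay
        self.priv = secrets.randbelow(P - 2) + 1

    def cookie(self, peer_addr, peer_port):
        """Cookie = keyed hash of (own address/port, peer address/port).
        Recomputable from the secret, so no per-request state is stored."""
        msg = f"{self.addr}:{self.port}|{peer_addr}:{peer_port}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:8]

    def public(self):
        return pow(G, self.priv, P)

    def shared(self, peer_public):
        return pow(peer_public, self.priv, P)

def responder_handle(resp, init_addr, init_port, returned_cookie, init_pub):
    """The responder performs the expensive modular exponentiation only after
    the initiator echoes the cookie issued to its claimed address, so a flood
    of spoofed requests costs the responder one HMAC each, not one DH each."""
    if not hmac.compare_digest(returned_cookie, resp.cookie(init_addr, init_port)):
        return None
    return resp.shared(init_pub)

def derive_key(shared, nonce_i, nonce_r):
    """Simplified key derivation binding the DH secret to both nonces."""
    return hashlib.sha256(shared.to_bytes(16, "big") + nonce_i + nonce_r).digest()

def run_exchange(init, resp):
    """Constructed run: cookie request and reply, then cookie + DH value,
    then both sides derive the same key from the shared secret and nonces."""
    cookie_r = resp.cookie(init.addr, init.port)          # stateless reply
    shared_r = responder_handle(resp, init.addr, init.port, cookie_r, init.public())
    if shared_r is None:
        return None
    shared_i = init.shared(resp.public())
    return (derive_key(shared_i, init.nonce, resp.nonce),
            derive_key(shared_r, init.nonce, resp.nonce))
```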