Exam Study Notes

Unit 4: Application Layer and Network Security

25. Domain Name System (DNS)

  • DNS is a client/server application.
  • A DNS client/server program can support an e-mail program to find the IP address of an e-mail recipient.
  • It enables the use of application layer addresses, such as an email address, instead of network layer logical addresses.
  • It resolves an IP address to a host name or vice-versa.
  • It is a distributed mapping service.
  • All devices connected to the Internet are identified by IP addresses (numbers).
  • Hostnames are used to make it easier for people to remember devices on a network.
  • TCP/IP protocols use the IP address to identify the connection of a host to the Internet.
  • A system is needed to map a name to an address or vice versa because people prefer to use names instead of numeric addresses.
  • When the Internet was small, mapping was done using a host file with two columns: name and address.
  • Every host could store the host file locally and update it periodically from a master host file.
  • When a program or user wants to map a name to an address, the host file is consulted.
  • It's impossible to have a single host file to relate every address with a name because the file would be too large and difficult to update.

Solutions:

  1. Store the entire host file in a single computer and allow access to every computer that needs mapping; however, this creates a huge amount of traffic.
  2. Divide the information into smaller parts and store each part on a different computer, allowing hosts to contact the closest computer with the needed information. This is the method used by DNS.

DOMAIN NAME SPACE

  • A domain name space was designed to have a hierarchical name space.
  • Names are defined in an inverted-tree structure with the root at the top.
  • The tree can have 128 levels: level 0 (root) to level 127.

Label:

  • Each node has a label, a string with a maximum of 63 characters.
  • The root label is a null string (empty string).
  • Children of a node must have different labels to guarantee the uniqueness of domain names.

Domain Name:

  • Each node has a domain name.
  • A full domain name is a sequence of labels separated by dots (.).
  • Domain names are read from the node up to the root.
  • The last label is the label of the root (null), which means a full domain name always ends in a dot.

Domain

  • A domain is a subtree of the domain name space.
  • The name of the domain is the domain name of the node at the top of the subtree.
  • A domain may be divided into subdomains.

DISTRIBUTION OF NAME SPACE

  • The information in the domain name space must be stored.
  • It is inefficient and unreliable to have one computer store all the information.
  • Inefficient because of the heavy load from responding to requests worldwide.
  • Unreliable because any failure makes the data inaccessible.

Hierarchy of Name Servers

  • Distribute the information among many computers called DNS servers to solve these problems.
  • Divide the whole space into many domains based on the first level.
  • Let the root stand alone and create as many domains as there are first-level nodes.
  • DNS allows domains to be further divided into smaller domains (subdomains).
  • Each server can be responsible for a large or small domain.
  • There is a hierarchy of servers in the same way that there is a hierarchy of names.

Zone:

  • A zone is a contiguous part of the entire tree for which a server is responsible or has authority.
  • If a server accepts responsibility for a domain and does not divide the domain into smaller domains, the domain and the zone refer to the same thing.

Root Server:

  • A root server is a server whose zone consists of the whole tree.
  • There are several root servers distributed around the world, each covering the whole domain name space.

Primary and Secondary Servers:

  • DNS defines two types of servers: primary and secondary.
Primary server:
  • Stores a file about the zone for which it is an authority.
  • Responsible for creating, maintaining, and updating the zone file.
  • Stores the zone file on a local disk.
Secondary server:
  • Transfers the complete information about a zone from another server (primary or secondary) and stores the file on its local disk.
  • Does not create or update the zone files.
  • The primary and secondary servers are both authoritative for the zones they serve.

DNS in the Internet

  • DNS is a protocol that can be used on different platforms.
  • In the Internet, the DNS is divided into three different sections: generic domains, country domains, and the inverse domain.
Generic Domains:
  • Defines registered hosts according to their generic behavior.
  • Each node in the tree defines a domain, which is an index to the DNS database.
Country Domains:
  • Uses two-character country abbreviations (e.g., us for United States).
  • Second labels can be organizational or more specific national designations.
  • The United States, for example, uses state abbreviations as a subdivision of us (e.g., ca.us.).
  • The address anza.cup.ca.us can be translated to De Anza College in Cupertino, California, in the US.
Inverse Domain:
  • Used to map an address to a name.
  • This may happen when a server has received a request from a client to do a task.
  • This type of query is called an inverse or pointer (PTR) query.

RESOLUTION

  • Mapping a name to an address or an address to a name is called name-address resolution.

Resolver:

  • DNS is designed as a client/server application.
  • A host that needs to map an address to a name or a name to an address calls a DNS client called a resolver.

Recursive Resolution:

  • The client (resolver) can ask for a recursive answer from a name server.
  • This means that the resolver expects the server to supply the final answer.
  • When the query is finally resolved, the response travels back until it finally reaches the requesting client.

Iterative Resolution:

  • If the client does not ask for a recursive answer, the mapping can be done iteratively.
  • If the server is an authority for the name, it sends the answer.
  • This process is called iterative resolution because the client repeats the same query to multiple servers.
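The difference between recursive and iterative resolution, and the shape of the name used for an inverse (PTR) query, are clearest when traced through code. The block below is an added example, not part of the notes: it models a three-level server hierarchy with constructed server names, zones and addresses, resolves a name both ways, and builds the reverse-lookup name under in-addr.arpa (the tree DNS defines for IPv4 address-to-name mapping).

```python
# Added example (not from the notes): a toy model of the two resolution
# styles over a three-level server hierarchy, plus construction of the
# name used for an inverse (PTR) query. The server names, zones and
# addresses below are constructed for the example; the in-addr.arpa
# reverse-lookup tree is the one defined by DNS for IPv4.

# Constructed zone data. Each server either knows final answers (name -> address)
# or a referral (sub-zone suffix -> the server responsible for it).
SERVERS = {
    "root-server": {"answers": {}, "referrals": {"com.": "tld-server"}},
    "tld-server":  {"answers": {}, "referrals": {"example.com.": "auth-server"}},
    "auth-server": {"answers": {"www.example.com.": "192.0.2.10",
                                "mail.example.com.": "192.0.2.25"},
                    "referrals": {}},
}


def query(server: str, name: str):
    """One query to one server. Returns ('answer', address), ('referral', next_server)
    or ('nxdomain', None). The server never contacts other servers itself."""
    zone = SERVERS[server]
    if name in zone["answers"]:
        return "answer", zone["answers"][name]
    # Follow the most specific delegation whose suffix matches the name.
    for suffix, nxt in sorted(zone["referrals"].items(), key=lambda kv: -len(kv[0])):
        if name.endswith(suffix):
            return "referral", nxt
    return "nxdomain", None


def resolve_iterative(name: str, start: str = "root-server", max_steps: int = 10):
    """Iterative resolution: the resolver repeats the query to each server it is
    referred to. Returns (address or None, list of servers contacted)."""
    server, trail = start, []
    for _ in range(max_steps):
        trail.append(server)
        kind, value = query(server, name)
        if kind == "answer":
            return value, trail
        if kind == "nxdomain":
            return None, trail
        server = value                      # referral: ask the next server
    raise RuntimeError("too many referrals")  # guards against delegation loops


def resolve_recursive(name: str, server: str = "root-server"):
    """Recursive resolution: the server the client asked chases the referrals
    and supplies the final answer; the client sees a single round trip."""
    kind, value = query(server, name)
    if kind == "referral":
        return resolve_recursive(name, value)
    return value                            # address, or None for nxdomain


def reverse_name(ipv4: str) -> str:
    """Name looked up for an inverse (PTR) query: octets reversed under in-addr.arpa."""
    octets = ipv4.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("not a dotted-quad IPv4 address")
    return ".".join(reversed(octets)) + ".in-addr.arpa."


if __name__ == "__main__":
    print(resolve_iterative("www.example.com."))
    print(resolve_recursive("mail.example.com."))
    print(reverse_name("192.0.2.10"))
```

The `max_steps` guard matters in practice: a misconfigured or hostile delegation chain can refer a resolver in a circle, and a resolver without such a bound turns one client query into unbounded work.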

26. Electronic Mail and File Transfer

  • One of the most popular Internet services is electronic mail (e-mail).
  • Allows users to exchange messages.
  • Today's e-mail systems are based on a store-and-forward model.
  • Email servers accept, forward, deliver, and store messages.
  • Neither the users nor their computers are required to be online simultaneously.

Architecture:

  • Client pushes messages.
  • Client pulls messages.
  • A mail spool is a file that stores the mail header and message body of every e-mail for a particular account.
  • Mailboxes contain delivered e-mails.

Services of user agent

  • A user agent is a software package (program) that composes, reads, replies to, and forwards messages. It also handles mailboxes.
  • The UA provides services to the user to make the process of sending and receiving a message easier.
Composing messages:
  • A user agent helps the user compose the e-mail message to be sent out.
  • Template
  • Built-in editor (spell checking, grammar checking, and other tasks expected from a sophisticated word processor).
Reading messages:
  1. Number field.
  2. A flag field: status of the mail (new, already read but not replied to, or read and replied to).
  3. The size of the message.
  4. The sender.
  5. The optional subject field.
Replying to messages:
  • After reading a message, a user can use the UA to reply to a message.
  • Reply to:
    • Original sender
    • All recipients of the message.
  • It contains the original message (for quick reference) and the new message.
Forwarding messages:
  • Sending the message to a third party.
Handling Mailboxes:
  • A UA normally creates two mailboxes:
    1. Inbox (all the received mails)
    2. Outbox (Sent e-mails)
  • Most UAs today are capable of creating customized mailboxes.

Format of an e-mail

Mail From: forouzan@some.com
RCPT To: mosharraf@aNetwork.com
From: Behrouz Forouzan
To: Firouz Mosharraf
Date: 1/10/2011
Subject: Network

An e-mail address consists of 3 parts, e.g. abcxyz@gmail.com:
  1. Unique user name chosen by the e-mail account owner (abcxyz)
  2. "At" sign (@)
  3. Domain name of the company/organization providing the e-mail service (gmail.com)

Concept of Network Virtual Terminal

  • TELNET (TErminal NETwork) is a general-purpose client/server application program.

MIME (Multipurpose Internet Mail Extensions)

  • It is a supplementary protocol that allows non-ASCII data to be sent through e-mail.

Five headers in MIME:
  • MIME-Version: 1.1
  • Content-Type
  • Content-Transfer-Encoding
  • Content-Id
  • Content-Description (e.g., whether the body is image, audio, or video)

Content-Type

  • Type of data used in the body of the message.
    Content-Type: <type/subtype; parameters>

    Type         Subtype        Description
    Text         Plain          Unformatted text
                 HTML           HTML format
    Multipart    Mixed          Body contains ordered parts of different data types
                 Parallel       Same as above, but no order
                 Digest         Similar to Mixed, but the default is message/RFC822
                 Alternative    Parts are different versions of the same message
    Message      RFC822         Body is an encapsulated message
                 Partial        Body is a fragment of a bigger message
                 External-Body  Body is a reference to another message
    Image        JPEG           Image is in JPEG format
                 GIF            Image is in GIF format
    Video        MPEG           Video is in MPEG format
    Audio        Basic          Single-channel encoding of voice at 8 kHz
    Application  PostScript     Adobe PostScript
                 Octet-stream   General binary data (eight-bit bytes)

Content-Transfer-Encoding

  • It defines the method used to encode the messages into 0s and 1s for transport.

Base64 conversion (non-ASCII data to ASCII data):
  1. A set of bits (three 8-bit bytes):          11001100 10000001 00111001
  2. Combine and split into four 6-bit chunks:   110011 001000 000100 111001
  3. Values of the chunks:                       51 8 4 57
  4. Base64 converter output (four characters):  z I E 5
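The regrouping in the figure (three 8-bit bytes into four 6-bit values, each mapped to a printable character) is short enough to implement by hand and check against the standard library. The block below is an added example, not part of the notes; the three sample bytes are the ones from the figure, and the function names are my own.

```python
# Added example (not from the notes): the Base64 regrouping shown in the
# figure, implemented by hand and checked against Python's base64 module.
# The three sample bytes are the ones from the figure.
import base64

B64_ALPHABET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                "abcdefghijklmnopqrstuvwxyz"
                "0123456789+/")          # values 0..63

SAMPLE = bytes([0b11001100, 0b10000001, 0b00111001])   # from the figure


def six_bit_values(data: bytes) -> list:
    """Combine the 8-bit bytes into one bit string and split it into 6-bit chunks.
    Pads with zero bits so the total is a multiple of 6 (1 byte -> 2 chunks, 2 -> 3, 3 -> 4)."""
    bits = "".join(f"{byte:08b}" for byte in data)
    bits += "00" * ((-len(data)) % 3)
    return [int(bits[i:i + 6], 2) for i in range(0, len(bits), 6)]


def base64_encode(data: bytes) -> str:
    """Map each 6-bit value to its ASCII character; '=' marks missing input bytes."""
    chars = "".join(B64_ALPHABET[v] for v in six_bit_values(data))
    return chars + "=" * ((-len(data)) % 3)


def base64_decode(text: str) -> bytes:
    """Reverse the mapping: 6-bit values back to bytes, dropping the padding bits."""
    body = text.rstrip("=")
    bits = "".join(f"{B64_ALPHABET.index(ch):06b}" for ch in body)
    usable = len(bits) - len(bits) % 8          # padding bits never complete a byte
    return bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8))


def matches_stdlib(data: bytes) -> bool:
    """Cross-check the hand-rolled encoder against the standard library."""
    return base64_encode(data) == base64.b64encode(data).decode("ascii")


if __name__ == "__main__":
    print(six_bit_values(SAMPLE), base64_encode(SAMPLE))   # [51, 8, 4, 57] zIE5
```

Base64 is a transfer encoding, not encryption: it only makes 8-bit data survive a 7-bit ASCII channel, and anyone who receives the text can reverse it with `base64_decode`. Confidentiality for mail content has to come from the cryptographic mechanisms covered later in these notes.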

Protocols used in electronic mail

  • To send mail, a system must have a client MTA.

  • To receive mail, a system must have a server MTA.

  • SMTP (push protocol): it defines the MTA client/server programs. It also defines commands and responses.

  • MAA: POP and IMAP (pull protocols).

SMTP format and Commands

Keyword: argument(s)

  Keyword     Argument(s)            Description
  HELO        Sender's host name     Identifies itself
  MAIL FROM   Sender of the message  Identifies the sender of the message
  RCPT TO     Intended recipient     Identifies the recipient of the message
  DATA        Body of the mail       Sends the actual message
  QUIT                               Terminates the message
  RSET                               Aborts the current mail transaction
  VRFY        Name of recipient      Verifies the address of the recipient
  NOOP                               Checks the status of the recipient
  TURN                               Switches the sender and the recipient
  EXPN        Mailing list           Asks the recipient to expand the mailing list
  HELP        Command name           Asks the recipient to send information about the command sent as the argument
  SEND FROM   Intended recipient     Specifies that the mail be delivered only to the terminal of the recipient, and not to the mailbox
  SOML FROM   Intended recipient     Specifies that the mail be delivered to the terminal or the mailbox of the recipient
  SAML FROM   Intended recipient     Specifies that the mail be delivered to the terminal and the mailbox of the recipient

SMTP responses

  Code   Description

  Positive Completion Reply
  211    System status or help reply
  214    Help message
  220    Service ready
  221    Service closing transmission channel
  250    Request command completed
  251    User not local; the message will be forwarded

  Positive Intermediate Reply
  354    Start mail input

  Transient Negative Completion Reply
  421    Service not available
  450    Mailbox not available
  451    Command aborted: local error
  452    Command aborted; insufficient storage

SMTP responses (Continued)

  Permanent Negative Completion Reply
  500    Syntax error; unrecognized command
  501    Syntax error in parameters or arguments
  502    Command not implemented
  503    Bad sequence of commands
  504    Command temporarily not implemented
  550    Command is not executed; mailbox unavailable
  551    User not local
  552    Requested action aborted; exceeded storage allocation
  553    Requested action not taken; mailbox name not allowed
  554    Transaction failed

Mail Transfer Phases

Communication between an SMTP client and an SMTP server proceeds as a sequence of commands from the client and responses from the server, one side at a time.
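The command and response tables only make sense together with the order in which a server is willing to accept them. The block below is an added example, not part of the notes: a minimal SMTP server state machine that replies with codes from the tables above and enforces the HELO, MAIL FROM, RCPT TO, DATA, QUIT order, answering 503 (Bad sequence of commands) otherwise. The server host name is constructed; the addresses in the demo session are the ones from the sample message earlier in these notes.

```python
# Added example (not from the notes): a minimal SMTP server state machine that
# answers with response codes from the tables above and enforces the command
# order HELO -> MAIL FROM -> RCPT TO -> DATA -> QUIT (503 "Bad sequence of
# commands" otherwise). The server host name is constructed; the addresses in
# the demo session are the ones from the sample message earlier in the notes.


class ToySmtpServer:
    def __init__(self, hostname: str = "mail.aNetwork.com"):   # constructed name
        self.hostname = hostname
        self.state = "connected"      # connected -> ready -> mail -> rcpt -> data
        self.mailbox = []             # delivered (sender, recipients, body) tuples
        self._reset()

    def _reset(self):
        self.sender, self.recipients, self.lines = None, [], []

    def greet(self) -> str:
        return f"220 {self.hostname} Service ready"

    def handle(self, line: str) -> str:
        """Process one client line; return the server's reply ('' while in DATA)."""
        if self.state == "data":
            if line == ".":                               # end of message body
                self.mailbox.append((self.sender, list(self.recipients), "\n".join(self.lines)))
                self._reset()
                self.state = "ready"
                return "250 Request command completed"
            self.lines.append(line)
            return ""
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "HELO":
            self._reset()
            self.state = "ready"
            return f"250 {self.hostname}"
        if verb == "MAIL":
            if self.state != "ready":
                return "503 Bad sequence of commands"
            if not arg.upper().startswith("FROM:"):
                return "501 Syntax error in parameters or arguments"
            self.sender = arg[5:].strip()
            self.state = "mail"
            return "250 Request command completed"
        if verb == "RCPT":
            if self.state not in ("mail", "rcpt"):
                return "503 Bad sequence of commands"
            if not arg.upper().startswith("TO:"):
                return "501 Syntax error in parameters or arguments"
            self.recipients.append(arg[3:].strip())
            self.state = "rcpt"
            return "250 Request command completed"
        if verb == "DATA":
            if self.state != "rcpt":                      # needs at least one recipient
                return "503 Bad sequence of commands"
            self.state = "data"
            return "354 Start mail input"
        if verb == "RSET":
            self._reset()
            if self.state != "connected":
                self.state = "ready"
            return "250 Request command completed"
        if verb == "NOOP":
            return "250 Request command completed"
        if verb == "QUIT":
            self.state = "closed"
            return "221 Service closing transmission channel"
        return "500 Syntax error; unrecognized command"


def run_session(client_lines) -> list:
    """Drive one server through a client script; return the reply codes in order."""
    server = ToySmtpServer()
    replies = [server.greet()]
    replies += [server.handle(line) for line in client_lines]
    return [r[:3] for r in replies if r]


DEMO_SESSION = [
    "HELO some.com",
    "MAIL FROM:<forouzan@some.com>",
    "RCPT TO:<mosharraf@aNetwork.com>",
    "DATA",
    "From: Behrouz Forouzan",
    "To: Firouz Mosharraf",
    "Subject: Network",
    "",
    "Hello",
    ".",
    "QUIT",
]

if __name__ == "__main__":
    print(run_session(DEMO_SESSION))   # ['220', '250', '250', '250', '354', '250', '221']
```

A production server adds what this toy leaves out: limits on line and message size, authentication before it will relay for anyone, and, in most deployments, VRFY and EXPN disabled, because those commands let a remote party confirm which addresses and list members exist.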

Message Access Agent (MAA)- Pull protocol

  • POP3 (Post Office Protocol)
  • IMAP4 (Internet Mail Access Protocol)
  (Figure in the notes: Bob and Alice communication.)

POP3 (Post Office Protocol)

  • It is simple and limited in functionality.
  • It consists of client and server software.
  • It has two modes: delete and keep.
  • Limitations: it does not allow the user to organize mail (create folders) on the server, and it does not allow the user to partially check the contents of a message before downloading it.

IMAP4 (Internet Mail Access Protocol)

  • It is similar to POP3, but it has more features.
  • It is more powerful and more complex.
  • Extra functions:
    • The user can check the e-mail header prior to downloading.
    • The user can search the contents of the e-mail.
    • The user can partially download e-mail (useful in limited-bandwidth applications).
    • The user can create, delete, or rename mailboxes on the mail server.

Chapter 29 Multimedia

  • It refers to a number of different integrated media, such as text, images, audio, and video, that are generated, stored, and transmitted digitally and can be accessed interactively.
  • Multimedia today is a broad subject that cannot be fully discussed in one lecture.

A. Digitizing

B. Compression

C. Multimedia in the Internet, divided into three categories:

  1. Streaming stored audio/video
  2. Streaming live audio/video
  3. Real-time interactive audio/video

D. Transport-layer protocols used for multimedia applications: RTP and RTCP.

A. Digitizing Audio and Video

  • Audio:
    • fs = 8000 samples/second
    • n = 8 bits/sample
    • Bit rate = n × fs = 64 Kbps
  • Music:
    • fs = 44.1 KHz
    • n = 16 bits/sample
    • Bit rate = 705.6 Kbps (Mono)
    • Bit rate = 1.411 Mbps (Stereo)
  • Video:

B. Compression

  • Plays a crucial role in multimedia communication due to the large volume of data exchanged.
  • In compression, we reduce the volume of data to be exchanged.
  • We can divide compression into two broad categories:
    • Lossless: run-length coding, dictionary coding, Huffman coding, and arithmetic coding. Lossless compression has limits on the amount of compression.
    • Lossy: predictive coding (PCM, DPCM, DM, ADM, and LPC) and transform coding (DCT).

CD format: Uncompressed data rate = 1.4 Mbps
AAC files on an iPod: Compressed data rate = 128 Kbps
Compression ratio = 1.4 Mbps/128Kbps = 10.9

C. Multimedia in the Internet

1. Streaming Stored Audio/Video:
  • User can listen to (or watch) the file after the downloading has started.
  • Files are compressed and stored on a server; a client downloads the files through the Internet. This is sometimes called on-demand A/V.
  • Examples: stored audio files (songs, famous lectures); stored video files (movies, TV shows, and music video clips).
2. Streaming Live Audio/Video:
  • A user can listen to broadcast A/V through the internet.
  • Examples: Internet radio (radio stations broadcasting only on the Internet, or both on the Internet and on air) and Internet TV (IPTV).
  • Transport: UDP and RTP, or TCP.
3. Interactive Audio/Video:
  • People use the Internet to interactively communicate with one another.
  • Internet telephony and teleconferencing.
  • Voice over IP (VoIP), carried over RTP.

D. Real-time interactive protocols

(Figure in the notes: schematic diagram of a real-time multimedia system.)

1. Real-time Transport Protocol (RTP)

  • It is the protocol designed to handle real-time traffic on the Internet.
  • It allows only one type of message, one that carries data from the source to the destination.
  • It does not have a delivery mechanism (multicasting, port numbers, and so on); it must be used with UDP.
  • RTP stands between UDP and the multimedia application.
  • The literature and standards treat RTP as the transport protocol (not a transport-layer protocol) that can be thought of as located in the application layer.
  • It uses an even-numbered UDP port.

RTP Issues

  • No QoS guarantees; no guarantee of packet delivery.
  • RTP timestamp (TS) and sequence number (SN): the TS is used to order packets in the correct timing order; the SN is used to detect packet loss.

2. Real-time Transport Control Protocol (RTCP).

  • RTP allows only one type of message, one that carries data from the source to the destination.
  • To really control the session, we need more communication between the participants in a session.
  • Control communication in this case is assigned to a separate protocol called RTCP.
  • It provides flow control, quality of data control, and feedback to the sources.
  • It uses an odd-numbered UDP port.

Chapter 30: Cryptography

  • Cryptography is used to achieve network security.
  • The chapter opens the door for studying network security.
  • It prevents data from being read by a third party.

1. Cryptography: "Secret writing" (from Greek origins)

  • It refers to the science and art of transforming messages to make them secure and immune to attacks.

2. Cipher:

  • Encryption and decryption algorithms are known as ciphers.
  • It is used to represent different categories of algorithms in cryptography.
  • This is not to say that every sender-receiver pair needs their very own unique cipher for a secure communication.
  • On the contrary, one cipher can serve millions of communicating pairs.

3. Key:

  • It is a number (or a set of numbers) that the cipher, as an algorithm, operates on.

4. Alice, Bob, and Eve:

  • Alice is the person who needs to send secure data.
  • Bob is the recipient of the data.
  • Eve is the person who somehow disturbs the communication between Alice and Bob by intercepting messages.
  • These three names represent computers or processes that actually send or receive data, or intercept or change data.

Categories of cryptography- Symmetric-key/Secret-key and Asymmetric-key/Public-key

1. Symmetric-Key Cryptography
  • In symmetric-key cryptography, the same key is used by both parties.
  • It started thousands of years ago when people needed to exchange secrets (for example, in a war).
  • Today's ciphers are much more complex:
    a. Traditional algorithms - character-oriented.
    b. Modern algorithms - bit-oriented.
Traditional ciphers:
  • Substitution and transposition.

  • Monoalphabetic substitution: A (plaintext) is always replaced with D (ciphertext), regardless of its position.

  • Polyalphabetic substitution: A is replaced with N in one position and with D in another.

Transposition: reorders the symbols in a block of symbols; e.g., plaintext positions 2 4 1 3 become ciphertext positions 1 2 3 4.

Modern Ciphers:
  • Bit-oriented: the plaintext is digital data (numbers, graphics, audio, and video).

XOR Cipher
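The three traditional operations above (monoalphabetic and polyalphabetic substitution, transposition with the key 2 4 1 3) and the bit-oriented XOR cipher are each a few lines of code. The block below is an added example, not part of the notes; the shift values and sample text are constructed so that "A becomes D" and "A becomes N, then D" match the descriptions above, and the function names are my own.

```python
# Added example (not from the notes): the three traditional operations named
# above (monoalphabetic and polyalphabetic substitution, transposition with the
# key 2 4 1 3) and the bit-oriented XOR cipher, in Python. Keys and sample
# text are constructed; "A -> D" and "A -> N, then D" follow the notes.
import string

ALPHABET = string.ascii_uppercase


def mono_substitute(text: str, shift: int = 3) -> str:
    """Monoalphabetic: one fixed mapping; with shift 3, A becomes D wherever it occurs."""
    return "".join(ALPHABET[(ALPHABET.index(ch) + shift) % 26] if ch in ALPHABET else ch
                   for ch in text)


def poly_substitute(text: str, shifts=(13, 3)) -> str:
    """Polyalphabetic: the mapping depends on position. With shifts (13, 3) the
    first A becomes N and the next A becomes D, as in the notes."""
    out, i = [], 0
    for ch in text:
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shifts[i % len(shifts)]) % 26])
            i += 1
        else:
            out.append(ch)
    return "".join(out)


def transpose(block: str, key=(2, 4, 1, 3)) -> str:
    """Transposition: ciphertext position i receives the plaintext symbol at key[i].
    With key 2 4 1 3, plaintext positions 2, 4, 1, 3 land in ciphertext positions 1..4."""
    if len(block) != len(key):
        raise ValueError("block length must equal key length")
    return "".join(block[k - 1] for k in key)


def untranspose(block: str, key=(2, 4, 1, 3)) -> str:
    """Inverse permutation: put ciphertext position i back at plaintext position key[i]."""
    out = [""] * len(key)
    for i, k in enumerate(key):
        out[k - 1] = block[i]
    return "".join(out)


def xor_cipher(data: bytes, key: bytes) -> bytes:
    """Bit-oriented: XOR each byte with the repeating key. Because x ^ k ^ k == x,
    the same function both encrypts and decrypts."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


if __name__ == "__main__":
    print(mono_substitute("ATTACK"), poly_substitute("AA"), transpose("ABCD"))
    print(xor_cipher(xor_cipher(b"hello", b"k"), b"k"))
```

None of these is secure on its own: a monoalphabetic substitution preserves letter frequencies, a transposition preserves the letters themselves, and XOR with a short repeating key gives the key away to anyone who knows one stretch of plaintext (XOR of ciphertext and plaintext). They are shown here as the building blocks that modern bit-oriented ciphers combine many rounds deep.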

2. Asymmetric-Key Cryptography
  • Asymmetric-key (public-key) cryptography uses two keys: one private and one public.
  • Two algorithms: RSA and Diffie-Hellman.
2.A RSA Algorithm
  • The most common public-key algorithm is RSA, named for its inventors Rivest, Shamir, and Adleman.
  • It uses two numbers, e and d, as the public and private keys.
General Algorithm
  1. Generate two large random prime numbers, p and q.
  2. Compute n = p × q and φ = (p - 1) × (q - 1).
  3. Choose an integer e such that 1 < e < φ and gcd(e, φ) = 1.
  4. Compute the secret exponent d, 1 < d < φ, such that ed = 1 (mod φ).
  5. The public key is (e, n) and the private key is (d, n). Keep p, q, and φ secret.

Example:

  1. p = 7 and q = 11.
  2. Compute n = 77 and φ = (p - 1) × (q - 1) = 60.
  3. Choose an integer e such that 1 < e < φ and gcd(e, φ) = 1: e = 13.
  4. Compute the secret exponent d, 1 < d < φ, such that ed (mod φ) = 1: d = 37.

Plaintext P = 5.
Encryption: C = P^e mod n, with public key (e, n) = (13, 77).
Decryption: P = C^d mod n, with private key (d, n) = (37, 77).

Advantages:
  • Key advantage: difficulty of factoring large integers.
  • It is easier to solve the fundamental problems of cryptography.
  • Very fast, very simple encryption and verification.
  • Easier to understand.
Disadvantages:
  • Very slow key generation; slow decryption, which is slightly tricky to implement securely.
Applications:
  • Used for encryption, authentication, and digital signing.
  • It is very slow if the message is long.
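The general algorithm and the worked example (p = 7, q = 11, e = 13, d = 37, plaintext 5) can be run end to end, and the same small numbers show why the "key advantage" above is the whole story: anyone who can factor n recovers d. The block below is an added example, not part of the notes; it is textbook RSA without padding, so it is for illustration only, and the function names are my own.

```python
# Added example (not from the notes): the general algorithm and the worked
# example above (p = 7, q = 11, e = 13, d = 37, plaintext 5) carried out in
# Python, plus the factoring step that shows why such a small n gives no
# security. Textbook RSA without padding, as here, is for illustration only.
from math import gcd


def rsa_keygen(p: int, q: int, e: int):
    """Steps 2-5 of the general algorithm; p and q are assumed to be prime."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if not (1 < e < phi and gcd(e, phi) == 1):
        raise ValueError("e must satisfy 1 < e < phi and gcd(e, phi) == 1")
    d = pow(e, -1, phi)            # modular inverse, so that e*d = 1 (mod phi)
    return (e, n), (d, n)          # public key, private key


def rsa_encrypt(plaintext: int, public_key) -> int:
    e, n = public_key
    if not 0 <= plaintext < n:
        raise ValueError("plaintext block must be an integer smaller than n")
    return pow(plaintext, e, n)    # C = P^e mod n


def rsa_decrypt(ciphertext: int, private_key) -> int:
    d, n = private_key
    return pow(ciphertext, d, n)   # P = C^d mod n


def factor_toy_modulus(n: int):
    """Trial division: recovers p and q for small n. The 'key advantage' in the
    notes is that this step is infeasible when p and q are large."""
    for p in range(2, int(n ** 0.5) + 1):
        if n % p == 0:
            return p, n // p
    raise ValueError("n has no small factor")


def recover_private_key(public_key):
    """Whoever can factor n recomputes d from the public key alone."""
    e, n = public_key
    p, q = factor_toy_modulus(n)
    return pow(e, -1, (p - 1) * (q - 1)), n


if __name__ == "__main__":
    pub, priv = rsa_keygen(7, 11, 13)
    c = rsa_encrypt(5, pub)
    print(pub, priv, c, rsa_decrypt(c, priv))   # (13, 77) (37, 77) 26 5
```

Two points the toy makes visible: encryption here is deterministic (the same plaintext always gives the same ciphertext), and a ciphertext can be altered into another valid one by multiplying it by an encrypted factor. Real deployments fix both with randomized padding (OAEP for encryption, PSS for signatures) and use primes of hundreds of digits so that `factor_toy_modulus` has no practical counterpart.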
2.B Diffie-Hellman (DH)
  • RSA is a public-key cryptosystem that is often used to encrypt and decrypt symmetric keys.
  • Diffie-Hellman, on the other hand, was originally designed for key exchange.
  • In a Diffie-Hellman cryptosystem, two parties create a symmetric session key to exchange data without having to remember or store the key for future use.
Alice: chooses x, computes R1 = g^x mod p, and sends R1 to Bob.
Bob: chooses y, computes R2 = g^y mod p, and sends R2 to Alice.
The values of p and g are public.
Shared secret key: K = g^(xy) mod p.

Alice chooses a large random number x such that 0 ≤ x ≤ (p - 1) and calculates R1 = g^x mod p.
Alice sends R1 to Bob (but does not send the value of x).

Bob chooses another large random number y such that 0 ≤ y ≤ (p - 1) and calculates R2 = g^y mod p. Bob sends R2 to Alice (but does not send the value of y).
Alice calculates K = (R2)^x mod p. Bob calculates K = (R1)^y mod p.
K is the symmetric key for the session.
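The exchange above, with both sides' computations and a check that they arrive at the same K, as an added example that is not part of the notes. The public parameters p = 23, g = 5 and the exponents x = 6, y = 15 are small constructed values for the demonstration (real use needs a large prime p); the function names are my own.

```python
# Added example (not from the notes): the Diffie-Hellman exchange above in
# Python, with both sides' computations and a check that K agrees. The public
# parameters p = 23, g = 5 and the exponents x = 6, y = 15 are small constructed
# values for the demonstration; real use needs a large prime p.
import secrets


def dh_keypair(p: int, g: int):
    """Choose a private exponent and compute the public value R = g^x mod p.
    The notes allow 0 <= x <= p-1; 0 and p-1 are excluded here because they make
    R equal to 1 for any g, and a public value of 1 or p-1 is retried because it
    would leave no secret in the resulting K."""
    while True:
        x = 2 + secrets.randbelow(p - 3)    # 2 .. p-2
        R = pow(g, x, p)
        if 1 < R < p - 1:
            return x, R


def dh_shared(peer_public: int, own_private: int, p: int) -> int:
    """K = (peer's R)^own exponent mod p, after rejecting degenerate public values."""
    if not 1 < peer_public < p - 1:         # 0, 1 and p-1 force K into {0, 1, p-1}
        raise ValueError("invalid peer public value")
    return pow(peer_public, own_private, p)


def dh_session(p: int, g: int, x: int, y: int):
    """Deterministic walk through the exchange with given exponents (for checking)."""
    R1 = pow(g, x, p)                       # Alice -> Bob
    R2 = pow(g, y, p)                       # Bob -> Alice
    k_alice = dh_shared(R2, x, p)           # Alice: (R2)^x mod p
    k_bob = dh_shared(R1, y, p)             # Bob:   (R1)^y mod p
    return R1, R2, k_alice, k_bob


def dh_session_random(p: int, g: int) -> bool:
    """Run the exchange with fresh random exponents and report whether K matched g^(xy)."""
    x, R1 = dh_keypair(p, g)
    y, R2 = dh_keypair(p, g)
    return dh_shared(R2, x, p) == dh_shared(R1, y, p) == pow(g, x * y, p)


if __name__ == "__main__":
    print(dh_session(23, 5, 6, 15))         # (8, 19, 2, 2)
```

Nothing in this exchange tells Alice that R2 really came from Bob, which is exactly the man-in-the-middle exposure listed under attacks later in these notes; deployed protocols sign the R values or bind them to certificates so that an intermediary cannot substitute its own.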

CHAPTER 31 Network Security

  • We are living in the information age.
  • Information is an asset that has a value like any other asset.
  • As an asset, information needs to be secured from attacks: hidden from unauthorized access (confidentiality), protected from unauthorized change (integrity), available to an authorized entity when it is needed (availability)
  • Network security is a set of rules and configurations designed to protect the integrity, confidentiality, and accessibility of computer networks and data using both software and hardware technologies.

Attacks

  • The goals of security (confidentiality, integrity, and availability) can be threatened by security attacks.
  • Although the literature uses different approaches to categorizing the attacks, we can divide them into three groups related to the security goals.

Attackers: hacker, cyber-terrorist, cyber-criminal.
Attack nature: passive, active.
Attack types: confidentiality, integrity, authentication, availability.
Targets: software/hardware; controller device; communications; drone; data.

10 most common cyber attack types

  1. Denial-of-service (DoS) and distributed DoS (DDoS): exhausts the system's resources, e.g., TCP SYN flood. Solution: place the server behind a firewall configured to stop SYN packets.
  2. Man-in-the-middle (MitM): session hijacking, IP spoofing, replay. Solution: encryption and digital certificates.
  3. Phishing: sending e-mails that appear to come from trusted sources. Solution: critical thinking (do not take an e-mail at face value); move the mouse over a link, but do not click it; analyze the e-mail headers ("Reply-To" and "Return-Path").
  4. Drive-by: a common method of spreading malware. Hackers look for insecure websites and plant a malicious script into HTTP. Solution: keep your browser and OS up to date.
  5. Password: a common and effective attack approach; sniffing the connection, or brute force (password guessing using a random approach, trying different passwords). Solution: account lockout policy.
  6. SQL injection: common for database-driven websites. Solution: stick to stored procedures (do not use dynamic SQL).
  7. Cross-site scripting (XSS): uses third-party web resources. Solution: developers can sanitize data input by users in an HTTP request before sending the response.
  8. Eavesdropping: occurs through the interception of network traffic; the attacker can obtain passwords and credit card numbers. Passive: listening to the messages on the network. Active: tampering. Solution: data encryption.
  9. Birthday: made against hash algorithms that are used to verify the integrity of a message. It refers to the probability of finding two random messages that generate the same message digest (MD).
  10. Malware: malicious software can be described as unwanted software that is installed on your system without your consent. Macro viruses, file infectors, polymorphic viruses, stealth viruses, Trojans, logic bombs, worms, droppers, ransomware, adware, spyware.
Conclusions:
  • Keep your system and AV database up to date.
  • Configure your firewall.
  • Keep your passwords strong.
  • Make regular backups.
  • Continuously audit your IT systems.
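Items 6 and 7 in the list above are the two that a developer fixes in code, and both are easiest to understand as a vulnerable form beside its hardened form. The block below is an added example, not part of the notes. The notes recommend stored procedures; SQLite has none, so the parameterized query shown is the same control in its general form (the driver binds the value separately, so input can never change the statement's structure). The table, rows and inputs are constructed, and the function names are my own.

```python
# Added example (not from the notes): items 6 and 7 above, shown as a
# vulnerable lookup beside its hardened form. The notes recommend stored
# procedures; SQLite has none, so the parameterized query below is the same
# control in its general form (the driver binds the value, so input can never
# change the statement's structure). Table, rows and inputs are constructed.
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, email TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return con


def lookup_dynamic_sql(con, name: str) -> list:
    """Vulnerable (item 6): the user's input becomes part of the SQL text."""
    statement = f"SELECT email FROM users WHERE name = '{name}'"
    return con.execute(statement).fetchall()


def lookup_parameterized(con, name: str) -> list:
    """Hardened: the statement is fixed; the value travels separately."""
    return con.execute("SELECT email FROM users WHERE name = ?", (name,)).fetchall()


def render_greeting_unsafe(name: str) -> str:
    """Vulnerable (item 7): untrusted input copied verbatim into the page."""
    return f"<p>Hello, {name}</p>"


def render_greeting(name: str) -> str:
    """Hardened output for item 7: special characters are escaped before the
    value is placed in the HTML response, so it cannot become markup."""
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


if __name__ == "__main__":
    con = make_db()
    crafted = "x' OR '1'='1"       # constructed input that closes the quoted literal
    print(lookup_dynamic_sql(con, crafted))    # both rows: the WHERE clause was rewritten
    print(lookup_parameterized(con, crafted))  # []: no user has that literal name
    print(render_greeting("<b>bob</b>"))
```

The same lesson applies to both items: data and code must travel on separate channels. For SQL that is the bound parameter; for HTML it is escaping at the point of output (the notes say "sanitize before the response"), because the browser, like the database engine, cannot tell an attacker's markup from the developer's once they are in the same string.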

Attacks Threatening Confidentiality:

Snooping:
  • It refers to unauthorized access to or interception of data.
  • How to prevent it? The data can be made unintelligible to the interceptor by using encipherment techniques.
Traffic Analysis:
  • Obtaining some other types of information by monitoring online traffic.
  • For example, finding the electronic address (such as the e-mail address) of the sender or the receiver.

Attacks Threatening Integrity:

Modification:
  • After intercepting or accessing information, the attacker modifies the information to make it beneficial to the attacker (for example, bank information).
Masquerading:
  • It happens when the attacker impersonates somebody else.
  • For example: an attacker might steal the bank card and PIN of a bank customer.
Replaying: (also known as playback)
  • It is a form of network attack in which a valid data transmission is maliciously repeated or delayed.
  • In replaying, the attacker obtains a copy of a message sent by a user.
  • This kind of attack can crash poorly designed applications. Timestamping is a way of preventing a replay attack.
  • Synchronization should be achieved using a secure protocol.
Repudiation:
  • This type of attack is different from others because it is performed by one of the two parties in the communication: the sender or the receiver.
  • It happens when an application or system does not adopt controls to properly track and log users' actions, thus permitting malicious manipulation or forging the identification of new actions.

Attacks Threatening Availability:

Denial of Service:
  • Denial of service (DoS) is a very common attack. It may slow down or totally interrupt the service of a system.
  • The attacker can use several strategies to achieve this. The attacker may send so many bogus requests to a server that the server crashes because of the heavy load.
  • The attacker may also intercept requests from the clients, causing the clients to send requests many times and overload the system.

Services and Techniques:

  • ITU-T defines some security services to achieve security goals and prevent attacks.
  • Each of these services is designed to prevent one or more attacks while maintaining security goals.
  • The actual implementation of security goals needs some techniques. Two techniques: one is very general (cryptography) and one is specific (steganography).

Cryptography ("secret writing"): concealing the contents of a message by enciphering it.
Steganography ("covered writing"): concealing the message itself by covering it with something else.

SECURITY SERVICES

A. Message

B. Entity Authentication

A. Message
a. Confidentiality or Privacy:
  • The sender and receiver expect privacy; to everyone else, the message must look like garbage.
  • Provided by symmetric-key and asymmetric-key cryptography.
b. Integrity:
  • Data must arrive at the receiver exactly as they were sent. There must be no change during transmission, neither accidental nor malicious.
  • Data can be modified by unauthorized users.
  • Provided by sending the message together with its fingerprint.
c. Authentication:
  • It goes beyond message integrity: the receiver needs to be sure of the sender's identity.
d. Nonrepudiation:
  • A sender must not be able to deny sending a message that he or she, in fact, did send.
  • Message authentication code (MAC): it uses a secret key.
  • Digital signature (electronic signature): it uses a pair of private and public keys. It is another way to provide message integrity, authentication, and nonrepudiation. Nonrepudiation is a legal concept widely used in information security; it refers to a service that provides proof of the origin of the data and of the integrity of the data.
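A message authentication code with a shared secret key, combined with the timestamp defence against replay described in the Replaying section above, as an added example that is not part of the notes. Sender and receiver share a constructed key; HMAC-SHA256 is the MAC construction used, and the function and class names are my own. The block also makes visible what a MAC does not give: because both sides hold the same key, it cannot prove to a third party who sent the message, which is why nonrepudiation needs a digital signature instead.

```python
# Added example (not from the notes): a message authentication code (MAC)
# with a shared secret key, combined with the timestamp defence against
# replay described in the Replaying section. Sender and receiver share the
# constructed key; HMAC-SHA256 is the MAC construction used. A MAC cannot
# give nonrepudiation: both sides hold the same key, so either could have
# produced it. That is what the digital signature above is for.
import hashlib
import hmac
import json
import secrets


def _canonical(fields: dict) -> bytes:
    """Stable byte encoding so sender and receiver MAC exactly the same thing."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def make_message(key: bytes, payload: dict, now: int, nonce=None) -> dict:
    """Sender: attach a timestamp and a fresh nonce, then the MAC over everything."""
    msg = {"payload": payload, "ts": int(now), "nonce": nonce or secrets.token_hex(8)}
    msg["mac"] = hmac.new(key, _canonical(msg), hashlib.sha256).hexdigest()
    return msg


class Receiver:
    def __init__(self, key: bytes, window_seconds: int = 30):
        self.key = key
        self.window = window_seconds      # tolerated clock skew plus delivery delay
        self.seen = {}                    # nonce -> ts, for nonces accepted inside the window

    def verify(self, msg: dict, now: int):
        """Return (accepted, reason). Order matters: check the MAC first so that
        unauthenticated input can never poison the replay cache."""
        fields = {k: v for k, v in msg.items() if k != "mac"}
        expected = hmac.new(self.key, _canonical(fields), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(str(msg.get("mac", "")), expected):
            return False, "bad mac"       # modified, forged, or wrong key
        if abs(int(now) - int(msg["ts"])) > self.window:
            return False, "stale"         # delayed replay, or clocks out of sync
        if msg["nonce"] in self.seen:
            return False, "replay"        # exact repeat within the window
        self.seen[msg["nonce"]] = int(msg["ts"])
        return True, "ok"

    def prune(self, now: int):
        """Drop nonces that have left the window; they would be rejected as stale anyway."""
        self.seen = {n: t for n, t in self.seen.items() if abs(int(now) - t) <= self.window}


if __name__ == "__main__":
    key = b"constructed-shared-key"
    r = Receiver(key)
    m = make_message(key, {"amount": 10}, now=1000, nonce="n1")
    print(r.verify(m, 1005), r.verify(m, 1006))   # (True, 'ok') (False, 'replay')
```

The timestamp check only works if the two clocks agree to within the window, which is the synchronization requirement stated in the Replaying section; the nonce cache closes the gap the window leaves open, since a message repeated a second later is still fresh by timestamp alone.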
B. Entity Authentication
  • The entity or user is verified prior to access to the system resources.
  • An entity can be a person, a process, a client, or a server. Techniques: fixed password and OTP.
  • Message authentication (or data-origin authentication) might not happen in real time; entity authentication does.
  • Message authentication simply authenticates one message; the process needs to be repeated for each new message.
  • Entity authentication authenticates the applicant for the entire duration of a session.
Verification categories:
Something Known:
  • This is a secret known only by the claimant that can be checked by the verifier. Examples: a password, a PIN, a secret key, and a private key.
Something Possessed:
  • This is something that can prove the claimant's identity. Examples: a passport, a driver's license, an identification card, a credit card, and a smart card.
Something Inherent:
  • This is an inherent characteristic of the claimant. Examples: conventional signatures, fingerprints, voice, facial characteristics, retinal pattern, and handwriting.

CHAPTER 32 Internet Security

  • Internet security is normally applied at three layers in the Internet: the network layer, the transport layer, and the application layer. We also discuss firewalls, a technology that provides system security for an enterprise.

NETWORK-LAYER SECURITY

  • At the network layer, security is applied between two hosts, two routers, or a host and a router.
  • The purpose of network-layer security is to protect those applications that use the service of the network layer directly, such as routing protocols. The only network-layer security protocol we discuss here is IPSec.
  • IP Security (IPSec) is a collection of protocols designed by the IETF to provide security for a packet at the network level. IPSec helps to create authenticated and confidential packets for the IP layer.

Two Modes

Transport Mode:
  • In transport mode, IPSec protects what is delivered from the transport layer to the network layer.
  • It does not protect the IP header.