0507_CCS


  • 8/12/2019 0507_CCS

    1/15


    (b) Two-key encryption
    (c) Public key encryption
    (d) Primary key encryption
    (e) Single-key encryption.

    8. The exact realization of Feistel network depends on

    I. Block size.

    II. Key size.

    III. Number of rounds.

    (a) Only (I) above
    (b) Only (II) above
    (c) Only (III) above
    (d) Both (I) and (II) above
    (e) All (I), (II) and (III) above.

    9. An encryption scheme is computationally secure if

    I. The cost of breaking the cipher exceeds the value of the encrypted information.
    II. The time required to break the cipher is less than the useful lifetime of the information.
    III. The time required to break the cipher exceeds the useful lifetime of the information.

    (a) Only (I) above
    (b) Only (II) above
    (c) Only (III) above
    (d) Both (I) and (III) above
    (e) All (I), (II) and (III) above.

    10. Which of the following statements is/are true?

    I. Only relatively weak algorithms fail to withstand a ciphertext-only attack.
    II. It is very difficult to estimate the amount of effort required to cryptanalyze ciphertext successfully.
    III. A brute-force approach involves trying every possible key until an intelligible translation of the ciphertext into plaintext is obtained.

    (a) Only (I) above
    (b) Only (II) above
    (c) Only (III) above
    (d) Both (I) and (II) above
    (e) All (I), (II) and (III) above.

    11. Which of the following attacks on encrypted messages is the easiest to defend against because the opponent has the least amount of information to work with?

    (a) Ciphertext only
    (b) Known plaintext
    (c) Chosen plaintext
    (d) Chosen ciphertext
    (e) Chosen text.

    12. Which of the following is/are advantages of Triple Data Encryption Algorithm (TDEA)?

    I. It overcomes the vulnerability to brute-force attack of the Data Encryption Algorithm (DEA).
    II. It is very resistant to cryptanalysis.
    III. The TDEA algorithm is relatively lively software.

    (a) Only (I) above
    (b) Only (II) above
    (c) Only (III) above
    (d) Both (I) and (II) above
    (e) All (I), (II) and (III) above.

    13. Which of the following Conventional Encryption Algorithms has the key size of 56 bits?

    (a) DES
    (b) Triple DES
    (c) IDEA
    (d) Blowfish
    (e) RC5.

    14. Which of the following ways is/are used for message authentication?

    I. Conventional encryption.
    II. Public-key encryption.
    III. Secret value.

    (a) Only (I) above
    (b) Only (II) above
    (c) Only (III) above
    (d) Both (I) and (II) above
    (e) All (I), (II) and (III) above.

    15. Kerberos is an

    (a) Authentication service
    (b) Network protocol
    (c) Security protocol
    (d) File Transfer Protocol
    (e) None of the above.

    16. Which of the following is/are the services provided by Pretty Good Privacy (PGP)?

    I. Authentication.
    II. Compression.
    III. Segmentation.

    (a) Only (I) above
    (b) Only (II) above
    (c) Only (III) above
    (d) Both (I) and (II) above
    (e) All (I), (II) and (III) above.

    17. Which of the following header fields defined in MIME describes the data contained in the body with sufficient detail that the receiving user agent can pick an appropriate agent to represent the data to the user?

    (a) MIME-Version
    (b) Content-Type
    (c) Content-Transfer-Encoding
    (d) Content-ID
    (e) Content-Description.

    18. Which of the following MIME transfer encodings is useful when the data consist largely of octets that correspond to printable ASCII characters?

    (a) 7 bit
    (b) 8 bit
    (c) binary
    (d) quoted-printable
    (e) base64.

    19. Which of the following is/are the functions of S/MIME?

    I. Providing enveloped data.
    II. Providing signed data.
    III. Providing clear-signed data.

    (a) Only (I) above
    (b) Only (II) above
    (c) Only (III) above
    (d) Both (I) and (II) above
    (e) All (I), (II) and (III) above.

    20. A security association is uniquely identified by

    I. Security Parameters Index (SPI).
    II. IP Destination Address.
    III. Security Protocol Identifier.

    (a) Only (I) above
    (b) Only (II) above
    (c) Only (III) above
    (d) Both (I) and (II) above
    (e) All (I), (II) and (III) above.

    21. Which of the following services is not provided by IPSec?

    (a) Network control
    (b) Access control
    (c) Confidentiality
    (d) Data origin authentication
    (e) Connectionless integrity.

    22. Which of the following is not an element of Secure Network Management Protocol (SNMP)?

    (a) Management station
    (b) Management agent
    (c) Management information base
    (d) Network management protocol
    (e) Application protocol.


    23. A Masquerader is

    I. An individual who is not authorized to use the computer and who penetrates a system's access controls to exploit a legitimate user's account.
    II. A legitimate user who accesses data, programs, or resources for which such access is not authorized.
    III. An individual user who seizes supervisory control of the system and uses this control to evade auditing and access controls or to suppress the audit collection.

    (a) Only (I) above
    (b) Only (II) above
    (c) Only (III) above
    (d) Both (I) and (II) above
    (e) All (I), (II) and (III) above.

    24. Which of the following is not a password selection strategy?

    (a) User education
    (b) Computer-generated passwords
    (c) Reactive password checking
    (d) Proactive password checking
    (e) Administrator password checking.

    25. Which of the following is not an intruder detection technique?

    (a) Rule-based anomaly detection
    (b) Rule-based penetration identification
    (c) Distributed intrusion detection
    (d) Native audit records
    (e) Proactive audit records.

    26. Which of the following models is/are used for intruder detection?

    I. Mean and standard deviation.
    II. Multivariate.
    III. Markov process.

    (a) Only (I) above
    (b) Only (II) above
    (c) Only (III) above
    (d) Both (I) and (II) above
    (e) All (I), (II) and (III) above.

    27. Which of the following is not a phase in the life cycle of a virus?

    (a) Dormant phase
    (b) Propagation phase
    (c) Triggering phase
    (d) Execution phase
    (e) Counter phase.

    28. Which of the following viruses hides itself from detection by antivirus software?

    (a) Parasitic virus
    (b) Memory-resident virus
    (c) Boot sector virus
    (d) Stealth virus
    (e) Polymorphic virus.

    29. Which of the following is/are firewalls?

    I. Packet filters.
    II. Application-level gateways.
    III. Circuit-level gateways.

    (a) Only (I) above
    (b) Only (II) above
    (c) Only (III) above
    (d) Both (I) and (II) above
    (e) All (I), (II) and (III) above.

    30. In which of the following attacks does the intruder use the IP fragmentation option to create extremely small fragments and force the TCP header information into a separate packet fragment?

    (a) Destination routing attacks
    (b) Network address spoofing
    (c) IP address spoofing
    (d) Source routing attacks
    (e) Tiny fragment attacks.

    Section B : Caselets (50 Marks)

    This section consists of questions with serial number 1 - 6.

    Answer all questions.

    Marks are indicated against each question.

    Detailed explanations should form part of your answer. Do not spend more than 110 - 120 minutes on Section B.

    Caselet 1

    Read the caselet carefully and answer the following questions.

    1. What is a firewall? Explain the various types of firewalls used for network security.

    (10 marks)

    2. What is the importance of the firewall to Linens n Things, and why does it want to manage the firewall on its own?

    (7 marks)

    3. What features of the WatchGuard Firebox helped Linens n Things to achieve network security, and why has the company chosen WatchGuard for installing firewalls?

    (8 marks)

    Linens n Things, Inc. is one of the leading, national large format retailers of home textiles, house wares, and home accessories. Headquartered in Clifton, NJ, and with 2003 sales of $2.4 billion, the company has 463 stores in 45 U.S. states and in five provinces across Canada.

    Linens n Things operates a private IP network to connect its regional stores to its headquarters, and then externally out to the Internet via a central firewall and T1 line. The company also has 400 mobile users who require access to the corporate network for vital applications such as email and inventory systems. Linens n Things has a wide range of suppliers who need access to devices secured on the network, for instance the environmental control systems in its warehouses that need constant monitoring. The network is managed by a staff of two, led by Gary Stein, network manager. It's Stein's job to ensure each store, depot and warehouse across North America is constantly connected to external services such as banks, and that the company's supporting vendors and mobile users can access the information they need. Is Stein a firewall expert? No, he's never even had formal training, but with the solution he's selected, it's not a requirement.

    Stein needs to provide all 400 of his mobile users with network access. Half of these are home users who need to view their email at night and over the weekend in order to deal with urgent correspondence. The other 200 are senior managers, buyers, merchants, district managers and store managers who need to communicate, but also need access to core systems to check inventory, assess store performance, check supplier contacts on a database or view the corporate intranet. The flow of information around this international retailer relies on Stein's network.

    Prior to 2002, Linens n Things used an outsourced service provider to manage the firewall that provides the gateway onto the network. When the provider started to run into financial difficulties, Stein realized it was time to act. Given the complexity of the network topology, the number of suppliers and staff accessing the network, and the variety of applications being run, Linens n Things' firewall configuration is very dynamic. As a result, Stein decided to bring the firewall back in house: "I didn't want to wait two hours liaising with the provider to make changes to the firewall. Our configurations are constantly changing; suppliers need access to the network to troubleshoot. We keep the network locked down, so they need us to open ports to allow access, and it's normally pretty urgent. We couldn't afford the delay of involving a third party; I wanted to be able to control the firewall myself. And that meant the interface had to be straightforward."

    Stein evaluated three firewall vendors: Check Point, Cisco, and WatchGuard. "We understood the basic concepts of firewall management, so we were looking for a vendor that made configuration changes easy," said Stein. "With WatchGuard, the administration was much more straightforward. Straight out of the box the Firebox covered 99% of our requirements, and we were able to fine tune the appliance very quickly using WatchGuard System Manager."

    Stein installed two WatchGuard Firebox III 4500 appliances in a High Availability (HA) configuration to provide 24/7 access to the network. "I'm a very security-conscious person. I'm also careful when it comes to redundancy and so I wanted to make sure we had no single point of failure. We're looking to create a secure environment for our users. They leave the security to us, and I leave that to the Firebox," commented Stein.

    More recently, Stein upgraded his Firebox III 4500 appliances, installing two WatchGuard Firebox X2500 integrated security appliances in the Clifton, NJ headquarters. The company also installed WatchGuard's SpamScreen anti-spam solution, as well as its WebBlocker service which enables Stein to limit access to specific whitelisted URLs only. "The Firebox X offers greater throughput and enhanced High Availability capacity, especially at peak times. The fact that the Firebox X has up to six Ethernet ports means I can run multiple DMZs and still provide a dedicated port for the High Availability heartbeat. That's the type of redundancy you need when access is vital," Stein reasons. "In addition, as network traffic increases in line with the opening of new stores, it's good to know that the Firebox X line has model upgrade capability. If I purchase a Firebox X500, X700 or X1000 in the future, I can increase the horsepower by simply activating a license key on my existing appliance to increase performance, capacity or functionality."

    The transition to the new Firebox X appliances was straightforward since Stein was able to export his previous firewall configurations directly from the Firebox III appliances. He now plans to install the original Firebox III appliances at regional warehouses which aren't currently on the private network, making communication with them much faster and easier.

    At the other end of the scale, Stein has also recently purchased a WatchGuard Firebox SOHO 6tc in order to connect a new remote store via cable modem. Moving forward, he plans to bring more of Linens n Things' regional offices into the VPN to save on the cost of a dedicated leased line.

    Each Firebox appliance also includes a renewable subscription to WatchGuard's LiveSecurity Service. This provides technical support, training, software updates and an information broadcast service to all active LiveSecurity subscribers. WatchGuard's LiveSecurity Rapid Response Team monitors Internet threats as they evolve, assesses them and then provides clear instructions to subscribers recommending appropriate actions to ensure continued security. In this way, WatchGuard serves as an expert security resource for Linens n Things.

    "The LiveSecurity alerts are extremely useful. They're clear, comprehensive, and above all short. I don't have time to read through reams of detail; I just want the facts in an easily understandable format. I subscribe to several newsfeeds and WatchGuard's LiveSecurity is easily one of the best."

    Security is important to Linens n Things and especially to Stein. If there's a problem, it's his phone that rings. He's understandably cautious given the billions of dollars in transactions that go across his network each year. It's a mark of his confidence in WatchGuard's Firebox X then that he thinks little about security: "Probably the greatest compliment I could pay is that security doesn't take up a large part of my day. WatchGuard's Firebox X worked out of the box and is easy to manage. I have enough to worry about and thankfully, network access and security aren't on the list."

    Caselet 2

    Read the caselet carefully and answer the following questions:

    4. What is Multiprotocol Label Switching (MPLS)? What are the benefits derived by Vertex by implementing an MPLS-IPSec based VPN solution?

    (10 marks)

    5. What are the applications of IP Security (IPSec)?

    (7 marks)

    6. What are the services provided by IPSec?

    (8 marks)

    Vertex Inc. is a large Japan-based application service provider offering VPN services to a large number of customers. The company is planning to have Web-based advisory systems for the agents and clients in addition to the mainframe system in the Data Center. For this they should have an Internet Data Center (IDC) with a business continuity site. Along with this, the company needed a solution for seamless connectivity of the employees, agents and customers.

    The Challenge

    The challenge to the solution lies in running IPSec VPN above the MPLS VPN client. There are multiple paths to two main sites. The company wanted to re-route VPN traffic via another IPSec tunnel in case the primary link fails, and it wanted a smooth failover so that it will appear very transparent to the end users and there would be no connection failure.

    Multiprotocol Label Switching (MPLS) is a data-carrying mechanism, operating at a layer below protocols such as IP. It was designed to provide a unified data-carrying service for both circuit-based clients and packet-switching clients which provide a datagram service model. It can be used to carry many different kinds of traffic, including both voice telephone traffic and IP packets.

    The Solution

    Initially, all the branches of the company were connected using 64K Frame Relay links. The company needed to upgrade the bandwidth from 64K. Wipro offered an MPLS VPN based solution, as it is a very cost-effective solution compared to leased or frame circuits. All that Vertex needed to do was to take only the local circuit to the service provider and share the Service Provider's gigabit backbone. Using multiprotocol BGP, the client routes are propagated to the other sites. In addition to this, multiple IPSec tunnels have been configured for having encrypted communication among sites.

    The company Head Quarters, Branches, Internet Data Center and the business continuity sites are connected via the MPLS VPN. All the mobile users are connected using Cisco VPN concentrators. The mobile users dial into the nearest ISP and connect via the Internet to access the Intranet sites. The entire solution is based on Cisco products. Their Head Quarter is connected to other offices in Singapore, Hong Kong, UK etc. via another VPN based solution from Checkpoint.

    The Business Benefits:

    Uncovered the existing security vulnerabilities on various systems
    Can compare vulnerabilities of each week with the previous week

    Specific benefits from the solution implemented by Wipro:

    Very cost effective compared to a dedicated link solution
    Ensured quality of service
    IPSec based encryption to ensure data security
    High scalability
    Remote access for mobile users.

    END OF SECTION B

    Section C : Applied Theory (20 Marks)

    This section consists of questions with serial number 7 - 8.

    Answer all questions. Marks are indicated against each question.

    Do not spend more than 25 - 30 minutes on Section C.

    7. Pretty Good Privacy (PGP) provides confidentiality and authentication services that can be used for electronic mail and file storage applications. Discuss the various services provided by PGP.

    (10 marks)

    8. The key management portion of IPSec involves the determination and distribution of secret keys. Discuss the features of the Oakley Key Determination Protocol.

    (10 marks)

    END OF SECTION C

    END OF QUESTION PAPER

    Suggested Answers

    Cryptography and Computer Security (MB361IT): July 2005

    Section A : Basic Concepts

    1. Answer : (e)

    Reason : Various categories of attacks on the security of a system are interception, modification, fabrication and interruption. So option (e) is the answer.

    2. Answer : (a)

    Reason : Traffic analysis is a passive attack on the security of the system. All the other alternatives are active attacks on the security of the system. So option (a) is the correct answer.

    3. Answer : (b)

    Reason : Nonrepudiation is a security service that prevents either sender or receiver from denying a transmitted message. So option (b) is the correct answer.

    4. Answer : (c)

    Reason : The ingredients of a conventional encryption scheme are plaintext, secret key, ciphertext, encryption algorithm and decryption algorithm. So option (c) is the correct answer.

    5. Answer : (d)

    Reason : The requirements for secure use of conventional encryption are a strong encryption algorithm and a secure secret key. So option (d) is the correct answer.

    6. Answer : (d)

    Reason : The process of attempting to discover the plaintext or key is known as cryptanalysis. So option (d) is the correct answer.

    7. Answer : (e)

    Reason : If both the sender and receiver use the same key for encryption it is known as single-key encryption. So option (e) is the answer.

    8. Answer : (e)

    Reason : The exact realization of a Feistel network depends on block size, key size and number of rounds. So option (e) is the answer.

    9. Answer : (d)

    Reason : An encryption scheme is computationally secure if the cost of breaking the cipher exceeds the value of the encrypted information and the time required to break the cipher exceeds the useful lifetime of the information. So option (d) is the answer.

    10. Answer : (e)

    Reason : All the statements are true. Only relatively weak algorithms fail to withstand a ciphertext-only attack. It is very difficult to estimate the amount of effort required to cryptanalyze ciphertext successfully. A brute-force approach involves trying every possible key until an intelligible translation of the ciphertext into plaintext is obtained. So option (e) is the answer.

    11. Answer : (a)

    Reason : The ciphertext-only attack is the easiest to defend against because the opponent has the least amount of information to work with. So option (a) is the answer.

    12. Answer : (d)

    Reason : The advantages of the Triple Data Encryption Algorithm (TDEA) are that it overcomes the vulnerability to brute-force attack of the Data Encryption Algorithm (DEA) and it is very resistant to cryptanalysis. The TDEA algorithm is relatively sluggish software. So option (d) is the answer.

    13. Answer : (a)

    Reason : The Data Encryption Standard (DES) has a key size of 56 bits. So option (a) is the answer.

    14. Answer : (e)

    Reason : The three ways of message authentication are conventional encryption, public-key encryption and secret value. So option (e) is the answer.

    15. Answer : (e)

    Reason : Kerberos is an authentication service. So option (a) is the answer.

    16. Answer : (e)

    Reason : The services provided by Pretty Good Privacy are authentication, segmentation, compression, digital signature and message encryption. So option (e) is the answer.

    17. Answer : (b)

    Reason : The Content-Type field in MIME describes the data contained in the body with sufficient detail that the receiving user agent can pick an appropriate agent to represent the data to the user. So option (b) is the answer.

    18. Answer : (d)

    Reason : The quoted-printable transfer encoding is useful when the data consist largely of octets that correspond to printable ASCII characters. So option (d) is the answer.

    19. Answer : (e)

    Reason : The functions of S/MIME are providing enveloped data, providing signed data and providing clear-signed data. So option (e) is the answer.

    20. Answer : (e)

    Reason : A security association is uniquely identified by Security Parameters Index (SPI) or IP Destination Address or Security Protocol Identifier. So option (e) is the answer.

    21. Answer : (a)

    Reason : Except network control, all the other services, namely access control, connectionless integrity, data origin authentication and confidentiality, are provided by IPSec. So option (a) is the answer.

    22. Answer : (e)

    Reason : Except Application protocol, all the other alternatives, namely management station, management agent, management information base and network management protocol, are the elements of Simple Network Management Protocol (SNMP). So option (e) is the answer.

    23. Answer : (a)

    Reason : A Masquerader is an individual who is not authorized to use the computer and who penetrates a system's access controls to exploit a legitimate user's account. So option (a) is the answer.

    24. Answer : (e)

    Reason : Except (e), all the other alternatives, namely user education, computer-generated passwords, reactive password checking and proactive password checking, are various password checking strategies. So option (e) is the answer.

    25. Answer : (e)

    Reason : Except (e), all the other techniques, namely rule-based anomaly detection, rule-based penetration identification, distributed intrusion detection and native audit records, are various intruder detection techniques. So option (e) is the answer.

    26. Answer : (e)

    Reason : The models used for intruder detection are mean and standard deviation, multivariate and Markov process. So option (e) is the answer.


    27. Answer : (e)

    Reason : Except (e), all the other alternatives are the various phases in the lifecycle of a virus. So option (e) is the answer.

    28. Answer : (d)

    Reason : A stealth virus hides itself from detection by antivirus software. So option (d) is the answer.

    29. Answer : (e)

    Reason : All of them are various types of firewalls, namely packet filters, application-level gateways and circuit-level gateways. So option (e) is the answer.

    30. Answer : (e)

    Reason : In tiny fragment attacks, the intruder uses the IP fragmentation option to create extremely small fragments and force the TCP header information into a separate packet fragment. So option (e) is the answer.


    Section B : Problems

    1. Firewalls can be an effective means of protecting a local system or network of systems from network-based security threats while at the same time affording access to the outside world via wide area networks and the Internet. The three common types of firewalls are packet filters, application-level gateways and circuit-level gateways.

    Packet-Filtering Router

    A packet-filtering router applies a set of rules to each incoming IP packet and then forwards or discards the packet. The router is typically configured to filter packets going in both directions (from and to the internal network). Filtering rules are based on fields in the IP and transport (e.g. TCP or UDP) header, including source and destination IP address, IP protocol field (which defines the transport protocol) and TCP or UDP port number (which defines an application such as SNMP or TELNET).

    The packet filter is typically set up as a list of rules based on matches to fields in the IP or TCP header. If there is a match to one of the rules, that rule is invoked to determine whether to forward or discard the packet. If there is no match to any rule, then a default action is taken.
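    The rule-matching behaviour just described, as an added example that is not part of the exam paper or its suggested answer: a minimal packet filter in Python. The rules are evaluated in order against the direction, source and destination address, protocol and destination port of each packet; the first matching rule decides, and when nothing matches the default action (deny here) applies. The internal network 10.0.0.0/8, the web server address, the rule set and the sample packets are all constructed for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    """Header fields a packet filter looks at (constructed for the example)."""
    src: str              # source IP address
    dst: str              # destination IP address
    proto: str            # IP protocol field: "tcp", "udp" or "icmp"
    dport: Optional[int]  # TCP/UDP destination port, None for ICMP
    direction: str        # "in" (toward the internal network) or "out"


@dataclass(frozen=True)
class Rule:
    """One filtering rule; every field must match for the rule to apply."""
    action: str                  # "permit" or "deny"
    direction: str               # "in", "out" or "any"
    src: str                     # source network in CIDR notation
    dst: str                     # destination network in CIDR notation
    proto: str                   # "tcp", "udp", "icmp" or "any"
    dport: Optional[int] = None  # None matches any port

    def matches(self, p: Packet) -> bool:
        if self.direction != "any" and self.direction != p.direction:
            return False
        if self.proto != "any" and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst))


class PacketFilter:
    """Ordered rule list with a default action, as the answer describes."""

    def __init__(self, rules: List[Rule], default: str = "deny"):
        self.rules = rules
        self.default = default

    def decide(self, p: Packet) -> str:
        """Return 'permit' or 'deny' for p: the first matching rule wins."""
        for rule in self.rules:
            if rule.matches(p):
                return rule.action
        return self.default  # no rule matched: fall back to the default action


# Constructed rule set for an internal network 10.0.0.0/8 with a public
# web server at 10.1.1.10 (hypothetical addresses). Order matters.
RULES = [
    # a packet claiming an internal source but arriving from outside is spoofed
    Rule("deny", "in", "10.0.0.0/8", "0.0.0.0/0", "any"),
    # HTTPS to the web server is the only inbound service allowed
    Rule("permit", "in", "0.0.0.0/0", "10.1.1.10/32", "tcp", 443),
    # SNMP (UDP/161) must never be reachable from outside
    Rule("deny", "in", "0.0.0.0/0", "10.0.0.0/8", "udp", 161),
    # internal hosts may open outbound TCP connections
    Rule("permit", "out", "10.0.0.0/8", "0.0.0.0/0", "tcp"),
]
FILTER = PacketFilter(RULES, default="deny")

# Constructed sample traffic (not captured data).
SAMPLE = [
    Packet("203.0.113.5", "10.1.1.10", "tcp", 443, "in"),   # HTTPS to web server
    Packet("203.0.113.5", "10.1.1.10", "tcp", 23, "in"),    # TELNET to web server
    Packet("10.5.5.5", "10.1.1.10", "tcp", 443, "in"),      # spoofed internal source
    Packet("10.2.3.4", "198.51.100.7", "tcp", 80, "out"),   # outbound HTTP
    Packet("203.0.113.9", "10.1.1.20", "udp", 161, "in"),   # SNMP from outside
]


def filter_samples() -> List[str]:
    """Decision for each sample packet, in order."""
    return [FILTER.decide(p) for p in SAMPLE]


if __name__ == "__main__":
    for p, verdict in zip(SAMPLE, filter_samples()):
        print(f"{verdict:6} {p.direction:3} {p.proto} {p.src} -> {p.dst}:{p.dport}")
```

    The spoofed packet (third sample) matches both the first rule and the HTTPS permit rule; it is dropped only because the anti-spoofing rule comes first, which is why rule order, not just rule content, has to be reviewed when a filter list changes. The TELNET packet matches no rule at all and is discarded by the default action.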

    Application-Level Gateway

    An application-level gateway, also called a proxy server, acts as a relay of application-level traffic. The user contacts the gateway using a TCP/IP application, such as Telnet or FTP, and the gateway asks the user for the name of the remote host to be accessed. When the user responds and provides a valid user ID and authentication information, the gateway contacts the application on the remote host and relays TCP segments containing the application data between the two endpoints. If the gateway does not implement the proxy code for a specific application, the service is not supported and cannot be forwarded across the firewall. Further, the gateway can be configured to support only specific features of an application that the network administrator considers acceptable while denying all other features.

    Application-level gateways tend to be more secure than packet filters. Rather than trying to deal with the numerous possible combinations that are to be allowed and forbidden at the TCP and IP level, the application-level gateway need only scrutinize a few allowable applications. In addition, it is easy to log and audit all incoming traffic at the application level.

    A prime disadvantage of this type of gateway is the additional processing overhead on each connection. In effect, there are two spliced connections between the end users, with the gateway at the splice point, and the gateway must examine and forward all traffic in both directions.

    Circuit-Level Gateway

    A third type of firewall is the circuit-level gateway. This can be a stand-alone system or it can be a specialized function performed by an application-level gateway for certain applications. A circuit-level gateway does not permit an end-to-end TCP connection; rather, the gateway sets up two TCP connections, one between itself and a TCP user on an inner host and one between itself and a TCP user on an outside host. Once the two connections are established, the gateway typically relays TCP segments from one connection to the other without examining the contents. The security function consists of determining which connections will be allowed.

    A typical use of circuit-level gateways is a situation in which the system administrator trusts the internal users. The gateway can be configured to support application-level or proxy service on inbound connections and circuit-level functions for outbound connections. In this configuration, the gateway can incur the processing overhead of examining incoming application data for forbidden functions but does not incur that overhead on outgoing data.

    2. The company has 463 stores in 45 U.S. states and in five provinces across Canada, and it has 400 mobile users who require access to the corporate network for vital applications such as email and inventory systems. Linens n Things has a wide range of suppliers who need access to devices secured on the network, for instance the environmental control systems in its warehouses that need constant monitoring. It is Stein's job to ensure each store, depot and warehouse across North America is constantly connected to external services such as banks, and that the company's supporting vendors and mobile users can access the information they need.

    Prior to 2002, Linens n Things used an outsourced service provider to manage the firewall that provides the gateway onto the network. When the provider started to run into financial difficulties, Stein realized it was time to act. Given the complexity of the network topology, the number of suppliers and staff accessing the network, and the variety of applications being run, Linens n Things' firewall configuration is very dynamic. As a result, Stein decided to bring the firewall back in house:

    3. With WatchGuard, the administration was much more straightforward. Straight out of the box the Firebox

  • 8/12/2019 0507_CCS

    13/15

    13

    covered 99% of our requirements and we were able to fine tune the appliance very quickly using WatchGuardSystem Manager.

    The Firebox X offers greater throughput and enhanced High Availability capacity, especially at peak times. Thefact that the Firebox X has up to six Ethernet ports means I can run multiple DMZs and still provide a dedicated

    port for the High Availability heartbeat. Thats the type of redundancy you need when access is vital, Steinreasons. In addition, as network traffic increases in line with the opening of new stores, its good to know that theFirebox X line has model upgrade capability. If I purchase a Firebox X500, X700 or X1000 in the future, I can

    increase the horsepower by simply activating a license key on my existing appliance to increase performance,capacity or functionality.

    The transition to the new Firebox X appliances was straightforward since Stein was able to export his previousfirewall configurations directly from the Firebox III appliances. He now plans to install the original Firebox IIIappliances at regional warehouses which arent currently on the private network, making communication withthem much faster and easier.

    Each Firebox appliance also includes a renewable subscription to WatchGuard's LiveSecurity Service. This provides technical support, training, software updates and an information broadcast service to all active LiveSecurity subscribers. WatchGuard's LiveSecurity Rapid Response Team monitors Internet threats as they evolve, assesses them and then provides clear instructions to subscribers recommending appropriate actions to ensure continued security. In this way, WatchGuard serves as an expert security resource for Linens 'n Things.

    The LiveSecurity alerts are extremely useful. They're clear, comprehensive, and above all short. I don't have time to read through reams of detail; I just want the facts in an easily understandable format. I subscribe to several newsfeeds and WatchGuard's LiveSecurity is easily one of the best.

    If there's a problem, it's his phone that rings. He's understandably cautious given the billions of dollars in transactions that go across his network each year. It's a mark of his confidence in WatchGuard's Firebox X then that he thinks little about security:


    4. Multiprotocol Label Switching (MPLS) is a data-carrying mechanism, operating at a layer below protocols such as IP. It was designed to provide a unified data-carrying service for both circuit-based clients and packet-switching clients which provide a datagram service model. It can be used to carry many different kinds of traffic, including both voice telephone traffic and IP packets.

    Benefits:

    Uncovered the existing security vulnerabilities on various systems

    Can compare vulnerabilities of each week with the previous week

    Specific benefits from the solution implemented by Wipro:

    Very cost effective compared to a dedicated link solution

    Ensured quality of service

    IPSec based encryption to ensure data security

    High scalability

    Remote access for mobile users.


    5. Applications of IPSec

    IPSec provides the capability to secure communications across a LAN, across private and public WANs and across the Internet. Examples of its use include the following:

    Secure branch office connectivity over the Internet: A company can build a secure virtual private network over the Internet or over a public WAN. This enables a business to rely heavily on the Internet and reduce its need for private networks, saving costs and network management overhead.

    Secure remote access over the Internet: An end user whose system is equipped with IP security protocols can make a local call to an Internet service provider (ISP) and gain secure access to a company network. This reduces the cost of toll charges for traveling employees and telecommuters.

    Establishing extranet and intranet connectivity with partners: IPSec can be used to secure communication with other organizations, ensuring authentication and confidentiality and providing a key exchange mechanism.

    Enhancing electronic commerce security: Even though some Web and electronic commerce applications have built-in security protocols, the use of IPSec enhances that security.


    6. IPSec Services

    IPSec provides security services at the IP layer by enabling a system to select required security protocols, determine the algorithm(s) to use for the service(s) and put in place any cryptographic keys required to provide the requested services. Two protocols are used to provide security: an authentication protocol designated by the header of the protocol, Authentication Header (AH), and a combined encryption/authentication protocol designated by the format of the packet for that protocol, Encapsulating Security Payload (ESP). The services are as follows:

    Access control

    Connectionless integrity

    Data origin authentication

    Rejection of replayed packets (a form of partial sequence integrity)

    Confidentiality (encryption)

    Limited traffic flow confidentiality
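The replay-rejection service listed above, as an added Python illustration that is not part of the original answer: a sliding receive window over AH/ESP sequence numbers in the style of the window the IPsec specifications describe, with the window size of 64 and the sample sequence-number stream being assumptions.

```python
class AntiReplayWindow:
    """Sliding receive window over AH/ESP sequence numbers (added illustration).

    Bit 0 of `bitmap` marks the highest accepted sequence number (`top`) and
    bit i marks top - i. Packets left of the window and packets already
    marked inside it are rejected, so a captured packet cannot be fed to the
    receiver a second time. Window size 64 is an assumption here.
    """

    def __init__(self, size=64):
        self.size = size
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # receipt flags for top, top-1, ..., top-size+1

    def accept(self, seq, icv_valid=True):
        """Return True if the packet is new and in-window and may be processed.

        The window only advances for packets whose integrity check value (ICV)
        verified; otherwise forged sequence numbers could push real packets out.
        """
        if not icv_valid or seq == 0:       # sequence number 0 is never sent
            return False
        if seq > self.top:                  # right of the window: advance it
            shift = seq - self.top
            mask = (1 << self.size) - 1
            self.bitmap = 1 if shift >= self.size else ((self.bitmap << shift) & mask) | 1
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:               # left of the window: too old
            return False
        if self.bitmap & (1 << diff):       # already received: replay
            return False
        self.bitmap |= 1 << diff            # in window and new: mark it
        return True


def simulate(sequence_numbers, size=64):
    """Feed a constructed stream of sequence numbers through one window."""
    window = AntiReplayWindow(size)
    return [window.accept(seq) for seq in sequence_numbers]


if __name__ == "__main__":
    # Constructed sample: mild reordering is tolerated, replays and stale packets dropped.
    stream = [1, 3, 2, 2, 3, 100, 36, 37, 0]
    for seq, ok in zip(stream, simulate(stream)):
        print(f"seq {seq:>3}: {'accepted' if ok else 'rejected'}")
```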


    Section C: Applied Theory

    7. Pretty Good Privacy (PGP) consists of five services: authentication, confidentiality, compression, e-mail compatibility and segmentation.

    Summary of PGP Services

    Function: Digital signature
    Algorithms used: DSS/SHA or RSA/SHA
    Description: A hash code of a message is created using SHA-1. This message digest is encrypted using DSS or RSA with the sender's private key and included with the message.

    Function: Message encryption
    Algorithms used: CAST or IDEA or three-key triple DES with Diffie-Hellman or RSA
    Description: A message is encrypted using CAST-128 or IDEA or 3DES with a one-time session key generated by the sender. The session key is encrypted using Diffie-Hellman or RSA with the recipient's public key and included with the message.

    Function: Compression
    Algorithms used: ZIP
    Description: A message may be compressed, for storage or transmission, using ZIP.

    Function: E-mail compatibility
    Algorithms used: Radix-64 conversion
    Description: To provide transparency for email applications, an encrypted message may be converted to an ASCII string using radix-64 conversion.

    Function: Segmentation
    Algorithms used: (none)
    Description: To accommodate maximum message size limitations, PGP performs segmentation and reassembly.


    8. Oakley Key Determination Protocol: Oakley is a key exchange protocol based on the Diffie-Hellman algorithm but providing added security. Oakley is generic in that it does not dictate specific formats.

    Features of Oakley

    The Oakley algorithm is characterized by five important features:

    1. It employs a mechanism known as cookies to thwart clogging attacks.

    2. It enables the two parties to negotiate a group: this, in essence, specifies the global parameters of the Diffie-Hellman key exchange.

    3. It uses nonces to ensure against replay attacks.

    4. It enables the exchange of Diffie-Hellman public key values.

    5. It authenticates the Diffie-Hellman exchange to thwart man-in-the-middle attacks.
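The cookie mechanism of feature 1, as an added Python illustration that is not part of the original answer: the responder mints a stateless cookie bound to the peer's address and port and its own local secret, and performs no Diffie-Hellman work until that cookie comes back. HMAC-SHA256 stands in for the fast hash Oakley recommends, the addresses are constructed from documentation ranges, and `run_exchange` is a hypothetical helper for the scenario.

```python
import hashlib
import hmac
import os

OUR_IP, OUR_PORT = "192.0.2.1", 500   # constructed responder address (documentation range)

class OakleyResponder:
    """Responder side of the Oakley cookie exchange (added illustration).

    Message 1 is answered with a cookie and no state is stored; the expensive
    Diffie-Hellman work starts only when the initiator returns that cookie in
    message 2. HMAC-SHA256 stands in for the fast hash Oakley recommends.
    """

    def __init__(self):
        self.secret = os.urandom(32)    # local secret; rotate periodically in practice
        self.dh_exchanges_started = 0   # expensive work actually performed

    def cookie_for(self, src_ip, src_port):
        # Bound to both endpoints' addresses and ports plus the local secret,
        # so only this responder can mint it and it is useless from elsewhere.
        data = f"{src_ip}|{src_port}|{OUR_IP}|{OUR_PORT}".encode()
        return hmac.new(self.secret, data, hashlib.sha256).digest()[:8]

    def handle_message1(self, src_ip, src_port):
        """Cheap, stateless reply that is sent to src_ip, whoever claimed it."""
        return self.cookie_for(src_ip, src_port)

    def handle_message2(self, src_ip, src_port, cookie):
        """Recompute the cookie; begin Diffie-Hellman only if it matches."""
        expected = self.cookie_for(src_ip, src_port)
        if not hmac.compare_digest(expected, cookie):
            return False                    # clogging attempt or stale cookie: drop
        self.dh_exchanges_started += 1      # the Diffie-Hellman exchange would begin here
        return True

def run_exchange(responder, initiator_ip, port, reachable=True):
    """Constructed scenario: an initiator that receives the cookie can return it;
    one sending from a forged source address never sees it and can only guess."""
    cookie = responder.handle_message1(initiator_ip, port)
    if not reachable:
        cookie = os.urandom(8)              # the real cookie went to the forged address
    return responder.handle_message2(initiator_ip, port, cookie)

if __name__ == "__main__":
    r = OakleyResponder()
    print("reachable initiator accepted:", run_exchange(r, "198.51.100.7", 500))
    print("forged-source sender accepted:", run_exchange(r, "203.0.113.9", 500, reachable=False))
    print("Diffie-Hellman exchanges started:", r.dh_exchanges_started)
```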
