RAGHU ENGINEERING COLLEGE

Autonomous
(Approved by AICTE, New Delhi, Accredited by NBA (CIV, ECE, MECH, CSE), NAAC with ‘A+’ grade
& Permanently Affiliated to JNTU-GV Vizianagaram)
Dakamarri, Bheemunipatnam Mandal, Visakhapatnam Dist. – 531 162 (A.P.)
Ph: +91-8922-248001, 248002 Fax: + 91-8922-248011
e-mail: principal@raghuenggcollege.com website: www.raghuenggcollege.com

UNIT-2: Fundamental security Mechanisms: Introduction, Basics on security,

secure communication protocols and VPN implementation, Authentication,
Access control, Wi-Fi security dedicated architectures, Hot spot architecture,
Wireless Intrusion detection systems, and Wireless honeypots.

FUNDAMENTAL SECUIRTY MECHANISMs:

Introduction:
For a better understanding of security solutions described here: it is useful to
first present the fundamental mechanisms of network security.
This topic introduces mostly security services notions, two cryptographic
families, hash functions, electronic certificates and PKI, the SSL and IPsec
security protocols, etc. The chapter also describes the VPN (Virtual Private
Network) technologies supporting virtual private network implementation and
several authentication techniques, and access control solutions like firewalls and
intrusion detection systems.
Security services:
Security services refer to security concepts contrary to security mechanisms
which include the set of cryptographic tools useful for implementing security
Services. The X.800 standard [X800] defines the security services (except for
replay detection) as follows:
Availability: “the property of being accessible and useable upon demand by an
authorized entity”.
Access control: “the prevention of unauthorized use of a resource, including the
prevention of use of a resource in an unauthorized manner”;
Data integrity: “the property that data have not been altered or destroyed in an
Unauthorized manner”;
Data origin authentication: “the corroboration that the source of data received
is as claimed”;
Peer entity authentication: “the corroboration that a peer entity in an
association is the one claimed”. Note the clear distinction between
“identification “and “authentication”. Identification refers to an entity (user,
equipment) claiming its identity by providing an identifier (name, pseudonym,
email address, IP address, domain name), or the procedure to find the Identity of
a user among N users known by the systems under several features.
Authentication consists of proving the claimed identity by providing one or
several authentication elements;
Confidentiality: “the property that information is not made available or
disclosed to unauthorized individuals, entities or processes”;
Replay detection (not defined in X.800): replay detection consists of an entity
to detect that received data are duplicated from a previous exchange. Some data
might have been sent in a secure manner by a legitimate entity, but they can be
Copied and injected again to the same destination. Data are still authentic but
they are already processed; thus, it is necessary to detect replay to avoid them
being processed several times.
Encryption mechanisms enable the implementation of data confidentiality.
Most of the time, the services of data integrity and data origin authentication are
Implemented by the same security mechanisms: hash function and MAC
generation. The replay detection mechanisms are based on injecting a sequence
number in each of the transmitted information elements.

TYPES OF CRYPTOGRAPHY:

In symmetric cryptography, the enciphering and deciphering systems know the

same cryptographic key, while asymmetric cryptography (known as public key
Cryptography) is based on two complementary keys – the public and private
keys – one of them for encrypting and the other one for decrypting.
Note that older cryptographic algorithms were based on the secret of the
algorithm itself. This means that as soon as the algorithm was cracked, the
cryptographs needed to invent a new one. The novelty of symmetric and
asymmetric algorithms was to make public the whole enciphering/deciphering
processing and to externalize the secret into a secret parameter also called the
“cryptographic key”.
 Symmetric cryptography is based on the usage of the same key to
encrypt and Decrypt data. These keys are called symmetric keys
(sometimes secret keys).
 In the context of exchanges over a network, a transmitter encrypts data
with a key and the destination entity decrypts the data with the same key.
 If the symmetric algorithms are efficient, and make it possible to reach a
high data rate when Encrypting/decrypting, they raise the problem of
establishing the same key between the transmitter and the receiver.
 However sharing a key with each possible communicating entity, even in
a closed group of entities, is a very high constraint, and rapidly leads to a
big number of keys to be managed. Thus, it is better automating the
establishment of these keys.
 The most well-known symmetric algorithms are, in the chronological
order of their definition: DES (Data Encryption Standard), 3DES
(pronounced “Triple DES”), and AES (Advanced Encryption Standard).
DES was invented in 1977 by IBM as the public encryption algorithm
with secret keys of 56 bits and input of 64-bits data blocks.
 DES is based on permutation mechanisms and exclusive OR gates.
 These fast operations make DES highly efficient, but brute force attacks
are still able to crack the 56-bits keys by trying any combinations of keys.
 The 3DES algorithm was more robust and was successor of DES; 3DES
applies DES three times, one after the other; the 3DES key is maximum
168 bits (3*56=168) and applies to the same input block size (64 bits).
 The 3DES algorithm is not always efficient from an encryption rate point
of view, robustness to brute-force attacks, etc., so an international
competition was launched in 1997 to elaborate a new algorithm to replace
3DES.
 After several selection steps, the Belgium Rinjdael algorithm was
selected for its fast processing time, its portability on several platforms
(hardware and software, 8 and 32 bits), several supported key lengths,
etc.
 Thus, we talk indifferently about AES or Rinjdael. AES is the generic
name of the algorithm winning the competition. It relies on inputs of 128-
bit blocks and key lengths of 128, 192 or 256 bits.
 Symmetric algorithms can work according to several modes. Usually we
Distinguish the ECB (Electronic Code Book) mode which consists of
encrypting each of the blocks independently. Thus, the operation of
encrypting a message consists of fragmenting a message into blocks of
the expected size (dependent on the selected algorithm). Each of these
blocks is then encrypted independently.
 The drawback of the ECB mode is that two similar blocks give similar
encrypted blocks outputs. This makes ECB vulnerable, as a spy on the
network can detect two similar encrypted blocks, attempt to guess their
contents, and perform a brute-force attack by testing any combination of
the keys until the assumed clear text message is obtained.
 The CBC (Cipher Block Chaining) mode, also known as the “chaining
mode”, consists of processing a block by injecting the last computed
ciphered block into the processing, such that encrypting two similar
blocks leads to two different blocks.
 Attacks are more difficult to implement. According to the algorithms, the
encryption mode used and the length of the message to be encrypted, it is
sometimes necessary to align the message on a whole number of blocks.
Aligning consists of appending to the message prior to encryption some
padding information, that is, some meaningless information.
Asymmetric cryptography or public key cryptography:
 Asymmetric or public key cryptography relies on two encryption keys, called
“Asymmetric keys”. Both keys are generated at the same time and play a complementary role
in that the encryption with one of the keys needs to be decrypted with the other key.
Each key plays a specific role.
 The private key must be known by only one entity and can be used for authenticating
itself for instance.
 The public key can be largely published and it is better that public keys are largely
published in order that any other entity can perform authentication. Obviously,
knowledge of the public key does not enable us to deduce the complementary private
key.
 To authenticate the origin of message in a communication over a network, the
transmitter must use its own private key, for instance to generate an electronic
signature that it will append to the message before transmission.
 The receiver who knows the public key will be able to verify the validity of the
signature and will have guarantees regarding the origin of the message.
 To ensure the confidentiality of a message, it is necessary to encrypt the transmitted
message with the public key of the receiver. This public key is known by all entities
and can be served to any entity to encrypt a message.
 However, the complementary private key is only known to the destination of the
message; the receiver will be the only one able to decrypt the message. The property
of confidentiality is thus obtained.
 Using these classical examples of usage of the public/private keys, we must
understand that all the difficulty is related to the guarantee provided that a public key
is truly associated with the unique identified entity.
 This association entity/public key is fundamental. With no such reliable guarantee, it
is useless implementing security over a network.
 A first idea would be that each entity previously registers every public key of its
correspondents, but this would be as bad as the symmetric cryptography with a
number of keys to be managed.
 A second solution now that largely applies consists of defining a trusted third party,
that is, an entity in which a large number of entities have trust. This trust is created by
the knowledge of a public key associated with the trusted third party. This trusted
third party can for instance take the form of a certification authority whose role is to
issue electronic certificates i.e. some data structures binding a public key to an entity,
and signed by the certification authority.
 RSA (Rivest, Shamir, Adleman) is the most well-known asymmetric algorithm.
It is based on the theory of prime numbers and encryption keys with classic key sizes
of 512 classic, 1,024, 2,048 or 4,096 bits.
 Today a good level of security refers to keys of at least 2,048 bits. If the robustness of
cryptographic algorithms is dependent on the length of the keys used, it is
meaningless comparing the robustness of symmetric and asymmetric algorithms with
respect to the same length of keys.
 Indeed, cracking an asymmetric algorithm (in order to discover the used key) does not
require testing all the possibilities for keys like the symmetric algorithms; breaking
RSA for instance is like successfully factorizing a big number into two primary
numbers; in terms of robustness, 1,024-bit RSA keys are equivalent to 80-bit
symmetric keys or 2,048-bit RSA keys to 112-bit symmetric keys.
  To accelerate the deployment of public key cryptography, developers organized into
the commercial organization RSA Laboratories to define the syntax of different data
structures related to public key cryptography like private keys but also the
certification requests, etc. These de facto standards were included in a number of
standards and are known as PKCS (Public-Key Cryptography Standard).

Complementariness between the two cryptographic systems:

Security protocols use both security protocols, each having a specific usage:
– Symmetric cryptography (or secret key cryptography) makes it possible to protect
high bit rate data exchanged over a network; the processing speed of symmetric
algorithms is used;
– Asymmetric (or public key) cryptography is used to initialize a secure connection
between two entities of the network by enabling those entities to authenticate each
other and to establish a symmetric key in a confidential way.

HASH FUNCTIONs:
Hash functions aim to give a representative result of the message’s content over
a limited number of bytes. They are pretty like a more sophisticated CRC (Cyclic
Redundancy Check).
The awaited properties of these hash functions are as follows:
– a result on a limited number of bytes (usually 16 or 20 bytes);
– inability to recover the original message from the outcome of the function;
– two messages that differ by only 1 bit produce two results that differ by at least
half a bit.
Several terms for hash functions like irreversible functions or one-way functions
are used indifferently. Several other terms for the result of the hash functions are
used like hash or fingerprint. Thereafter, the term “footprint” is used.
Several hash functions are today defined like a series of MD (Message Digest)
functions MD2, MD4 and MD5 which give a 16 byte fingerprint, but also algorithm
SHA-1 (Secure Hash Algorithm-1) which gives a 20 byte long result. Today MD5
and SHA-1 are the most frequently used. However, MD5 was recently proven
vulnerable to attack by collisions [LLO 06]. Indeed, within hours, it is possible to
find a message leading to the same footprint MD5.
A series of algorithms named SHA-256, SHA-224 and SHA-512 have been
invented by the NSA (National Security Agency) since 2000. They all derive from
SHA-1, but give results in a greater number of bits (256, 224 and 512 bits). SHA-
256 is today the most popular and is considered as the successor of SHA-1.

Electronic signatures and MAC:

The electronic signature or a MAC (Message Authentication Code) appended to
a message has a twofold objective: to enable the recipient to authenticate the origin
of this message and to prove its integrity. Implementation of the electronic signature
and MAC uses hash functions and symmetric or asymmetric keys. In the case of
symmetric cryptography usage, we can talk about “MAC” (or MIC – Message
Integrity Code). In the case of asymmetric cryptography, we can talk about “MAC”,
but we prefer talking about the electronic signature.
GENERATION & VERIFICATION OF A MAC: (SYMMETRIC CRYPTOGRAPHY)

Limitations of MAC:
There are two major limitations of MAC, both due to its symmetric nature of operation −

 Establishment of Shared Secret.

 It can provide message authentication among pre-decided legitimate users who have
shared key.
 This requires establishment of shared secret prior to use of MAC.
 Inability to Provide Non-Repudiation

Non-repudiation is the assurance that a message originator cannot deny any previously sent
messages and commitments or actions.

MAC technique does not provide a non-repudiation service. If the sender and receiver get
involved in a dispute over message origination, MACs cannot provide a proof that a message
was indeed sent by the sender.

Though no third party can compute the MAC, still sender could deny having sent the message
and claim that the receiver forged it, as it is impossible to determine which of the two parties
computed the MAC.
When We Need MAC Codes?
A sample scenario for using MAC codes is like this:
 Two parties exchange somehow a certain secret MAC key (pre-shared key).
 We receive a msg + auth_code from somewhere (e.g. from Internet, from the block
chain, or from email message).
 We want to be sure that the msg is not tampered, which means that both the key and
msg are correct and match the MAC code.
 In case of tampered message, the MAC code will be incorrect.
Authenticated Encryption: Encrypt / Decrypt Messages using MAC:
 Another scenario to use MAC codes is for authenticated encryption: when we encrypt
a message and we want to be sure the decryption password is correct and the
decrypted message is the same like the original message before encryption.
 First, we derive a key from the password. We can use this key for the MAC
calculation algorithm (directly or hashed for better security).
 Next, we encrypt the message using the derived key and store the cipher text in the
output.
 Finally, we calculate the MAC code using the derived key and the original message
and we append it to the output.
 When we decrypt the encrypted message (cipher text + MAC), we proceed as follows:
First, we derive a key from the password, entered by the user. It might be the correct
password or wrong. We shall find out later.
 Next, we decrypt the message using the derived key. It might be the original message
or incorrect message (depends on the password entered).
 Finally, we calculate a MAC code using the derived key + the decrypted message.
 If the calculated MAC code matches the MAC code in the encrypted message, the
password is correct. Otherwise, it will be proven that the decrypted message is not the
original message and this means that the password is incorrect

GENERATION & VERIFICATION OF ELECTRONIC/DIGITAL SIGNATURE:

[ASYMMETRIC CRYPTOGRAPHY]

Digital Signature:
A digital signature is a mathematical technique used to validate the authenticity and integrity
of a message, software, or digital document.
Key Generation Algorithms: Digital signature is electronic signatures, which assure that
the message was sent by a particular sender. While performing digital transactions
authenticity and integrity should be assured, otherwise, the data can be altered or someone
can also act as if he was the sender and expect a reply.
Signing Algorithms: To create a digital signature, signing algorithms like email programs
create a one-way hash of the electronic data which is to be signed. The signing algorithm then
encrypts the hash value using the private key (signature key). This encrypted hash along with
other information like the hashing algorithm is the digital signature. This digital signature is
appended with the data and sent to the verifier. The reason for encrypting the hash instead of
the entire message or document is that a hash function converts any arbitrary input into a
much shorter fixed-length value. This saves time as now instead of signing a long message a
shorter hash value has to be signed and moreover hashing is much faster than signing.
Signature Verification Algorithms: Verifier receives Digital Signature along with the data.
It then uses Verification algorithm to process on the digital signature and the public key
(verification key) and generates some value. It also applies the same hash function on the
received data and generates a hash value. Then the hash value and the output of the
verification algorithm are compared. If they both are equal, then the digital signature is valid
else it is invalid.
The steps followed in creating digital signature are:
 Message digest is computed by applying hash function on the message and then
message digest is encrypted using private key of sender to form the digital signature.
(digital signature = encryption (private key of sender, message digest) and message
digest = message digest algorithm(message)).
 Digital signature is then transmitted with the message.(message + digital signature is
transmitted)
 Receiver decrypts the digital signature using the public key of sender.(This assures
authenticity, as only sender has his private key so only sender can encrypt using his
private key which can thus be decrypted by sender’s public key).
 The receiver now has the message digest.
 The receiver can compute the message digest from the message (actual message is
sent with the digital signature).
 The Message digest computed by receiver and the message digest (got by decryption
on digital signature) need to be same for ensuring integrity.
 Message digest is computed using one-way hash function, i.e. a hash function in
which computation of hash value of a message is easy but computation of the message
from hash value of the message is very difficult.
 Hashed value of original message is encrypted with sender's secret key to generate the
digital signature. It is generated by CA (Certifying Authority) that involves four steps:
Key Generation, Registration, Verification, and Creation. Authenticity of Sender,
integrity of the document and non-repudiation.
PUBLIC KEY INFRASTRUCTURE & KEY MANAGEMENT:
 The most distinct feature of Public Key Infrastructure (PKI) is that it uses a pair of
keys to achieve the underlying security service. The key pair comprises of private key
and public key.
 Since the public keys are in open domain, they are likely to be abused. It is, thus,
necessary to establish and maintain some kind of trusted infrastructure to manage
these keys.
Key Management:
 It goes without saying that the security of any cryptosystem depends upon how
securely its keys are managed. Without secure procedures for the handling of
cryptographic keys, the benefits of the use of strong cryptographic schemes are
potentially lost.
 It is observed that cryptographic schemes are rarely compromised through weaknesses
in their design. However, they are often compromised through poor key management.

There are some important aspects of key management which are as follows −

Cryptographic keys are nothing but special pieces of data.

Key management refers to the secure administration of cryptographic keys.

Key management deals with entire key lifecycle as depicted in the following illustration

There are two specific requirements of key management for public key cryptography.

Secrecy of private keys : Throughout the key lifecycle, secret keys must remain secret from
all parties except those who are owner and are authorized to use them.
Assurance of public keys:
 In public key cryptography, the public keys are in open domain and seen as public
pieces of data. By default there are no assurances of whether a public key is correct,
with whom it can be associated, or what it can be used for. Thus key management of
public keys needs to focus much more explicitly on assurance of purpose of public
keys.
 The most crucial requirement of ‘assurance of public key’ can be achieved through
the public-key infrastructure (PKI), a key management systems for supporting public-
key cryptography.

Public Key Infrastructure (PKI)

 PKI provides assurance of public key. It provides the identification of public keys and
their distribution.
An anatomy of PKI comprises of the following components:
 Public Key Certificate commonly referred to as ‘digital certificate’.
 Private Key tokens.
 Certification Authority.
 Registration Authority.
 Certificate Management System.
Digital Certificate:
 For analogy, a certificate can be considered as the ID card issued to the person.
People use ID cards such as a driver's license, passport to prove their identity. A
digital certificate does the same basic thing in the electronic world, but with one
difference.
 Digital Certificates are not only issued to people but they can be issued to computers,
software packages or anything else that need to prove the identity in the electronic
world.
 Digital certificates are based on the ITU standard X.509 which defines a standard
certificate format for public key certificates and certification validation. Hence digital
certificates are sometimes also referred to as X.509 certificates.
 Public key pertaining to the user client is stored in digital certificates by The
Certification Authority (CA) along with other relevant information such as client
information, expiration date, usage, issuer etc.
 CA digitally signs this entire information and includes digital signature in the
certificate.
 Anyone who needs the assurance about the public key and associated information of
client, he carries out the signature validation process using CA’s public key.
Successful validation assures that the public key given in the certificate belongs to the
person whose details are given in the certificate.
The process of obtaining Digital Certificate by a person/entity is depicted in the
following illustration:

As shown in the illustration, the CA accepts the application from a client to certify his public
key. The CA, after duly verifying identity of client, issues a digital certificate to that client.

Certifying Authority (CA)

As discussed above, the CA issues certificate to a client and assist other users to verify the
certificate. The CA takes responsibility for identifying correctly the identity of the client
asking for a certificate to be issued, and ensures that the information contained within the
certificate is correct and digitally signs it.

Key Functions of CA
The key functions of a CA are as follows −

Generating key pairs − The CA may generate a key pair independently or jointly with the
client.

Issuing digital certificates − The CA could be thought of as the PKI equivalent of a passport
agency − the CA issues a certificate after client provides the credentials to confirm his
identity. The CA then signs the certificate to prevent modification of the details contained in
the certificate.

Publishing Certificates − The CA need to publish certificates so that users can find them.
There are two ways of achieving this. One is to publish certificates in the equivalent of an
electronic telephone directory. The other is to send your certificate out to those people you
think might need it by one means or another.
Verifying Certificates − The CA makes its public key available in environment to assist
verification of his signature on clients’ digital certificate.

Revocation of Certificates − At times, CA revokes the certificate issued due to some reason
such as compromise of private key by user or loss of trust in the client. After revocation, CA
maintains the list of all revoked certificate that is available to the environment.

Classes of Certificates
 There are four typical classes of certificate −

Class 1 − These certificates can be easily acquired by supplying an email address.

Class 2 − These certificates require additional personal information to be supplied.

Class 3 − These certificates can only be purchased after checks have been made about the
requestor’s identity.

Class 4 − They may be used by governments and financial organizations needing very high
levels of trust.

Registration Authority (RA)

 CA may use a third-party Registration Authority (RA) to perform the necessary
checks on the person or company requesting the certificate to confirm their identity.
The RA may appear to the client as a CA, but they do not actually sign the certificate
that is issued.

Certificate Management System (CMS)

 It is the management system through which certificates are published, temporarily or
permanently suspended, renewed, or revoked. Certificate management systems do not
normally delete certificates because it may be necessary to prove their status at a point
in time, perhaps for legal reasons. A CA along with associated RA runs certificate
management systems to be able to track their responsibilities and liabilities.

Private Key Tokens

 While the public key of a client is stored on the certificate, the associated secret
private key can be stored on the key owner’s computer. This method is generally not
adopted. If an attacker gains access to the computer, he can easily gain access to
private key. For this reason, a private key is stored on secure removable storage token
access to which is protected through a password.
 Different vendors often use different and sometimes proprietary storage formats for
storing keys. For example, Entrust uses the proprietary .epf format, while Verisign,
GlobalSign, and Baltimore use the standard .p12 format.

Hierarchy of CA
 With vast networks and requirements of global communications, it is practically not
feasible to have only one trusted CA from whom all users obtain their certificates.
Secondly, availability of only one CA may lead to difficulties if CA is compromised.
  In such case, the hierarchical certification model is of interest since it allows public
key certificates to be used in environments where two communicating parties do not
have trust relationships with the same CA.
 The root CA is at the top of the CA hierarchy and the root CA's certificate is a self-
signed certificate.
 The CAs, which are directly subordinate to the root CA (For example, CA1 and CA2)
have CA certificates that are signed by the root CA.
 The CAs under the subordinate CAs in the hierarchy (For example, CA5 and CA6)
have their CA certificates signed by the higher-level subordinate CAs.
 Certificate authority (CA) hierarchies are reflected in certificate chains. A certificate
chain traces a path of certificates from a branch in the hierarchy to the root of the
hierarchy.

The following illustration shows a CA hierarchy with a certificate chain leading from an
entity certificate through two subordinate CA certificates (CA6 and CA3) to the CA
certificate for the root CA.
 Verifying a certificate chain is the process of ensuring that a specific certificate chain
is valid, correctly signed, and trustworthy.
 The following procedure verifies a certificate chain, beginning with the certificate that
is presented for authentication –
 A client whose authenticity is being verified supplies his certificate, generally along
with the chain of certificates up to Root CA.
 Verifier takes the certificate and validates by using public key of issuer. The issuer’s
public key is found in the issuer’s certificate which is in the chain next to client’s
certificate.
 Now if the higher CA who has signed the issuer’s certificate, is trusted by the verifier,
verification is successful and stops here.
 Else, the issuer's certificate is verified in a similar manner as done for client in above
steps. This process continues till either trusted CA is found in between or else it
continues till Root CA.
What is Cryptographic Key Management?

 Cryptographic key management generally refers to key management. It is basically

defined as management of cryptographic keys that are used to deliver different
purposes in a cryptographic network.
 The basic cryptographic key management deals with the generation, exchange,
storage, use, replacement and destruction of keys. The process involves cryptographic
protocol design, key servers, user procedures, and other relevant protocols.
 Key management is essential to maintain the security of cryptosystems. It is one of
the most different states of cryptography and involves aspects such as system policy,
user training, organizational and departmental interactions.

Cryptographic key management includes following steps:

Key exchange:

 Sometimes some cryptographic functions required cryptographic key exchange.

Public keys can be openly exchanged symmetric keys requiring a secured connection.
 Traditional approach involves secure channels such as diplomatic bags and protocols
like Diffie-Hellman key exchange. While modern methods employ modern systems
such as OpenPGP compatible systems and asymmetric key algorithms.
 Another modern method of key exchange includes key encapsulation with one
another. It is a cumbersome and expensive method that involves breaking a master
key into multiple parts and sending each with a trusted courier.

Key storage:
 Key storage is basically the allocation of the keys. Distributed keys should be stored
securely. This is so done to ensure communication security. There are various
methods to ensure perfect storing of the cryptographic keys.
 The most common technique employed for the purpose is an encryption application.
the application manages the key, and its usage depends on an access password to
control the use of the key.

Key Use
 As the duration of the usage of keys increases, risk factors also shoot high. as the risk
of a hacker is directly proportional to its duration of use. That’s why the keys should
be frequently changed. This limits the loss of vulnerable information.

Challenges involved in Cryptographic Key Management:

There are several challenges and threats that cause risks to the cryptographic keys. Following
are the challenges that are involved in cryptographic key management:

Unintended use of the Keys:

These keys should be used for the specific function for which they are designed for. It should
not be used for other purposes. As when keys are used for intended purpose, they cause a risk
to the protection.
Weak Keys:
Logically, keys are nothing else but the combination of random numbers and characters.
Easier this combination, the hacker can easily crack these keys. Keys should be strong
enough to protect the data and its vulnerabilities. An ideally qualified random number
generator should be used to create the keys.

Reuse:
Sometimes improper reuse of the already used keys is also a threat to the protection of
cryptographic keys.

Poor storage of keys

Sometimes the keys are stored alongside the data that they are meant to protect. In such cases
any exfiltration of the protected data compromises the security of the key also. Thus, the keys
should be stored in an appropriate manner.

Non-rotation
Using the same older symmetric algorithms again and again increases the threat issue for the
keys. To avoid this key should be rotated and updated regularly.

Non destruction
If the expired keys are not destroyed immediately, it can lead to the accidental compromise
of future data. Thus, keys should be securely deleted leaving no trace, once they are expired.

Unencrypted keys
As keys ensure the safety of data, that’s why they should be stored encrypted. Because
unencrypted keys are vulnerable to risks even at an offline stage.

Insecure movement
Cryptography techniques often involve the movement of keys. When these keys are moved
insecurely, it can ultimately lead to data loss. Thus, the movement of keys should be
accomplished in an encrypted way via a pre-shared transport key.

Audit logging
The entire lifecycle of the key should be fully logged and recorded, to avoid any further
forensic investigation.
SECURE COMMUNICATION PROTOCOLS FOR MOBILE & WIRELESS
NETWORKS:
Network security protocols are network protocols that ensure the integrity and security of
data transmitted across network connections. The specific network security protocol used
depends on the type of protected data and network connection. Each protocol defines the
techniques and procedures required to protect the network data from unauthorized or
malicious attempts to read or exfiltrate information.

Internet Protocol Security (IPsec) Protocol—OSI Layer 3

 IPsec is a protocol and algorithm suite that secures data transferred over public
networks like the Internet. The Internet Engineering Task Force (IETF) released the
IPsec protocols in the 1990s. They encrypt and authenticate network packets to
provide IP layer security.
 IPsec originally contained the ESP and AH protocols. Encapsulating Security Payload
(ESP) encrypts data and provides authentication, while Authentication Header (AH)
offers anti-replay capabilities and protects data integrity. The suite has since expanded
to include the Internet Key Exchange (IKE) protocol, which provides shared keys
establishing security associations (SAs). These enable encryption and decryption via a
firewall or router.
 IPsec can protect sensitive data and VPNs, providing tunneling to encrypt data
transfers. It can encrypt data at the application layer and enables authentication
without encryption.
SSL and TLS—OSI Layer 5

 The Secure Sockets Layer (SSL) protocol encrypts data, authenticates data origins,
and ensures message integrity. It uses X.509 certificates for client and server
authentication. SSL authenticates the server with a handshake, negotiating security
session parameters and generating session keys. It can then securely transmit the data
by authenticating its origin.
 SSL sessions use cryptographic algorithms similar to the algorithms used by the client
and server (determined during the handshake). Servers may support encryption with
algorithms like AES and Triple DES.
 X.509 server certificates are a requirement for SSL, enabling the client to validate the
server. SSL can also use X.509 client certificates for authentication. These certificates
must be signed by a trusted certificate authority in the server’s keying.

Transport Layer Security (TLS) is an SSL-based protocol defined by the IETF (SSL is
not).

Datagram Transport Layer Security (DTLS)—OSI Layer 5

 DTLS is a datagram communication security protocol based on TLS. It does not

guarantee message delivery or that messages arrive in order. DTLS introduces the
advantages of datagram protocols, including lower latency and reduced overhead.

Kerberos Protocol—OSI Layer 7

 Kerberos is a service request authentication protocol for untrusted networks like the
public Internet. It authenticates requests between trusted hosts, offering built-in
Windows, Mac, and Linux operating system support.
 Windows uses Kerberos as its default authentication protocol and a key component of
services like Active Directory (AD). Broadband service providers use it to
authenticate set-top boxes and cable modems accessing their networks.
 Systems, services, and users, only need to trust the KDC when using Kerberos. KDC
offers authentication and grants tickets to enable nodes to authenticate each other.
Kerberos uses shared secret cryptography to authenticate packets and protect them
during transmission.

Simple Network Management Protocol (SNMP)—OSI Layer 7

 SNMP is a network device management and monitoring protocol that works at the
application layer. It can secure devices on LANs or WANs. SNMP provides a shared
language to allow devices like servers and routers to communicate via a network
management system. SNMP is an original part of the Internet protocol suite defined
by the IETF.
  Components of the SNMP architecture include a manager, an agent, and a
management information base (MIB). The manager is the client, the agent is the
server, and the MIB is the database. The SNMP agent responds to the manager’s
requests using the MIB. While SNMP is widely available, administrators must adjust
the default settings to enable communication between the agents and the network
management system to implement the protocol.
 With the introduction of SNMPv3 in in 2004, the SNMP protocol gained three
important security features: encryption of packets to prevent eavesdropping, integrity
checks to ensure packets were not been tampered in transit, and authentication to
verify that communications come from a known source.

HTTP and HTTPS—OSI Layer 7

 HTTP is an application protocol that specifies rules for web file transfers. Users
indirectly use HTTP when they open their web browser. It runs on top of the Internet
protocol suite.
 HTTPS is the secure version of HTTP, securing the communication between browsers
and websites. It helps prevent DNS spoofing and man-in-the-middle attacks, which is
important for websites that transmit or receive sensitive information. All websites
requiring user logins or handling financial transactions are attractive data theft targets
and should be using HTTPS.
 HTTPS runs over the SSL or TLS protocol using public keys to enable shared data
encryption. HTTP uses port 80 by default, while HTTPS uses port 443 for secure
transfers. With HTTPS, the server and browser must establish the communication
parameters before initiating data transfers.

SASE (Secure Access Service Edge) is an emerging network architecture that combines
network security functions with wide-area networking (WAN) capabilities, providing a
unified approach to network security and connectivity.
VIRTUAL PRIVATE NETWORK & ITS IMPLEMENTATION:
 A virtual private network, or VPN, is an encrypted connection over the Internet from
a device to a network. The encrypted connection helps ensure that sensitive data is
safely transmitted. It prevents unauthorized people from eavesdropping on the traffic
and allows the user to conduct work remotely.

 Implementing a VPN (Virtual Private Network) involves setting up a secure and

encrypted connection between your device and a remote server. This connection helps
protect your online privacy and security by routing your internet traffic through an
encrypted tunnel. Below are the general steps to implement a VPN:

1. Choose a VPN Provider:

Select a reputable VPN provider that offers the features you need, such as strong encryption,
a wide range of server locations, and compatibility with your devices.

2. Sign Up and Subscribe:

Create an account with the chosen VPN provider and choose a subscription plan that suits
your needs.

3. Download and Install the VPN App:

Most VPN providers offer dedicated apps for various devices and operating systems,
including Windows, macOS, iOS, Android, and more. Download and install the appropriate
app for your device.

4. Launch the App and Log In:

Open the VPN app and log in using the credentials you created during sign-up.

5. Select a Server Location:

Once logged in, you'll typically be presented with a list of server locations. Choose a server
location based on your needs, such as accessing geo-restricted content or optimizing for
speed.

6. Connect to the VPN:

Click the "Connect" button within the app to establish a secure connection to the chosen
server. Once connected, your internet traffic will be encrypted and routed through the VPN
server.
7. Configure Additional Settings (Optional):
Most VPN apps offer additional settings that you can configure, such as choosing the VPN
protocol (OpenVPN, IKEv2, etc.), enabling a kill switch (disconnects you from the internet if
the VPN connection drops), or selecting specific apps to use the VPN connection.

8. Test Your Connection:

Once connected to the VPN, make sure to test your connection by visiting websites or using
apps to ensure that everything is working as expected.

9. Disconnect from the VPN:

When you're done using the VPN, remember to disconnect from the VPN server by closing
the app or clicking the "Disconnect" button.

10. Regularly Update the App:

Keep your VPN app updated to ensure you have the latest security features and bug fixes.

Conclusion: It’s important to note that while VPNs provide an added layer of security and
privacy, they are not a one-size-fits-all solution. VPNs can have varying levels of encryption,
logging policies, and performance. Additionally, some online activities may still be traceable
even when using a VPN, depending on the provider's policies and technical implementation.

Lastly, be cautious when using free VPN services, as they might not provide the same level
of security and privacy as paid services. Always research and choose a reputable provider
that aligns with your needs and values.
ACCESS CONTROL LISTS IN WIRELESS SECURITY:
 An access control list (ACL) is a list of rules that specifies which users or systems are
granted or denied access to a particular object or system resource. Access control lists
are also installed in routers or switches, where they act as filters, managing which
traffic can access the network.
 ACL in the context of wireless security typically stands for "Access Control List." An
Access Control List is a security mechanism used to control access to resources or
services based on a predefined list of permissions or rules. In wireless networking,
ACLs are often used to regulate access to Wi-Fi networks and associated resources.

In wireless security, an ACL can be implemented in various ways:

 MAC Address Filtering: Each network device (e.g., laptops, smartphones) has a
unique MAC (Media Access Control) address. ACLs can be configured to allow or
deny access to the network based on these MAC addresses. This means that only
devices with MAC addresses listed in the ACL are allowed to connect to the network.
 IP Address Filtering: ACLs can also be based on IP addresses. Devices with specific
IP addresses can be allowed or denied access to the network. However, in dynamic IP
scenarios, this approach might not be as effective, since IP addresses can change.
 Port-Based Filtering: This approach involves allowing or denying devices based on
specific network ports they are trying to access. For instance, you might allow access
to certain ports for internet browsing but block access to other ports for security
reasons.
 Time-Based Access: ACLs can also be configured to allow or deny access to the
network during specific time intervals. This is useful for scenarios where you want to
restrict access during certain hours, like business hours or nighttime.
 User-Based Access: Some more advanced systems allow ACLs to be tied to specific
user accounts. This is often seen in enterprise environments where employees have
unique credentials for accessing the wireless network.
 It's important to note that while ACLs provide an additional layer of security, they are
not foolproof. Skilled attackers can potentially spoof MAC addresses, making MAC
address filtering less effective. Similarly, relying solely on IP addresses might not be
sufficient if devices use dynamic IP assignment.
 For more robust wireless security, it's recommended to use a combination of security
measures such as strong encryption protocols (e.g., WPA2, WPA3), strong passwords
or passphrase, regular firmware updates, intrusion detection systems, and potentially
more advanced methods like IEEE 802.1X authentication.
 Remember that wireless security is a constantly evolving field, and it's crucial to stay
updated with the latest best practices and technologies to ensure the security of your
network and data.
Wi-Fi SECUIRTY DEDICATED ARCHITECTURES:

Dedicated WiFi Security Architecture:

Access Points (APs): These are the devices that provide wireless network connectivity. In a
dedicated WiFi security architecture, access points play a crucial role in implementing
security measures.

Wireless LAN Controller (WLC): The WLC is a centralized device that manages multiple
access points in a coordinated manner. It is responsible for enforcing security policies,
managing client connections, and distributing configuration changes to the APs.

Authentication Server: This server is responsible for verifying the identity of users or
devices trying to connect to the WiFi network. It plays a critical role in ensuring that only
authorized users gain access.

RADIUS Server: The Remote Authentication Dial-In User Service (RADIUS) server is used
to authenticate and authorize users attempting to connect to the wireless network. It works
closely with the authentication server to validate credentials.

Security Protocols:

WPA/WPA2/WPA3: These are encryption protocols that protect data transmission between
devices and access points. They ensure that data is transmitted securely and cannot be easily
intercepted.
802.1X: This is an authentication framework that enables port-based access control. It uses
the Extensible Authentication Protocol (EAP) to authenticate clients before granting network
access.
EAP-TLS: An EAP method that uses digital certificates for mutual authentication between
the client and the server, enhancing security.
EAP-PEAP: Protected EAP, which establishes a secure tunnel between the client and the
server, preventing eavesdropping.
Intrusion Detection/Prevention System (IDS/IPS): This system monitors network traffic for
suspicious activities or potential security breaches. It can block or mitigate attacks in real-
time.

Firewall: A network firewall can be integrated into the architecture to filter and control
incoming and outgoing traffic. This helps prevent unauthorized access and protects against
various types of attacks.

Explanation:

In this dedicated WiFi security architecture, the primary goal is to ensure that only authorized
users and devices can access the wireless network, and that the data transmitted over the
network remains secure. Here's how the components work together:

User Authentication: When a user or device attempts to connect to the WiFi network, they
are prompted to provide credentials. These credentials are sent to the authentication server,
which verifies their identity.

RADIUS Server: The RADIUS server communicates with the authentication server to
validate the provided credentials. If the credentials are correct, the RADIUS server sends an
access approval to the wireless LAN controller.

Wireless LAN Controller: The WLC enforces security policies and configuration settings
for the access points. It informs the relevant APs to allow the authenticated user/device to
join the network.

Security Protocols: Encryption protocols like WPA2 or WPA3 ensure that data transmitted
between the user/device and the access point is encrypted, preventing unauthorized access to
the data.

Intrusion Detection/Prevention: The IDS/IPS monitors network traffic for anomalies or

attacks. If any suspicious activity is detected, the system can take actions such as alerting
administrators or blocking the malicious traffic.

Firewall: The firewall filters incoming and outgoing traffic, allowing only authorized traffic
to pass through. It can be configured to block specific types of traffic or prevent known
malicious IPs from accessing the network.

This architecture provides a layered approach to WiFi security, combining authentication,

encryption, intrusion detection, and access control to create a robust defense against various
threats. Keep in mind that specific implementations may vary based on the organization's
needs and the technology available at the time of deployment.
Wi-Fi HOT SPOT ARCHITECTURE:

Wi-Fi hotspot architecture allows users to connect to the internet through wireless access
points, typically in public locations like cafes, airports, hotels, and other public areas. Here's
an overview of the components and functioning of a typical Wi-Fi hotspot architecture:

Components:

Access Points (APs): These are the physical devices that provide wireless connectivity to
users' devices. APs are strategically placed within the hotspot area to ensure proper coverage.

Authentication Server: The authentication server is responsible for verifying the identity of
users who want to access the hotspot. It interacts with users during the login process and
grants access based on valid credentials.
RADIUS Server: The Remote Authentication Dial-In User Service (RADIUS) server is used
to authenticate and authorize users connecting to the hotspot. It communicates with the
authentication server to validate credentials and allow or deny access.

Captive Portal: A captive portal is a web page that users see when they attempt to connect to
the hotspot. It prompts users to provide login credentials or agree to terms of service before
granting access.

Backend Server: This server hosts the logic and databases required for user management,
accounting, and other backend processes. It manages user accounts, tracks usage, and
generates billing information if necessary.

Internet Gateway: The internet gateway is the point through which traffic from the hotspot
is forwarded to the internet. It can include routers, firewalls, and other networking
components to manage traffic flow.

Billing and Payment System (Optional): In some cases, a billing and payment system may
be integrated into the architecture to offer paid access to the hotspot. This system manages
payment processing and account activation.

Functioning:

User Association: When a user with a Wi-Fi-enabled device enters the hotspot area, their
device detects the available wireless network. They choose the network associated with the
hotspot.

Captive Portal Interaction: Upon selecting the hotspot's network, the user's device is
automatically redirected to the captive portal's login page. The user is prompted to provide
login credentials or agree to terms of service.

Authentication: The user's credentials are sent to the authentication server, which verifies
them using the RADIUS server. If the credentials are valid, the user is granted access.

Access Grant: Once the user is authenticated, the captive portal allows the user's device to
access the internet through the hotspot's access points.

Internet Access: The user's device can now browse the internet using the hotspot's internet
connection. All data traffic between the device and the internet gateway is managed by the
hotspot's network infrastructure.

Session Management: The backend server tracks user sessions, usage, and potentially
enforces session timeouts or data usage limits as defined by the hotspot's policies.

Logout and Session Termination: When the user decides to disconnect or their session
expires, the backend server terminates the session. The user may also log out manually from
the captive portal.
Billing and Accounting (If Applicable): If the hotspot offers paid access, the billing and
payment system manages the financial transactions, account creation, and subscription
management.

Overall, Wi-Fi hotspot architecture ensures that users can access the internet in a controlled
and secure manner while enabling administrators to manage user access, enforce terms of
use, and potentially monetize the service. The architecture's design and components can vary
based on the hotspot provider's goals, scale, and requirements.
WIRELESS INTRUSION DETECTION & PREVENTION SYSTEMS:

A Wireless Intrusion Detection and Prevention System (WIDPS) is designed to monitor

and protect wireless networks from unauthorized access, attacks, and other security threats. It
consists of various components that work together to provide a comprehensive security
solution.

Here are the key components and their functioning in a WIDPS:

Sensors or Sensors Nodes:

Function: Sensors are deployed throughout the wireless network to monitor network traffic,
detect anomalies, and collect data about the network's behavior.
Functioning: Sensors capture packets of data and analyze them for suspicious patterns or
deviations from normal behavior. They can identify unauthorized access attempts, rogue
devices, and other unusual activities.

Centralized Monitoring Console:

Function: The centralized console serves as the command center for the WIDPS. It receives
data from sensors, processes it, and provides administrators with a real-time view of network
activity and potential security threats.
Functioning: The console aggregates data from sensors, analyzes the data, and generates
alerts or notifications when it detects suspicious or malicious activities. It allows
administrators to monitor and manage the security of the wireless network.

Intrusion Detection System (IDS):

Function: The IDS component of the WIDPS is responsible for identifying potential security
breaches and anomalies in network traffic.
Functioning: The IDS uses various techniques, such as signature-based detection and
anomaly-based detection, to compare network traffic against known attack patterns and
baseline behavior. If a match is found, the IDS generate an alert.

Intrusion Prevention System (IPS):

Function: The IPS takes proactive measures to prevent detected security threats from
compromising the network.
Functioning: The IPS can implement actions like blocking or isolating suspicious devices,
dropping malicious packets, or reconfiguring network settings to mitigate potential threats. It
works in real-time to prevent attacks from causing damage.

Signature Database:
Function: The signature database contains patterns and signatures of known attacks,
vulnerabilities, and malicious activities.
Functioning: The WIDPS compares network traffic against the signatures in the database to
identify matches. This helps detect and block well-known attack methods.

Anomaly Detection Algorithms:

Function: Anomaly detection algorithms analyze network traffic patterns to identify
deviations from normal behavior.
Functioning: These algorithms establish a baseline of normal network behavior and raise
alerts when deviations, such as unusual traffic spikes or unusual communication patterns, are
detected.

Rogue Device Detection:

Function: This component identifies unauthorized or rogue devices that have entered the
network.
Functioning: By monitoring for devices that are not part of the authorized network
infrastructure, the WIDPS can detect and report the presence of potential security threats.

Alert Generation and Notification:

Function: When potential security threats are detected, the system generates alerts to notify
administrators.
Functioning: Alerts can be generated in various forms, such as email notifications, SMS
messages, or visual indicators on the centralized monitoring console. These alerts enable
administrators to take immediate action.

Reporting and Analysis:

Function: The system collects data over time and provides reports for analysis and
compliance purposes.
Functioning: By analyzing historical data and generating reports, administrators can identify
trends, vulnerabilities, and areas of improvement in the network's security posture.

Configuration Management:
Function: This component is responsible for managing the configuration of the WIDPS
components.
Functioning: Configuration management allows administrators to customize the behavior of
the system, update signature databases, adjust detection thresholds, and fine-tune the overall
security settings to align with the network's needs.
Machine Learning and AI Techniques (Optional):
Function: Advanced WIDPS systems may incorporate machine learning and AI techniques to
enhance their detection capabilities.
Functioning: These techniques can adapt to new and evolving threats by learning from
historical data and patterns, allowing the system to identify novel attack vectors that
traditional methods might miss.

In summary, a Wireless Intrusion Detection and Prevention System is a complex solution

that relies on multiple components to monitor, detect, and prevent security threats within a
wireless network.
These components work together to ensure the network's security and integrity while
providing administrators with the tools needed to respond effectively to potential security
incidents.
WIRELESS HONEY POTS FUNCTIONING & IMPLEMENTATION:

A wireless honeypot is a cyber security tool or system designed to attract and trap potential
attackers, allowing security professionals to study their tactics, techniques, and procedures
(TTPs) while keeping them away from actual critical systems and data. The term "honeypot"
is derived from the idea of luring malicious actors in, just like bees are attracted to honey.

Architecture of a Wireless Honeypot:

The architecture of a wireless honeypot can vary based on the specific goals and requirements
of the deployment.
Here's a general outline of its components:
Wireless Access Points (APs): These are the devices that broadcast wireless networks. In the
context of a honeypot, these APs are set up to mimic legitimate networks and attract
attackers.

Decoy Services: Simulated services, such as fake websites, servers, or databases, are set up
to appear as if they contain valuable or sensitive information. These decoy services are
designed to entice attackers into interacting with them.

Logging and Monitoring: The honeypot system must log all interactions, activities, and
traffic. This data is essential for analyzing attacker behavior, identifying vulnerabilities
they're targeting, and understanding their tactics.

Isolation: The honeypot should be isolated from the actual production network to prevent
any real systems or data from being compromised. Network segmentation techniques are
used to ensure separation.

Deception Techniques: Deception tactics can include fake login screens, bogus credentials,
and misleading data. These tricks are employed to manipulate attackers into revealing more
about their methods.

Alerting Mechanisms: The system should have mechanisms to alert security personnel when
an attacker is detected or when certain activities occur that could pose a threat.

Components of a Wireless Honeypot:

Components within a wireless honeypot environment can include:

Virtualization Platforms: Honeypots are often deployed within virtualized environments.

Platforms like VMware, Virtual Box, or Docker allow for the creation of isolated
environments where honeypot instances can run.

Network Emulation Tools: These tools simulate network conditions, such as latency and
bandwidth, to make the honeypot environment more realistic.

Decoy Services: As mentioned earlier, simulated services and data are essential to attract
attackers. This could include fake web servers, FTP servers, or even IoT devices.

Intrusion Detection Systems (IDS): IDS tools monitor network traffic and system activities,
detecting unusual or malicious behavior that could indicate an attack.

Honeypot Management Console: A user interface or console where security professionals

can monitor and manage the honeypot instances, view logs, and analyze captured data.

Data Analysis Tools: After capturing attacker interactions, data analysis tools are used to
make sense of the collected data, identify attack patterns, and derive insights.

Implementation:

Define Goals: Determine the objectives of your honeypot deployment, such as gaining
insight into specific attack vectors or studying the behavior of certain types of attackers.
Select Honeypot Type: Choose the type of honeypot (e.g., high-interaction or low-
interaction) that aligns with your goals and available resources.

Choose Technology: Select the appropriate software, virtualization platform, and tools
needed to create and manage your honeypot environment.

Design Decoy Services: Set up decoy services that mimic real systems. For example, if
you're targeting web-based attacks, create fake websites and APIs.

Isolate the Environment: Ensure that the honeypot environment is isolated from your
production network to prevent any real harm.

Configure Monitoring and Logging: Set up logging mechanisms to capture all activities
and interactions within the honeypot environment.

Analyze Data: After interactions occur, analyze the captured data to gain insights into
attacker tactics and strategies.

Iterate and Improve: Use the information obtained to enhance your security measures,
refine your decoy services, and fine-tune your honeypot setup.

Alerting and Incident Response: Implement alerts and responses to notify security teams
when suspicious activities are detected within the honeypot.

Regular Maintenance: Keep the honeypot environment updated and monitor it consistently
to ensure it remains effective in attracting and studying attackers.

Remember that deploying a honeypot requires careful planning and consideration of legal and
ethical implications. Unauthorized engagement with attackers can lead to legal issues, so
ensure compliance with relevant laws and regulations.
FIREWALLS & THEIR FUNCTIONING:

Definition: A firewall is a network security device or software that acts as a barrier between
a trusted internal network and untrusted external networks, such as the internet. It enforces a
set of rules and policies to control and monitor incoming and outgoing network traffic,
helping to prevent unauthorized access, malicious activities, and data breaches.

Architecture and Internal Design:

The architecture of a firewall typically involves the following components:

Network Interfaces: Firewalls have at least two network interfaces: one connected to the
internal network (trusted side) and one connected to the external network (untrusted side).

Rule-Based Policy Engine: The heart of the firewall, this engine evaluates incoming and
outgoing traffic against a set of predefined rules and policies. It determines whether to allow,
deny, or log traffic based on these rules.

Packet Inspection:
 Stateful Inspection: Firewalls maintain a state table that tracks the state of active
connections. Incoming traffic is evaluated against this table to determine if it's part of
an established connection.
 Deep Packet Inspection (DPI): Some firewalls analyze the content of data packets to
identify applications, protocols, or even malicious code within the traffic.

Logging and Reporting: Firewalls log traffic activity, rule violations, and security events.
These logs are useful for troubleshooting, compliance audits, and security analysis.
Network Address Translation (NAT): Firewalls often perform NAT to hide internal IP
addresses from external networks, enhancing security and privacy.

Proxy Services: Some firewalls act as intermediaries (proxies) between internal clients and
external servers, adding an additional layer of security by isolating the internal network from
direct contact with external servers.

Functioning of Firewalls:

Packet Filtering: Firewalls inspect incoming and outgoing packets based on rules defined in
the policy. Packets that match the allowed criteria are permitted, while those that violate rules
are dropped or rejected.

Stateful Inspection: Firewalls maintain a record of active connections and track their state.
This allows the firewall to recognize legitimate responses to outbound requests and allow
corresponding inbound traffic.

Access Control Lists (ACLs): ACLs define what types of traffic are allowed or denied based
on factors like source and destination IP addresses, port numbers, and protocols.

Application Layer Filtering: Firewalls can analyze the payload of packets to determine the
applications or services generating the traffic. This enables more granular control over
specific applications.

Intrusion Detection and Prevention Systems (IDPS): Some advanced firewalls integrate
intrusion detection and prevention capabilities to identify and block known attack patterns.

Virtual Private Network (VPN) Support: Firewalls can enable secure communication over
untrusted networks by implementing VPN protocols and encryption.

Types of Firewalls:

Packet Filtering Firewalls: These examine packets' header information, such as source and
destination IP addresses, port numbers, and protocols, to make access control decisions.

Stateful Firewalls: They maintain a state table to track the state of active connections. This
helps in distinguishing legitimate traffic from unauthorized attempts.

Proxy Firewalls: Acting as intermediaries, proxy firewalls intercept traffic requests and then
initiate new requests on behalf of clients. This adds an extra layer of separation between
internal and external networks.

Next-Generation Firewalls (NGFW): These combine traditional firewall features with

advanced capabilities like DPI, application-aware filtering, and intrusion prevention.

Application Layer Firewalls: Also known as Layer 7 firewalls; these operate at the
application layer and can make decisions based on the actual content of packets.

Hardware vs. Software Firewalls: Firewalls can be implemented as hardware appliances or

as software running on general-purpose hardware.
Host-Based Firewalls: Installed on individual devices (host systems), these firewalls provide
local security controls for each device.

Cloud Firewalls: Designed specifically for cloud environments, these firewalls provide
security controls for virtual machines and resources within cloud platforms.

Conclusion: The primary goal of a firewall is to protect a network by enforcing security

policies and controlling the flow of network traffic to minimize the risk of unauthorized
access and cyber-attacks.
AUTHENTICATION PROCEDURES IN WIRELESS NETWORKS:

Definition of Authentication:
Authentication is the process of verifying the identity of a user, system, or entity attempting
to access a network, system, application, or service. It ensures that the claimed identity
matches the actual identity, granting authorized access while preventing unauthorized access.

Purpose of Authentication in Wireless Networks:

Authentication in wireless networks serves several critical purposes:

Access Control: Authentication ensures that only authorized users are allowed to connect to
the wireless network, preventing unauthorized individuals or devices from gaining access.

Data Security: By verifying user identities, authentication helps secure sensitive data from
being intercepted or accessed by malicious entities.

Network Integrity: It helps maintain the integrity of the wireless network by preventing
unauthorized devices from causing disruptions or exploiting vulnerabilities.

Resource Allocation: Authentication ensures that network resources are allocated only to
legitimate users, optimizing network performance and preventing abuse.

Accountability: Authentication helps establish accountability by associating network

activities with specific user identities.
Procedures for Authentication in Wireless Networks:

Authentication in wireless networks involves several procedures to validate the identity of

users and devices. Common methods include:

Pre-Shared Key (PSK): This method involves sharing a secret passphrase or key between
the user/device and the network. The user/device presents the correct key during the
authentication process.

802.1X/EAP (Extensible Authentication Protocol): A more advanced method that uses a

central authentication server. The user/device presents credentials, and the server verifies
them using various authentication methods such as username/password, certificates, tokens,
or biometrics.

Certificate-Based Authentication: Users/devices present digital certificates that are issued

by a trusted certificate authority. The certificates contain public keys and provide a more
secure authentication method.

MAC Address Filtering: This method involves allowing only specific MAC addresses
(unique hardware addresses) to connect to the network. While it's not very secure on its own,
it can be used in conjunction with other methods.

Biometric Authentication: In some cases, biometric data like fingerprints, facial

recognition, or iris scans can be used to authenticate users or devices.

Token-Based Authentication: Tokens, physical devices or software applications, generate

time-based or one-time passwords used for authentication. These change frequently, adding
an extra layer of security.

Captive Portal Authentication: Commonly used in public Wi-Fi networks, a captive portal
presents a web page where users enter authentication credentials or accept terms of use before
gaining access.

Multi-Factor Authentication (MFA): Combines multiple authentication methods to

enhance security. For example, users might need to provide a password and a temporary code
sent to their phone.

Challenges and Considerations:

 The chosen authentication method should align with the security requirements and
sensitivity of the data being accessed.
 User convenience should be balanced with security measures to avoid hindering user
experience.
 Regularly updating authentication credentials and keys helps prevent unauthorized
access due to compromised keys.
 Wireless networks should also employ encryption (e.g., WPA/WPA2) to secure data
transmissions in addition to authentication.
 Implementing strong authentication mechanisms is crucial to ensuring the security
and privacy of wireless networks and the sensitive data transmitted over them.